| Field | Value |
|---|---|
| File name | cscript.bat.zip |
| Full analysis | https://app.any.run/tasks/60680ba3-dfe7-46e7-8e0e-cc707185a783 |
| Verdict | Malicious activity |
| Analysis date | July 17, 2019, 17:29:58 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | C985C2B0501C2F0E4EEC05A3723F39C5 |
| SHA1 | F0AFCF51F6AB404757B272CDCDB1873C0B96CCD5 |
| SHA256 | 1212B9CCB96548E67DEE04A9ED40C0F837255A9624867FACE952E98FE538321B |
| SSDEEP | 12288:nqU9S8lNZmp7SI2rrU0hpPwyQgn7M4FL9eISfgNBDvnMUTdGZxDE1EmbZs9IK87:nk8lNZ+pwrU0SCAynzfoLE1EmbZKI/ |

| Extension | Description |
|---|---|
| .zip | ZIP compressed archive (100) |

| Attribute | Value |
|---|---|
| ZipRequiredVersion | 788 |
| ZipBitFlag | 0x0001 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:07:17 19:24:04 |
| ZipCRC | 0xe571d253 |
| ZipCompressedSize | 833628 |
| ZipUncompressedSize | 1379844 |
| ZipFileName | cscript.bat |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 3852 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\cscript.bat.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 5.60.0 | |
| 3448 | "C:\Users\admin\AppData\Local\Temp\Rar$DIb3852.12889\cscript.bat" | C:\Users\admin\AppData\Local\Temp\Rar$DIb3852.12889\cscript.bat | | WinRAR.exe | admin | dasHost | MEDIUM | RAVBg64 | 752.777.546.180 | |
| 2896 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | cscript.bat | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 3056 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 2380 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | cscript.bat | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 2504 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 4092 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | cscript.bat | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 2084 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 3604 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | cscript.bat | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |
| 2092 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 4.7.3062.0 built by: NET472REL1 | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3448 | cscript.bat | C:\Users\Public\phNTDIOTYV.vbs | text | 6B1378456DB7CE62565B808580F3E26D | E6074F38F060623685FB8B003114041185F905246F3E466415DA49E2744D4A43 |
| 3852 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3852.12889\cscript.bat | executable | F782333547682BA20E00501FE8807D8C | 9C3BAF4A84909D15E7BE3A59FEF7803A5EDC27A29C2B52F12FDE071241FF5530 |
| 3448 | cscript.bat | C:\Users\admin\AppData\Roaming\auditpolcore\cscript.bat | executable | C95DC1B95040A26265427E635C7ECD58 | 2EC09C5ECD917B8B96F3C33BECDE6259F7DC0DF575B7CD53C74A88A5F2D650C4 |
| 2380 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 3604 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 2896 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 4092 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |