| Field | Value |
|---|---|
| File name | FemwellScript.txt |
| Full analysis | https://app.any.run/tasks/def51a8a-8d69-4d38-b8c0-348aefbcf7be |
| Verdict | Malicious activity |
| Analysis date | August 12, 2022, 15:46:09 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/plain |
| File info | ASCII text, with very long lines, with CRLF line terminators |
| MD5 | DF710F15AFC3856AA898E55F12917069 |
| SHA1 | C41540E70F3A082511074FCD604687BD0EEE36EE |
| SHA256 | 2E921355D8315A3EDA831D32A91EB830C30D6E4FD64D96A4914E2D47B3875C64 |
| SSDEEP | 1536:a2m2SaSyM/psnIBcKAwbTdhfuLuwrsvxrkVZS:C7/psoAwPdhwS |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3124 | "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\FemwellScript.txt" | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Notepad | — | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2816 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 3221225786 | 10.0.14409.1005 (rs1_srvoob.161208-1155) |
| 3708 | "C:\Windows\regedit.exe" | C:\Windows\regedit.exe | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Registry Editor | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 832 | "C:\Windows\regedit.exe" | C:\Windows\regedit.exe | — | Explorer.EXE | admin | Microsoft Corporation | HIGH | Registry Editor | — | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3972 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 10.0.14409.1005 (rs1_srvoob.161208-1155) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF128584.TMP | binary | CCFCF369F751CE8DA0370D84E52A7EED | 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9 |
| 2816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TY8CHGGVSR7YF6M3BE0O.temp | binary | 4265CC95241DC86435498C187647D02E | 94C6CF00546C60BD17327FA92152963034E946CDAE41B9C2FB92ADAC7325C2B0 |
| 3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JEIIK37I69L2GYBKBDMF.temp | binary | 4265CC95241DC86435498C187647D02E | 94C6CF00546C60BD17327FA92152963034E946CDAE41B9C2FB92ADAC7325C2B0 |
| 2816 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
| 3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF164bf2.TMP | binary | 4265CC95241DC86435498C187647D02E | 94C6CF00546C60BD17327FA92152963034E946CDAE41B9C2FB92ADAC7325C2B0 |
| 2816 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | D3C284009A5790C3AA90D7C5D620CA65 | 6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39 |
| 2816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4265CC95241DC86435498C187647D02E | 94C6CF00546C60BD17327FA92152963034E946CDAE41B9C2FB92ADAC7325C2B0 |
| 3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4265CC95241DC86435498C187647D02E | 94C6CF00546C60BD17327FA92152963034E946CDAE41B9C2FB92ADAC7325C2B0 |
| 3972 | powershell.exe | C:\Users\admin\AppData\Local\Temp\rt4ta4cr.uss.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| 2816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\3wwaxq5v.x40.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |