File name: | bootstrap.js.ps1 |
Full analysis: | https://app.any.run/tasks/3508ba5e-b920-496f-af2e-dc1dc16d7fcc |
Verdict: | Malicious activity |
Analysis date: | January 17, 2020, 19:48:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | 0C50E7FA14B23B5E1BAD40B9A795CCFD |
SHA1: | F66789D7F74A6E1AB674F8E5887C4E15ED8AAD90 |
SHA256: | 308B2D478638C74F28729CC790678E150B4F58955595CE777445E22187CEB4A6 |
SSDEEP: | 768:D6JEjFHNnyjSnrFxJaWJxNif60eeXxwo0mN3ZR8qOny6/4d/kW/2FRUyB:2JoHgy7aKii0eeBtR8Nnrgd/kWOFBB |
.ini | | | Generic INI configuration (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
532 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\bootstrap.js.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1252 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\9e37evmk.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3272 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESAB4F.tmp" "c:\Users\admin\AppData\Local\Temp\CSCAB4E.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
352 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2112 | C:\Users\admin\AppData\Local\Temp\\a6aa3e36.exe | C:\Users\admin\AppData\Local\Temp\a6aa3e36.exe | — | explorer.exe |
User: admin Company: YANDEX LLC Integrity Level: MEDIUM Description: Investment Inportant Products Raw Exit code: 0 Version: 2.4.8.8 | ||||
3156 | C:\Users\admin\AppData\Local\Temp\a6aa3e36.exe | C:\Users\admin\AppData\Local\Temp\a6aa3e36.exe | — | a6aa3e36.exe |
User: admin Company: YANDEX LLC Integrity Level: MEDIUM Description: Investment Inportant Products Raw Exit code: 0 Version: 2.4.8.8 |
PID | Process | Filename | Type | |
---|---|---|---|---|
532 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7RYCIP9HZF8FPSU2Z80R.temp | — | |
MD5:— | SHA256:— | |||
1252 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCAB4E.tmp | — | |
MD5:— | SHA256:— | |||
1252 | csc.exe | C:\Users\admin\AppData\Local\Temp\9e37evmk.pdb | — | |
MD5:— | SHA256:— | |||
3272 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESAB4F.tmp | — | |
MD5:— | SHA256:— | |||
1252 | csc.exe | C:\Users\admin\AppData\Local\Temp\9e37evmk.dll | — | |
MD5:— | SHA256:— | |||
1252 | csc.exe | C:\Users\admin\AppData\Local\Temp\9e37evmk.out | — | |
MD5:— | SHA256:— | |||
352 | explorer.exe | C:\Users\admin\AppData\Local\Temp\CabC250.tmp | — | |
MD5:— | SHA256:— | |||
352 | explorer.exe | C:\Users\admin\AppData\Local\Temp\TarC251.tmp | — | |
MD5:— | SHA256:— | |||
352 | explorer.exe | C:\Users\admin\AppData\Local\Temp\CabC262.tmp | — | |
MD5:— | SHA256:— | |||
352 | explorer.exe | C:\Users\admin\AppData\Local\Temp\TarC263.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
352 | explorer.exe | GET | 200 | 92.122.213.217:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 57.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
352 | explorer.exe | 159.89.85.252:443 | perplevax.org | — | US | unknown |
352 | explorer.exe | 92.122.213.217:80 | www.download.windowsupdate.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
perplevax.org |
| malicious |
www.download.windowsupdate.com |
| whitelisted |
mylovelyrose.info |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
352 | explorer.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|