| Property | Value |
|---|---|
| File name | asdasd.txt |
| Full analysis | https://app.any.run/tasks/42f6ac21-4b15-41fc-8521-b6be81fdbfc5 |
| Verdict | Malicious activity |
| Analysis date | December 06, 2022, 00:46:27 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/x-msdos-batch |
| File info | DOS batch file, ASCII text, with CRLF line terminators |
| MD5 | 393457D7C5C099F33FC57B1149DFC0DB |
| SHA1 | 9522B1B78A20557E57AE5C872604467717DEDE45 |
| SHA256 | 48C7DBD6E1DD60BD379E74E317FACCFB2748A19C27BE38BE25F60B0470AFAFF7 |
| SSDEEP | 6:hgWm6ghF+2OgF128PNSg/8fhrhy3Idw9PvJo9wsUZ7G3kbfb3bgYD:mLnQMQgEZV6ZiUBgkbrbgYD |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 856 | "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\asdasd.txt" | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Notepad | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3032 | "C:\Windows\System32\NOTEPAD.EXE" /p C:\Users\admin\Desktop\asdasd.bat | C:\Windows\System32\NOTEPAD.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Notepad | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3756 | C:\Windows\system32\printfilterpipelinesvc.exe -Embedding | C:\Windows\system32\printfilterpipelinesvc.exe | — | svchost.exe | LOCAL SERVICE | Microsoft Corporation | SYSTEM | Print Filter Pipeline Host | 6.1.7601.24537 (win7sp1_ldr_escrow.191114-1547) | — |
| 2944 | /insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{78C6B0E9-7B58-4570-922A-B253F42F42A9}.xps" 133147612131550000 | C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE | — | printfilterpipelinesvc.exe | admin | Microsoft Corporation | MEDIUM | Microsoft OneNote | 14.0.6022.1000 | — |
| 1860 | "C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE" "ONENOTE" "Microsoft OneNote" | C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE | — | ONENOTE.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Office Help Viewer | 14.0.6015.1000 | — |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3756 | printfilterpipelinesvc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | OneNoteFiles | |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | Off |
| 2944 | ONENOTE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1042 | Off |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3756 | printfilterpipelinesvc.exe | C:\Windows\system32\spool\PRINTERS\PP15qsw7cibyad9v3dmuylmvk.TMP | — | — | — |
| 3756 | printfilterpipelinesvc.exe | C:\Windows\system32\spool\PRINTERS\PPr80tjy504g84c0untr7qo4p2b.TMP | — | — | — |
| 3756 | printfilterpipelinesvc.exe | C:\Windows\system32\spool\PRINTERS\PP04kvdfuu4n0bglqbw2fr9dwde.TMP | — | — | — |
| 2944 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\CVR44BA.tmp.cvr | — | — | — |
| 3756 | printfilterpipelinesvc.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{78C6B0E9-7B58-4570-922A-B253F42F42A9}.xps | compressed | 1C1C734DBE63BC051E0943E688E39721 | 58CFDB812E33CBB2B8BFEBB6148F694DAF305F13EE7543BAC1F4A2A8BC7AE269 |
| 1860 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT53C8.tmp | binary | 4FB16910A702B3A39C49FEF150DCD828 | FD582DC7B4B981C859A6AF64D4702553DB419463FF1C1D46D615A270864A61F0 |
| 1860 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT53D8.tmp | binary | 6B6FCB72BAB54571B702E9E5534C7252 | 8BF2C4ECE691F4AFFCE7FA48719245490DC33FEDA3835BDA5A61E005C7CB22AA |
| 1860 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft Help\MS.ONENOTE.14.1033_1033_MTOC_ONENOTE_COL.HxH | binary | 9A8FDFAE6F85641961683FC3F0915E08 | B488D3FDB3FFA768C851F92B4409715D2CEF1CC3A2528DAC7E0A2C3F52BEE8D8 |
| 1860 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT53A0.tmp | binary | 73E5F16AA352D7188E7266C6C20EAAF1 | 57408D0184C465A18379CAAF84030C6835B480BC644804F5670A02B985E84A0C |
| 3032 | NOTEPAD.EXE | C:\Windows\system32\spool\PRINTERS\00002.SPL | compressed | 1C1C734DBE63BC051E0943E688E39721 | 58CFDB812E33CBB2B8BFEBB6148F694DAF305F13EE7543BAC1F4A2A8BC7AE269 |