File name:

asdasd.txt

Full analysis: https://app.any.run/tasks/f9536e7b-5471-4589-9101-5f74da90f690
Verdict: Malicious activity
Analysis date: December 06, 2022, 00:40:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

393457D7C5C099F33FC57B1149DFC0DB

SHA1:

9522B1B78A20557E57AE5C872604467717DEDE45

SHA256:

48C7DBD6E1DD60BD379E74E317FACCFB2748A19C27BE38BE25F60B0470AFAFF7

SSDEEP:

6:hgWm6ghF+2OgF128PNSg/8fhrhy3Idw9PvJo9wsUZ7G3kbfb3bgYD:mLnQMQgEZV6ZiUBgkbrbgYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 1944)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 1944)
  • SUSPICIOUS

    • Executes as Windows Service

      • vssvc.exe (PID: 3184)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start notepad.exe no specs cmd.exe bcdedit.exe no specs bcdedit.exe no specs vssadmin.exe no specs vssvc.exe no specs attrib.exe no specs takeown.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
856"C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\asdasd.txt"C:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1944"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\asdasd.bat" C:\Windows\System32\cmd.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
1464BCDEDIT /SET RECOVERYENABLED NO C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1912BCDEDIT /DELETE {BOOTMGR} /f /CLEANUP C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3140VSSADMIN DELETE SHADOWS /all -quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\atl.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3184C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3852ATTRIB -R -A -S -H -I C:\*.* /S /D C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2548TAKEOWN /F C:\*.* /R /D Y C:\Windows\system32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
720
Read events
707
Write events
1
Delete events
12

Modification events

(PID) Process:(1464) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009
Operation:writeName:Element
Value:
00
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Description
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000004
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000005
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\23000003
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\23000006
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\24000001
Operation:delete keyName:(default)
Value:
(PID) Process:(1912) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\24000010
Operation:delete keyName:(default)
Value:
Executable files
0
Suspicious files
4
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
1944cmd.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
MD5:
SHA256:
1944cmd.exeC:\Windows\System32\winevt\Logs\Application.evtx
MD5:
SHA256:
1944cmd.exeC:\Windows\System32\winevt\Logs\System.evtx
MD5:
SHA256:
3852attrib.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logbinary
MD5:969890E3BBD644C98DC64CAEC7AED96F
SHA256:A0D868C0F263847A1F11F80202CA12C04A056244AE4C63D050EEFD632EC4319A
3852attrib.exeC:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtxevtx
MD5:CBAD757EC11AE221377FAB60F6849540
SHA256:7AF6F000FF721629F538DEF21BD2D071DF604225F61454276D4625958EC4A699
856NOTEPAD.EXEC:\Users\admin\Desktop\asdasd.txttext
MD5:393457D7C5C099F33FC57B1149DFC0DB
SHA256:48C7DBD6E1DD60BD379E74E317FACCFB2748A19C27BE38BE25F60B0470AFAFF7
1944cmd.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datbinary
MD5:BA71717819F680A38E9A3E0FFBE0C441
SHA256:3059F02AA7DA426E3865B3A9304B02F04433BFCE846BE0094BF4B9E643F509CC
1944cmd.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.Crwltext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
1944cmd.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.gthrtext
MD5:4B4892BCBCFF79413BA22D475D650885
SHA256:94C2FDF7E2445A2F625D037D0C50C43FA759D162A212C2E9A738479A6776963F
1944cmd.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000binary
MD5:213F03C41E5AAE316C55C2291F15CC0F
SHA256:E0EF84E21BCE8E31A1CF9948B7AF57EDCB2F0DF4D321C61A18E3872C291E48BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info