File name: | 4 power_shell_script.ps1 |
Full analysis: | https://app.any.run/tasks/21adaf76-cde6-4996-b2c2-4cdaf0877e88 |
Verdict: | Malicious activity |
Analysis date: | October 19, 2020, 22:33:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators |
MD5: | 7AE918B8A56E3369EDC14A07A546C0A7 |
SHA1: | 3D1B3D1A1B516DD41FB6EDA44AE35C0284E4BFAE |
SHA256: | 4EE8A0E7464A2E915AC86D3BF2F77D1C3F8843095AA3D414086CF599417F2D56 |
SSDEEP: | 12288:X2gnwBM/2zZOW6TubD7e6xZmN0Zc/87/2EdTa0xutDUlLP/oyEsbD:mgnu8g3L4Nqe8yk8sH |
.txt | | | Text - UTF-16 (LE) encoded (66.6) |
---|---|---|
.mp3 | | | MP3 audio (33.3) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2028 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\4 power_shell_script.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3432 | "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2028 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1KATOSS70XP70S15U4QA.temp | — | |
MD5:— | SHA256:— | |||
3432 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7RNCNK0DCVUJ9W4135EP.temp | — | |
MD5:— | SHA256:— | |||
2028 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
3432 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:5C20874A548996F13181161510BEA1FD | SHA256:722BC6276F6CF53B54C90B4479A10CBAA202517D26BB78913304349AA6D33900 | |||
2028 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d3d6b.TMP | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
3432 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2e055f.TMP | binary | |
MD5:5C20874A548996F13181161510BEA1FD | SHA256:722BC6276F6CF53B54C90B4479A10CBAA202517D26BB78913304349AA6D33900 |
Domain | IP | Reputation |
---|---|---|
kvaladrigrosdrom.top |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
Process | Message |
---|---|
powershell.exe | WMA 0 |
powershell.exe | WMA 0 |