File name: | anketa (3).VBS |
Full analysis: | https://app.any.run/tasks/d2eebd22-2996-4ac8-8129-413b23ddb5b4 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 10:13:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 48EDB465A9908416E5AEA1F5A8C9229D |
SHA1: | 16BC6A2CC791F0F2C26566AC0A6FF2D7A239CE53 |
SHA256: | 57B37FFA2FADDD2FBFC7FD52822C1D73B4C8C5F4536A18E4B60D4562228B3DFC |
SSDEEP: | 768:CnD8ser6rEMD0hhSbyiXUyTcW8MJMXjHzEw/D/VjbCz611E:jER2lifw861m |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2812 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\anketa (3).VBS" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3580 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path "C:\Users\admin\AppData\Local\Temp\anketa (3).VBS" -Destination "C:\Users\admin\AppData\Roaming\NpVQtDXmfnWPSyopKMdCneqrC.vbs" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3012 | "C:\Windows\System32\cmd.exe" /C systeminfo > ~tmp_si.txt | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3492 | systeminfo | C:\Windows\system32\systeminfo.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Displays system information Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3912 | "C:\Windows\System32\cmd.exe" /C nslookup e > ~tmp_ns.txt | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2328 | nslookup e | C:\Windows\system32\nslookup.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3356 | "C:\Windows\System32\cmd.exe" /C net view> ~tmp_nv.txt | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3868 | net view | C:\Windows\system32\net.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3408 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name ARSv5 -PropertyType String -Value C:\Users\admin\AppData\Roaming\NpVQtDXmfnWPSyopKMdCneqrC.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2920 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name ARSv5 -PropertyType String -Value C:\Users\admin\AppData\Roaming\NpVQtDXmfnWPSyopKMdCneqrC.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8XNE0ZRJ0IFGRY8BFP8G.temp | — | |
MD5:— | SHA256:— | |||
3408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AF8L9G64CRGPJMY6B6K3.temp | — | |
MD5:— | SHA256:— | |||
2920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ZFLLZ9YZR88WR9JCILJ.temp | — | |
MD5:— | SHA256:— | |||
3408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF140137.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
2920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF140483.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3012 | cmd.exe | C:\Users\admin\AppData\Local\Temp\~tmp_si.txt | text | |
MD5:0C536A2FE30C7CFA242D4CCCE6A305A1 | SHA256:12C5ABAFB768C9B98942B188768FF065119C569BC822AD571FF2530DC9692ECD | |||
3580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13c631.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
2920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA |
Domain | IP | Reputation |
---|---|---|
cloud-protection-service.bid |
| unknown |
e |
| unknown |