File name: | 6.ps1 |
Full analysis: | https://app.any.run/tasks/2410491f-796b-4173-8524-d32dc149462a |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 15:06:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 8C837DC092FB0E79C8DB32EBFAED2DD0 |
SHA1: | 222CDDD11BE2B67236538D15F2313DBC90803CD0 |
SHA256: | 5D51B10A401C8E6CC935960291E24FFE4CF91E2A5601F7D1A81E7F6783BCD579 |
SSDEEP: | 48:nKQ9xMK9ONUKwtfZSKSxUfYIwCk2GBfbGnbU:KcMK9ayfZ3STT28bGn4 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3576 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\6.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2288 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\6.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4044 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\admin\Desktop\6.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell ISE Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3632 | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | — | services.exe |
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: PresentationFontCache.exe Version: 3.0.6920.4902 built by: NetFXw7 | ||||
184 | "C:\Windows\system32\rundll32.exe" InetCpl.cpl ClearMyTracksByProcess 260 | C:\Windows\system32\rundll32.exe | — | powershell_ise.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
324 | "C:\Windows\system32\rundll32.exe" /s C:\Users\admin\AppData\Local\Temp\zdwnkzae. DllRegisterServer | C:\Windows\system32\rundll32.exe | — | powershell_ise.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3708 | "C:\Windows\system32\rundll32.exe" InetCpl.cpl ClearMyTracksByProcess 260 | C:\Windows\system32\rundll32.exe | — | powershell_ise.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3360 | "C:\Windows\system32\rundll32.exe" /s C:\Users\admin\AppData\Local\Temp\yfj1mkx3. DllRegisterServer | C:\Windows\system32\rundll32.exe | — | powershell_ise.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0WUFGTCAQN9K17T27JV6.temp | — | |
MD5:— | SHA256:— | |||
2288 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GB0VPFZ07R6QZZM2RV1K.temp | — | |
MD5:— | SHA256:— | |||
184 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DF9F4878A370F4246D.TMP | — | |
MD5:— | SHA256:— | |||
184 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DF56719DC3C9686DFD.TMP | — | |
MD5:— | SHA256:— | |||
184 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DFF428739594C186B7.TMP | — | |
MD5:— | SHA256:— | |||
184 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DF48D133BD0B27C86A.TMP | — | |
MD5:— | SHA256:— | |||
3708 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DFA02F66965C416B20.TMP | — | |
MD5:— | SHA256:— | |||
3708 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DFD3CC27951DE8BB55.TMP | — | |
MD5:— | SHA256:— | |||
3708 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DFF2794A23EEFC18FB.TMP | — | |
MD5:— | SHA256:— | |||
3708 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\~DFC47C87F026D93CAF.TMP | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4044 | powershell_ise.exe | 185.158.249.75:443 | woeiuyfgowe.xyz | easystores GmbH | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
woeiuyfgowe.xyz |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
4044 | powershell_ise.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
Process | Message |
---|---|
powershell_ise.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
powershell_ise.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
powershell_ise.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
powershell_ise.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
powershell_ise.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
powershell_ise.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
powershell_ise.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
powershell_ise.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
powershell_ise.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
powershell_ise.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|