File name: | in3.ps1 |
Full analysis: | https://app.any.run/tasks/0a0bc1e9-b241-4c0d-8e8f-72ddadb0a1bb |
Verdict: | Malicious activity |
Analysis date: | September 11, 2019, 02:10:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | 1AAFB3096F879F7463A5A3F97D3C38A6 |
SHA1: | 9B9B9CA10266C92F67C04C04B2F61E29F0AC9559 |
SHA256: | 64BE37C0094032D1DD6367042E2ADE7094AAC954692CCE8380CFE97D4223AE20 |
SSDEEP: | 49152:enxlB4rYCK+0KbtI4mjkSNn4CY4Yqj1LjmmxDWau:d |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2924 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\in3.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4012 | "C:\Windows\system32\schtasks.exe" /delete /tn sysupdater0 /f | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2660 | "C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3244 | "C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3740 | "C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 | C:\Windows\system32\powercfg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2296 | "C:\Windows\system32\NETSTAT.EXE" -anop tcp | C:\Windows\system32\NETSTAT.EXE | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2376 | "C:\Windows\system32\schtasks.exe" /delete /tn sysupdater0 /f | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3008 | "C:\Windows\system32\powercfg.exe" /CHANGE -standby-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3496 | "C:\Windows\system32\powercfg.exe" /CHANGE -hibernate-timeout-ac 0 | C:\Windows\system32\powercfg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4008 | "C:\Windows\system32\powercfg.exe" -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 | C:\Windows\system32\powercfg.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Power Settings Command-Line Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5KGWD8BVVRAMH9NDJ8MX.temp | — | |
MD5:— | SHA256:— | |||
2924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF168f25.TMP | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
2924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/in3.ps1 | US | text | 3.31 Mb | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
2924 | powershell.exe | GET | 200 | 128.14.23.149:8000 | http://profetestruec.net:8000/banner | US | text | 14 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2924 | powershell.exe | 128.14.23.149:8000 | profetestruec.net | Zenlayer Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
profetestruec.net |
| malicious |