File name: | tela azul.bat |
Full analysis: | https://app.any.run/tasks/002c25f8-bd49-455a-9128-49d8f41954c3 |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 21:26:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | 4F62FE594A8D97775E80C8FCD251F28D |
SHA1: | ED7DE7E18006579FF128C8AA3D05276211A8FA11 |
SHA256: | 87AF7310A324F05CBAFB337B491454C513324F64723391D64D1CE521DC8E8108 |
SSDEEP: | 3:nnWsTaXACoviAnWscWmIn:nWyaKvnW0/ |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1580 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tela azul.bat" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2480 | taskkill /f /im svchost.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
588 | taskkill /f /im system | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2296 | "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\New Text Document.bat | C:\Windows\System32\NOTEPAD.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3372 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\New Text Document.bat" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3804 | taskkill svchost.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2952 | taskkill system | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2256 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\New Text Document.bat" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2660 | taskkill svchost.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1684 | taskkill system | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3352) opera.exe | Key: | HKEY_CURRENT_USER\Software\Opera Software |
Operation: | write | Name: | Last CommandLine v2 |
Value: C:\Program Files\Opera\opera.exe | |||
(PID) Process: | (3352) opera.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: A9368C7E0E000000 | |||
(PID) Process: | (4000) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 96E18D7E0E000000 | |||
(PID) Process: | (4044) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: ED0D9E7E0E000000 | |||
(PID) Process: | (2792) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 3E6EA07E0E000000 | |||
(PID) Process: | (3180) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: E350B87E0E000000 | |||
(PID) Process: | (2924) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 20F8B97E0E000000 | |||
(PID) Process: | (4000) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
(PID) Process: | (4000) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2296 | NOTEPAD.EXE | C:\Users\admin\Desktop\New Text Document.txt | text | |
MD5:804EEA9917D99A77038E796139BCF009 | SHA256:B79994368B4367AB18C14DE2C848D6AD5AE0048B7941B84A055DAD34F73FD52C | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:A085B872B8A36D007530C6E515680AA1 | SHA256:A72D5ADDF56AB9B36C12865D7A759B02250E025F90626C8327DEC33CA5469BE3 | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr3659.tmp | text | |
MD5:A085B872B8A36D007530C6E515680AA1 | SHA256:A72D5ADDF56AB9B36C12865D7A759B02250E025F90626C8327DEC33CA5469BE3 | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:89A0E0E38999A1C615A64056E7AC34B8 | SHA256:790D5340BABE18030E433D241B5D169E231F2B9A4BB56A5812E04BC735BD46B3 | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | |
MD5:4482829514E248F5B4F5A922338C7B75 | SHA256:9C979EA1EE0F862B6C3B4611EF6C81756A5E635F98D65AC2E1898D059A1DAC40 | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr36A8.tmp | xml | |
MD5:4482829514E248F5B4F5A922338C7B75 | SHA256:9C979EA1EE0F862B6C3B4611EF6C81756A5E635F98D65AC2E1898D059A1DAC40 | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF1094165.TMP | binary | |
MD5:DBC8C3C79F0DFF4745A5E25E13611AEF | SHA256:70C54F2C53CF246603B8DE4755D95C5AA51BF4B232340BEA5879724A1F84F675 | |||
3352 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat | binary | |
MD5:1AA8644C9261DC10F7247F6A145C1DD2 | SHA256:58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3 | |||
3352 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp | html | |
MD5:7F077F1FCE3D566040B0D69EB1F27D8F | SHA256:487AD0D2CF075F4328A1ADF57EF428759AD4E2C873A8EBD2AD9653990829C9CF | |||
4000 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3352 | opera.exe | GET | 301 | 23.35.238.110:80 | http://www.amazon.co.uk/exec/obidos/redirect-home/opspeeddial-norway-21 | US | — | — | whitelisted |
3352 | opera.exe | GET | — | 23.35.238.110:80 | http://www.amazon.co.uk/exec/obidos/redirect-home/opspeeddial-norway-21 | US | — | — | whitelisted |
3352 | opera.exe | GET | 301 | 23.35.238.110:80 | http://www.amazon.co.uk/exec/obidos/redirect-home/opspeeddial-norway-21 | US | — | — | whitelisted |
3352 | opera.exe | GET | 301 | 23.35.238.110:80 | http://www.amazon.co.uk/exec/obidos/redirect-home/opspeeddial-norway-21 | US | — | — | whitelisted |
4000 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3352 | opera.exe | GET | 200 | 93.184.220.29:80 | http://s.symcb.com/pca3-g5.crl | US | der | 834 b | whitelisted |
3352 | opera.exe | GET | 400 | 185.26.182.94:80 | http://sitecheck2.opera.com/?host=redir.opera.com&hdn=H0WKpMbVXsif0I8OJoRVZA== | unknown | html | 150 b | whitelisted |
3352 | opera.exe | GET | 302 | 185.26.182.109:80 | http://redir.opera.com/speeddials/amazon/ | unknown | html | 329 b | whitelisted |
3352 | opera.exe | GET | 400 | 185.26.182.94:80 | http://sitecheck2.opera.com/?host=www.amazon.co.uk&hdn=GnMPVW003l2SdK9PNfwsSg== | unknown | html | 150 b | whitelisted |
3352 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 740 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3352 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3352 | opera.exe | 93.184.220.29:80 | crl3.digicert.com | EDGECAST | GB | whitelisted |
3352 | opera.exe | 185.26.182.109:80 | redir.opera.com | Opera Software AS | — | unknown |
3352 | opera.exe | 143.204.209.194:443 | m.media-amazon.com | AMAZON-02 | US | unknown |
3352 | opera.exe | 23.35.238.110:80 | www.amazon.co.uk | AKAMAI-AS | DE | unknown |
3352 | opera.exe | 23.35.238.110:443 | www.amazon.co.uk | AKAMAI-AS | DE | unknown |
4000 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
3352 | opera.exe | 185.26.182.94:80 | certs.opera.com | Opera Software AS | — | whitelisted |
4000 | firefox.exe | 93.184.220.29:80 | crl3.digicert.com | EDGECAST | GB | whitelisted |
4000 | firefox.exe | 35.161.188.203:443 | location.services.mozilla.com | AMAZON-02 | US | unknown |
Domain | IP | Reputation |
---|---|---|
certs.opera.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
redir.opera.com |
| whitelisted |
sitecheck2.opera.com |
| whitelisted |
www.amazon.co.uk |
| whitelisted |
crl4.digicert.com |
| whitelisted |
s.symcb.com |
| whitelisted |
m.media-amazon.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4000 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
4000 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2792 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2792 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2924 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2924 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |