| Field | Value |
|---|---|
| File name | suspicious.ps1 |
| Full analysis | https://app.any.run/tasks/19a2a062-7dc0-4663-a9e5-2ab776d09384 |
| Verdict | Malicious activity |
| Analysis date | June 27, 2022, 10:51:06 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME | text/plain |
| File info | ASCII text |
| MD5 | 409FAC3B7553DF58F9B974047977E300 |
| SHA1 | EB4D8C3764DA249EDC642005AB09A44DB74D22F3 |
| SHA256 | 91035E797F626839CCEC9F7EA9927605E3FC20C2F637678E4F98ED095D09ABA2 |
| SSDEEP | 48:R0KDB31orI2JSmz0gH+RP3kOfDJEc+2NxW+ma4sC7wnwN637vtIJXV6/:R0uBKIawgeRP0OfDP/u+mYCMnwemFe |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1000 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\suspicious.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | Explorer.EXE |

Process details (PID 1000): User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDZDMOVMERJO2YLZ7APY.temp | binary | 65E2FAFEBB18B602C4CE6726C6221464 | 81F9642D5E529577EAE99C9D8DE96882D031C1DF780DDE31D0B3E525E08D347C |
| 1000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 65E2FAFEBB18B602C4CE6726C6221464 | 81F9642D5E529577EAE99C9D8DE96882D031C1DF780DDE31D0B3E525E08D347C |
| 1000 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | D3C284009A5790C3AA90D7C5D620CA65 | 6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39 |
| 1000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf985e.TMP | binary | CCFCF369F751CE8DA0370D84E52A7EED | 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9 |
| 1000 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jlijjdoh.h4r.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| 1000 | powershell.exe | C:\Users\admin\AppData\Local\Temp\qxo20hky.hwo.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1000 | powershell.exe | 104.21.66.80:443 | playkooblni.com | Cloudflare Inc | US | unknown |
| 1000 | powershell.exe | 172.67.157.132:443 | playkooblni.com | — | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| playkooblni.com | | unknown |
| dns.msftncsi.com | | shared |