File name: | Remmitance Copy.js |
Full analysis: | https://app.any.run/tasks/62e8a841-c851-422f-8974-4544b5bb6def |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 16:32:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators |
MD5: | 821A6D89CA3378D14B05EB10144814D0 |
SHA1: | CAF5D87117254C4EC92C78A9A08ED577F1A57C10 |
SHA256: | E0299EC97F4E882600B5583FCED3A5191443C2B43B531ABCC06E535ED96C8B0D |
SSDEEP: | 192:VNgnrKVQXKYwGSJHMbzL3iufHZOxu83yk:VerKVQXKYTyHMbzLNf0u83yk |
.txt | | | Text - UTF-16 (LE) encoded (66.6) |
---|---|---|
.mp3 | | | MP3 audio (33.3) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2832 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2584 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3544 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
924 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 | ||||
3088 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2268 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Windows\System32\wscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3956 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
3036 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Windows\System32\wscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 | ||||
2888 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
3708 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js" | C:\Windows\System32\wscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2832 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remmitance Copy.js | text | |
MD5:821A6D89CA3378D14B05EB10144814D0 | SHA256:E0299EC97F4E882600B5583FCED3A5191443C2B43B531ABCC06E535ED96C8B0D | |||
3604 | notepad++.exe | C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js | text | |
MD5:7F5808FCFBDC13890EA8647FBC178CA1 | SHA256:1D43E8264BD357B314E1003202356AE45B96D3DADAD2AE494342D9A8920C815F | |||
3544 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:D2190EA6B5CFD7AD5154CF0FAA4F6703 | SHA256:4F20AF8512D007D6FC153DF50990C118228F2DAFF0632AFB08F65B89E608E82C | |||
3956 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:200B2AAFD04E2B323A4DBA550CA8435C | SHA256:62B21B4133322A3B96331F179C681343927E4FDD2801279792A1CAB4BBA65A4E | |||
3956 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\backup\Remmitance Copy.js@2018-12-18_163550 | text | |
MD5:91BC1683F820D7C630B23D7A6D925A82 | SHA256:473798B9FAF916BB307FAA0FC3786AD5A4D6F040B2471346C52047D71A9C0A14 | |||
3544 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\backup\Remmitance Copy.js@2018-12-18_163406 | text | |
MD5:0D7A4C29B1342965D3E69EB61D7E3620 | SHA256:5A9E774FD926025FA054EC6AB2A4E7EA2A4922E50C687D573E5F169B53242D9C | |||
3544 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text | |
MD5:F70F579156C93B097E656CABA577A5C9 | SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4 | |||
3544 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:31401E84150FDD475E79C0F607AF1D50 | SHA256:AB20E3EAE7C4EF474F9C4C279BB5A94578E39EB2E363826065D3B037F367EC9D | |||
3544 | notepad++.exe | C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js | text | |
MD5:D40003800559CC25DB961F2418F0236B | SHA256:C787FBA0A36EDB8117E3DB936221D1BE89BB51CA2FAAFC5418263EC053595C1A | |||
2888 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:200B2AAFD04E2B323A4DBA550CA8435C | SHA256:62B21B4133322A3B96331F179C681343927E4FDD2801279792A1CAB4BBA65A4E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.186.32:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | unknown | der | 471 b | whitelisted |
— | — | GET | 200 | 2.16.186.32:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | unknown | der | 727 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 2.16.186.32:80 | ocsp.usertrust.com | Akamai International B.V. | — | whitelisted |
924 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
2832 | WScript.exe | 185.158.139.173:1114 | — | Keyweb AG | DE | malicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com |
| shared |
notepad-plus-plus.org |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|