File name: | Invalid swift_pdf.vbs |
Full analysis: | https://app.any.run/tasks/433847b2-ff47-4775-9e7b-f1ad5d413213 |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 12:18:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | B315AA2457C2CC1DE2CB40017D981BB7 |
SHA1: | A04D5F1124F09F10260550E091BC1A71B540CAF2 |
SHA256: | F876AACF39D44F86748BAC0C0DDCAAEC27DC5CB095CA1037E16E0A0F104702B5 |
SSDEEP: | 1536:ejT4iF7BAAOe65McfV0NAHV0bKG8tC1z3/V0BF7BQF7BQF7BVWF7BQF7B7:ejT4i1BAAOe65hfV0NAHV0bKhCF/V0BL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1212 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Invalid swift_pdf.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2256 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\Invalid swift_pdf.vbs" | C:\Windows\System32\wscript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
(PID) Process: | (1212) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Invalid swift_pdf |
Operation: | write | Name: | |
Value: false - 5/15/2019 | |||
(PID) Process: | (1212) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Invalid swift_pdf |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\Invalid swift_pdf.vbs" | |||
(PID) Process: | (1212) WScript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Invalid swift_pdf |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\Invalid swift_pdf.vbs" | |||
(PID) Process: | (1212) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (1212) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2256) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Invalid swift_pdf |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\Invalid swift_pdf.vbs" | |||
(PID) Process: | (2256) wscript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Invalid swift_pdf |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\Invalid swift_pdf.vbs" | |||
(PID) Process: | (2256) wscript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2256) wscript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2256) wscript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1212 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invalid swift_pdf.vbs | text | |
MD5:B315AA2457C2CC1DE2CB40017D981BB7 | SHA256:F876AACF39D44F86748BAC0C0DDCAAEC27DC5CB095CA1037E16E0A0F104702B5 | |||
2256 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invalid swift_pdf.vbs | text | |
MD5:B315AA2457C2CC1DE2CB40017D981BB7 | SHA256:F876AACF39D44F86748BAC0C0DDCAAEC27DC5CB095CA1037E16E0A0F104702B5 | |||
1212 | WScript.exe | C:\Users\admin\AppData\Roaming\Invalid swift_pdf.vbs | text | |
MD5:B315AA2457C2CC1DE2CB40017D981BB7 | SHA256:F876AACF39D44F86748BAC0C0DDCAAEC27DC5CB095CA1037E16E0A0F104702B5 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2256 | wscript.exe | 194.5.99.53:5732 | — | — | FR | malicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com |
| shared |