| Field | Value |
|---|---|
| File name | 1.bat |
| Full analysis | https://app.any.run/tasks/6b2eba81-92b8-41b9-a272-7109b3cdfd07 |
| Verdict | Malicious activity |
| Analysis date | June 16, 2019, 16:21:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MIME | text/x-msdos-batch |
| File info | DOS batch file, ISO-8859 text, with CRLF line terminators |
| MD5 | F65D2D9F5063DF04193D11182C21D53B |
| SHA1 | BB93F26FC4ECDE755F68FFDB12959ABF4EC72B80 |
| SHA256 | FAB0F8423BB4B64DB0526E9B4D356CB705AE84DAA2428C714FCE877DAF43FB53 |
| SSDEEP | 48:dJZk7y4GaDvK9TweGaTweGOveCBrTJWeG5TJe+NGjxyfviocf/jJZOkpoVVYDNvC:dwZGajKZkykOvX8llsjxACHoAJC |

| PID | Command line | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3088 | `cmd /c ""C:\Users\admin\Desktop\1.bat" "` | C:\Windows\system32\cmd.exe | — | explorer.exe |
| 3820 | `mshta vbscript:createobject("wscript.shell").run("""1.bat"" h",0)(window.close)` | C:\Windows\system32\mshta.exe | — | cmd.exe |
| 2928 | `cmd /c ""C:\Users\admin\Desktop\1.bat" h"` | C:\Windows\system32\cmd.exe | — | mshta.exe |
| 4044 | `more +103 0.txt` | C:\Windows\system32\more.com | — | cmd.exe |
| 3964 | `more +125 0.txt` | C:\Windows\system32\more.com | — | cmd.exe |
| 2628 | `C:\Windows\system32\cmd.exe /c dir h /a-d /b /s *.exe *.jpg` | C:\Windows\system32\cmd.exe | — | cmd.exe |
| 2984 | `C:\Windows\system32\cmd.exe /c "dir /a/s/b/on *.exe *.jpg"` | C:\Windows\system32\cmd.exe | — | cmd.exe |
| 3272 | `rar.exe a -hp8npwhhfezlvlltuvflsssqmo7wbsnvkvicgagt4w 解密lucknum-ftjgdp.rar 4.txt 0.bat rar.exe` | C:\Users\admin\Desktop\Rar.exe | — | cmd.exe |
| 2608 | `"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\1.vbs"` | C:\Windows\System32\WScript.exe | — | cmd.exe |
| 2756 | `more +1 5.txt` | C:\Windows\system32\more.com | — | cmd.exe |

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 3088 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3820 | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | 0 | 8.00.7600.16385 (win7_rtm.090713-1255) |
| 2928 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 4044 | admin | Microsoft Corporation | MEDIUM | More Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3964 | admin | Microsoft Corporation | MEDIUM | More Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2628 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2984 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3272 | admin | Alexander Roshal | MEDIUM | Command line RAR | 0 | 5.60.0 |
| 2608 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
| 2756 | admin | Microsoft Corporation | MEDIUM | More Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3820 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 3820 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 2928 | cmd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 2928 | cmd.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 2688 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosX | 66 |
| 2688 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosY | 66 |
| 2688 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosDX | 960 |
| 2688 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosDY | 501 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2928 | cmd.exe | C:\Users\admin\Desktop\a.tmp | — | — | — |
| 2928 | cmd.exe | C:\Users\admin\Desktop\1.vbs | text | F3D33E78CC6B8A13AADCB802D9A05B0E | 339BDC6EE550CE9A8E05008068DDC1903CDE79AF4956DC1615BFF57289E9C194 |
| 2928 | cmd.exe | C:\Users\admin\Desktop\0.txt | text | C007864E27067DA8595F2CF68651E840 | 60C476F0CE9B0FA6BA40BC2A36D15ED205A06DF725697FE736654C30329C68C2 |
| 2928 | cmd.exe | C:\Users\admin\Desktop\2.txt | text | E421D285D7FC286F5129630527F71920 | AC69C835D475752CC19CE31342B24A1D548E5590AE4C91254B556C5AF87912CF |
| 2928 | cmd.exe | C:\Users\admin\Desktop\0.bat | text | C007864E27067DA8595F2CF68651E840 | 60C476F0CE9B0FA6BA40BC2A36D15ED205A06DF725697FE736654C30329C68C2 |
| 2928 | cmd.exe | C:\Users\admin\Desktop\4.txt | text | 27C774A56038A46141B5DDD6CB06D395 | C2281BCEC1FE84C756263DC17B2EADFDD110BDFB4AAC7816290C0D0D89111D8A |
| 2928 | cmd.exe | C:\Users\admin\Desktop\3.txt | text | 5163D32B7C71E117BE13F5C351792C63 | 0594A1306E98DBCA0EF8993CAD3348B45056B1A2F17E61DCB14B43380E0FF5D3 |
| 2928 | cmd.exe | C:\Users\admin\Desktop\1.txt | text | A014C0C0D28C66D122006EE410A8CABA | 448DBFEE9876C65D4B8DDC5C5C8DD8CB9CC37A09ED4B55A8B9A656CD8C9EC030 |
| 2928 | cmd.exe | C:\Users\admin\Desktop\5.txt | text | 640AFFFC0B7DBC05B53837755F064E9E | E3A197ACCDB99EEC4AC2FC659C71B8930929DA26798049E890E413E28D0E6C39 |
| 2928 | cmd.exe | C:\Users\admin\Desktop\解压lucknum运行0bat解密.txt | text | E5455CCC46B9A25506A2834E41CE60C4 | 74CA8E139277F8C11125B7C39AB978B9CACF97232BBD8E431E4421A41A4A5575 |