Malware analysis en-us_windows_11_consumer_editions_version_23h2_updated_jan_2025_x64_dvd_f078c50e.iso.cmd Malicious activity

Add for printing

File name:	en-us_windows_11_consumer_editions_version_23h2_updated_jan_2025_x64_dvd_f078c50e.iso.cmd
Full analysis:	https://app.any.run/tasks/7152ee55-e864-4366-8ea1-ab1df2892ef5
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 10:41:00
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text
MD5:	C3506B665EF2C2664CD2277EC8C8AAFE
SHA1:	0213E8602BF8E7D901914B0ADC5EB1E1E93D3E93
SHA256:	002BB776120A094252EEF3C73F1FAD207EDFF754D8155EEDF3AB5D2B38222981
SSDEEP:	48:z/sWwWfC0Uymve1bIJOepRSY0y1Wg7rwekEny3fRvbuLL8Ui:z7wWfpukleSY06Xwe/yvluLIUi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Downloads files via BITSADMIN.EXE
  - cmd.exe (PID: 5972)
SUSPICIOUS
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 7184)
- Application launched itself
  - cmd.exe (PID: 5972)
- Drops 7-zip archiver for unpacking
  - expand.exe (PID: 8120)
- The executable file from the user directory is run by the CMD process
  - aria2c.exe (PID: 4608)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 5972)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 5972)
- Executable content was dropped or overwritten
  - expand.exe (PID: 8120)
INFO
- Uses BITSADMIN.EXE
  - cmd.exe (PID: 7184)
- Checks supported languages
  - expand.exe (PID: 8120)
- Reads the machine GUID from the registry
  - expand.exe (PID: 8120)
- Create files in a temporary directory
  - expand.exe (PID: 8120)
  - aria2c.exe (PID: 4608)
- The sample compiled with english language support
  - expand.exe (PID: 8120)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 1532)
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 1532)
  - BackgroundTransferHost.exe (PID: 4944)
- Checks operating system version
  - cmd.exe (PID: 5972)
- Checks proxy server information
  - BackgroundTransferHost.exe (PID: 1532)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

920

C:\WINDOWS\system32\cmd.exe /c type "C:\Users\admin\AppData\Local\Temp\16212\list.txt"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

1532

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

2340

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4608

"C:\Users\admin\AppData\Local\Temp\bin\aria2c.exe" -x1 -s1 -d"C:\Users\admin\AppData\Local\Temp\16212" -o"list.txt" "https://files.rg-adguard.net/file/5bdd7dfb-55d0-930c-dc3d-296b106a9aa1/list" --disable-ipv6

C:\Users\admin\AppData\Local\Temp\bin\aria2c.exe

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\bin\aria2c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4724

C:\WINDOWS\system32\cmd.exe /c type "C:\Users\admin\AppData\Local\Temp\16212\list.txt"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

4944

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

5392

CHOICE /c fs /n /m "Save all or just the requested file?"

C:\Windows\System32\choice.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Offers the user a choice

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

5972

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\en-us_windows_11_consumer_editions_version_23h2_updated_jan_2025_x64_dvd_f078c50e.iso.cmd.bat" "

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

7184

C:\WINDOWS\system32\cmd.exe /c bitsadmin.exe /CREATE /DOWNLOAD "Download Tools" | findstr "Created job"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

7200

bitsadmin.exe /CREATE /DOWNLOAD "Download Tools"

C:\Windows\System32\bitsadmin.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

BITS administration utility

Exit code:

Version:

7.8.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\bitsadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll

Add for printing

Total events

2 163

Read events

2 148

Write events

Delete events

Modification events


(PID) Process:	(4944) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4944) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4944) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1532) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1532) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1532) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7780) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7780) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7780) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8060) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1532	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0e32f44c-2922-41b2-830d-bec97aaee1db.down_data		—
		MD5:—	SHA256:—
4608	aria2c.exe	C:\Users\admin\AppData\Local\Temp\16212\list.txt		text
		MD5:D5BBFE263DB73512322AE3700C6C817A	SHA256:5E86909D401809A2FB79A67B926B61E84CA899B81BF12EC27CC767680507E330
8120	expand.exe	C:\Users\admin\AppData\Local\Temp\bin\aria2c.exe		executable
		MD5:8C71B86BF407C05BAF11E8D296B9C8B8	SHA256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
8120	expand.exe	C:\Users\admin\AppData\Local\Temp\bin\smv.exe		executable
		MD5:F3C45AE821B803E521B9E14B4B87EB1A	SHA256:93FBA2D50921565BCF283075BB3B8195F2B9B10719EC5123FBF06EA596A782B4
8120	expand.exe	C:\Users\admin\AppData\Local\Temp\bin\7z.dll		executable
		MD5:4E35A902CA8ED1C3D4551B1A470C4655	SHA256:77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9
8120	expand.exe	C:\Users\admin\AppData\Local\Temp\bin\7z.exe		executable
		MD5:9A1DD1D96481D61934DCC2D568971D06	SHA256:8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525
1532	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0e32f44c-2922-41b2-830d-bec97aaee1db.1222ec27-d900-4b58-81e8-5ad53c88ea68.down_meta		binary
		MD5:536D3E94AF5D28EC82476BDCE92CCB98	SHA256:FADECE6E49FD9DA9ADBA81509FE3645AEE42757511E10F642FD0FCCBA71BC128
1532	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:4872BABAF39AA62B8D32695EBB7E9173	SHA256:2EE85DF86EE29BBEB3DCA81AA29B6DE204F605A2769B84C728A329178A2D0999
1532	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:ED43BC5747817645AC7B39D87F1C3EF4	SHA256:F90E8B06011505AE3C0C16884410170C7AF734B40127F9998BF27E2C47F2F312
1532	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\58cea788-3e3d-4281-a91f-c94af544c4f6.up_meta_secure		binary
		MD5:703A0750007178F1493ABB34138DACE7	SHA256:033CC6871082231F58C481F83A184A3C35D19F92CD799D67989B1E2F9EFFD09C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.53.41.90:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.53.41.90:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
756	lsass.exe	GET	200	216.58.206.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
756	lsass.exe	GET	200	216.58.206.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
1532	BackgroundTransferHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7620	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5344	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5344	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	23.53.41.90:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	23.53.41.90:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3812	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	40.126.31.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.53.41.90 23.53.40.176	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	40.126.31.130 20.190.159.130 40.126.31.67 40.126.31.3 20.190.159.0 40.126.31.0 40.126.31.69 20.190.159.128	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
files.rg-adguard.net	104.21.96.1 104.21.48.1 104.21.112.1 104.21.32.1 104.21.16.1 104.21.80.1 104.21.64.1	whitelisted
arc.msn.com	20.31.169.57	whitelisted
c.pki.goog	216.58.206.35	whitelisted
www.bing.com	2.23.227.208 2.23.227.221 2.23.227.215	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

en-us_windows_11_consumer_editions_version_23h2_updated_jan_2025_x64_dvd_f078c50e.iso.cmd

C3506B665EF2C2664CD2277EC8C8AAFE

0213E8602BF8E7D901914B0ADC5EB1E1E93D3E93

002BB776120A094252EEF3C73F1FAD207EDFF754D8155EEDF3AB5D2B38222981

48:z/sWwWfC0Uymve1bIJOepRSY0y1Wg7rwekEny3fRvbuLL8Ui:z7wWfpukleSY06Xwe/yvluLIUi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Downloads files via BITSADMIN.EXE

SUSPICIOUS

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

Drops 7-zip archiver for unpacking

The executable file from the user directory is run by the CMD process

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Executable content was dropped or overwritten

INFO

Uses BITSADMIN.EXE

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

The sample compiled with english language support

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Checks operating system version

Checks proxy server information

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings