File name: extract-1707085645.958221-HTTP-FzgWuG2tF2TWaM4yo9

Full analysis: https://app.any.run/tasks/7605a489-6cb0-452b-8024-99bc0dde45a7
Verdict: Malicious activity
Analysis date: February 05, 2024, 05:59:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: evasion
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 1B5468F0B49CAD9BF4FD403FB60CB905
SHA1: AF35D451E0B58D952CCC1C92ACA3EE2A45492B48
SHA256: 037C0392711AA7F2E537613B1C63697370508CE190A4E3AD9B283F1B9B7327DA
SSDEEP: 192:JPePWaCc/z8ogJ6Ji2Jt9J9u8vwH3u879MTHlGYGlGSGfGDG3GXG3GAGeGBY:JPePgc/z8ogqtjJ9/vs3/7qTFLWHuiO7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 2620)
      • wscript.exe (PID: 2996)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1188)
      • powershell.exe (PID: 1684)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 2692)
  • SUSPICIOUS

    • Powershell scripting: start process

      • cmd.exe (PID: 684)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 684)
      • wscript.exe (PID: 2620)
      • wscript.exe (PID: 2996)
    • Application launched itself

      • cmd.exe (PID: 684)
    • Reads the Internet Settings

      • powershell.exe (PID: 3028)
      • wscript.exe (PID: 2620)
      • wscript.exe (PID: 2996)
      • powershell.exe (PID: 1684)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 684)
      • cmd.exe (PID: 336)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 684)
      • powershell.exe (PID: 3028)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 336)
    • The process executes VB scripts

      • cmd.exe (PID: 336)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 3028)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 2996)
      • wscript.exe (PID: 2620)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2620)
      • wscript.exe (PID: 2996)
    • Checks for external IP

      • powershell.exe (PID: 1684)
    • Unusual connection from system programs

      • powershell.exe (PID: 1684)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 2692)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 1684)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 684)
      • WINWORD.EXE (PID: 2788)
    • Create files in a temporary directory

      • csc.exe (PID: 2692)
      • cvtres.exe (PID: 2628)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 2692)
      • cvtres.exe (PID: 2628)
    • Checks supported languages

      • cvtres.exe (PID: 2628)
      • csc.exe (PID: 2692)
No Malware configuration.
No data.
Total processes: 89
Monitored processes: 45
Malicious processes: 5
Suspicious processes: 1

Behavior graph

start rundll32.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs cmd.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs powershell.exe no specs cmd.exe taskkill.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs timeout.exe no specs wscript.exe no specs wscript.exe no specs taskkill.exe no specs powershell.exe no specs powershell.exe csc.exe cvtres.exe no specs winword.exe no specs

Process information

PID | CMD | Path | Parent process
PID: 116 | CMD: C:\Windows\system32\cmd.exe /S /D /c" echo N " | Path: C:\Windows\System32\cmd.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 284 | CMD: schtasks /create /sc minute /mo 10 /tn "MyTasks\8" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\codrun.vbs\"" /RL HIGHEST /F | Path: C:\Windows\System32\schtasks.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 308 | CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\3" /TR "cmd.exe /C \"C:\Users\admin\AppData\Local\webs\backups.bat\"" /ST 16:34 /RL HIGHEST /F | Path: C:\Windows\System32\schtasks.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 312 | CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\9" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\codrun.vbs\"" /ST 12:34 /RL HIGHEST /F | Path: C:\Windows\System32\schtasks.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 336 | CMD: "C:\Windows\system32\cmd.exe" /K C:\Users\admin\AppData\Local\webs\win_updt.bat | Path: C:\Windows\System32\cmd.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 668 | CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\7" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\scr.vbs\"" /ST 21:33 /RL HIGHEST /F | Path: C:\Windows\System32\schtasks.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 684 | CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\extract-1707085645.958221-HTTP-FzgWuG2tF2TWaM4yo9a1.bat" " | Path: C:\Windows\System32\cmd.exe | Parent: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 892 | CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\7" /TR "wscript.exe \"C:\Users\admin\AppData\Local\webs\codrun.vbs\"" /ST 09:01 /RU "admin" | Path: C:\Windows\System32\schtasks.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 896 | CMD: SCHTASKS /Create /SC DAILY /TN "MyTasks\10" /tr "wscript.exe \"C:\Users\admin\AppData\Local\webs\codrun.vbs\"" /ST 15:34 /RL HIGHEST /F | Path: C:\Windows\System32\schtasks.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1188 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content -Path 'C:\Users\admin\AppData\Local\webs\dats'))))" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events: 7 201
Read events: 6 696
Write events: 365
Delete events: 140

Modification events

PID 3028 powershell.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 3028 powershell.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 3028 powershell.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 3028 powershell.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 2620 wscript.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 2620 wscript.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 2620 wscript.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 2620 wscript.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 2996 wscript.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 2996 wscript.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Executable files: 1
Suspicious files: 13
Text files: 23
Unknown types: 0

Dropped files

PID | Process | Filename | Type
684 | cmd.exe | C:\Users\admin\AppData\Local\webs\dat | text
  MD5: 9C10FA567C95933E5ED222067DCC8174
  SHA256: 9B0BC997AD5B880CB42B76AD88A49BFF671A876018116CB639FADF5CAD35A696
1188 | powershell.exe | C:\Users\admin\AppData\Local\Temp\t0guplye.xkg.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not recorded)
1188 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pxlxf2j5.uhk.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not recorded)
1188 | powershell.exe | C:\Users\admin\AppData\Local\webs\cp.dat | text
  MD5: 6ACDCBE082D626D5E9857E706D3F7CF9
  SHA256: 05568B1A258BB942AA6A4DFE31A2C93AF5906D52FC4709C2E7135DD146F0C6A6
1684 | powershell.exe | C:\Users\admin\AppData\Local\Temp\4rywwvnu.3qq.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not recorded)
2788 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB016.tmp.cvr | (no type)
  MD5: (not recorded)
  SHA256: (not recorded)
3028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\3di2b31a.tfn.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not recorded)
2692 | csc.exe | C:\Users\admin\AppData\Local\Temp\1ki2lbzs\1ki2lbzs.dll | executable
  MD5: BE7D537E5C65DD5F6228B2B72548265F
  SHA256: A7B3ACBEB30EAD036AA2AEFA4255331D27297B11479DCD40068D53894E305717
1684 | powershell.exe | C:\Users\admin\AppData\Local\Temp\o1fmtv5s.skx.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not recorded)
1188 | powershell.exe | C:\Users\admin\AppData\Local\Temp\1ki2lbzs\1ki2lbzs.cmdline | text
  MD5: 966129242E31F862B86FFA110338E35D
  SHA256: B66147AE5C504B4E381E912EF91449DE17F30399D0703238002786E1BA75D7DB
HTTP(S) requests: 25
TCP/UDP connections: 7
DNS requests: 2
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown
1684 | powershell.exe | POST | 200 | 172.67.200.221:80 | http://dll.lat//in.php | unknown | text | 6.12 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
352 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1220 | svchost.exe | 239.255.255.250:3702 | | | | unknown
1684 | powershell.exe | 34.117.186.192:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | unknown
1684 | powershell.exe | 172.67.200.221:80 | dll.lat | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
ipinfo.io | 34.117.186.192 | shared
dll.lat | 172.67.200.221, 104.21.13.172 | unknown

Threats

PID | Process | Class | Message
1684 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1684 | powershell.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
1684 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info