File name:

EXM Free Tweaking Utility V8.0.cmd

Full analysis: https://app.any.run/tasks/060b46bb-8128-40e3-8ba1-385be19c356f
Verdict: Malicious activity
Analysis date: February 28, 2025, 13:12:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, Unicode text, UTF-8 (with BOM) text, with very long lines (317), with CRLF line terminators, with escape sequences
MD5:

E17E2F80F64E47C3768C6C75D524CFF7

SHA1:

C17B4F40AF3A174A25FACB868484FF74703F6DCF

SHA256:

2235BE0F8A32639BD03BEBD845C810C7FE49AD6A4AF9D86C319B2CE8DFFCBC36

SSDEEP:

3072:CdWMAw74qzKs4R3RWMF3bCXCs7sJNgKVs49VFx:CW3bCXCs7sJNgKVsWVv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 5332)
      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 8180)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5332)
      • cmd.exe (PID: 4424)
      • powershell.exe (PID: 7948)
      • cmd.exe (PID: 8180)
      • cmd.exe (PID: 8096)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 8180)

    • Uses WMIC.EXE to obtain user accounts information

      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 5164)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 8180)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 8180)

    • Executing commands from ".cmd" file

      • cmd.exe (PID: 5332)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 5164)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 5332)
      • powershell.exe (PID: 7948)
      • cmd.exe (PID: 8096)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 8180)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 4424)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 8180)

  • INFO

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1276)
      • WMIC.exe (PID: 1272)

    • Checks supported languages

      • chcp.com (PID: 7256)
      • chcp.com (PID: 7832)
      • chcp.com (PID: 7924)
      • chcp.com (PID: 8152)
      • curl.exe (PID: 7500)
      • chcp.com (PID: 5008)
      • chcp.com (PID: 7588)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7284)

    • Changes the display of characters in the console

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 8180)

    • Create files in a temporary directory

      • curl.exe (PID: 7500)

    • Execution of CURL command

      • cmd.exe (PID: 8180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
43
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs chcp.com no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs chcp.com no specs timeout.exe no specs timeout.exe no specs chcp.com no specs powershell.exe no specs cmd.exe conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs chcp.com no specs powershell.exe no specs SPPSurrogate no specs reg.exe no specs reg.exe no specs reg.exe no specs chcp.com no specs timeout.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs chcp.com no specs curl.exe powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1088Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
1164powershell -NoProfile Enable-ComputerRestore -Drive 'C:\' C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
1272wmic path Win32_UserAccount where name="admin" get sid C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1276wmic path Win32_UserAccount where name="admin" get sid C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2320C:\WINDOWS\system32\cmd.exe /c wmic path Win32_UserAccount where name="admin" get sid | findstr "S-"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
2384\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3240C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
3304Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
4040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4424cmd /c "C:\Users\admin\Desktop\EXM Free Tweaking Utility V8.0.cmd.bat" max C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events
21 201
Read events
21 194
Write events
4
Delete events
3

Modification events

(PID) Process:(7948) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(7948) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(3240) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
Operation:writeName:{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value:
\\?\Volume{2f5c5e72-85a9-11eb-90a8-9a9b76358421}\:(C%3A)
(PID) Process:(3240) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Leases
Operation:delete valueName:{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value:
(PID) Process:(3304) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:delete valueName:RPSessionInterval
Value:

(PID) Process:(5376) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:writeName:SystemRestorePointCreationFrequency
Value:
0
(PID) Process:(1088) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:delete valueName:DisableConfig
Value:
Executable files
0
Suspicious files
1
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
7284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_miiazcyn.a5w.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7948powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_icpl3k1u.32o.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7284powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:D20C49761CEDEA2CC3DA0089F4D573E1
SHA256:C6B8489223D210F76D38FE7FAE6FACD33F7D0F96A3063BC18FF9D651C8B9B9DD
7284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eo0a1svx.noj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7568powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3nhjtarp.0ko.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7288powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ubgpftjg.r1z.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7948powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_msv3olbo.pcc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1164powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rshakdn5.5gs.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7500curl.exeC:\Users\admin\AppData\Local\Temp\exm.zipxml
MD5:1EC31972EC65A65470D3B5D790C1F401
SHA256:664F2B1654C363A6348B688D5D475ED9EC0E7EF3C72F6F315F37FE97A2FE63EB
7568powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vfcl2cmw.sod.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
26
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7500
curl.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.110
whitelisted
github.com
  • 140.82.121.3
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
EXM Free Tweaking Utility V8.0.cmd