File name:

WACT_AIO.bat

Full analysis: https://app.any.run/tasks/d983a259-2dbe-4c6a-804f-19fad72e9ab8
Verdict: Malicious activity
Analysis date: May 17, 2025, 21:00:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

79D81FFE01D8D526736E58C9D48324B3

SHA1:

450BCA55C673A17B9B8FD69799842755D0E2E2E0

SHA256:

30217AC7B9C113AEE33DAEFFB5B7ACA9C62F9F0A75E5636B2ECBB1F6ADCBD941

SSDEEP:

6144:I96cEqR1F6sCKKztZlKoi1PpNpNxUXE+v+5Ur:YVDVCKH1hNq0+W5Ur

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process executes VB scripts

      • cmd.exe (PID: 5072)
      • cmd.exe (PID: 7352)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7224)
      • cmd.exe (PID: 7352)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7224)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7224)

    • Manipulates environment variables

      • powershell.exe (PID: 7548)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7352)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7352)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7352)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 7352)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7908)

    • Unpacks CAB file

      • expand.exe (PID: 7992)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 7908)
      • expand.exe (PID: 7992)
      • cmd.exe (PID: 7352)

    • Process drops legitimate windows executable

      • expand.exe (PID: 7992)
      • cmd.exe (PID: 7352)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7352)

    • Executes script without checking the security policy

      • powershell.exe (PID: 7548)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 7516)
      • cscript.exe (PID: 920)
      • cscript.exe (PID: 7836)

    • Application launched itself

      • cmd.exe (PID: 7352)
      • ClipUp.exe (PID: 5244)

    • Hides command output

      • cmd.exe (PID: 516)

    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 7516)
      • cscript.exe (PID: 920)
      • cscript.exe (PID: 7836)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 7516)
      • cscript.exe (PID: 920)
      • cscript.exe (PID: 7836)

  • INFO

    • Checks supported languages

      • mode.com (PID: 1116)
      • mode.com (PID: 7432)
      • mode.com (PID: 7504)
      • chcp.com (PID: 7528)
      • cvtres.exe (PID: 7944)
      • expand.exe (PID: 7992)
      • csc.exe (PID: 7908)
      • gatherosstatemodified.exe (PID: 1628)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 1116)
      • mode.com (PID: 7504)
      • mode.com (PID: 7432)

    • Changes the display of characters in the console

      • cmd.exe (PID: 7352)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 7908)
      • expand.exe (PID: 7992)
      • gatherosstatemodified.exe (PID: 1628)

    • Create files in a temporary directory

      • cvtres.exe (PID: 7944)
      • csc.exe (PID: 7908)
      • ClipUp.exe (PID: 7448)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 920)
      • cscript.exe (PID: 7516)
      • cscript.exe (PID: 7836)

    • The sample compiled with english language support

      • expand.exe (PID: 7992)
      • cmd.exe (PID: 7352)

    • Reads the computer name

      • gatherosstatemodified.exe (PID: 1628)

    • Creates files in the program directory

      • ClipUp.exe (PID: 7448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
162
Monitored processes
33
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs mode.com no specs chcp.com no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe no specs csc.exe cvtres.exe no specs expand.exe powershell.exe no specs powershell.exe no specs cscript.exe no specs cmd.exe no specs reg.exe no specs gatherosstatemodified.exe no specs clipup.exe no specs clipup.exe no specs conhost.exe no specs cscript.exe no specs cscript.exe no specs slui.exe no specs rundll32.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516C:\WINDOWS\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nulC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
920cscript //nologo C:\WINDOWS\system32\slmgr.vbs -ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T C:\Windows\System32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116mode 76, 30C:\Windows\System32\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1196C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1628C:\WACTFILES\gatherosstatemodified.exe Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;DownlevelGenuineState=1C:\WACTFILES\gatherosstatemodified.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Gather Downlevel OS Activation State
Exit code:
0
Version:
10.0.14393.0 (rs1_release.160715-1616)
Modules
Images
c:\wactfiles\gatherosstatemodified.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
2284\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5072C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\WACT_AIO.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
5244clipup -v -o -altto C:\WACTFILESC:\Windows\System32\ClipUp.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Client License Platform migration tool
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\clipup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6712reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
7176NET FILE C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wkscli.dll
Total events
20 578
Read events
20 576
Write events
2
Delete events
0

Modification events

(PID) Process:(7224) wscript.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(7224) wscript.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
Executable files
4
Suspicious files
5
Text files
15
Unknown types
0

Dropped files

PID
Process
Filename
Type
7548powershell.exeC:\Users\admin\AppData\Local\Temp\z5yens0q\z5yens0q.cmdlinetext
MD5:C838EA70E5C42BD2AFD42F7E01B98369
SHA256:9A344602573BAFC9EB576FFDE662E621D10553148EA5396B912CA54315215348
7548powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0dbvmgjk.qjt.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7944cvtres.exeC:\Users\admin\AppData\Local\Temp\RESC9BA.tmpbinary
MD5:BEF304E58B2F3E6BAD2A3C29D3DEC55C
SHA256:8D6B012853C6CF55DF84ED5D5F007987DE9D5812A904DE585D3951F6F16CE3CC
7548powershell.exeC:\Users\admin\AppData\Local\Temp\z5yens0q\z5yens0q.0.cstext
MD5:047F0CF592670E8FCA358F12E4CD5A89
SHA256:32E77D9085AD9EA0FD1EB5A9556E29CB42F5D3016CCF9853F3C39D358F479978
7320powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5dscbpw2.irn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7548powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_55fgodtx.b0w.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7992expand.exeC:\Windows\Logs\DPX\setupact.logcsv
MD5:18B0CCDD9A5FF40D96C2DBAE599BEABC
SHA256:B0296D916DC62D298863DAAF75896DC2B82A6010FFC81B02569BFDC16FEB301C
7548powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:2CA2E3744FD3F876415520ECB5C5F5E2
SHA256:227E3AE2A8DEADCDCCFEA9132E48898B32253CDC479DC517ABBFCBB6C2702A28
1628gatherosstatemodified.exeC:\WACTFILES\GenuineTicket.xmlxml
MD5:2B535781DCE7F9BD70E5DB54054BCFA3
SHA256:3DFDCC51DA56C0BC0528DA539986D8BB3F81219981B2B486E66209ACEE0C15FC
7352cmd.exeC:\WACTFILES\gatherosstatemodified.exeexecutable
MD5:892FAE48577E46EABD9FBBC4107D924C
SHA256:4A6EBF681B69C0D28EBF51E6E6DA05974DC1166502B174293BC6585B0814DA7B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5156
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5156
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.19
  • 23.216.77.12
  • 23.216.77.21
  • 23.216.77.11
  • 23.216.77.15
  • 23.216.77.18
  • 23.216.77.16
  • 23.216.77.7
  • 23.216.77.20
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.68
  • 40.126.31.128
  • 20.190.159.130
  • 40.126.31.1
  • 40.126.31.130
  • 40.126.31.67
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WACT_AIO.bat