File name: sample.bat

Full analysis: https://app.any.run/tasks/683a3905-643e-49f9-bbbb-c76c975956e4
Verdict: Malicious activity
Analysis date: March 24, 2025, 09:30:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (5983), with CRLF line terminators
MD5: 609A40F86E297B5B59844FF46F8897E3
SHA1: 4D726885DC0AA632D305E997F43B8C68D97E0915
SHA256: 357BB41D66E8F2F8E16B122267E240A31DC9BA787FD4C6EA2B66A065B44769F1
SSDEEP: 49152:/0/6pZ0TiwwcUUgUM+CRLZdQryYyIEHPJd5biVcoiihsYkYMuryej/OySaG3MUYF:2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6264)
      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 7924)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Application was injected by another process

      • winlogon.exe (PID: 6648)
    • Runs injected code in another process

      • powershell.exe (PID: 7924)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6264)
      • cmd.exe (PID: 7772)
      • Taskmgr.exe (PID: 7840)
      • powershell.exe (PID: 1128)
      • cmd.exe (PID: 644)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2504)
      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 644)
    • Starts process via Powershell

      • powershell.exe (PID: 6264)
      • powershell.exe (PID: 1128)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7900)
      • powershell.exe (PID: 5256)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 6264)
      • cmd.exe (PID: 7772)
      • Taskmgr.exe (PID: 7840)
      • cmd.exe (PID: 644)
      • powershell.exe (PID: 1128)
    • Using 'findstr.exe' to search for text patterns in files and output

      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 7900)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 6712)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 1532)
      • powershell.exe (PID: 7456)
      • powershell.exe (PID: 8072)
      • powershell.exe (PID: 7500)
      • powershell.exe (PID: 7532)
      • powershell.exe (PID: 7236)
      • powershell.exe (PID: 4756)
      • powershell.exe (PID: 5256)
    • Application launched itself

      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 644)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 644)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 644)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
  • INFO

    • Returns all items recursively from all subfolders (POWERSHELL)

      • powershell.exe (PID: 7900)
      • powershell.exe (PID: 5256)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7840)
    • Returns hidden items found within a container (POWERSHELL)

      • cmd.exe (PID: 7520)
      • conhost.exe (PID: 7872)
      • conhost.exe (PID: 6184)
      • cmd.exe (PID: 5548)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5024)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5024)
      • powershell.exe (PID: 7924)
No Malware configuration.
No data.
Total processes: 187
Monitored processes: 54
Malicious processes: 7
Suspicious processes: 1

Behavior graph

[Behavior graph: process tree starting at cmd.exe; processes shown include conhost.exe, powershell.exe, sppextcomobj.exe, slui.exe, findstr.exe, backgroundtransferhost.exe, more.com, notepad.exe, taskmgr.exe and winlogon.exe]

Process information

PID: 644
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\sample.bat" AQEriJFTZQtfLuDCn "
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 660
CMD: "C:\WINDOWS\system32\findstr.exe" /i QEMU
Path: C:\Windows\System32\findstr.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1128
CMD: powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\admin\AppData\Local\Temp\sample.bat' -ArgumentList 'AQEriJFTZQtfLuDCn' -WindowStyle Hidden"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1532
CMD: powershell.exe "if (Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'DADY') {exit 900} else {exit 1}"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: "C:\WINDOWS\system32\findstr.exe" /i QEMU
Path: C:\Windows\System32\findstr.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1852
CMD: "C:\WINDOWS\system32\findstr.exe" /i BOCHS_
Path: C:\Windows\System32\findstr.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2136
CMD: "C:\WINDOWS\system32\notepad.exe"
Path: C:\Windows\System32\notepad.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
PID: 2236
CMD: powershell.exe "if (Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'VirtualBox') {exit 900} else {exit 1}"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 2504
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\sample.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 4740
CMD: "C:\WINDOWS\system32\findstr.exe" /i QEMU
Path: C:\Windows\System32\findstr.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 82 603
Read events: 82 579
Write events: 24
Delete events: 0

Modification events

PID: 7472
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID: 7472
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 7472
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 7840
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID: 7840
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 7840
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 6736
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID: 6736
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 6736
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 6632
Process: BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:
Executable files: 0
Suspicious files: 7
Text files: 36
Unknown types: 0

Dropped files

PID: 7840
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\38a294bc-bb54-437b-9e10-1e22ba1c35e3.down_data
Type:
MD5:
SHA256:

PID: 7900
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v3qn3dls.dgn.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6264
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bc45ko5b.1s3.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6264
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bjm5pfih.coz.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6264
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 4328F6CC2C71ACFF55AFA2C2DBDFBA6E
SHA256: 17F8AE1370F61B4914705B3EB8A29BFEAE6B0378646FD5A7F46C728BE8B10591

PID: 7900
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xpcbsbun.35t.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7840
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\c6b133a4-0660-46fd-a209-08e00c4a804a.5f0c49d5-98d5-4466-81c8-e99115b36659.down_meta
Type: binary
MD5: E5D59726C38C871CCB3CA363854E6466
SHA256: 011A0F30E014F3ED02A6C1B3D65E20078BAD24ACE564C7AB18B2CC8F323D2B79

PID: 7200
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_app022yk.b0u.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6712
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_emqkrr0d.u0s.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7364
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dvsw2mo2.1vt.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
7840
BackgroundTransferHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
7564
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
unknown
7968
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
7968
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
unknown
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
unknown
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
6544
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
unknown
7564
backgroundTaskHost.exe
20.74.19.45:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
unknown
google.com
  • 142.250.185.174
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
unknown
client.wns.windows.com
  • 40.113.103.199
unknown
login.live.com
  • 20.190.160.14
  • 20.190.160.4
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.130
  • 20.190.160.2
  • 20.190.160.131
  • 20.190.160.64
unknown
ocsp.digicert.com
  • 184.30.131.245
unknown
arc.msn.com
  • 20.74.19.45
unknown
www.bing.com
  • 2.16.204.156
  • 2.16.204.136
  • 2.16.204.157
  • 2.16.204.134
  • 2.16.204.159
  • 2.16.204.160
  • 2.16.204.132
  • 2.16.204.158
  • 2.16.204.161
unknown
slscr.update.microsoft.com
  • 52.149.20.212
unknown
www.microsoft.com
  • 2.23.181.156
unknown

Threats

No threats detected