Field | Value
---|---
File name | MAIN.bat
Full analysis | https://app.any.run/tasks/1fa3d9ad-e128-4fc9-8a5b-39268e1c25bf
Verdict | Malicious activity
Analysis date | May 20, 2022, 16:19:58
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/x-msdos-batch
File info | DOS batch file, ASCII text, with CRLF line terminators
MD5 | BCCDEBAFFFFB72CE037931CC15C4B03E
SHA1 | AF4E46CB7F9F996ECC02789FFEC45ABAA2DC4970
SHA256 | 4102061962FA58A93E48125842229F003187096BA3876028FF925FC872B190DF
SSDEEP | 96:SW268KuZ6NTxgBZSNHv3rEX8VA7VgtgpTUcWiCP9YCQawBprEX8VA7VgRgpTUcW+:ztgBZwv+IiqUFEz
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2684 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\MAIN.bat" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3192 | C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq windanr.exe" | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3640 | tasklist /NH /FI "IMAGENAME eq windanr.exe" | C:\Windows\system32\tasklist.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Lists the current running tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
848 | net session | C:\Windows\system32\net.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Net Command; Exit code: 2; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3852 | C:\Windows\system32\net1 session | C:\Windows\system32\net1.exe | — | net.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Net Command; Exit code: 2; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3032 | "C:\Program Files\Internet Explorer\iexplore.exe" https://www.thewindowsclub.com/wp-content/uploads/2019/03/run-as-administrator-not-working.jpg | C:\Program Files\Internet Explorer\iexplore.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3548 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3032 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3548 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | 899FA813CEB526C9FF69B45ADF220513 | 2D2E7A27D1A352B04A9611BCA9D34DA7D76750E72A6E0573F6AB749FF82CFFF8
3032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | AC8FE9D561E9E7288AECF13F03AEA3D1 | CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
3548 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | 41FBBFEF77C9E15DF36E1CB541503D98 | 1C596FD0B7231E43E672CB027BE6117200830DD98929F060C3A97F8EFC4EAE17
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{C81181F8-D858-11EC-B7B7-12A9866C77DE}.dat | binary | 4F953DF8A76515A09CE85E71D74FB127 | DB31018EA00B5C7B6617800A852A720031E8442FE2182179266BB991DEF38F39
3032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | FE3539D30EFF9D3C17C3936B45F298CB | A71ED3922287D1C2BB0BA2F6185C0BDE4919760A96C1CDE80C7E2D1E9B13E1A9
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.dat | binary | C4E2084817A5A0DDC19DCF40141E3263 | 00F7C27FB076410CC22B1655215E756F598135C19C4E2C7EBBF49791C46D846D
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8AAA14E066D164E9.TMP | gmc | BA5F08F67A35A87CDDEC1C0EE3FE9061 | B259A9BEBC3CB36E103A246D7A94774BF72FDCD9B4B953BC0C0720A75C70945B
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{C81181F9-D858-11EC-B7B7-12A9866C77DE}.dat | binary | 423BF52BD0BA588FDF2E30ADC8936B84 | 485EC2973DB31337A9C228F730CE33D23FEDDEE88EE8DFBEBC2A9930CF04C46C
3032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | 80FC2D0B80DE3730DB2563DA6C447411 | 3FC3644532D120A36FC640D21054043A122BD36F7356F6C90E4753115DCBB8FF
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3548 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3032 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 8.248.131.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f30d613c74ce4631 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3032 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3548 | iexplore.exe | 104.26.10.55:443 | www.thewindowsclub.com | Cloudflare Inc | US | unknown |
3032 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3032 | iexplore.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3548 | iexplore.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3032 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3548 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
www.thewindowsclub.com | — | malicious
ctldl.windowsupdate.com | — | whitelisted
api.bing.com | — | whitelisted
www.bing.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
iecvlist.microsoft.com | — | whitelisted
r20swj13mr.microsoft.com | — | whitelisted