| File name: | rat.bat |
| Full analysis: | https://app.any.run/tasks/6ad370e8-e57a-4925-a2c3-04dd02fa405a |
| Verdict: | Malicious activity |
| Analysis date: | May 17, 2025, 09:40:27 |
| OS: | Windows 11 Professional (build: 22000, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators |
| MD5: | C3A3589E8015D77C7CD7C592DCD60EAA |
| SHA1: | 0FFA66F44762C63FCA0BA539FDEE422A4E57CF79 |
| SHA256: | 419323629F572E3BDD839F5C58888A1B0FF728FCD51D1FF419D766A71EF8983B |
| SSDEEP: | 48:MS6FnMUYjUEj4q12XmNqh4vw5x3emZ266do6Aqe1RSAngka15:MS6U2Wi4y3ekkdTA/10Agks5 |
MALICIOUS
Starts NET.EXE to view/add/change user profiles
- cmd.exe (PID: 3404)
- net.exe (PID: 1856)
SUSPICIOUS
Get information on the list of running processes
- cmd.exe (PID: 3404)
Uses SYSTEMINFO.EXE to read the environment
- cmd.exe (PID: 3404)
Uses DRIVERQUERY.EXE to obtain a list of installed device drivers
- cmd.exe (PID: 3404)
Data upload via CURL
- curl.exe (PID: 3944)
Possible usage of Discord/Telegram API has been detected (YARA)
- cmd.exe (PID: 3404)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 3404)
INFO
Displays MAC addresses of computer network adapters
- getmac.exe (PID: 4044)
Execution of CURL command
- cmd.exe (PID: 3404)
Checks supported languages
- curl.exe (PID: 3944)
Reads the computer name
- curl.exe (PID: 3944)
Reads the machine GUID from the registry
- curl.exe (PID: 3944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(3404) cmd.exe
Discord-Webhook-Tokens (1)1373211791299186801/mYAuy0IiZ9JHhyCLhNepcvG8FMVxc1v0fRN52gmalag88NKVlBoSZVNxbLpy1u4kxKDD
Discord-Info-Links
1373211791299186801/mYAuy0IiZ9JHhyCLhNepcvG8FMVxc1v0fRN52gmalag88NKVlBoSZVNxbLpy1u4kxKDD
Get Webhook Infohttps://discord.com/api/webhooks/1373211791299186801/mYAuy0IiZ9JHhyCLhNepcvG8FMVxc1v0fRN52gmalag88NKVlBoSZVNxbLpy1u4kxKDD
Total processes
116
Monitored processes
16
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1492 | netstat -ano | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1856 | net user | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1876 | C:\Windows\system32\net1 user | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 10.0.22000.434 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1952 | powershell -Command "Get-CimInstance Win32_VideoController | Select-Object Name" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2268 | powershell -Command "Get-CimInstance Win32_LogicalDisk | Select-Object DeviceID, VolumeName, @{Name='Size(GB)';Expression={[math]::Round($_.Size / 1GB)}}, @{Name='Free(GB)';Expression={[math]::Round($_.FreeSpace / 1GB)}}" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2376 | driverquery | C:\Windows\System32\driverquery.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Queries the drivers on a system Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2664 | powershell -Command "Get-CimInstance Win32_Processor | Select-Object -ExpandProperty Name" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3016 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) | |||||||||||||||
| 3404 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\rat.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9059 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
ims-api(PID) Process(3404) cmd.exe Discord-Webhook-Tokens (1)1373211791299186801/mYAuy0IiZ9JHhyCLhNepcvG8FMVxc1v0fRN52gmalag88NKVlBoSZVNxbLpy1u4kxKDD Discord-Info-Links 1373211791299186801/mYAuy0IiZ9JHhyCLhNepcvG8FMVxc1v0fRN52gmalag88NKVlBoSZVNxbLpy1u4kxKDD Get Webhook Infohttps://discord.com/api/webhooks/1373211791299186801/mYAuy0IiZ9JHhyCLhNepcvG8FMVxc1v0fRN52gmalag88NKVlBoSZVNxbLpy1u4kxKDD | |||||||||||||||
| 3604 | powershell -Command "Get-CimInstance Win32_BaseBoard | Format-List Product,Manufacturer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
49 633
Read events
49 630
Write events
3
Delete events
0
Modification events
| (PID) Process: | (5928) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31180559 | |||
| (PID) Process: | (5928) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdLow |
Value: | |||
| (PID) Process: | (3404) cmd.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\System32\ndfapi.dll,-40001 |
Value: Windows Network Diagnostics | |||
Executable files
0
Suspicious files
1
Text files
13
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2664 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tcr2jklw.f1x.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2664 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g5gfrrfv.tl4.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5928 | TiWorker.exe | C:\Windows\Logs\CBS\CBS.log | text | |
MD5:E1B1B0CB91B6BCCD381F410CE012CBC8 | SHA256:E6813E469077EF55CEFE7EAFEE02045AC58EB60852378E95A3409A92CC4294E3 | |||
| 1952 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1voyfyge.aga.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3820 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zbgnxtdf.50f.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2268 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lyfwvx1z.gxh.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3820 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xgwptvai.eft.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2664 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:1C6405E12E4CCE677CC92E0D6535E803 | SHA256:7189E138E149BC9524000ABE11A38511F1B76C789616BA475F22EF0022D39582 | |||
| 2664 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text | |
MD5:5DAC16E6CB902C485FF416826EAD721D | SHA256:0E1EA26EE7D3D71774D8CDF71766CA6E832765036E556F46416E904AF2B0EFF3 | |||
| 3604 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n5hqht2v.1hv.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
16
DNS requests
9
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 88.221.110.147:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | — | — | whitelisted |
3640 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dd53f59396d373d1 | unknown | — | — | whitelisted |
— | — | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bd03cf048e05c76f | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 2.16.168.117:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1e10e7c7692de370 | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 2.16.168.117:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e8295883656f7dad | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 2.16.168.117:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3e4d47703098faed | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 2.16.168.117:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?4ad3cddf9f0eee59 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 88.221.110.147:80 | — | Akamai International B.V. | DE | unknown |
4432 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3640 | svchost.exe | 20.190.160.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3640 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
— | — | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
— | — | 20.190.160.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4172 | smartscreen.exe | 4.175.223.124:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3952 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3944 | curl.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | — | whitelisted |
5580 | svchost.exe | 2.16.185.191:443 | fs.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
checkappexec.microsoft.com |
| whitelisted |
discord.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET INFO Microsoft Connection Test |
— | — | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method |
1664 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
3944 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
1664 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
3944 | curl.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
Process | Message |
|---|---|
TiWorker.exe | Populating UpdatePolicy AllowList |
TiWorker.exe | AboveLock|Accounts|ActiveXControls|ADMXIngest|AllowMessageSync|AppHVSI|ApplicationDefaults|AllowAllTrustedApps|AllowAppStoreAutoUpdate|AllowAutomaticAppArchiving|AllowDeveloperUnlock|AllowGameDVR|AllowSharedUserAppData|ApplicationRestrictions|Audit|ConfigureChatIcon|LaunchAppAfterLogOn|MSIAllowUserControlOverInstall|MSIAlwaysInstallWithElevatedPrivileges|RestrictAppDataToSystemVolume|RestrictAppToSystemVolume|AppRuntime|AttachmentManager|Authentication|Autoplay|BitLocker|BITS|Bluetooth|Browser|Camera|Cellular|Connectivity|ControlPolicyConflict|CredentialProviders|CredentialsDelegation|CredentialsUI|Cryptography|DataProtection|DataUsage|Defender|DeliveryOptimization|Desktop|ConfigureSystemGuardLaunch|EnableVirtualizationBasedSecurity|DeviceHealthMonitoring|DeviceInstallation|DeviceLock|Display|DmaGuard|ErrorReporting|Eap|Education|EnterpriseCloudPrint|EventLogService|AllowClipboardHistory|AllowCopyPaste|AllowCortana|AllowDeviceDiscovery|AllowManualMDMUnenrollment|AllowSaveAsOfOfficeFiles|AllowScreenCapture|AllowSharingOfOfficeFiles|AllowSIMErrorDialogPromptWhenNoSIM|AllowSyncMySettings|AllowTailoredExperiencesWithDiagnosticData|AllowTaskSwitcher|AllowThirdPartySuggestionsInWindowsSpotlight|AllowVoiceRecording|DoNotShowFeedbackNotifications|DoNotSyncBrowserSettings|AllowFindMyDevice|ExploitGuard|Feeds|FileExplorer|Games|Handwriting|HumanPresence|InternetExplorer|Kerberos|KioskBrowser|Knobs|LanmanWorkstation|Licensing|LocalPoliciesSecurityOptions|LocalUsersAndGroups|Lockdown|Maps|MemoryDump|MSSecurityGuide|MSSLegacy|Multitasking|NetworkIsolation|NetworkListManager|NewsAndInterests|Notifications|OneDrive|Power|Printers|Privacy|RemoteAssistance|RemoteDesktopServices|RemoteDesktop|RemoteManagement|RemoteProcedureCall|RemoteShell|RestrictedGroups|Search|Security|Settings|SmartScreen|Speech|Start|Storage|System|SystemServices|TaskManager|TaskScheduler|TenantRestrictions|TextInput|TimeLanguageSettings|Troubleshooting|Update|UserRights|VirtualizationBasedTechnology|WiFi|WindowsLogon|WirelessDisplay|Location|WindowsAutopilot|WindowsConnectionManager|WindowsDefenderSecurityCenter|WindowsInkWorkspace|WindowsPowerShell|WindowsSandbox|WiredNetwork|ADMX_ |
TiWorker.exe | All policies are allowed
|
TiWorker.exe | SKU MDM licensing allow list string from SLAPI:
|
TiWorker.exe |