File name: oppsrearm.bat

Full analysis: https://app.any.run/tasks/a1379aba-f7c6-46af-997c-05fc81ebab79
Verdict: Malicious activity
Analysis date: May 16, 2025, 01:27:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: D9E30B6BAB33590A13AE8ACDB1609CDE
SHA1: 24ADCC1184D45C47F6896480701E151F79FB98CF
SHA256: 59DF9F5434B182C6F56CAD461BB9194FA323769F1D18374AF7B58476A2FF8497
SSDEEP: 6:C2g+Y0ED+9m5oeY0ER5oegoEVCFseZcV3mpMLWFiHHmpMLSNhBgt8SmpWrompEGA:u+Q+Yz+zMCFsMIhi4HhujBo8SHopGA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 6700)
      • cscript.exe (PID: 5892)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4776)
    • Application launched itself

      • cmd.exe (PID: 4776)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 5892)
      • cscript.exe (PID: 6700)
    • The process executes VB scripts

      • cmd.exe (PID: 4776)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 5892)
      • cscript.exe (PID: 6700)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 5892)
      • cscript.exe (PID: 6700)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 6700)
      • cscript.exe (PID: 5892)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 6700)
      • cscript.exe (PID: 5892)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 8028)
    • Executes application which crashes

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 8028)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 7624)
      • WerFault.exe (PID: 7984)
      • WerFault.exe (PID: 8108)
    • Sets XML DOM element text (SCRIPT)

      • cscript.exe (PID: 3176)
  • INFO

    • Creates files or folders in the user directory

      • cscript.exe (PID: 7244)
      • WerFault.exe (PID: 7624)
      • WerFault.exe (PID: 7984)
      • WerFault.exe (PID: 8108)
    • Reads the software policy settings

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 5892)
      • cscript.exe (PID: 6700)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 7244)
      • cscript.exe (PID: 8028)
      • cscript.exe (PID: 7768)
      • cscript.exe (PID: 3176)
      • cscript.exe (PID: 6700)
      • cscript.exe (PID: 5892)
    • Checks proxy server information

      • cscript.exe (PID: 7244)
No Malware configuration.

TRiD

.669 | Composer 669 module (100)
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 14
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order: start, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), cscript.exe, sppextcomobj.exe (no specs), slui.exe, werfault.exe (no specs), cscript.exe, werfault.exe (no specs), cscript.exe, werfault.exe (no specs), cscript.exe (no specs), cscript.exe (no specs), cscript.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 3176
CMD: cscript ospp.vbs /inpkey:FXYTK-NJJ8C-GB6DW-3DYQT-6F7TH
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4776
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\oppsrearm.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 4880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5892
CMD: cscript ospp.vbs /act
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6700
CMD: cscript ospp.vbs /sethst:kms.msgang.com
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7220
CMD: C:\WINDOWS\system32\cmd.exe /c dir /b ..\root\Licenses16\ProPlus2021VL_KMS*.xrm-ms
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 7244
CMD: cscript ospp.vbs /inslic:"..\root\Licenses16\ProPlus2021VL_KMS_Client_AE-ppd.xrm-ms"
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 3221225477 (0xC0000005)
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7320
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7356
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7624
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7244 -s 1680
Path: C:\Windows\System32\WerFault.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events: 25 251
Read events: 25 251
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 13
Text files: 3
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type

PID 7624, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cscript.exe_62b6f5ddb4f9b32f9faaaa562a56d6d8f11b6a_d25c8a3a_945c82eb-86bf-4340-b998-9cebbb95f1b1\Report.wer
MD5:
SHA256:

PID 7984, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cscript.exe_62b6f5ddb4f9b32f9faaaa562a56d6d8f11b6a_d25c8a3a_e6e42e9d-8e5d-46d8-8bd7-ad7288dc4f66\Report.wer
MD5:
SHA256:

PID 8108, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cscript.exe_62b6f5ddb4f9b32f9faaaa562a56d6d8f11b6a_d25c8a3a_dad87844-24ea-4069-87e6-e4f6f71ca0a9\Report.wer
MD5:
SHA256:

PID 7244, cscript.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE
Type: binary
MD5: C2504675610849F509E2FAB6B132C2DB
SHA256: 3F2C0AEBA3B47A68B8711B94DF0ABDE08D3E475E8BB64B842831BA34E9837379

PID 7244, cscript.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5: 86BEC7A51419CF6F8277608E79B2B807
SHA256: 1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5

PID 7244, cscript.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5: 54C3285B2A0ACDCFB6EAC75CC3100632
SHA256: F3F8638B8E77B38A53F4761B9AE823FB83A34EA9B776909FB4D97DA05820CB5D

PID 7624, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC064.tmp.dmp
Type: binary
MD5: 6E870CEAD910B2765850A5BE33CECC67
SHA256: E8607D876DC58DB4F9692E2B364F124AB03AB25E4CDEB21A8CC9B1062D46E568

PID 7624, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC20C.tmp.xml
Type: xml
MD5: B98F6D24BB7C6777C5CF7C1E4AFA7748
SHA256: 580E95E4668F44E9D6A32855A06AEBD8E0694D9FC5278D6E1532A30ED1245A41

PID 7984, WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\cscript.exe.7768.dmp
Type: binary
MD5: 1019B9553DC50345DB393ACFAF838C36
SHA256: 2DCBD49FB9F0B0C5900DA1B4F04BB80CBA51DFF99D19687C0BE200C138630C1F

PID 7984, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC1C.tmp.dmp
Type: binary
MD5: 62653423EFA29A84331D1CD98CA9B182
SHA256: E48D9F2D5EEE8DF95EA21710AF2EF8E86B45D36683586A54C54FCAF9338F5281
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 21
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
7244 | cscript.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | | | whitelisted
7244 | cscript.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | | | whitelisted
6040 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
6040 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
976 | RUXIMICS.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
7244 | cscript.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.69
  • 40.126.31.129
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.1
  • 20.190.159.129
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
activation.sls.microsoft.com
  • 40.91.76.224
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info