Malware analysis 1.bat Malicious activity | ANY.RUN

Add for printing

File name:	1.bat
Full analysis:	https://app.any.run/tasks/c52cb607-67e3-4754-bab7-553e21254463
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 19:59:28
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (4390), with no line terminators
MD5:	9A931262E36A189DDD1EAE57DC581AAE
SHA1:	2C58C73C892E71C5CE5FF389A78728E491FF9423
SHA256:	5E09EF8E9532ACE2D9641E7F63B84DD6027A548C23D5C0D6097B7C8884DAFBBF
SSDEEP:	96:nBCXPOqfX2/dmPyDBpCroKOlT1AlTTwWppAekbC7YY:nWOqfIGyDBKoK0uqWp4b/Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 5112)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 4108)
SUSPICIOUS
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 5112)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 6240)
  - cmd.exe (PID: 3272)
  - powershell.exe (PID: 7388)
- The process bypasses the loading of PowerShell profile settings
  - powershell.exe (PID: 7388)
- Application launched itself
  - powershell.exe (PID: 7388)
- Connects to unusual port
  - powershell.exe (PID: 4108)
- Executes application which crashes
  - powershell.exe (PID: 4108)
- The process hide an interactive prompt from the user
  - powershell.exe (PID: 7388)
- Executes script without checking the security policy
  - powershell.exe (PID: 4108)
INFO
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5112)
- Process checks computer location settings
  - SearchApp.exe (PID: 2924)
- Reads the machine GUID from the registry
  - SearchApp.exe (PID: 2924)
- Checks supported languages
  - SearchApp.exe (PID: 2924)
  - identity_helper.exe (PID: 6652)
- Reads the software policy settings
  - SearchApp.exe (PID: 2924)
  - slui.exe (PID: 7248)
- Manual execution by a user
  - cmd.exe (PID: 6240)
  - msedge.exe (PID: 7508)
  - notepad.exe (PID: 4648)
  - cmd.exe (PID: 3272)
- Application launched itself
  - msedge.exe (PID: 7508)
- Reads Environment values
  - identity_helper.exe (PID: 6652)
- Reads the computer name
  - identity_helper.exe (PID: 6652)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 4284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

201

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

496

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

668

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1884 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

672

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6012 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

736

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4092 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

924

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6060 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1088

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1196

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x2f8,0x310,0x7ffc88995fd8,0x7ffc88995fe4,0x7ffc88995ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1452

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5332 --field-trial-handle=2140,i,8271939350998523395,5792535567015055537,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2136

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

35 313

Read events

35 172

Write events

138

Delete events

Modification events


(PID) Process:	(2924) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	IsAADCloudSearchEnabled
Value: 0
(PID) Process:	(2924) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	IsMSACloudSearchEnabled
Value: 0
(PID) Process:	(2924) SearchApp.exe	Key:	\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_USEREMAIL
Value: 00003D54A0E9D3C5DB01
(PID) Process:	(2924) SearchApp.exe	Key:	\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value: 000094EEA0E9D3C5DB01
(PID) Process:	(2924) SearchApp.exe	Key:	\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 000094EEA0E9D3C5DB01
(PID) Process:	(2924) SearchApp.exe	Key:	\REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 4E006F006E006500000094EEA0E9D3C5DB01
(PID) Process:	(2924) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation:	delete value	Name:	CachedFeatureString
Value:
(PID) Process:	(2924) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	SafeSearchMode
Value: 1
(PID) Process:	(2924) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation:	write	Name:	CachedFeatureString
Value:
(PID) Process:	(2924) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation:	write	Name:	Total
Value: 949

Add for printing

Executable files

Suspicious files

571

Text files

228

Unknown types

Dropped files

PID	Process	Filename		Type
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:A5216D68F7B67852D46940E0C9CFF5F3	SHA256:D4DDEE633660395ED2D8ED525DA0F1C2374B44CE4E80ACF37FE558D07D125C1B
5112	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_idxqajsa.f3l.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:BC9E58CD7AB64C3C4D6F6F058DFAA101	SHA256:9C072B6556C51FF9C6292D93B0E99BF54B46EC3AFF5017534D190B3BEE88E967
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\-M-8YWX0KlEtdAHVrkTvKQHOghs[1].js		binary
		MD5:32EE4742328DFB725F3A96641B93B344	SHA256:061E63AF37D22CCEF7FB5BB9BEABA0DF2F36B64F985BB8A408638846C895D0A7
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml		text
		MD5:F600A381B526DE7B0907C7C39BF77795	SHA256:8B27BCD2754D5455E50A869EA8AA9A96B557C0152E19B734844A05245DA4DE70
5112	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zuosl5rq.a4m.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\-ftd1z5tHxKQWsm_2QHFqn1lSEk.br[1].js		binary
		MD5:F307FFD57D71E3CF4010EF8729F9F893	SHA256:EEF98A98295DC3659D0D898F328675E0F02B751D3FA674B39B3CC28F7E3689FD
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\AptopUBu7_oVDubJxwvaIprW-lI[1].css		text
		MD5:29DE55D0A7A581B230CC2D70686CD03A	SHA256:D9F161C1FE8751953E4F3819993C16C2A61A0121B527E09862C34C89E7B6C677
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\NajusmjIqB4kdLn9FmVxeS4xi2o[1].css		text
		MD5:73D1CEBD8E3B6C7246F422D624EDF803	SHA256:0674786CF9978A1F9065F57D98E986070C7CBB5177F154F40E8A924C0E0C13F2
2924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css		text
		MD5:77373397A17BD1987DFCA2E68D022ECF	SHA256:A319AF2E953E7AFDA681B85A62F629A5C37344AF47D2FCD23AB45E1D99497F13

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

163

DNS requests

116

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8092	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
8092	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
540	svchost.exe	GET	206	2.16.10.182:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/241074c3-f448-482a-8c90-855c388ea76a?P1=1747702776&P2=404&P3=2&P4=a6CNLtZVnUimx5Zk%2b5h5XPdOvvKvX5K05TzqsIYaxw04Kaf%2b3Gv%2b9NJ55L1MIaHX0SsLqDdIdEcJ0dx3Hk8dfw%3d%3d	unknown	—	—	whitelisted
540	svchost.exe	GET	206	2.16.10.182:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/241074c3-f448-482a-8c90-855c388ea76a?P1=1747702776&P2=404&P3=2&P4=a6CNLtZVnUimx5Zk%2b5h5XPdOvvKvX5K05TzqsIYaxw04Kaf%2b3Gv%2b9NJ55L1MIaHX0SsLqDdIdEcJ0dx3Hk8dfw%3d%3d	unknown	—	—	whitelisted
540	svchost.exe	GET	206	2.16.10.182:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/241074c3-f448-482a-8c90-855c388ea76a?P1=1747702776&P2=404&P3=2&P4=a6CNLtZVnUimx5Zk%2b5h5XPdOvvKvX5K05TzqsIYaxw04Kaf%2b3Gv%2b9NJ55L1MIaHX0SsLqDdIdEcJ0dx3Hk8dfw%3d%3d	unknown	—	—	whitelisted
540	svchost.exe	GET	206	2.16.10.182:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/241074c3-f448-482a-8c90-855c388ea76a?P1=1747702776&P2=404&P3=2&P4=a6CNLtZVnUimx5Zk%2b5h5XPdOvvKvX5K05TzqsIYaxw04Kaf%2b3Gv%2b9NJ55L1MIaHX0SsLqDdIdEcJ0dx3Hk8dfw%3d%3d	unknown	—	—	whitelisted
540	svchost.exe	GET	206	2.16.10.182:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/241074c3-f448-482a-8c90-855c388ea76a?P1=1747702776&P2=404&P3=2&P4=a6CNLtZVnUimx5Zk%2b5h5XPdOvvKvX5K05TzqsIYaxw04Kaf%2b3Gv%2b9NJ55L1MIaHX0SsLqDdIdEcJ0dx3Hk8dfw%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 40.127.240.158	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	95.101.149.131 69.192.161.161	whitelisted
google.com	142.250.186.78	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
login.live.com	20.190.160.22 40.126.32.140 20.190.160.4 40.126.32.68 20.190.160.17 20.190.160.14 20.190.160.2 20.190.160.65	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
www.bing.com	2.23.227.215 2.23.227.208 92.123.104.26 92.123.104.33 92.123.104.37 92.123.104.28 92.123.104.29 92.123.104.38 92.123.104.30 92.123.104.36 92.123.104.41 92.123.104.12 92.123.104.21 92.123.104.16 92.123.104.22 92.123.104.14 92.123.104.7 92.123.104.8 92.123.104.9 92.123.104.13 92.123.104.47 92.123.104.50 92.123.104.49 92.123.104.46 92.123.104.53 23.15.178.200 23.15.178.226	whitelisted
fp.msedge.net	204.79.197.222	whitelisted
th.bing.com	92.123.104.9 92.123.104.26 92.123.104.18 92.123.104.12 92.123.104.13 92.123.104.22 92.123.104.11 92.123.104.28 92.123.104.21 92.123.104.16 92.123.104.14 92.123.104.7 92.123.104.8	whitelisted

Threats

PID	Process	Class	Message
2392	msedge.exe	Misc activity	ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392	msedge.exe	Misc activity	ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392	msedge.exe	Misc activity	ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392	msedge.exe	Misc activity	ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392	msedge.exe	Misc activity	ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392	msedge.exe	Misc activity	ET FILE_SHARING Public File Sharing Service Domain in DNS Lookup (bashupload .com)
2392	msedge.exe	Misc activity	ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392	msedge.exe	Misc activity	ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)
2392	msedge.exe	Misc activity	ET FILE_SHARING Observed Public File Sharing Service Domain (bashupload .com in TLS SNI)

Add for printing

No debug info

General Info

1.bat

9A931262E36A189DDD1EAE57DC581AAE

2C58C73C892E71C5CE5FF389A78728E491FF9423

5E09EF8E9532ACE2D9641E7F63B84DD6027A548C23D5C0D6097B7C8884DAFBBF

96:nBCXPOqfX2/dmPyDBpCroKOlT1AlTTwWppAekbC7YY:nWOqfIGyDBKoK0uqWp4b/Y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Run PowerShell with an invisible window

SUSPICIOUS

Uses base64 encoding (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Application launched itself

Connects to unusual port

Executes application which crashes

The process hide an interactive prompt from the user

Executes script without checking the security policy

INFO

Script raised an exception (POWERSHELL)

Process checks computer location settings

Reads the machine GUID from the registry

Checks supported languages

Reads the software policy settings

Manual execution by a user

Application launched itself

Reads Environment values

Reads the computer name

Executable content was dropped or overwritten

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings