File name:

Free Exm Tweaking Utility 2.2.bat

Full analysis: https://app.any.run/tasks/32aa53dc-d6b3-4b7e-956e-24b90e8fe1d4
Verdict: Malicious activity
Analysis date: January 27, 2024, 17:17:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, UTF-8 Unicode text, with very long lines, with CRLF line terminators, with escape sequences
MD5:

BF7CB2306FD90460E2E31E6C6C2E575A

SHA1:

4E248D3565AE99D8E6E664AF500C051410F329BA

SHA256:

61703295DBDFCF01C617B21FA71655A950F6F3E481DE04B3AFEA81C261E4FC40

SSDEEP:

768:33rEb6K/v9zqsaIZz+Q+FW5/PJzUhNVAC51qpfUqPqoYXpM:U/v5rzUhNVn1qypM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 2176)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 2176)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 2176)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 2176)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 2176)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 2176)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 2640)

    • Reads the Internet Settings

      • powershell.exe (PID: 1824)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1824)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 1824)

  • INFO

    • Checks supported languages

      • chcp.com (PID: 2316)
      • chcp.com (PID: 2728)
      • chcp.com (PID: 3076)
      • chcp.com (PID: 2784)
      • chcp.com (PID: 2380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
63
Monitored processes
22
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs chcp.com no specs timeout.exe no specs timeout.exe no specs chcp.com no specs powershell.exe no specs cmd.exe powershell.exe no specs chcp.com no specs SPPSurrogate no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs chcp.com no specs timeout.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
884powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1268Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1556Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1824powershell -NoProfile -NonInteractive -Command start -verb runas "'C:\Users\admin\AppData\Local\Temp\FREEEX~1.BAT'" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2060timeout /t 1 /nobreak C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2176"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\FREEEX~1.BAT" C:\Windows\System32\cmd.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2240Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2316chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2376Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2380chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 464
Read events
2 452
Write events
11
Delete events
1

Modification events

(PID) Process:(1824) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1824) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1824) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1824) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3040) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
Operation:writeName:{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value:
\\?\Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}\:(C%3A)
(PID) Process:(2376) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:delete valueName:RPSessionInterval
Value:
1
(PID) Process:(2508) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:writeName:SystemRestorePointCreationFrequency
Value:
0
(PID) Process:(3136) reg.exeKey:HKEY_CURRENT_USER\Console
Operation:writeName:VirtualTerminalLevel
Value:
1
Executable files
0
Suspicious files
7
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
884powershell.exeC:\Users\admin\AppData\Local\Temp\qancyieq.bbb.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2396powershell.exeC:\Users\admin\AppData\Local\Temp\b1fhstok.nka.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2396powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
884powershell.exeC:\Users\admin\AppData\Local\Temp\gvmlstbu.fhn.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1824powershell.exeC:\Users\admin\AppData\Local\Temp\j4eq3vzh.hr0.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2396powershell.exeC:\Users\admin\AppData\Local\Temp\kndtmgri.3ov.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1824powershell.exeC:\Users\admin\AppData\Local\Temp\t5wvuxxk.uzq.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Free Exm Tweaking Utility 2.2.bat