File name:

ffabcdef-2015-0630-1821-aaa040384214.vbs

Full analysis: https://app.any.run/tasks/cfb322a7-cde0-492a-8638-2fd7f99a5725
Verdict: Malicious activity
Analysis date: October 14, 2019, 03:22:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ISO-8859 text, with very long lines
MD5:

C07CC77EF2C07594542F77069E12702E

SHA1:

C0B53A9288F51C89AA14DD052AA2472E856E29DC

SHA256:

64C6959B89FE7A76815026DD592081FCBBE328CB61CCDF427F6B0C429CEAB860

SSDEEP:

768:+j2uG5pYwaKkLLVE1X2XixekYdk8r0tu/xgYM471iWXWM1i2XqHnV:+j2w8V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/change shared resources

      • cmd.exe (PID: 1160)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 2136)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 1784)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 1536)
      • cmd.exe (PID: 2588)
      • cmd.exe (PID: 928)
      • cmd.exe (PID: 1400)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 1484)
      • cmd.exe (PID: 4092)
      • cmd.exe (PID: 1428)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 3876)
      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 2104)
      • cmd.exe (PID: 1028)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 2200)
      • cmd.exe (PID: 3620)

    • Executes scripts

      • cmd.exe (PID: 2924)
      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 3308)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 3300)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 2104)
      • cmd.exe (PID: 3372)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3344)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3412)
      • cmd.exe (PID: 1732)
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 1252)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 3776)
      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 1772)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1160)
      • cmd.exe (PID: 1888)
      • cmd.exe (PID: 2436)
      • WScript.exe (PID: 2108)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 3900)
      • cmd.exe (PID: 1712)
      • cmd.exe (PID: 3800)
      • cmd.exe (PID: 3044)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 2608)
      • cmd.exe (PID: 3044)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 3924)
      • cmd.exe (PID: 1484)
      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 1532)
      • cmd.exe (PID: 3308)
      • cmd.exe (PID: 4040)
      • cmd.exe (PID: 2068)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 2256)
      • cmd.exe (PID: 912)
      • cmd.exe (PID: 3132)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 2916)
      • cmd.exe (PID: 3148)

    • Application launched itself

      • cmd.exe (PID: 3044)
      • cmd.exe (PID: 1532)
      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 3308)

    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 3980)

    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 3300)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
539
Monitored processes
318
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs cmd.exe no specs secedit.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs sc.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs net.exe no specs find.exe no specs net1.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs net.exe no specs find.exe no specs net1.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs find.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs find.exe no specs cscript.exe no specs cscript.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cscript.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs netstat.exe no specs cscript.exe no specs cmd.exe no specs tasklist.exe no specs cscript.exe no specs cmd.exe no specs hostname.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cscript.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cscript.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cscript.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\admin\AppData\Local\Temp\sec.log "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
252"C:\Windows\System32\cmd.exe" /c echo Next >> C:\Users\admin\AppData\Local\Temp\nameav.vbsC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
272find /i "Everyone"C:\Windows\system32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
272wmic process where "name = 'kvwsc.exe' or name = 'kvmonxp.exe' or name = 'ashserv.exe' or name = 'aswupdsv.exe' or name = 'ashdisp.exe' or name = 'ashwebsv.exe' or name = 'UpdaterUI.exe' or name = 'shstat.exe' or name = 'Tbmon.exe' or name = 'ccproxy.exe' or name = 'NTRtscan.exe'" get name C:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
292"C:\Windows\System32\cmd.exe" /c echo For i = 0 To UBound(allKeys) >> C:\Users\admin\AppData\Local\Temp\nameav.vbsC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
292"C:\Windows\System32\cmd.exe" /c echo Else>>C:\Users\admin\AppData\Local\Temp\checkfirewall.vbsC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\imm32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
320wmic os get caption,csdversion,version C:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
328"C:\Windows\System32\cmd.exe" /c echo Else >> C:\Users\admin\AppData\Local\Temp\wmiav.vbsC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
332reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried C:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
388C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\admin\AppData\Local\Temp\sec.log "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 138
Read events
2 134
Write events
4
Delete events
0

Modification events

(PID) Process:(2108) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2108) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
0
Suspicious files
0
Text files
124
Unknown types
0

Dropped files

PID
Process
Filename
Type
2760find.exeC:\Users\admin\AppData\Local\Temp\domainrole.txttext
MD5:
SHA256:
1024cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
3132cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
1708cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
1012cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
3172cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
3408cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
2880cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
2132cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
940cmd.exeC:\Users\admin\AppData\Local\Temp\wmiav.vbstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ffabcdef-2015-0630-1821-aaa040384214.vbs