File name: office.msguides.bat
Full analysis: https://app.any.run/tasks/4ab1cf50-0f52-4e62-8858-ac5e70ba3ceb
Verdict: Malicious activity
Analysis date: April 23, 2025, 18:16:03
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (1197), with CRLF line terminators
MD5: AABCFB044A85D94A2D0E691893A66BFD
SHA1: 5CD918570D4AC1B52370E326A3926C88CFE70EA0
SHA256: 7E7A9EF2F02F5D48E0F0F6DB478974921B7CA555A3ABC44CBB25E4415D94129C
SSDEEP: 48:Wimr63WuzcqoXucXuu7hsJBzozcPUwfufmcbZ/T/8ZxGSq3v:jmr633zcqKumuc6+cPUDzZ/A36

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • cmd.exe (PID: 7352)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Application launched itself

      • cmd.exe (PID: 7352)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
    • Executes application which crashes

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
    • The process executes VB scripts

      • cmd.exe (PID: 7352)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 8176)
      • WerFault.exe (PID: 5228)
    • Sets XML DOM element text (SCRIPT)

      • cscript.exe (PID: 7820)
  • INFO

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 6184)
      • cscript.exe (PID: 904)
    • Reads the software policy settings

      • cscript.exe (PID: 7452)
      • cscript.exe (PID: 8088)
      • cscript.exe (PID: 6512)
      • cscript.exe (PID: 5680)
      • cscript.exe (PID: 5084)
      • cscript.exe (PID: 7820)
      • cscript.exe (PID: 904)
      • cscript.exe (PID: 6184)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 19
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in graph order ("no specs" marks a process that triggered no indicators): start, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), cscript.exe, sppextcomobj.exe (no specs), slui.exe (no specs), werfault.exe (no specs), cscript.exe, werfault.exe (no specs), cscript.exe, werfault.exe (no specs), cscript.exe (no specs) x6, find.exe (no specs), choice.exe (no specs)

Process information
PID: 904
CMD: cscript //nologo ospp.vbs /sethst:kms7.MSGuides.com
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1052
CMD: find /i "successful"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (grep) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 5084
CMD: cscript //nologo ospp.vbs /unpkey:6F7TH
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5228
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6512 -s 1520
Path: C:\Windows\System32\WerFault.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 5680
CMD: cscript //nologo ospp.vbs /setprt:1688
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6184
CMD: cscript //nologo ospp.vbs /act
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6512
CMD: cscript ospp.vbs /inslic:"..\root\Licenses16\ProPlus2021VL_KMS_Client_AE-ul.xrm-ms"
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; this is the crash reported by WerFault.exe PID 5228 with -p 6512)
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6668
CMD: choice /n /c YN /m "Would you like to visit my blog [Y,N]?"
Path: C:\Windows\System32\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7352
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\office.msguides.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 7360
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 31 422
Read events: 31 422
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 13
Text files: 3
Unknown types: 0

Dropped files (PID, process, filename, type, hashes; fields the report left blank are marked "not recorded")

PID 7944, WerFault.exe
  Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cscript.exe_62b6f5ddb4f9b32f9faaaa562a56d6d8f11b6a_d25c8a3a_a7282696-2603-4cd3-826c-a4e95ef2e6d4\Report.wer
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 8176, WerFault.exe
  Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cscript.exe_62b6f5ddb4f9b32f9faaaa562a56d6d8f11b6a_d25c8a3a_13c4f6f4-3028-4a06-8e57-b3fd018a4694\Report.wer
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 5228, WerFault.exe
  Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cscript.exe_62b6f5ddb4f9b32f9faaaa562a56d6d8f11b6a_d25c8a3a_d64b6974-4ac1-4ee6-810f-3d9ef1949828\Report.wer
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 7452, cscript.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE
  Type: binary
  MD5: 411D4C6D9068F0593E05D0F67B46BF77
  SHA256: 743747DD59C21B0ECD5328A93F31A5D89A9765AFC6740C4963EBA797AA383043

PID 5228, WerFault.exe
  Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D29.tmp.xml
  Type: xml
  MD5: 17962D4F8224CE9A8C5BB70ACE67E0C5
  SHA256: 14F094B994A82B665A692BA679D1ADA018DB9C9958D0EE762799AD6B7232D509

PID 7452, cscript.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850
  Type: binary
  MD5: 86BEC7A51419CF6F8277608E79B2B807
  SHA256: 1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5

PID 7452, cscript.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE
  Type: binary
  MD5: F0E540327DA48B9AAB6D1B434807435A
  SHA256: 650D83E9933E87D00605B2954E2B8A110B2B228BEEE5E02ED4518FE5E87D434E

PID 5228, WerFault.exe
  Filename: C:\Users\admin\AppData\Local\CrashDumps\cscript.exe.6512.dmp
  Type: binary
  MD5: A33BE0EC9FAB0223D1E857AD0EFC0659
  SHA256: 70E76B60AB0B4883B9ED872E5F05C78F4250F5D34BE3B4875648581E1DC48BCB

PID 5228, WerFault.exe
  Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C2D.tmp.dmp
  Type: binary
  MD5: 27344F6B9A6165F2957A9D86156669F4
  SHA256: E6191F1C3AE9C7CCA783B1D855EB099DEEF3D212BCC7D3ABBB00C97540637E87

PID 7944, WerFault.exe
  Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1869.tmp.xml
  Type: xml
  MD5: 503962A1786DCB7535B37AD9F5025ED4
  SHA256: 82B388D5A8B9CD5E3874127031EF988DC9594A5CE9BBE1815767FAA93B0C1ED5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 23
DNS requests: 14
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, reputation; the Type and Size columns were empty in this extract, and the first three rows carry no PID or process)

PID/Process: not recorded
  GET 200 from 2.16.168.114:80
  URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  CN: unknown; Reputation: whitelisted

PID/Process: not recorded
  GET 200 from 2.23.246.101:80
  URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  CN: unknown; Reputation: whitelisted

PID/Process: not recorded
  GET 200 from 2.17.190.73:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  CN: unknown; Reputation: whitelisted

PID 7452, cscript.exe
  GET 200 from 2.16.168.114:80
  URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
  CN: unknown; Reputation: whitelisted

PID 2568, SIHClient.exe
  GET 200 from 184.30.21.171:80
  URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
  CN: unknown; Reputation: whitelisted

PID 2568, SIHClient.exe
  GET 200 from 184.30.21.171:80
  URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
  CN: unknown; Reputation: whitelisted

PID 7452, cscript.exe
  GET 200 from 2.16.168.114:80
  URL: http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl
  CN: unknown; Reputation: whitelisted

Connections (PID, process, IP, domain, ASN, CN, reputation; rows without a PID carried no process in the report)

PID 2104, svchost.exe
  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

PID/Process: not recorded
  172.211.123.248:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted

PID/Process: not recorded
  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

PID/Process: not recorded
  2.16.168.114:80  crl.microsoft.com  Akamai International B.V.  RU  whitelisted

PID/Process: not recorded
  2.23.246.101:80  www.microsoft.com  Ooredoo Q.S.C.  QA  whitelisted

PID 6544, svchost.exe
  20.190.160.2:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

PID/Process: not recorded
  2.17.190.73:80  ocsp.digicert.com  AKAMAI-AS  DE  whitelisted

PID 3216, svchost.exe
  172.211.123.248:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted

PID 5496, MoUsoCoreWorker.exe
  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

PID 7452, cscript.exe
  2.16.168.114:80  crl.microsoft.com  Akamai International B.V.  RU  whitelisted

DNS requests (domain: resolved IPs, reputation)

settings-win.data.microsoft.com: 4.231.128.59 (whitelisted)
client.wns.windows.com: 172.211.123.248 (whitelisted)
crl.microsoft.com: 2.16.168.114, 2.16.168.124 (whitelisted)
www.microsoft.com: 2.23.246.101, 184.30.21.171 (whitelisted)
google.com: 142.250.181.238 (whitelisted)
login.live.com: 20.190.160.2, 20.190.160.64, 20.190.160.65, 20.190.160.3, 20.190.160.130, 40.126.32.74, 20.190.160.20, 20.190.160.4 (whitelisted)
ocsp.digicert.com: 2.17.190.73 (whitelisted)
slscr.update.microsoft.com: 4.175.87.197 (whitelisted)
fe3cr.delivery.mp.microsoft.com: 52.165.164.15 (whitelisted)
activation.sls.microsoft.com: 40.91.76.224 (whitelisted)

Threats

No threats detected
No debug info