| File name: | Haha.bat |
| Full analysis: | https://app.any.run/tasks/451cd751-55b7-4573-8a3e-71ce6270a9e1 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 12, 2025, 21:14:02 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, Unicode text, UTF-8 text, with very long lines (504), with CRLF line terminators |
| MD5: | B35C1219C94847D808706B5345ED2B03 |
| SHA1: | B726A7068D033CA1B126F57E835992D488B57027 |
| SHA256: | 8A1B354C6323BDE15C917C6A72FF1BA04EE95B0EC268AE7CF074B753FD9277ED |
| SSDEEP: | 12288:mJ296YRld44TT4zBz/QX0AzpCNsN0R4HXWJgCFrEZTF/j4:n96YRuZ4kEpCNsN0R43sGm |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 7536)
- powershell.exe (PID: 4428)
Bypass execution policy to execute commands
- powershell.exe (PID: 7536)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 7388)
Changes the autorun value in the registry
- payload.exe (PID: 7676)
- Client.exe (PID: 7820)
Bypass User Account Control (Modify registry)
- payload.exe (PID: 7676)
Adds path to the Windows Defender exclusion list
- payload.exe (PID: 8072)
Changes Windows Defender settings
- payload.exe (PID: 8072)
Uses Task Scheduler to autorun other applications
- payload.exe (PID: 8072)
QUASAR has been detected (YARA)
- Client.exe (PID: 7820)
SUSPICIOUS
Manipulates environment variables
- powershell.exe (PID: 7536)
- powershell.exe (PID: 4428)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 7388)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7388)
- payload.exe (PID: 8072)
Starts process via Powershell
- powershell.exe (PID: 7536)
Downloads file from URI via Powershell
- powershell.exe (PID: 7536)
Executable content was dropped or overwritten
- powershell.exe (PID: 7536)
- payload.exe (PID: 7676)
Starts CMD.EXE for commands execution
- payload.exe (PID: 7676)
Starts itself from another location
- payload.exe (PID: 7676)
Checks for external IP
- payload.exe (PID: 7676)
- svchost.exe (PID: 2196)
- Client.exe (PID: 7820)
Changes default file association
- payload.exe (PID: 7676)
Modifies hosts file to alter network resolution
- payload.exe (PID: 8072)
Reads security settings of Internet Explorer
- payload.exe (PID: 8072)
There is functionality for taking screenshot (YARA)
- Client.exe (PID: 7820)
Process uses IPCONFIG to clear DNS cache
- payload.exe (PID: 8072)
Connects to unusual port
- Client.exe (PID: 7820)
Script adds exclusion path to Windows Defender
- payload.exe (PID: 8072)
INFO
Disables trace logs
- powershell.exe (PID: 7536)
- payload.exe (PID: 7676)
- Client.exe (PID: 7820)
Checks proxy server information
- powershell.exe (PID: 7536)
- payload.exe (PID: 7676)
- Client.exe (PID: 7820)
- slui.exe (PID: 6816)
The executable file from the user directory is run by the Powershell process
- payload.exe (PID: 7676)
Checks supported languages
- payload.exe (PID: 7676)
- Client.exe (PID: 7820)
- payload.exe (PID: 8072)
Reads the computer name
- payload.exe (PID: 7676)
- Client.exe (PID: 7820)
- payload.exe (PID: 8072)
Reads the machine GUID from the registry
- payload.exe (PID: 7676)
- Client.exe (PID: 7820)
- payload.exe (PID: 8072)
Reads security settings of Internet Explorer
- ComputerDefaults.exe (PID: 7984)
Creates files or folders in the user directory
- payload.exe (PID: 7676)
Process checks computer location settings
- payload.exe (PID: 8072)
Create files in a temporary directory
- payload.exe (PID: 8072)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 4428)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 4428)
Reads the software policy settings
- slui.exe (PID: 6816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Quasar
(PID) Process(7820) Client.exe
Version3.1.5
C2 (2)go-dramatically.gl.at.ply.gg:2676
Sub_Dirtemp
Install_NameClient.exe
Mutex$Sxr-camQAVefBjk7nvL7ph
StartupDriver689
TagnEGRosis
LogDirLogs
Signature
Certificate
Total processes
147
Monitored processes
19
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 976 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | ipconfig.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1188 | "SCHTASKS.exe" /create /tn "$77payload.exe" /tr "'C:\Users\admin\AppData\Local\Temp\payload.exe'" /sc onlogon /rl HIGHEST | C:\Windows\SysWOW64\schtasks.exe | — | payload.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4428 | "powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | payload.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5112 | "C:\Windows\System32\ipconfig.exe" /flushdns | C:\Windows\SysWOW64\ipconfig.exe | — | payload.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: IP Configuration Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6272 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6816 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7388 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Haha.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7396 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
18 387
Read events
18 352
Write events
35
Delete events
0
Modification events
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7676) payload.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
2
Suspicious files
1
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hywwzjts.mty.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4428 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vjcni0s4.s3p.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4428 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hmvkqwf3.tnh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7536 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:19F1BCD21F9F905E1713446B5AC64592 | SHA256:D4C280611B6034302DAA68F3F3EE24266CB1EDEB599FF25070F497566B859CA5 | |||
| 7536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xc0ittul.vqn.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4428 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_elwmn4kz.vgq.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7676 | payload.exe | C:\Users\admin\AppData\Roaming\temp\Client.exe | executable | |
MD5:AB8861D246EB5110F8DBF6EDBAD5F5F4 | SHA256:B5A01FE6A56452B58C8C7218BCEECF7B4D0EB7C29B2D4AEE1FFDEAAADE967483 | |||
| 7536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\payload.exe | executable | |
MD5:AB8861D246EB5110F8DBF6EDBAD5F5F4 | SHA256:B5A01FE6A56452B58C8C7218BCEECF7B4D0EB7C29B2D4AEE1FFDEAAADE967483 | |||
| 8072 | payload.exe | C:\Windows\System32\drivers\etc\hosts | text | |
MD5:90B79F6B1B607C76C157E6E74C6EA685 | SHA256:3DD654137B7A34671BCA7D24F964D5902B0DD2E767641F1A8D555B9D72695CE4 | |||
| 4428 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g4r12qda.dla.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
53
DNS requests
23
Threats
17
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
7676 | payload.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | — | — | whitelisted |
7820 | Client.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
1672 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
1672 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
1672 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
1672 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
1672 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
1672 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4024 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7536 | powershell.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
raw.githubusercontent.com |
| whitelisted |
ip-api.com |
| whitelisted |
go-dramatically.gl.at.ply.gg |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET HUNTING EXE Downloaded from Github |
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
7676 | payload.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com |
7676 | payload.exe | A Network Trojan was detected | ET MALWARE Common RAT Connectivity Check Observed |
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg) |