File name: Code.bat
Full analysis: https://app.any.run/tasks/6e5e99bd-aea8-4ddf-b8cb-ea2cb76f2002
Verdict: Malicious activity
Analysis date: February 24, 2025, 05:21:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 6AB9333091BA7E49709E7A035EAA7475
SHA1: B7CCF02E32C7CB01DBE5C71EDAA4F18C92A97E66
SHA256: 8ACD3B3BD702A773C70F7F03750091635A1C9991A41F0A8565D721EA30655723
SSDEEP: 96:lVeGI8hYOF4/dfyVMS1mpLYwwdio4Pg4cstOtAQ:lVeGIHi4/dfye9VYjn4I4csI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Downloads files via BITSADMIN.EXE

      • cmd.exe (PID: 6696)
  • SUSPICIOUS

    • The process executes VB scripts

      • cmd.exe (PID: 6336)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 6336)
      • cmd.exe (PID: 6696)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6472)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 6472)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6472)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6696)
    • Executable content was dropped or overwritten

      • 7z.exe (PID: 6448)
    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 3772)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 3772)
      • SearchApp.exe (PID: 1576)
    • Drops 7-zip archiver for unpacking

      • 7z.exe (PID: 6448)
    • Creates a software uninstall entry

      • 7z.exe (PID: 6448)
      • regedit.exe (PID: 4932)
    • Creates/Modifies COM task schedule object

      • 7z.exe (PID: 6448)
    • Process copies executable file

      • cmd.exe (PID: 6696)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6696)
    • The process executes via Task Scheduler

      • explorer.exe (PID: 5604)
  • INFO

    • Checks supported languages

      • 7z.exe (PID: 6448)
      • StartMenuExperienceHost.exe (PID: 3772)
      • TextInputHost.exe (PID: 6460)
      • SearchApp.exe (PID: 1576)
    • Reads the computer name

      • 7z.exe (PID: 6448)
      • StartMenuExperienceHost.exe (PID: 3772)
      • TextInputHost.exe (PID: 6460)
      • SearchApp.exe (PID: 1576)
    • Creates files in the program directory

      • 7z.exe (PID: 6448)
    • The sample is compiled with English language support

      • 7z.exe (PID: 6448)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 3772)
      • SearchApp.exe (PID: 1576)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5604)
    • Checks proxy server information

      • explorer.exe (PID: 5604)
      • SearchApp.exe (PID: 1576)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 1576)
    • Reads Environment values

      • SearchApp.exe (PID: 1576)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 5604)
    • Reads the software policy settings

      • SearchApp.exe (PID: 1576)
No Malware configuration.
No data.
Total processes: 164
Monitored processes: 26
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in graph order ("no specs" is the report's label for a process with no triggered indicators): start, cmd.exe (no specs), conhost.exe (no specs), cacls.exe (no specs), wscript.exe (no specs), cmd.exe, conhost.exe (no specs), cacls.exe (no specs), setx.exe (no specs), bitsadmin.exe (no specs), reg.exe (no specs), bitsadmin.exe (no specs), 7z.exe, bitsadmin.exe (no specs), bitsadmin.exe (no specs), bitsadmin.exe (no specs), regedit.exe (no specs), xcopy.exe (no specs), choice.exe (no specs), taskkill.exe (no specs), explorer.exe (no specs), explorer.exe (no specs), textinputhost.exe (no specs), startmenuexperiencehost.exe (no specs), tiworker.exe (no specs), searchapp.exe, mobsync.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID:
1576
CMD:
"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path:
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\wincorlib.dll
PID:
2324
CMD:
xcopy "C:\Users\admin\AppData\Local\Temp\Setup.bat" "C:\DMGReader\DMG-Reader"
Path:
C:\Windows\System32\xcopy.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
4
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ulib.dll
PID:
3772
CMD:
"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Path:
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID:
4624
CMD:
explorer
Path:
C:\Windows\explorer.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
2
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
4888
CMD:
C:\WINDOWS\System32\mobsync.exe -Embedding
Path:
C:\Windows\System32\mobsync.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Sync Center
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4932
CMD:
"regedit.exe" "C:\DMGReader\DMG-Reader\regapp.reg"
Path:
C:\Windows\regedit.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID:
4944
CMD:
choice /c yn /n /m " "
Path:
C:\Windows\System32\choice.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
5604
CMD:
"C:\WINDOWS\explorer.exe" /NoUACCheck
Path:
C:\Windows\explorer.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
5748
CMD:
taskkill /im explorer.exe /f
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6336
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Code.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events: 26 977
Read events: 26 705
Write events: 247
Delete events: 25

Modification events

(PID) Process: (6336) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value: (empty)

(PID) Process: (6696) cmd.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 18

(PID) Process: (6812) setx.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: WorkingDIRDMG
Value: C:\DMGReader\DMG-Reader

(PID) Process: (6448) 7z.exe
Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation: write
Name: Path64
Value: C:\Program Files\7-Zip\

(PID) Process: (6448) 7z.exe
Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation: write
Name: Path
Value: C:\Program Files\7-Zip\

(PID) Process: (6448) 7z.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation: write
Name: Path64
Value: C:\Program Files\7-Zip\

(PID) Process: (6448) 7z.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation: write
Name: Path
Value: C:\Program Files\7-Zip\

(PID) Process: (6448) 7z.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (6448) 7z.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (6448) 7z.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation: write
Name: {23170F69-40C1-278A-1000-000100020000}
Value: 7-Zip Shell Extension
Executable files: 13
Suspicious files: 56
Text files: 206
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type

6336  cmd.exe  C:\Users\admin\AppData\Local\Temp\getadmin.vbs  (text)
  MD5: D14A6C18536B08C2D91CC10129CEC2CA
  SHA256: 88F0E55BE41422957E8F4FEC8CAF0F9ED4E68D1F0290171BA8F4BD26C19FA17D
6448  7z.exe  C:\Program Files\7-Zip\descript.ion  (text)
  MD5: EB7E322BDC62614E49DED60E0FB23845
  SHA256: 1DA513F5A4E8018B9AE143884EB3EAF72454B606FD51F2401B7CFD9BE4DBBF4F
6448  7z.exe  C:\Program Files\7-Zip\Lang\an.txt  (text)
  MD5: F16218139E027338A16C3199091D0600
  SHA256: 3AB9F7AACD38C4CDE814F86BC37EEC2B9DF8D0DDDB95FC1D09A5F5BCB11F0EEB
6448  7z.exe  C:\Program Files\7-Zip\Lang\cy.txt  (text)
  MD5: 6BDF25354B531370754506223B146600
  SHA256: 470EAF5E67F5EAD5B8C3ECC1B5B21B29D16C73591EB0047B681660346E25B3FB
6448  7z.exe  C:\Program Files\7-Zip\Lang\az.txt  (text)
  MD5: 3C297FBE9B1ED5582BEABFC112B55523
  SHA256: 055EC86AED86ABBDBD52D8E99FEC6E868D073A6DF92C60225ADD16676994C314
6448  7z.exe  C:\Program Files\7-Zip\History.txt  (text)
  MD5: 553A02739D516379833451440076F884
  SHA256: 83B1AE6D3486C2653766A28806AC110C9A0AFDE17020CA6AA0B7550A2F10E147
6448  7z.exe  C:\Program Files\7-Zip\Lang\ar.txt  (text)
  MD5: 5747381DC970306051432B18FB2236F2
  SHA256: 85A26C7B59D6D9932F71518CCD03ECEEBA42043CB1707719B72BFC348C1C1D72
6448  7z.exe  C:\Program Files\7-Zip\Lang\af.txt  (text)
  MD5: DF216FAE5B13D3C3AFE87E405FD34B97
  SHA256: 9CF684EA88EA5A479F510750E4089AEE60BBB2452AA85285312BAFCC02C10A34
6448  7z.exe  C:\Program Files\7-Zip\7-zip.chm  (binary)
  MD5: B79894FBEE3C882C3EFC71FF3D4A21BB
  SHA256: 2D55CA494A8B6DCC739D84BDD112F5C50D612F8ABF409C9FB5F2B5C2C84C37A0
6448  7z.exe  C:\Program Files\7-Zip\Lang\be.txt  (text)
  MD5: B1DD654E9D8C8C1B001F7B3A15D7B5D3
  SHA256: 32071222AF04465A3D98BB30E253579AA4BECEAEB6B21AC7C15B25F46620BF30
HTTP(S) requests: 10
TCP/UDP connections: 48
DNS requests: 27
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
904 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6340 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4124 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6340 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7108 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
904 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1224 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
904 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
904 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3160 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
904 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.23
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 23.219.150.101
whitelisted
google.com
  • 142.250.186.46
whitelisted
www.bing.com
  • 2.16.204.135
  • 2.16.204.148
  • 2.16.204.141
  • 23.15.178.226
  • 23.15.178.200
  • 23.15.178.147
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.130
  • 40.126.31.73
  • 20.190.159.129
  • 40.126.31.130
  • 40.126.31.0
  • 20.190.159.2
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
github.com
  • 140.82.121.4
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info