File name:

Unhide Files.bat

Full analysis: https://app.any.run/tasks/59aea828-d494-4d7d-86d2-4a42628d81ad
Verdict: Malicious activity
Analysis date: January 24, 2025, 13:50:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

EB0E0C123D2EA9AF6487B8D695EB402F

SHA1:

6730F38A2CC3AF5580532DE53EA1D08E89E88E48

SHA256:

A5C4046BE14907415076E391BAFFCFBAFF7464C234359CEE3CA0A0C0B1C8F25A

SSDEEP:

12288:toCUCQOeTiqKunM9RFm6D5jKMW5tkox9P1MptUek2T1qKe6hjjZtzQ41OyR5cyEW:toCU1OeTiRunsLBD5jK1Llx9P1itxk2n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 5392)
      • eng.exe (PID: 3040)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 5392)
      • eng.exe (PID: 3040)

    • Application launched itself

      • cmd.exe (PID: 5392)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5392)

    • Starts a Microsoft application from unusual location

      • eng.exe (PID: 3040)
      • rf.exe (PID: 524)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5392)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • eng.exe (PID: 3040)

    • Reads data from a binary Stream object (SCRIPT)

      • eng.exe (PID: 3040)

    • Reads data from a file (SCRIPT)

      • eng.exe (PID: 3040)

    • Writes binary data to a Stream object (SCRIPT)

      • eng.exe (PID: 3040)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • eng.exe (PID: 3040)

    • Saves data to a binary file (SCRIPT)

      • eng.exe (PID: 3040)

    • Checks whether a specific file exists (SCRIPT)

      • eng.exe (PID: 3040)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5392)

    • Reads the date of Windows installation

      • eng.exe (PID: 3040)

    • Runs shell command (SCRIPT)

      • eng.exe (PID: 3040)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5392)

  • INFO

    • Reads Environment values

      • eng.exe (PID: 3040)

    • The sample compiled with english language support

      • cmd.exe (PID: 5392)

    • Manual execution by a user

      • cmd.exe (PID: 5392)

    • Create files in a temporary directory

      • eng.exe (PID: 3040)

    • Checks supported languages

      • eng.exe (PID: 3040)
      • rf.exe (PID: 524)

    • Process checks computer location settings

      • eng.exe (PID: 3040)

    • Reads the computer name

      • rf.exe (PID: 524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
13
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start openwith.exe no specs cmd.exe conhost.exe no specs eng.exe attrib.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs reg.exe no specs ping.exe no specs rf.exe no specs ping.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
524"C:\Users\admin\AppData\Local\Temp\rlgms20287\rf.exe" rlcC:\Users\admin\AppData\Local\Temp\rlgms20287\rf.exeeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rlgms20287\rf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2136C:\WINDOWS\system32\cmd.exe /c REG QUERY HKCU\SOFTWARE\btC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
2424ping 127.0.0.1 -n 2 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
2796ping 127.0.0.1 -n 2 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
3040"C:\Users\admin\AppData\Local\Temp\rlgms20287\eng.exe" "C:\Users\admin\AppData\Local\Temp\rlgms20287\sk.js"C:\Users\admin\AppData\Local\Temp\rlgms20287\eng.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\users\admin\appdata\local\temp\rlgms20287\eng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4576REG QUERY HKCU\SOFTWARE\btC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
4628attrib * -h -s /d C:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
5244attrib * -s /d C:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
5300reg add "HKCU\SOFTWARE\bt" /v gp /t REG_SZ /d 13:5 /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
5392C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Unhide Files.bat" "C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events
1 815
Read events
1 812
Write events
3
Delete events
0

Modification events

(PID) Process:(3040) eng.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000062B06A59D2B415429F74E9109B0A815342020000
(PID) Process:(3040) eng.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\eng.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
D216140000000000
(PID) Process:(5300) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\bt
Operation:writeName:gp
Value:
13:5
Executable files
2
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
5392cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms20287\sk.jstext
MD5:3ABAFFE780DACFD3C83A6D79D3456CD1
SHA256:1D16BCFDCC3ACBD37D4E39E07DF2FA6F496FB4B9998D6F1D83C5E076860AFC6B
5392cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms20287\eng.exeexecutable
MD5:A69259A7C57367D07930169A86006130
SHA256:4173FC5A6864F03AB021823CD0F2F085BA85B3A9B1E37A2094798FC099507523
5392cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms20287\unrf.dllbinary
MD5:EB0E0C123D2EA9AF6487B8D695EB402F
SHA256:A5C4046BE14907415076E391BAFFCFBAFF7464C234359CEE3CA0A0C0B1C8F25A
3040eng.exeC:\Users\admin\AppData\Local\Temp\rlgms20287\rf.exeexecutable
MD5:A6C776F57B289B97DDF353C32776A4AE
SHA256:686467F75A5C0A056ABA4614AA42E404FE9535D3DE98806AD8C059C582F55716
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
26
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5472
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
DE
binary
471 b
whitelisted
6776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
6776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
3508
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6776
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6776
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6776
SIHClient.exe
20.242.39.171:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.75
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Unhide Files.bat