Malware analysis /downloads/advbattoexeconverter.exe Malicious activity

Add for printing

download:	/downloads/advbattoexeconverter.exe
Full analysis:	https://app.any.run/tasks/49399028-cd2c-4996-89bf-3052cae6d214
Verdict:	Malicious activity
Analysis date:	January 11, 2025, 11:01:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	83BB1B476C7143552853A2CF983C1142
SHA1:	8FF8ED5C533D70A7D933EC45264DD700145ACD8C
SHA256:	AF09248CB756488850F9E6F9A7A00149005BF47A9B2087B792FF6BD937297FFB
SSDEEP:	24576:mwEZo54ixhR4ox33t4rTdpdBXsuHqrACpGcaGGSL1EahRV3KCLPqTjqugyDPDTl4:mwEZoqixhR4U33t4r5pdBXsuHqrACpGY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - advbattoexeconverter.exe (PID: 6160)
  - aB2Econv.exe (PID: 7164)
- The process creates files with name similar to system file names
  - advbattoexeconverter.exe (PID: 6160)
- Process drops legitimate windows executable
  - advbattoexeconverter.exe (PID: 6160)
- Creates a software uninstall entry
  - advbattoexeconverter.exe (PID: 6160)
- Searches for installed software
  - advbattoexeconverter.exe (PID: 6160)
- Creates/Modifies COM task schedule object
  - advbattoexeconverter.exe (PID: 6160)
- Reads security settings of Internet Explorer
  - aB2Econv.exe (PID: 7164)
  - ShellExperienceHost.exe (PID: 5548)
- Starts CMD.EXE for commands execution
  - test.exe (PID: 6968)
  - cmd.exe (PID: 6268)
- Executing commands from a ".bat" file
  - test.exe (PID: 6968)
  - cmd.exe (PID: 6268)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 6640)
INFO
- Create files in a temporary directory
  - advbattoexeconverter.exe (PID: 6160)
  - setupinf.exe (PID: 6820)
  - aB2Econv.exe (PID: 7164)
  - test.exe (PID: 6968)
- Checks supported languages
  - advbattoexeconverter.exe (PID: 6160)
  - setupinf.exe (PID: 6820)
  - aB2Econv.exe (PID: 7164)
  - test.exe (PID: 6968)
  - mode.com (PID: 3840)
  - ShellExperienceHost.exe (PID: 5548)
- Creates files in the program directory
  - advbattoexeconverter.exe (PID: 6160)
- The sample compiled with english language support
  - advbattoexeconverter.exe (PID: 6160)
- Reads the computer name
  - advbattoexeconverter.exe (PID: 6160)
  - setupinf.exe (PID: 6820)
  - aB2Econv.exe (PID: 7164)
  - ShellExperienceHost.exe (PID: 5548)
- Manual execution by a user
  - aB2Econv.exe (PID: 7164)
  - firefox.exe (PID: 5548)
  - test.exe (PID: 2976)
  - test.exe (PID: 6968)
- Creates files or folders in the user directory
  - advbattoexeconverter.exe (PID: 6160)
- Application launched itself
  - firefox.exe (PID: 5548)
  - firefox.exe (PID: 3820)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 3840)
- Creates a new folder
  - cmd.exe (PID: 6388)
  - cmd.exe (PID: 6664)
- Sends debugging messages
  - ShellExperienceHost.exe (PID: 5548)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.3)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2006:04:05 08:55:39+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	3584
InitializedDataSize:	94720
UninitializedDataSize:	-
EntryPoint:	0x1226
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

169

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1476

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 6 -isForBrowser -prefsHandle 5624 -prefMapHandle 5164 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1256 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4474e297-3b8b-47c7-9cc8-f8a166c2b442} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2695844b850 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll

1544

C:\WINDOWS\system32\cmd.exe /c if exist "C:\Users\admin\AppData\Local\Temp\wtmpd\tmp65434.exe" del "C:\Users\admin\AppData\Local\Temp\wtmpd\tmp65434.exe"

C:\Windows\SysWOW64\cmd.exe

—

test.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1596

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab237bb8-d10e-4a99-a5fd-04dda4475658} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 26953e12910 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll

2756

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -childID 2 -isForBrowser -prefsHandle 4316 -prefMapHandle 4312 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1256 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8b92ecc-dea0-492f-83ee-7f980f7fd3ba} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 26953c3aa10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll

2976

"C:\Users\admin\Desktop\test.exe"

C:\Users\admin\Desktop\test.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\test.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3040

attrib +h C:\Users\admin\AppData\Local\Temp\wtmpd

C:\Windows\SysWOW64\attrib.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Attribute Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3420

C:\WINDOWS\system32\cmd.exe /c title Window Title

C:\Windows\SysWOW64\cmd.exe

—

test.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3820

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3828

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 7 -isForBrowser -prefsHandle 4880 -prefMapHandle 5008 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1256 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac074158-1d16-44be-898b-89ddfef16fac} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2695253d150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll

3840

mode con:cols=0120 lines=0030

C:\Windows\SysWOW64\mode.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

DOS Device MODE Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\mode.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

30 961

Read events

30 800

Write events

149

Delete events

Modification events


(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced BAT to EXE Converter v4.61
Operation:	write	Name:	UninstallString
Value: C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.exe
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced BAT to EXE Converter v4.61
Operation:	write	Name:	DisplayName
Value: Advanced BAT to EXE Converter v4.61
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced BAT to EXE Converter v4.61
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.exe
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Apartment
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\InprocServer32
Operation:	delete value	Name:	ThreadingModel
Value:
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\InprocServer32
Operation:	delete value	Name:	ThreadingModel
Value:
(PID) Process:	(6160) advbattoexeconverter.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib
Operation:	write	Name:	Version
Value: 1.2

Add for printing

Executable files

Suspicious files

204

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6160	advbattoexeconverter.exe	C:\Users\admin\AppData\Local\Temp\gentee00\1Default.bmp		binary
		MD5:0895D223FA59A94BED73D25D1CB5AF70	SHA256:53228A7C924889D300C7FFE9BAA1879EE94BD9B4286E84B7B29F870E9567B82D
6160	advbattoexeconverter.exe	C:\Users\admin\AppData\Local\Temp\gentee00\setup_temp.gea		bs
		MD5:3DC143330890C13033E4E3F6E0EBA0A9	SHA256:3198B133043C225DAEE8BDDD1D77CD24D846BA53D03FBBB9245DA7DD45BC465D
6160	advbattoexeconverter.exe	C:\Users\admin\AppData\Local\Temp\gentee00\gentee.dll		executable
		MD5:30439E079A3D603C461D2C2F4F8CB064	SHA256:D6D0535175FB2302E5B5A498119823C37F6BDDFF4AB24F551AA7E038C343077A
6160	advbattoexeconverter.exe	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\aB2Econv.exe		executable
		MD5:4F5F276DF265153C6C3BDA4B10C838E5	SHA256:22B70FBDFE95B036540759EA2DA2C80D43E8B332E0E600BB867BEBCE8BFBAE04
6160	advbattoexeconverter.exe	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex11.bat		text
		MD5:E07DD8911576E961B581E772255B44A9	SHA256:AD42027347C23BA936F54B6156461CE013DAF0A6C00AB0924037F69F44477EEA
6160	advbattoexeconverter.exe	C:\Users\admin\AppData\Local\Temp\gentee00\guig.dll		executable
		MD5:F78EE6369ADA1FB02B776498146CC903	SHA256:F1073319D4868D38E0AE983AD42A00CDC53BE93B31275B4B55AF676976C1AA3F
6160	advbattoexeconverter.exe	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex12.bat		text
		MD5:C80C479A65D8D67B2A7297E2DBC904A1	SHA256:BE86A962F60741B76980D354C3311264004A477151B8E1C01C653B20CF1EE261
6160	advbattoexeconverter.exe	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex13.bat		text
		MD5:DFCEF268A64779EA33D4DE7A52DB2B0B	SHA256:E822AC686AD7B9620F11F774D657136D40447929A937694CAC6034CECBB0DF8B
6160	advbattoexeconverter.exe	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex14.bat		text
		MD5:8499704988EAB25BE5A16C37D7E2D519	SHA256:9D0632CD0920E9A0263519C69B43D187664A6AB0154B0464D1AD353E6E48C3AE
6160	advbattoexeconverter.exe	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex15.bat		text
		MD5:D7FA10992A23BEC2B50D03B3160BE9C5	SHA256:8E5C9880893C77CE0AD6691E660914A29B406F0B833EE440789B210F468AFF51

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

133

DNS requests

147

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3820	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
3820	firefox.exe	POST	200	184.24.77.62:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
3820	firefox.exe	POST	200	184.24.77.62:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
3820	firefox.exe	POST	200	184.24.77.57:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
3820	firefox.exe	POST	200	184.24.77.57:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
3820	firefox.exe	POST	200	142.250.185.195:80	http://o.pki.goog/wr2	unknown	—	—	whitelisted
3820	firefox.exe	POST	200	184.24.77.57:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4300	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
1176	svchost.exe	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 52.185.211.133	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.51 2.16.164.18 2.16.164.9	whitelisted
www.microsoft.com	2.23.246.101 184.30.21.171	whitelisted
google.com	142.250.186.174	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
login.live.com	20.190.160.17 40.126.32.138 40.126.32.133 40.126.32.74 20.190.160.20 20.190.160.22 40.126.32.134 40.126.32.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	2.23.242.9	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

/downloads/advbattoexeconverter.exe

83BB1B476C7143552853A2CF983C1142

8FF8ED5C533D70A7D933EC45264DD700145ACD8C

AF09248CB756488850F9E6F9A7A00149005BF47A9B2087B792FF6BD937297FFB

24576:mwEZo54ixhR4ox33t4rTdpdBXsuHqrACpGcaGGSL1EahRV3KCLPqTjqugyDPDTl4:mwEZoqixhR4U33t4r5pdBXsuHqrACpGY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Process drops legitimate windows executable

Creates a software uninstall entry

Searches for installed software

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Uses ATTRIB.EXE to modify file attributes

INFO

Create files in a temporary directory

Checks supported languages

Creates files in the program directory

The sample compiled with english language support

Reads the computer name

Manual execution by a user

Creates files or folders in the user directory

Application launched itself

Starts MODE.COM to configure console settings

Creates a new folder

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings