File name:

HoneCtrl.bat

Full analysis: https://app.any.run/tasks/006d62bc-34f2-417f-a620-96712647f930
Verdict: Malicious activity
Analysis date: January 25, 2022, 22:14:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5:

BCDD27350330B4841AF600A1FB01772F

SHA1:

05AA9B55E12536FF3F796A4AE8FF4AF546383739

SHA256:

B746E8EAFA06ED692F69F65CD84D46AE4328E5ABAB031603B71E99E9988389A4

SSDEEP:

768:5rAvUvvvvc0vvg7HS7awsnz44IAsUZqkbJJJJJBVJJJJJU459lnkbJJJJJBVJJJl:5DvQ4VAsUZMBSx7cIU/Omf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 3696)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 3696)

    • Starts CMD.EXE for commands execution

      • runas.exe (PID: 3584)
      • cmd.exe (PID: 3696)

    • Reads Environment values

      • powershell.exe (PID: 2964)
      • vssvc.exe (PID: 3732)

    • Checks supported languages

      • powershell.exe (PID: 1156)
      • cmd.exe (PID: 3696)
      • chcp.com (PID: 2972)
      • powershell.exe (PID: 1820)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 4048)
      • powershell.exe (PID: 2964)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3696)

    • Executed via COM

      • DllHost.exe (PID: 3964)

    • Executed as Windows Service

      • vssvc.exe (PID: 3732)

    • Searches for installed software

      • DllHost.exe (PID: 3964)

    • Reads the computer name

      • powershell.exe (PID: 1820)
      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 1156)

    • Application launched itself

      • cmd.exe (PID: 3696)

    • Reads internet explorer settings

      • reg.exe (PID: 4028)
      • reg.exe (PID: 3304)

  • INFO

    • Checks supported languages

      • runas.exe (PID: 3584)
      • DllHost.exe (PID: 3964)
      • reg.exe (PID: 3340)
      • vssvc.exe (PID: 3732)
      • reg.exe (PID: 4028)
      • reg.exe (PID: 3304)
      • findstr.exe (PID: 488)
      • findstr.exe (PID: 3976)
      • findstr.exe (PID: 1396)
      • findstr.exe (PID: 2520)
      • findstr.exe (PID: 3500)
      • findstr.exe (PID: 496)
      • findstr.exe (PID: 2632)
      • findstr.exe (PID: 372)
      • findstr.exe (PID: 2916)
      • findstr.exe (PID: 2256)
      • findstr.exe (PID: 2896)
      • findstr.exe (PID: 2964)
      • findstr.exe (PID: 3340)
      • findstr.exe (PID: 3128)
      • findstr.exe (PID: 3392)
      • findstr.exe (PID: 3176)
      • findstr.exe (PID: 3536)
      • findstr.exe (PID: 832)
      • findstr.exe (PID: 3296)
      • findstr.exe (PID: 3908)
      • findstr.exe (PID: 3304)
      • findstr.exe (PID: 3068)
      • findstr.exe (PID: 4084)
      • findstr.exe (PID: 3872)
      • findstr.exe (PID: 1660)
      • findstr.exe (PID: 324)
      • findstr.exe (PID: 3348)
      • findstr.exe (PID: 488)
      • findstr.exe (PID: 3920)
      • findstr.exe (PID: 2512)
      • findstr.exe (PID: 2948)
      • findstr.exe (PID: 496)
      • findstr.exe (PID: 2680)
      • findstr.exe (PID: 2056)
      • findstr.exe (PID: 1164)
      • findstr.exe (PID: 1984)
      • findstr.exe (PID: 2952)
      • findstr.exe (PID: 3428)
      • findstr.exe (PID: 1268)
      • findstr.exe (PID: 520)
      • findstr.exe (PID: 3568)
      • findstr.exe (PID: 3276)
      • findstr.exe (PID: 3636)
      • findstr.exe (PID: 3588)
      • findstr.exe (PID: 3092)
      • findstr.exe (PID: 584)
      • findstr.exe (PID: 3972)
      • findstr.exe (PID: 3884)
      • findstr.exe (PID: 3872)
      • findstr.exe (PID: 2444)
      • findstr.exe (PID: 1252)
      • findstr.exe (PID: 960)
      • findstr.exe (PID: 3820)
      • findstr.exe (PID: 2300)
      • findstr.exe (PID: 2624)
      • findstr.exe (PID: 1244)
      • findstr.exe (PID: 2972)
      • findstr.exe (PID: 1976)
      • findstr.exe (PID: 3320)
      • findstr.exe (PID: 2212)
      • findstr.exe (PID: 2436)
      • findstr.exe (PID: 3984)
      • findstr.exe (PID: 2984)
      • findstr.exe (PID: 3164)
      • findstr.exe (PID: 1392)
      • findstr.exe (PID: 2552)
      • findstr.exe (PID: 2776)
      • findstr.exe (PID: 3028)
      • findstr.exe (PID: 1884)
      • findstr.exe (PID: 2076)

    • Reads the computer name

      • DllHost.exe (PID: 3964)
      • runas.exe (PID: 3584)
      • vssvc.exe (PID: 3732)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2964)
      • reg.exe (PID: 4028)
      • reg.exe (PID: 3304)

    • Checks Windows Trust Settings

      • powershell.exe (PID: 1820)
      • reg.exe (PID: 4028)
      • reg.exe (PID: 3304)
      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 1156)

    • Reads mouse settings

      • reg.exe (PID: 4028)
      • reg.exe (PID: 3304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
83
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start runas.exe no specs cmd.exe chcp.com no specs powershell.exe reg.exe no specs powershell.exe no specs DllHost.exe no specs powershell.exe no specs vssvc.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324findstr /v /a:F /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " 3 " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
372findstr /v /a:06 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " ] " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\findstr.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
488findstr /v /a:06 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " [ " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
488findstr /v /a:06 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " ] " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
496findstr /v /a:06 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " [ " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
496findstr /v /a:06 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " ] " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
520findstr /v /a:F /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " 7 " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
584findstr /v /a:F /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " 8 " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
832findstr /v /a:8 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " [ press X to close ]" nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
960findstr /v /a:06 /R "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; " [ " nulC:\Windows\system32\findstr.execmd.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
Total events
10 724
Read events
10 541
Write events
181
Delete events
2

Modification events

(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
0
Suspicious files
8
Text files
76
Unknown types
1

Dropped files

PID
Process
Filename
Type
3964DllHost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2964powershell.exeC:\Users\Administrator\AppData\Local\Temp\2cpn3y0n.dq3.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1156powershell.exeC:\Users\Administrator\AppData\Local\Temp\5z0zs415.dju.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2964powershell.exeC:\Users\Administrator\AppData\Local\Temp\rgdweqik.r01.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2964powershell.exeC:\Users\Administrator\AppData\Local\Temp\Updater.battext
MD5:
SHA256:
3964DllHost.exeC:\System Volume Information\SPP\OnlineMetadataCache\{d2ad2afd-e383-4443-8822-8f3a514fc37b}_OnDiskSnapshotPropbinary
MD5:
SHA256:
3964DllHost.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:
SHA256:
3304reg.exeC:\Users\ADMINI~1\AppData\Local\Temp\REGF46A.tmptext
MD5:
SHA256:
3696cmd.exeC:\Hone\HoneRevert\ ]text
MD5:DF66FA563A2FAFDB93CC559DEB0A38C4
SHA256:3E39ED22DC63246937C4DBBF34CE4FB1CFE6B00DE7596B020CAD49AE50031351
3696cmd.exeC:\Hone\HoneRevert\ [text
MD5:DF66FA563A2FAFDB93CC559DEB0A38C4
SHA256:3E39ED22DC63246937C4DBBF34CE4FB1CFE6B00DE7596B020CAD49AE50031351
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2964
powershell.exe
104.23.98.190:443
pastebin.com
Cloudflare Inc
US
malicious

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.23.98.190
  • 104.23.99.190
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HoneCtrl.bat