Field | Value
---|---
File name | csgo.bat
Full analysis | https://app.any.run/tasks/9d5f37de-f594-4f56-a84c-663b0cab0959
Verdict | Malicious activity
Analysis date | January 28, 2024, 16:52:45
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/x-msdos-batch
File info | DOS batch file, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5 | F830836B6950F014B76DEC1B61A5CA55
SHA1 | DEC9B0FFFE9E6B3CEFDF321448DC42833E0D2272
SHA256 | BCC003493793575FCDE2FFAC00A4DBBD2E4C74C751E4E1854193D9B80F1D057D
SSDEEP | 48:9wxRXOcbpJYWR7IrBv2P9L0gY/ED2O9fRHCSlh0Wwwm:IfMWYBulgs9jM

PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2632 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\csgo.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1036 | curl -o image.jpg https://lh3.googleusercontent.com/pw/ABLVV86bvjxlOuoigzzqAuY5rM2m6x4HNzPyxjk-OV73OpY7DH1Bw3UXS3jlxHME8in2_kmu7xYj2w1QLXx639CLrl6JfKVRU3beYagADK0smQSoQhAJ7W2uH6k4yt6nYbK5IvBxMn4_arcqRf_YuHxiHgRzBdPtw0CVhOVvLqmbqrSktNF07iYaWOvOuGf5twoLXaZGHkp0iDC4gzYVc7JV6mpZ0V6975gQCvpy5IABzLx9P880-c14XhP7ch8TXdh2CjLMm2lLVm-1Xpx-s2vnbL1xJd7vJBPYvvR5YrJg4y4BbO5C7P0nMndCiNUInqY1OJQAlZ_gpCi9aY6rjJUta-HVbfBmUibkVBntEpjfyYaL7Lw-7IyRLHdkUjfgvJnAlZ2xIgcTswc0ErmOF1OADV3ssU68lsJM_srzYfcelgq79xEj8gC6aHbp9xuinP9msp6vlAqgKYzgKqfOQK-GvJ74M58_cjjRLuVGlp5Hmf9eGpJKhzQXdlL4QUN09L8F34804qUbmpj1PRTjPYNreHtHX3sLXbzdYAWWPhYUQ6OMy9BDLZ-D4tnh-UDr8YGesoI29X2ZHMB7aCn0amUEYclCie2dhU2BSTTjQn7vufhj1vBjENP2WgvPmFRxrtA8MSfK_XBKcNBakmzGMNuOsLswMqH6mzCOpdkGDs_mVhmfSCvOi_agpX6oIXkxYmFi60qB9UDedD1lmAcSVOeQbzkBOWZKlhRpcYIjSh4oMhLJ1Q4sbgWkwtamD31M0luTf7lRgJjrdi6haiIRAcjliCb6akZnzIZSWAhWnMNy3tDEA6eZ1YU0J2pvysV1WSMnXqwkrVHh1Y2ZccpJQM5CQjV9E_L4x_kVVvOV4KB6fYuXhEFHJQX3oStI7IM-FYyA5FimS72SFuNk6a--1kcIq_lK=w626-h368-s-no-gm?authuser=0 | C:\Windows\System32\curl.exe | | cmd.exe | admin | curl, https://curl.se/ | MEDIUM | The curl executable | 0 | 8.5.0
2052 | rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,@desk.cpl,1 | C:\Windows\System32\rundll32.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
876 | reg add "HKCU\Control Panel\Desktop" /v NoDesktopBackground /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2592 | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "image.jpg" /f | C:\Windows\System32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
1880 | reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_DWORD /d 2 /f | C:\Windows\System32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2484 | reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2388 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | COM Surrogate | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
696 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\csgo.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1112 | curl -o image.jpg https://lh3.googleusercontent.com/pw/ABLVV86bvjxlOuoigzzqAuY5rM2m6x4HNzPyxjk-OV73OpY7DH1Bw3UXS3jlxHME8in2_kmu7xYj2w1QLXx639CLrl6JfKVRU3beYagADK0smQSoQhAJ7W2uH6k4yt6nYbK5IvBxMn4_arcqRf_YuHxiHgRzBdPtw0CVhOVvLqmbqrSktNF07iYaWOvOuGf5twoLXaZGHkp0iDC4gzYVc7JV6mpZ0V6975gQCvpy5IABzLx9P880-c14XhP7ch8TXdh2CjLMm2lLVm-1Xpx-s2vnbL1xJd7vJBPYvvR5YrJg4y4BbO5C7P0nMndCiNUInqY1OJQAlZ_gpCi9aY6rjJUta-HVbfBmUibkVBntEpjfyYaL7Lw-7IyRLHdkUjfgvJnAlZ2xIgcTswc0ErmOF1OADV3ssU68lsJM_srzYfcelgq79xEj8gC6aHbp9xuinP9msp6vlAqgKYzgKqfOQK-GvJ74M58_cjjRLuVGlp5Hmf9eGpJKhzQXdlL4QUN09L8F34804qUbmpj1PRTjPYNreHtHX3sLXbzdYAWWPhYUQ6OMy9BDLZ-D4tnh-UDr8YGesoI29X2ZHMB7aCn0amUEYclCie2dhU2BSTTjQn7vufhj1vBjENP2WgvPmFRxrtA8MSfK_XBKcNBakmzGMNuOsLswMqH6mzCOpdkGDs_mVhmfSCvOi_agpX6oIXkxYmFi60qB9UDedD1lmAcSVOeQbzkBOWZKlhRpcYIjSh4oMhLJ1Q4sbgWkwtamD31M0luTf7lRgJjrdi6haiIRAcjliCb6akZnzIZSWAhWnMNy3tDEA6eZ1YU0J2pvysV1WSMnXqwkrVHh1Y2ZccpJQM5CQjV9E_L4x_kVVvOV4KB6fYuXhEFHJQX3oStI7IM-FYyA5FimS72SFuNk6a--1kcIq_lK=w626-h368-s-no-gm?authuser=0 | C:\Windows\System32\curl.exe | | cmd.exe | admin | curl, https://curl.se/ | MEDIUM | The curl executable | 0 | 8.5.0

PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2052 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
2052 | rundll32.exe | HKEY_CURRENT_USER\Control Panel\Appearance | write | CustomColors | FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00FFFFFF00
2592 | reg.exe | HKEY_CURRENT_USER\Control Panel\Desktop | write | Wallpaper | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
1880 | reg.exe | HKEY_CURRENT_USER\Control Panel\Desktop | write | WallpaperStyle | 10
2484 | reg.exe | HKEY_CURRENT_USER\Control Panel\Desktop | write | TileWallpaper | 0
2388 | dllhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | Explorer.EXE
2388 | dllhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer | write | MainWndPos | 6000000034000000A00400008002000000000000
2620 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
2620 | rundll32.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes | write | CurrentTheme | C:\Users\admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
2620 | rundll32.exe | HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics | write | AppliedDPI | 96

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2620 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme | text | 52BB0C2C84A5CD8CD1A17661929F177A | EAA808B7C52285C0F2D0FFCA4E8A2C3EE9D6A8769457AC8DCAD903AD0B843425
1036 | curl.exe | C:\Users\admin\Desktop\image.jpg | html | D740A12780480CE1F2F4844AD0E8CB4C | C92C16BB2320D2656C02B92C6082F3B34BEAC814505CA665589B98D30A49D2D8

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1036 | curl.exe | 142.250.184.225:443 | lh3.googleusercontent.com | GOOGLE | US | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1112 | curl.exe | 142.250.184.225:443 | lh3.googleusercontent.com | GOOGLE | US | whitelisted |

Domain | IP | Reputation
---|---|---
lh3.googleusercontent.com | | whitelisted