File name: WindowsDefenderATPLocalOnboardingScript.cmd
Full analysis: https://app.any.run/tasks/1f304083-0992-424f-9fab-1fa40c0c9a0d
Verdict: Malicious activity
Analysis date: December 21, 2023, 02:22:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines, with CRLF, LF line terminators
MD5: 4175609A64DDD910AA2170302DB56647
SHA1: 63F8B7DC86E07669D7538F12B55F428835ED0209
SHA256: D9116F995D9EA521F470D2CB1F00CB2B9BB4BB0C5667A19D05EDF90309959ABE
SSDEEP: 384:UQ7rqhq6uktLekASPSAHJvDZdkaKgHQmAwAHkrfhmOHu:UQ7rUuktLNrvVdkNw8kjhmOO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Changes powershell execution policy (Bypass)
      • cmd.exe (PID: 2808)
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 3012)
    • Starts Visual C# compiler
      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 3012)
    • Drops the executable file immediately after the start
      • csc.exe (PID: 2884)
      • csc.exe (PID: 3236)
    • Starts NET.EXE for service management
      • cmd.exe (PID: 2808)
      • net.exe (PID: 2532)
  • SUSPICIOUS
    • Uses REG/REGEDIT.EXE to modify registry
      • cmd.exe (PID: 2808)
    • Starts POWERSHELL.EXE for commands execution
      • cmd.exe (PID: 2808)
    • Uses .NET C# to load dll
      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 3012)
    • The process bypasses the loading of PowerShell profile settings
      • cmd.exe (PID: 2808)
    • Starts SC.EXE for service management
      • cmd.exe (PID: 2808)
    • Uses TIMEOUT.EXE to delay execution
      • cmd.exe (PID: 2808)
  • INFO
    • Manual execution by a user
      • explorer.exe (PID: 392)
      • cmd.exe (PID: 2808)
    • Checks supported languages
      • csc.exe (PID: 2884)
      • cvtres.exe (PID: 2816)
      • csc.exe (PID: 3236)
      • cvtres.exe (PID: 3144)
    • Reads the machine GUID from the registry
      • csc.exe (PID: 2884)
      • cvtres.exe (PID: 2816)
      • csc.exe (PID: 3236)
      • cvtres.exe (PID: 3144)
    • Create files in a temporary directory
      • csc.exe (PID: 2884)
      • cvtres.exe (PID: 2816)
      • csc.exe (PID: 3236)
      • cvtres.exe (PID: 3144)
No Malware configuration.
All screenshots are available in the full report
Total processes: 75
Monitored processes: 36
Malicious processes: 1
Suspicious processes: 2

Behavior graph (process start order, as recorded by the sandbox)

cmd.exe, explorer.exe, cmd.exe, reg.exe, net.exe, net1.exe, reg.exe, reg.exe, reg.exe, powershell.exe, csc.exe, cvtres.exe, reg.exe, reg.exe, find.exe, sc.exe, net.exe, net1.exe, find.exe, sc.exe, timeout.exe, sc.exe, find.exe, timeout.exe, find.exe, sc.exe, timeout.exe, sc.exe, find.exe, timeout.exe, find.exe, sc.exe, powershell.exe, csc.exe, cvtres.exe, eventcreate.exe

The repeated sc.exe / find.exe / timeout.exe groups are the script polling the SENSE service state (sc query "SENSE" piped through find /i "RUNNING", with a 5-second timeout between attempts, per the process details below). The two powershell.exe / csc.exe / cvtres.exe groups are Add-Type compiling inline C# into a temporary DLL, which is what the "Starts Visual C# compiler" and "Drops the executable file" indicators refer to.

Process information

The report lists a subset of the 36 monitored processes. The initial cmd.exe (PID 124) runs at MEDIUM integrity; every reg/net/sc/find/timeout/powershell child below reports parent cmd.exe and HIGH integrity, so they were spawned from an elevated cmd.exe instance (the indicator list attributes them to cmd.exe PID 2808).

PID: 124
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\WindowsDefenderATPLocalOnboardingScript.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 392
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 880
CMD: C:\Windows\System32\sc.exe query "SENSE"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST: no SENSE service is installed on this Windows 7 guest, so the script's polling loop never sees it RUNNING)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: C:\Windows\System32\find.exe /i "RUNNING"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 1 (no input line matched "RUNNING")
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 900
CMD: C:\Windows\System32\sc.exe query "SENSE"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 952
CMD: C:\Windows\System32\timeout.exe 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1904
CMD: C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2240
CMD: C:\Windows\System32\net.exe session
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0 (net session only succeeds in an elevated context; the script uses it as an administrator check, not for service management)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
PID: 2292
CMD: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Add-Type ' using System; using System.IO; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; using System.ComponentModel; public static class Elam{ [DllImport(\"Kernel32\", CharSet=CharSet.Auto, SetLastError=true)] public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); public static void InstallWdBoot(string path) { Console.Out.WriteLine(\"About to call create file on {0}\", path); var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); var handle = stream.SafeFileHandle; Console.Out.WriteLine(\"About to call InstallELAMCertificateInfo on handle {0}\", handle.DangerousGetHandle()); if (!InstallELAMCertificateInfo(handle)) { Console.Out.WriteLine(\"Call failed.\"); throw new Win32Exception(Marshal.GetLastWin32Error()); } Console.Out.WriteLine(\"Call successful.\"); } } '; $driverPath = $env:SystemRoot + '\System32\Drivers\WdBoot.sys'; [Elam]::InstallWdBoot($driverPath) "
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Images:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

The inline C# is compiled by Add-Type (hence the csc.exe and cvtres.exe children and the temporary .cs/.cmdline/.dll files) and P/Invokes Kernel32!InstallELAMCertificateInfo on a read handle to WdBoot.sys, the Windows Defender early-launch anti-malware driver. That export exists only on Windows 8 and later, so on this Windows 7 guest the call cannot succeed, which is consistent with the exit code of 1. The -ExecutionPolicy Bypass and -NoProfile switches are what trigger the sandbox's execution-policy and profile-bypass indicators.
PID: 2320
CMD: C:\Windows\System32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security /v cb2ff72d-d4e4-585d-33f9-f3a395c40be7 /t REG_BINARY /d 0100048044000000540000000000000014000000020030000200000000001400FF0F120001010000000000051200000000001400E104120001010000000000050B0000000102000000000005200000002002000001020000000000052000000020020000 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Images:
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
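The REG_BINARY value that reg.exe (PID 2320) writes under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security is a self-relative SECURITY_DESCRIPTOR for the GUID named in the command line; decoding it tells you which principals the script allows to control that WMI/ETW GUID, which is the question an analyst triaging this report actually has. The Python below is an added example and is not part of the ANY.RUN report or of Microsoft's onboarding script. It parses the descriptor byte for byte using the documented SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER and SID layouts, names the access-mask bits with the WMI/TRACELOG rights from wmistr.h and evntrace.h, and maps the three SIDs that occur to their usual names through a small lookup table (an assumption of the example; any other SID is printed raw). SD_HEX is copied verbatim from the command line above; every function name is the example's own.

```python
"""Decode the self-relative SECURITY_DESCRIPTOR written by the script under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security (reg.exe, PID 2320).
Added example, not from the ANY.RUN report or Microsoft's script. Layouts per
winnt.h (SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER, SID); right names per
wmistr.h, evntrace.h and winnt.h."""
import struct

# REG_BINARY data copied verbatim from the report's reg.exe command line.
SD_HEX = (
    "0100048044000000540000000000000014000000"
    "020030000200000000001400FF0F120001010000"
    "000000051200000000001400E104120001010000"
    "000000050B000000010200000000000520000000"
    "2002000001020000000000052000000020020000"
)

# Assumed names for the well-known SIDs that occur here; other SIDs print raw.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# WMI/ETW GUID-specific rights (low word) and standard rights (high word).
RIGHT_NAMES = {
    0x0001: "WMIGUID_QUERY", 0x0002: "WMIGUID_SET", 0x0004: "WMIGUID_NOTIFICATION",
    0x0008: "WMIGUID_READ_DESCRIPTION", 0x0010: "WMIGUID_EXECUTE",
    0x0020: "TRACELOG_CREATE_REALTIME", 0x0040: "TRACELOG_CREATE_ONDISK",
    0x0080: "TRACELOG_GUID_ENABLE", 0x0100: "TRACELOG_ACCESS_KERNEL_LOGGER",
    0x0200: "TRACELOG_LOG_EVENT", 0x0400: "TRACELOG_ACCESS_REALTIME",
    0x0800: "TRACELOG_REGISTER_GUIDS", 0x1000: "TRACELOG_JOIN_GROUP",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000


def describe_mask(mask):
    """Name every set bit of an access mask; unknown bits are kept as hex."""
    names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
    leftover = mask & ~sum(RIGHT_NAMES)
    if leftover:
        names.append("0x%08X" % leftover)
    return names


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities. Returns (sid, end)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), off + 8 + 4 * count


def parse_acl(buf, off):
    """ACL header (rev, sbz1, size, ace count, sbz2), then ACEs: ACE_HEADER
    (type, flags, size), 32-bit mask, and for the simple ACE types a SID."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid = None  # object/callback ACEs carry extra fields before the SID
        if ace_type in ACE_TYPES:
            sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, "0x%02X" % ace_type),
                     "flags": flags, "sid": sid,
                     "name": WELL_KNOWN_SIDS.get(sid, sid),
                     "mask": mask, "rights": describe_mask(mask)})
        pos += ace_size  # AceSize is authoritative, so unknown types are skipped
    return aces


def parse_sd(hexstr):
    """Parse a revision-1 self-relative security descriptor from a hex string."""
    buf = bytes.fromhex(hexstr)
    rev, _sbz1, control, owner_off, group_off, sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else None,
        "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else None,
    }


def summarize(sd):
    """Header line plus one line per DACL ACE: type, principal, mask, rights."""
    lines = ["Owner: %s  Group: %s  Control: 0x%04X" % (
        WELL_KNOWN_SIDS.get(sd["owner"], sd["owner"]),
        WELL_KNOWN_SIDS.get(sd["group"], sd["group"]), sd["control"])]
    for ace in sd["dacl"] or []:
        lines.append("%s %s 0x%08X: %s" % (ace["type"], ace["name"], ace["mask"],
                                           ", ".join(ace["rights"])))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_sd(SD_HEX))))
```

Run against the value from the report it yields: Control 0x8004 (SE_SELF_RELATIVE | SE_DACL_PRESENT), owner and group S-1-5-32-544 (BUILTIN\Administrators), no SACL, and a DACL of two ACCESS_ALLOWED ACEs: S-1-5-18 (SYSTEM) with mask 0x00120FFF, i.e. every WMIGUID_* and TRACELOG_* right except TRACELOG_JOIN_GROUP plus READ_CONTROL and SYNCHRONIZE, and S-1-5-11 (Authenticated Users) with mask 0x001204E1, i.e. WMIGUID_QUERY, TRACELOG_CREATE_REALTIME, TRACELOG_CREATE_ONDISK, TRACELOG_GUID_ENABLE and TRACELOG_ACCESS_REALTIME plus READ_CONTROL and SYNCHRONIZE. Any authenticated user may therefore enable and consume that GUID, which is worth knowing when comparing an onboarded host's live value under the same key against what the script is supposed to set.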
Total events: 3 596
Read events: 3 596
Write events: 0
Delete events: 0

Modification events: no data
Executable files: 2
Suspicious files: 9
Text files: 7
Unknown types: 0

Dropped files

The gz03qznl and ywjto02d directories are the temporary compilation folders that Add-Type creates for the two powershell.exe instances: the .cs source, the .cmdline compiler arguments, the .out compiler output and the resulting .dll. senseTmp.txt is written by the batch script itself.

PID 2292 (powershell.exe): C:\Users\admin\AppData\Local\Temp\gz03qznl\gz03qznl.cmdline (text)
  MD5: AA2865FE03F81D2F67C5EE12FDEFD0E7
  SHA256: D2D8CD7F2203CE52DA20E798B288C48EE9168F87BF0CC1836AF47B77F945816A
PID 2816 (cvtres.exe): C:\Users\admin\AppData\Local\Temp\RES7868.tmp (binary)
  MD5: 33FF5A8D38FF2A4D6C720487B99EE4AA
  SHA256: EF1DCEFE6D5E5985B5ECB30EEE588D705FE16A80EBF91F1E795B52E8D5155955
PID 2884 (csc.exe): C:\Users\admin\AppData\Local\Temp\gz03qznl\gz03qznl.dll (executable)
  MD5: 0145965860F59371C45C5635558B8186
  SHA256: 3CED9E06C52B72D45A3D77EEB4D8DB03E96CDDD43BB68DE4A1AC89992F6340A2
PID 2292 (powershell.exe): C:\Users\admin\AppData\Local\Temp\4ucjw4k2.erc.psm1 (binary)
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256:
PID 2884 (csc.exe): C:\Users\admin\AppData\Local\Temp\gz03qznl\CSCF9099B62EB0045A1962F7E370AD557.TMP (binary)
  MD5: 7EAAC6B8651547507584729FD4E6E092
  SHA256: 1CCBFFF5126D9520A3410D572C7B979E055E45D09B2CF351E04DA03D30EF2E77
PID 3012 (powershell.exe): C:\Users\admin\AppData\Local\Temp\ywjto02d\ywjto02d.cmdline (text)
  MD5: 25DCA22A634DCE40F3BB2D237ED08749
  SHA256: 63F481C8D588588C75899F5913357457B6C1D254D9B22E48AD48EA6EE36EE32E
PID 2292 (powershell.exe): C:\Users\admin\AppData\Local\Temp\gz03qznl\gz03qznl.0.cs (text)
  MD5: 6FD55E9D12CD585CEFD6D0281E8B1702
  SHA256: A35C0F7E148CFDE26A37CCF1B4EA65107BC175B789AB9174A593EDA8ECE9A59F
PID 2884 (csc.exe): C:\Users\admin\AppData\Local\Temp\gz03qznl\gz03qznl.out (text)
  MD5: A92A5031BA852AAC039D2C71C686E12D
  SHA256: C21AF3D8B0B760FCBBC6D659321A549A8070CC147480DA7213AB744E2298EAA3
PID 2292 (powershell.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
PID 2808 (cmd.exe): C:\Windows\temp\senseTmp.txt (text)
  MD5: F8C9A563B84277F71A2DE3D8B0B4EB14
  SHA256: B5AB3E2A41697D57480637D265F2CF478A06761B6BF317EABC58C35774FA6DE9
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4 (System): 192.168.100.255:137, reputation whitelisted
PID 4 (System): 192.168.100.255:138, reputation whitelisted
PID 1080 (svchost.exe): 224.0.0.252:5355, reputation unknown

No domain, ASN or CN is recorded for any of these. They are NetBIOS name-service and datagram broadcasts (UDP 137/138) and an LLMNR multicast (224.0.0.252:5355) from System and svchost.exe, i.e. ordinary local-network background traffic of the guest, not connections made by the script's process tree; the script itself generated no HTTP or DNS activity during the run.

DNS requests: no data

Threats: no threats detected

No debug info