File name:

WindowsDefenderATPLocalOnboardingScript.cmd

Full analysis: https://app.any.run/tasks/1f304083-0992-424f-9fab-1fa40c0c9a0d
Verdict: Malicious activity
Analysis date: December 21, 2023, 02:22:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

4175609A64DDD910AA2170302DB56647

SHA1:

63F8B7DC86E07669D7538F12B55F428835ED0209

SHA256:

D9116F995D9EA521F470D2CB1F00CB2B9BB4BB0C5667A19D05EDF90309959ABE

SSDEEP:

384:UQ7rqhq6uktLekASPSAHJvDZdkaKgHQmAwAHkrfhmOHu:UQ7rUuktLNrvVdkNw8kjhmOO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2808)
    • Starts Visual C# compiler

      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 3012)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 3012)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2808)
      • net.exe (PID: 2532)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 2884)
      • csc.exe (PID: 3236)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2808)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2808)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 2292)
      • powershell.exe (PID: 3012)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2808)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2808)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2808)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 2808)
      • explorer.exe (PID: 392)
    • Checks supported languages

      • csc.exe (PID: 2884)
      • csc.exe (PID: 3236)
      • cvtres.exe (PID: 2816)
      • cvtres.exe (PID: 3144)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 2884)
      • cvtres.exe (PID: 2816)
      • csc.exe (PID: 3236)
      • cvtres.exe (PID: 3144)
    • Create files in a temporary directory

      • csc.exe (PID: 2884)
      • cvtres.exe (PID: 2816)
      • csc.exe (PID: 3236)
      • cvtres.exe (PID: 3144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
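The indicators above are rule matches over process command lines, and the process table further down records the command lines and exit codes they were derived from. The Python below is an added triage example, not part of the ANY.RUN report: it re-derives those labels from the recorded command lines, extracts the registry keys written by reg.exe for comparison with an allow-list, and decodes the exit codes the report shows. The process records are transcribed from the report's process table (the PowerShell and second reg.exe command lines are shortened to the fragments the rules need); the rule wordings are the report's own labels; the exit-code names are standard Windows values. Note that the report attributes several indicators to the launching cmd.exe (PID 2808), whereas this code attributes each to the process whose own command line matches.

```python
r"""Rule-based triage of the process records in this sandbox report.

Added example, not part of the ANY.RUN report. Re-derives the behavioural
indicators from recorded command lines and decodes the listed exit codes, so
the same logic can be run over EDR process-creation telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str       # image file name, as logged
    cmdline: str
    parent: str
    exit_code: int


# Transcribed from this report's process table. The PowerShell C# source and
# the REG_BINARY hex are omitted; the rules below do not need them.
REPORT_PROCESSES = [
    Proc(124, "cmd.exe",
         r'''C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\WindowsDefenderATPLocalOnboardingScript.cmd" "''',
         "explorer.exe", 3221225786),
    Proc(880, "sc.exe", r'''C:\Windows\System32\sc.exe query "SENSE"''', "cmd.exe", 1060),
    Proc(884, "find.exe", r'''C:\Windows\System32\find.exe /i "RUNNING"''', "cmd.exe", 1),
    Proc(952, "timeout.exe", r'''C:\Windows\System32\timeout.exe 5''', "cmd.exe", 0),
    Proc(1904, "reg.exe",
         r'''C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo"''',
         "cmd.exe", 0),
    Proc(2240, "net.exe", r'''C:\Windows\System32\net.exe session''', "cmd.exe", 0),
    Proc(2292, "powershell.exe",
         r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Add-Type <C# source omitted>; [Elam]::InstallWdBoot($driverPath)"''',
         "cmd.exe", 1),
    Proc(2320, "reg.exe",
         r'''C:\Windows\System32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security /v cb2ff72d-d4e4-585d-33f9-f3a395c40be7 /t REG_BINARY /d <hex omitted> /f''',
         "cmd.exe", 0),
]

# (indicator label as worded in the report, image name, command-line regex)
RULES = [
    ("Changes powershell execution policy (Bypass)", "powershell.exe", r"-ExecutionPolicy\s+Bypass\b"),
    ("The process bypasses the loading of PowerShell profile settings", "powershell.exe", r"-NoProfile\b"),
    ("Starts Visual C# compiler", "powershell.exe", r"\bAdd-Type\b"),
    ("Uses .NET C# to load dll", "powershell.exe", r"\bAdd-Type\b"),
    ("Uses REG/REGEDIT.EXE to modify registry", "reg.exe", r"\breg\.exe\s+(add|delete|import|restore|copy)\b"),
    ("Starts SC.EXE for service management", "sc.exe", r"\bsc\.exe\s+\w+"),
    ("Starts NET.EXE for service management", "net.exe", r"\bnet\.exe\s+\w+"),
    ("Uses TIMEOUT.EXE to delay execution", "timeout.exe", r"\btimeout\.exe\s+(/t\s+)?\d+"),
]

# Exit codes that occur in this report: Win32 errors below 0xC0000000, NTSTATUS above.
EXIT_CODES = {
    0: "ERROR_SUCCESS",
    1: "exit status 1 (find.exe: no line matched; powershell.exe: command failed)",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}


def match_indicators(proc):
    """Report labels whose rule matches this process's own command line."""
    return [label for label, image, pattern in RULES
            if proc.image.lower() == image and re.search(pattern, proc.cmdline, re.I)]


def registry_targets(procs):
    """Keys written with 'reg.exe add', in launch order, for allow-list comparison."""
    keys = []
    for p in procs:
        m = re.search(r'reg\.exe\s+add\s+"?([^"/]+?)"?\s+/v\b', p.cmdline, re.I)
        if m:
            keys.append(m.group(1).strip())
    return keys


def decode_exit_code(code):
    if code in EXIT_CODES:
        return EXIT_CODES[code]
    return "NTSTATUS 0x%08X" % code if code >= 0xC0000000 else "Win32 error %d" % code


def triage(procs):
    """Per-PID summary: image, parent, matched indicators, decoded exit code."""
    return {p.pid: {"image": p.image, "parent": p.parent,
                    "indicators": match_indicators(p),
                    "exit": decode_exit_code(p.exit_code)} for p in procs}


if __name__ == "__main__":
    for pid, info in triage(REPORT_PROCESSES).items():
        print(pid, info["image"], info["exit"], info["indicators"])
    print("registry keys written:", registry_targets(REPORT_PROCESSES))
```

Two results matter for reading this report. Exit code 1060 on `sc query "SENSE"` is ERROR_SERVICE_DOES_NOT_EXIST, so the SENSE service was never present on this Windows 7 guest; that is why the behavior graph shows the sc.exe, find.exe and timeout.exe triple repeating. The outer cmd.exe (PID 124) ends with 3221225786, which is 0xC000013A, STATUS_CONTROL_C_EXIT: it was stopped by a console control event rather than by reaching the end of the script.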
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
75
Monitored processes
36
Malicious processes
1
Suspicious processes
2

Behavior graph

Process launch order (36 monitored processes; in the original rendering every node except the second cmd.exe is marked "no specs", i.e. it carries no indicator of its own):

cmd.exe, explorer.exe, cmd.exe, reg.exe, net.exe, net1.exe, reg.exe, reg.exe, reg.exe, powershell.exe, csc.exe, cvtres.exe, reg.exe, reg.exe, find.exe, sc.exe, net.exe, net1.exe, find.exe, sc.exe, timeout.exe, sc.exe, find.exe, timeout.exe, find.exe, sc.exe, timeout.exe, sc.exe, find.exe, timeout.exe, find.exe, sc.exe, powershell.exe, csc.exe, cvtres.exe, eventcreate.exe

Process information

PID: 124
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\WindowsDefenderATPLocalOnboardingScript.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 392
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 880
CMD: C:\Windows\System32\sc.exe query "SENSE"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060 (ERROR_SERVICE_DOES_NOT_EXIST)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: C:\Windows\System32\find.exe /i "RUNNING"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 900
CMD: C:\Windows\System32\sc.exe query "SENSE"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060 (ERROR_SERVICE_DOES_NOT_EXIST)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 952
CMD: C:\Windows\System32\timeout.exe 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1904
CMD: C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2240
CMD: C:\Windows\System32\net.exe session
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
PID: 2292
CMD: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Add-Type ' using System; using System.IO; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; using System.ComponentModel; public static class Elam{ [DllImport(\"Kernel32\", CharSet=CharSet.Auto, SetLastError=true)] public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); public static void InstallWdBoot(string path) { Console.Out.WriteLine(\"About to call create file on {0}\", path); var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); var handle = stream.SafeFileHandle; Console.Out.WriteLine(\"About to call InstallELAMCertificateInfo on handle {0}\", handle.DangerousGetHandle()); if (!InstallELAMCertificateInfo(handle)) { Console.Out.WriteLine(\"Call failed.\"); throw new Win32Exception(Marshal.GetLastWin32Error()); } Console.Out.WriteLine(\"Call successful.\"); } } '; $driverPath = $env:SystemRoot + '\System32\Drivers\WdBoot.sys'; [Elam]::InstallWdBoot($driverPath) "
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2320
CMD: C:\Windows\System32\reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security /v cb2ff72d-d4e4-585d-33f9-f3a395c40be7 /t REG_BINARY /d 0100048044000000540000000000000014000000020030000200000000001400FF0F120001010000000000051200000000001400E104120001010000000000050B0000000102000000000005200000002002000001020000000000052000000020020000 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
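The REG_BINARY value that PID 2320 writes under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security, keyed by the provider GUID cb2ff72d-d4e4-585d-33f9-f3a395c40be7, is a self-relative security descriptor; that key holds the per-GUID security for WMI/ETW providers. Decoding it is the check a practitioner wants from this entry, because it shows which principals the script grants trace rights to. The Python below is an added example, not part of the ANY.RUN report or of the onboarding script: the hex is transcribed from the command line recorded above, the two-letter SID aliases are the standard SDDL ones, and the names of the WMI/ETW access-right bits are from the author's recollection of the SDK headers, not from the page.

```python
r"""Decode the REG_BINARY written to HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security.

Added example, not part of the ANY.RUN report. The value is a self-relative
SECURITY_DESCRIPTOR, so owner, group and DACL can be recovered offline and
rendered as SDDL.
"""
import struct

# Hex transcribed from the reg.exe command line recorded for PID 2320.
WMI_SECURITY_BLOB = bytes.fromhex(
    "0100048044000000540000000000000014000000"
    "020030000200000000001400FF0F120001010000"
    "000000051200000000001400E104120001010000"
    "000000050B000000010200000000000520000000"
    "2002000001020000000000052000000020020000"
)

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACE_TYPE_LETTER = {0: "A", 1: "D"}          # ACCESS_ALLOWED / ACCESS_DENIED
# SDDL aliases for the well-known SIDs that occur in this descriptor.
SDDL_ALIASES = {"S-1-5-18": "SY", "S-1-5-11": "AU", "S-1-5-32-544": "BA"}
# Access-right bits for WMI provider GUIDs plus the standard rights, as the
# author recalls them from wmistr.h / evntrace.h; verify against the SDK.
GUID_RIGHTS = [
    (0x0001, "WMIGUID_QUERY"), (0x0002, "WMIGUID_SET"),
    (0x0004, "WMIGUID_NOTIFICATION"), (0x0008, "WMIGUID_READ_DESCRIPTION"),
    (0x0010, "WMIGUID_EXECUTE"), (0x0020, "TRACELOG_CREATE_REALTIME"),
    (0x0040, "TRACELOG_CREATE_ONDISK"), (0x0080, "TRACELOG_GUID_ENABLE"),
    (0x0100, "TRACELOG_ACCESS_KERNEL_LOGGER"), (0x0200, "TRACELOG_LOG_EVENT"),
    (0x0400, "TRACELOG_ACCESS_REALTIME"), (0x0800, "TRACELOG_REGISTER_GUIDS"),
    (0x1000, "TRACELOG_JOIN_GROUP"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]


def parse_sid(buf, off):
    """Return (sid_string, byte_length) for the SID at buf[off:]."""
    rev, subcount = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % subcount, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * subcount


def parse_acl(buf, off):
    """Return [(ace_type, ace_flags, access_mask, sid), ...] for the ACL at buf[off:]."""
    acl_rev, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, off)
    if acl_rev not in (2, 4):
        raise ValueError("unexpected ACL revision %d" % acl_rev)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type not in ACE_TYPE_LETTER:       # object ACEs have a different layout
            raise ValueError("unsupported ACE type %d" % ace_type)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        aces.append((ace_type, ace_flags, mask, parse_sid(buf, pos + 8)[0]))
        pos += ace_size
    if pos != off + acl_size:
        raise ValueError("ACL size field does not match its ACEs")
    return aces


def parse_security_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR into a dict."""
    rev, _, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    has_dacl = control & SE_DACL_PRESENT and dacl_off
    return {
        "control": control,
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "dacl": parse_acl(buf, dacl_off) if has_dacl else None,
        "sacl_present": bool(sacl_off),
    }


def to_sddl(sd):
    """Render owner, group and DACL in SDDL (access masks kept as hex)."""
    alias = lambda sid: SDDL_ALIASES.get(sid, sid)
    out = ""
    if sd["owner"]:
        out += "O:" + alias(sd["owner"])
    if sd["group"]:
        out += "G:" + alias(sd["group"])
    if sd["dacl"] is not None:
        out += "D:" + "".join(
            "(%s;%s;0x%x;;;%s)" % (ACE_TYPE_LETTER[t], "" if f == 0 else "0x%x" % f, mask, alias(sid))
            for t, f, mask, sid in sd["dacl"])
    return out


def decode_mask(mask):
    """Names of the access-right bits set in mask, in GUID_RIGHTS order."""
    return [name for bit, name in GUID_RIGHTS if mask & bit]


if __name__ == "__main__":
    sd = parse_security_descriptor(WMI_SECURITY_BLOB)
    print(to_sddl(sd))
    for _, _, mask, sid in sd["dacl"]:
        print(sid, "0x%x" % mask, decode_mask(mask))
```

For this blob the result is O:BAG:BAD:(A;;0x120fff;;;SY)(A;;0x1204e1;;;AU): Administrators own the object, LocalSystem gets the full 0x120FFF mask, and Authenticated Users get 0x1204E1, which under the bit names above is query, create-realtime, create-ondisk, GUID-enable and access-realtime plus READ_CONTROL and SYNCHRONIZE. No SACL is present. When reviewing an onboarding package, compare this SDDL with what the vendor documents for the provider rather than accepting the REG_BINARY on sight.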
Total events
3 596
Read events
3 596
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
9
Text files
7
Unknown types
0

Dropped files

PID 2884, csc.exe: C:\Users\admin\AppData\Local\Temp\gz03qznl\gz03qznl.out (text)
MD5: A92A5031BA852AAC039D2C71C686E12D
SHA256: C21AF3D8B0B760FCBBC6D659321A549A8070CC147480DA7213AB744E2298EAA3

PID 2884, csc.exe: C:\Users\admin\AppData\Local\Temp\gz03qznl\gz03qznl.dll (executable)
MD5: 0145965860F59371C45C5635558B8186
SHA256: 3CED9E06C52B72D45A3D77EEB4D8DB03E96CDDD43BB68DE4A1AC89992F6340A2

PID 2884, csc.exe: C:\Users\admin\AppData\Local\Temp\gz03qznl\CSCF9099B62EB0045A1962F7E370AD557.TMP (binary)
MD5: 7EAAC6B8651547507584729FD4E6E092
SHA256: 1CCBFFF5126D9520A3410D572C7B979E055E45D09B2CF351E04DA03D30EF2E77

PID 3236, csc.exe: C:\Users\admin\AppData\Local\Temp\ywjto02d\ywjto02d.dll (executable)
MD5: ABDF5AFB319DD051AEEB8C336F7DE08D
SHA256: 3F2E100CDF1B98A749D8C0944F427513A141218CB325EDF13AE88D26182DA7A8

PID 2292, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

PID 3144, cvtres.exe: C:\Users\admin\AppData\Local\Temp\RESC88B.tmp (binary)
MD5: 8C125DFADF5B40BB4BEAF087E688CB1A
SHA256: 6AC423A8437FE6F73DF3C8845305D5E74B26C86ED3BD1FA830CE3D3854403DBC

PID 2808, cmd.exe: C:\Windows\temp\senseTmp.txt (text)
MD5: F8C9A563B84277F71A2DE3D8B0B4EB14
SHA256: B5AB3E2A41697D57480637D265F2CF478A06761B6BF317EABC58C35774FA6DE9

PID 3236, csc.exe: C:\Users\admin\AppData\Local\Temp\ywjto02d\ywjto02d.out (text)
MD5: C87E6562BCA2E23F441297B658E5B249
SHA256: 4BD0E1404BFBDE9A72DB453A9137F67B238A1B05AFA7AD5C7C5B18C3AE70A787

PID 3012, powershell.exe: C:\Users\admin\AppData\Local\Temp\ywjto02d\ywjto02d.0.cs (text)
MD5: 84A6F651AD0A14AAED34F5F2BF2E13C3
SHA256: DF011CB6DB54787FCE0311DCC6EC0B0ECCADD07081F60CFC5C15A5F4585E046D

PID 3012, powershell.exe: C:\Users\admin\AppData\Local\Temp\w4nl2gb3.cuc.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID 4, System: 192.168.100.255:137 (NetBIOS name service, subnet broadcast); domain, ASN and CN not shown; reputation: whitelisted
PID 4, System: 192.168.100.255:138 (NetBIOS datagram service, subnet broadcast); domain, ASN and CN not shown; reputation: whitelisted
PID 1080, svchost.exe: 224.0.0.252:5355 (LLMNR multicast); domain, ASN and CN not shown; reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info