File name: InstallIntercept.bat

Full analysis: https://app.any.run/tasks/8eb72715-12ea-4a73-8603-4c4ae496c9cb
Verdict: Malicious activity
Analysis date: May 10, 2023, 20:02:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: D776240211AF3CE4B71E42D416D42BFC
SHA1: AAF722D33BD50EEE766072F9B616A56E53ED2492
SHA256: EB3962BC127C4D24E9FB0C85EDFE79529828BF851F7A9F5C66BE0EAA842388CD
SSDEEP: 48:DegE0OVQ9gE0pqAFTCGxtU9znJ4xxedKG3CByU9eEkbOhS7Y2:DegETcgESqAFWGb0znJ4x073CByhEkbj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify register

      • cmd.exe (PID: 3032)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 3032)
      • verclsid.exe (PID: 3220)
    • Create files in a temporary directory

      • reg.exe (PID: 3916)
      • reg.exe (PID: 4064)
      • reg.exe (PID: 1108)
      • reg.exe (PID: 1228)
      • reg.exe (PID: 2468)
      • reg.exe (PID: 292)
      • reg.exe (PID: 3676)
      • reg.exe (PID: 3080)
      • reg.exe (PID: 3224)
      • reg.exe (PID: 3008)
      • reg.exe (PID: 3272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 75
Monitored processes: 34
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process nodes as listed; "no specs" is the sandbox's label for a node without indicators)

start
cmd.exe (no specs)
net.exe (no specs)
net1.exe (no specs)
verclsid.exe (no specs)
cmd.exe
net.exe (no specs)
net1.exe (no specs)
choice.exe (no specs)
reg.exe (no specs) × 26

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process. The Indicators column is empty for every process listed below.
PID: 292
CMD: reg export "HKEY_CLASSES_ROOT\JSFile\shell\open\command" "RegBackup\JSFile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1108
CMD: reg export "HKEY_CLASSES_ROOT\VBEfile\shell\open\command" "RegBackup\VBEfile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1148
CMD: reg add HKEY_CLASSES_ROOT\*\shell\BatchAntivirus /t REG_SZ /v Icon /d "\"C:\Users\admin\AppData\Local\Temp\Data\icon.ico\"" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1228
CMD: reg export "HKEY_CLASSES_ROOT\VBSFile\shell\open\command" "RegBackup\VBSFile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
PID: 1348
CMD: C:\Windows\system32\net1 session
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\net1.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 2020
CMD: reg add "HKEY_CLASSES_ROOT\exefile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2036
CMD: reg add "HKEY_CLASSES_ROOT\WSFFile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2056
CMD: reg add HKEY_CLASSES_ROOT\*\shell\BatchAntivirus /t REG_SZ /d "Scan with Batch Antivirus" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2280
CMD: reg add "HKEY_CLASSES_ROOT\VBEfile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
PID: 2468
CMD: reg export "HKEY_CLASSES_ROOT\JSEfile\shell\open\command" "RegBackup\JSEfile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
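The reg.exe command lines above show the whole mechanism: the existing (Default) value of HKEY_CLASSES_ROOT\<type>\shell\open\command is exported to RegBackup\<type>_backup.reg, then overwritten with a handler that runs ScanIntercept.bat "%1" %* in place of the file the user double-clicked, and a "Scan with Batch Antivirus" verb is added under HKCR\*\shell so it appears on every file's context menu. The following Python is an added example written for this page; it is not part of the ANY.RUN report or of the sample. It copies those command lines into a constructed list, parses them the way reg.exe would tokenise them (including the \" escapes visible in the report), and classifies each write as a backup, a file-association hijack or a context-menu addition, which is the logic a detection engineer would put behind a rule for MITRE ATT&CK T1546.001 (Change Default File Association). The Windows 7 default handler values named in handler_is_suspicious are assumptions from memory, not taken from this report; verify them against a clean reference image.

```python
import re
from collections import namedtuple

# Constructed sample input: the reg.exe command lines from this report's
# "Process information" section, keyed by PID (a static copy, not a live log).
SAMPLE_EVENTS = [
    (292, r'reg export "HKEY_CLASSES_ROOT\JSFile\shell\open\command" "RegBackup\JSFile_backup.reg" /y'),
    (1108, r'reg export "HKEY_CLASSES_ROOT\VBEfile\shell\open\command" "RegBackup\VBEfile_backup.reg" /y'),
    (1148, r'reg add HKEY_CLASSES_ROOT\*\shell\BatchAntivirus /t REG_SZ /v Icon /d "\"C:\Users\admin\AppData\Local\Temp\Data\icon.ico\"" /f'),
    (1228, r'reg export "HKEY_CLASSES_ROOT\VBSFile\shell\open\command" "RegBackup\VBSFile_backup.reg" /y'),
    (2020, r'reg add "HKEY_CLASSES_ROOT\exefile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f'),
    (2036, r'reg add "HKEY_CLASSES_ROOT\WSFFile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f'),
    (2056, r'reg add HKEY_CLASSES_ROOT\*\shell\BatchAntivirus /t REG_SZ /d "Scan with Batch Antivirus" /f'),
    (2280, r'reg add "HKEY_CLASSES_ROOT\VBEfile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f'),
    (2468, r'reg export "HKEY_CLASSES_ROOT\JSEfile\shell\open\command" "RegBackup\JSEfile_backup.reg" /y'),
]

# pid, verb ("add"/"export"), key (quotes stripped), value name ("" = (Default)),
# data (/d payload for add, output file for export)
RegOp = namedtuple("RegOp", "pid verb key value_name data")
OPEN_CMD_RE = re.compile(r"^(?:HKEY_CLASSES_ROOT|HKCR)\\([^\\]+)\\shell\\open\\command$", re.I)
STAR_SHELL_RE = re.compile(r"^(?:HKEY_CLASSES_ROOT|HKCR)\\\*\\shell\\", re.I)

def split_cmdline(cmd):
    """Split on spaces, honouring double quotes and the \\" escapes reg.exe shows."""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and cmd[i + 1:i + 2] == '"':  # escaped quote: keep a literal "
            cur.append('"')
            i += 1
        elif c == '"':  # bare quote: toggle the split rule, emit nothing
            in_quotes = not in_quotes
        elif c == " " and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args

def parse_reg(pid, cmd):
    """One reg.exe command line -> RegOp, or None if it is not reg add/export."""
    args = split_cmdline(cmd)
    if len(args) < 3 or args[0].lower() not in ("reg", "reg.exe"):
        return None
    verb, key = args[1].lower(), args[2]
    if verb == "export":
        return RegOp(pid, verb, key, "", args[3] if len(args) > 3 else "")
    if verb != "add":
        return None
    value_name, data, i = "", "", 3
    while i < len(args):
        flag, nxt = args[i].lower(), args[i + 1] if i + 1 < len(args) else ""
        if flag == "/v":
            value_name, i = nxt, i + 2
        elif flag == "/d":
            data, i = nxt, i + 2
        else:
            i += 1
    return RegOp(pid, verb, key, value_name, data)

def handler_is_suspicious(handler):
    """True for a shell\\open\\command handler that is neither the file itself ("%1")
    nor under the Windows directory. Assumed Win7 defaults (verify on a clean image):
    "%1" %* for exefile/batfile/cmdfile/comfile, %SystemRoot%\\System32\\WScript.exe
    "%1" %* for the script-host types."""
    h = handler.lower()
    if h in ("", "%1"):
        return False
    return not (h.startswith("%systemroot%\\") or h.startswith("c:\\windows\\"))

def classify(op):
    """Label one RegOp with the technique it implements."""
    m = OPEN_CMD_RE.match(op.key)
    if m and op.verb == "add" and op.value_name == "":
        # (Default) of <type>\shell\open\command replaced: every launch of that
        # file type now runs the new handler, which receives the real file as %1.
        handler = split_cmdline(op.data)[0] if op.data else ""
        return ("association_hijack", m.group(1), handler)
    if m and op.verb == "export":  # original handler saved before the change
        return ("association_backup", m.group(1), op.data)
    if op.verb == "add" and STAR_SHELL_RE.match(op.key):  # HKCR\*\shell\<verb>
        return ("context_menu", op.key.split("\\")[-1], op.data)
    return ("other", op.key, op.data)

def analyse(events):
    """Group (pid, target, detail) findings by technique for a list of (pid, cmdline)."""
    findings = {"association_hijack": [], "association_backup": [],
                "context_menu": [], "other": []}
    for pid, cmd in events:
        op = parse_reg(pid, cmd)
        if op is not None:
            kind, target, detail = classify(op)
            findings[kind].append((pid, target, detail))
    return findings
```

On this report's data analyse() returns three association_hijack rows (exefile, WSFFile, VBEfile, all pointing at C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat, which handler_is_suspicious flags because it lives under the user's Temp directory rather than %SystemRoot%), four association_backup rows and two context_menu rows. The same parse/classify pair can be fed reg.exe command lines from process-creation telemetry (Sysmon Event ID 1 or 4688 with command-line auditing); a rule that fires on reg add to HKCR\<type>\shell\open\command for the types touched here (exefile, batfile, cmdfile, comfile, JSFile, JSEfile, VBSFile, VBEfile, WSFFile) catches the install step regardless of what the script is called, and the association_backup rows tell an incident responder where the original handler values were saved.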
Total events: 476
Read events: 476
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 0
Suspicious files: 0
Text files: 44
Unknown types: 0

Dropped files (PID, process, filename, type, hashes)

PID 4064, reg.exe: C:\Users\admin\AppData\Local\Temp\REG910B.tmp (text)
MD5: 25B38478337951F86EB6CBDE2F30D302
SHA256: FCE55D8DC5A7E836E14E3089714D9081C99FF304CD24CC15C5484FCB4DCFE11A

PID 3916, reg.exe: C:\Users\admin\AppData\Local\Temp\REG90DD.tmp (text)
MD5: 05D49441DC196AEBD7D74A4D211A83FE
SHA256: 5F0C9B546C2C62489D6AF7B96EDA2B00ED5BE04454D021453D255D6481F72CD1

PID 3676, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\batfile_backup.reg (text)
MD5: B1D35F8F56B6DD662F6963A2088B412A
SHA256: A2EE9487D15EA11E469EE587F2DCF958586078C2C6A96B8307B2CFEE9E5C6BBF

PID 4064, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\exefile_backup.reg (text)
MD5: 25B38478337951F86EB6CBDE2F30D302
SHA256: FCE55D8DC5A7E836E14E3089714D9081C99FF304CD24CC15C5484FCB4DCFE11A

PID 3916, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\cmdfile_backup.reg (text)
MD5: 05D49441DC196AEBD7D74A4D211A83FE
SHA256: 5F0C9B546C2C62489D6AF7B96EDA2B00ED5BE04454D021453D255D6481F72CD1

PID 3080, reg.exe: C:\Users\admin\AppData\Local\Temp\REG91D7.tmp (text)
MD5: 4A63CE5AD2195A445D09CB6AD2C5BD7D
SHA256: BDE64B95681703844296F1039C3EAC75C070BB1E326C707A6E5A4D132297C3BE

PID 1228, reg.exe: C:\Users\admin\AppData\Local\Temp\REG912B.tmp (text)
MD5: BC3F5E50E00F035BD8ADF1BDD23F932E
SHA256: 4F441C56692A5452357DAF8D3F835D75421E297B5F09A0765BA29AAC86167AD5

PID 3080, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\comfile_backup.reg (text)
MD5: 4A63CE5AD2195A445D09CB6AD2C5BD7D
SHA256: BDE64B95681703844296F1039C3EAC75C070BB1E326C707A6E5A4D132297C3BE

PID 3008, reg.exe: C:\Users\admin\AppData\Local\Temp\REG9215.tmp (text)
MD5: 019291BA3A7BB8B2F6C80D7391258DC5
SHA256: 8134567A9B181AE137660B647ADAAE1FCB506CB595639D29604FD92205ED9BE0

PID 3224, reg.exe: C:\Users\admin\AppData\Local\Temp\REG91F6.tmp (text)
MD5: C60F32C27B9819228D3C011A7DB7A721
SHA256: 512C568B5B1B33D48340D308B102AE0F466BACA653A23A818AFBF5F30486CE07

Where both appear, the REG*.tmp file and the RegBackup\*_backup.reg file written by the same PID carry identical hashes (4064: REG910B.tmp and exefile_backup.reg; 3916: REG90DD.tmp and cmdfile_backup.reg; 3080: REG91D7.tmp and comfile_backup.reg), so the .tmp files are intermediate copies of the exported keys rather than additional payloads. The list above shows 10 of the 44 text files counted; the remaining backups (the JSFile, JSEfile, VBSFile, VBEfile and WSFFile exports seen in the process list) are in the full report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info