File name: InstallIntercept.bat
Full analysis: https://app.any.run/tasks/8eb72715-12ea-4a73-8603-4c4ae496c9cb
Verdict: Malicious activity
Analysis date: May 10, 2023, 20:02:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: D776240211AF3CE4B71E42D416D42BFC
SHA1: AAF722D33BD50EEE766072F9B616A56E53ED2492
SHA256: EB3962BC127C4D24E9FB0C85EDFE79529828BF851F7A9F5C66BE0EAA842388CD
SSDEEP: 48:DegE0OVQ9gE0pqAFTCGxtU9znJ4xxedKG3CByU9eEkbOhS7Y2:DegETcgESqAFWGb0znJ4x073CByhEkbj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify register

      • cmd.exe (PID: 3032)
  • INFO

    • Create files in a temporary directory

      • reg.exe (PID: 1228)
      • reg.exe (PID: 292)
      • reg.exe (PID: 3080)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 3676)
      • reg.exe (PID: 4064)
      • reg.exe (PID: 2468)
      • reg.exe (PID: 3224)
      • reg.exe (PID: 1108)
      • reg.exe (PID: 3272)
      • reg.exe (PID: 3008)
    • Manual execution by a user

      • verclsid.exe (PID: 3220)
      • cmd.exe (PID: 3032)
No Malware configuration.
No data.
Total processes: 75
Monitored processes: 34
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the order the graph lists them ("no specs" is the graph's own marker): start, cmd.exe (no specs), net.exe (no specs), net1.exe (no specs), verclsid.exe (no specs), cmd.exe, net.exe (no specs), net1.exe (no specs), choice.exe (no specs), followed by a run of reg.exe processes (no specs).

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 292
CMD: reg export "HKEY_CLASSES_ROOT\JSFile\shell\open\command" "RegBackup\JSFile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1108
CMD: reg export "HKEY_CLASSES_ROOT\VBEfile\shell\open\command" "RegBackup\VBEfile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1148
CMD: reg add HKEY_CLASSES_ROOT\*\shell\BatchAntivirus /t REG_SZ /v Icon /d "\"C:\Users\admin\AppData\Local\Temp\Data\icon.ico\"" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1228
CMD: reg export "HKEY_CLASSES_ROOT\VBSFile\shell\open\command" "RegBackup\VBSFile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
PID: 1348
CMD: C:\Windows\system32\net1 session
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\net1.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 2020
CMD: reg add "HKEY_CLASSES_ROOT\exefile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2036
CMD: reg add "HKEY_CLASSES_ROOT\WSFFile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2056
CMD: reg add HKEY_CLASSES_ROOT\*\shell\BatchAntivirus /t REG_SZ /d "Scan with Batch Antivirus" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2280
CMD: reg add "HKEY_CLASSES_ROOT\VBEfile\shell\open\command" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\ScanIntercept.bat\" \"%1\" %*" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
PID: 2468
CMD: reg export "HKEY_CLASSES_ROOT\JSEfile\shell\open\command" "RegBackup\JSEfile_backup.reg" /y
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 476
Read events: 476
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 44
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID 292, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\JSFile_backup.reg (text)
MD5: C9ECBBD78F18CBD659F006102BCBD2AD
SHA256: 6103725A7E12F7B87A671BCF77313D8465779D511320B20CA433CADCF61FFBA5

PID 4064, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\exefile_backup.reg (text)
MD5: 25B38478337951F86EB6CBDE2F30D302
SHA256: FCE55D8DC5A7E836E14E3089714D9081C99FF304CD24CC15C5484FCB4DCFE11A

PID 3008, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\WSFFile_backup.reg (text)
MD5: 019291BA3A7BB8B2F6C80D7391258DC5
SHA256: 8134567A9B181AE137660B647ADAAE1FCB506CB595639D29604FD92205ED9BE0

PID 2468, reg.exe: C:\Users\admin\AppData\Local\Temp\REG91A8.tmp (text)
MD5: CDC9CB90BBB44B75356C7981688F19B6
SHA256: 323E146B911904BAC5C9492CAD1283B3596B3DC2C3CA3450EA4FFA798A64ABF6

PID 3080, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\comfile_backup.reg (text)
MD5: 4A63CE5AD2195A445D09CB6AD2C5BD7D
SHA256: BDE64B95681703844296F1039C3EAC75C070BB1E326C707A6E5A4D132297C3BE

PID 4064, reg.exe: C:\Users\admin\AppData\Local\Temp\REG910B.tmp (text)
MD5: 25B38478337951F86EB6CBDE2F30D302
SHA256: FCE55D8DC5A7E836E14E3089714D9081C99FF304CD24CC15C5484FCB4DCFE11A

PID 3080, reg.exe: C:\Users\admin\AppData\Local\Temp\REG91D7.tmp (text)
MD5: 4A63CE5AD2195A445D09CB6AD2C5BD7D
SHA256: BDE64B95681703844296F1039C3EAC75C070BB1E326C707A6E5A4D132297C3BE

PID 3676, reg.exe: C:\Users\admin\AppData\Local\Temp\RegBackup\batfile_backup.reg (text)
MD5: B1D35F8F56B6DD662F6963A2088B412A
SHA256: A2EE9487D15EA11E469EE587F2DCF958586078C2C6A96B8307B2CFEE9E5C6BBF

PID 3676, reg.exe: C:\Users\admin\AppData\Local\Temp\REG90BD.tmp (text)
MD5: B1D35F8F56B6DD662F6963A2088B412A
SHA256: A2EE9487D15EA11E469EE587F2DCF958586078C2C6A96B8307B2CFEE9E5C6BBF

PID 3916, reg.exe: C:\Users\admin\AppData\Local\Temp\REG90DD.tmp (text)
MD5: 05D49441DC196AEBD7D74A4D211A83FE
SHA256: 5F0C9B546C2C62489D6AF7B96EDA2B00ED5BE04454D021453D255D6481F72CD1
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info