File name:

Unhide Files.bat

Full analysis: https://app.any.run/tasks/9048e73a-d904-44ff-8e06-85f4dad38fbb
Verdict: Malicious activity
Analysis date: November 16, 2019, 21:30:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

ED321251DC3B4F175E68BE78E694474D

SHA1:

9E72DA35F476589E57754A6768E9914D7717F2E0

SHA256:

F335F7098DE9B44F3849B8ADA84FCCA1AC09ED00F8936D60CB3CF8D085EEA2E5

SSDEEP:

12288:wnVHDWx5jouKbs3wPDdI3N4Pgq9vJvSuuqngHAJ:wnc/YsgrgN45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2712)

    • Application was dropped or rewritten from another process

      • rf.exe (PID: 2232)
      • eng.exe (PID: 784)
      • svcnosts.exe (PID: 2252)
      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 1560)
      • cmd.exe (PID: 1252)
      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1400)
      • cmd.exe (PID: 928)
      • cmd.exe (PID: 3196)
      • cmd.exe (PID: 2524)
      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 996)
      • cmd.exe (PID: 1648)
      • svcnost.exe (PID: 3784)
      • cmd.exe (PID: 1916)
      • cmd.exe (PID: 788)
      • cmd.exe (PID: 2368)

    • Changes the autorun value in the registry

      • rf.exe (PID: 2232)

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 2712)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 928)

    • Executable content was dropped or overwritten

      • eng.exe (PID: 784)
      • cmd.exe (PID: 2712)
      • rf.exe (PID: 2232)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2712)
      • rf.exe (PID: 2232)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1560)
      • cmd.exe (PID: 2712)

    • Creates executable files which already exist in Windows

      • rf.exe (PID: 2232)

    • Modifies the open verb of a shell class

      • rf.exe (PID: 2232)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • rf.exe (PID: 2232)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
107
Monitored processes
52
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start cmd.exe eng.exe attrib.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs reg.exe no specs ping.exe no specs rf.exe ping.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs reg.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs svcnosts.exe no specs svcnost.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496attrib C:\sefera\Jnt\juhoxa\..\.. +r +s +hC:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
784"C:\Users\admin\AppData\Local\Temp\rlgms574\eng.exe" "C:\Users\admin\AppData\Local\Temp\rlgms574\sk.js"C:\Users\admin\AppData\Local\Temp\rlgms574\eng.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\users\admin\appdata\local\temp\rlgms574\eng.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
788"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /tC:\Windows\system32\cmd.exerf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
792attrib C:\sefera\Jnt\juhoxa\desktop.ini +s +hC:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
928"C:\Windows\system32\cmd.exe" /c attrib C:\System_VoIume_lnformation\Jnt\serouuc\..\.. +r +s +hC:\Windows\system32\cmd.exerf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
996"C:\Windows\system32\cmd.exe" /c cacls C:\System_VoIume_lnformation\Jnt\serouuc\..\.. /d everyone /eC:\Windows\system32\cmd.exerf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
1252"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /tC:\Windows\system32\cmd.exerf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1400"C:\Windows\system32\cmd.exe" /c cacls C:\sefera\Jnt\juhoxa\..\.. /d everyone /eC:\Windows\system32\cmd.exerf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1532cacls n:\sefera\Jnt\null\..\.. /r administrators /e /tC:\Windows\system32\cacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Control ACLs Program
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1560C:\Windows\system32\cmd.exe /c REG QUERY HKCU\SOFTWARE\btC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
687
Read events
653
Write events
34
Delete events
0

Modification events

(PID) Process:(784) eng.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(784) eng.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2064) reg.exeKey:HKEY_CURRENT_USER\Software\bt
Operation:writeName:gp
Value:
21:3
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Microsoft
Operation:writeName:STR
Value:
C|juhoxa|serouuc|svcnost|svcnosts
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Explorers
Value:
C:\Windows\explorer.exe /root c:\windows\system32\rundll32.exe ..\windows\system32\user32.dll.ShellExecute(%s), C:\System_VoIume_lnformation\Jnt\serouuc\bmz\explorer.exe, 0xff3leca
(PID) Process:(2232) rf.exeKey:HKEY_CLASSES_ROOT\.exe
Operation:writeName:
Value:
exefiles
(PID) Process:(2232) rf.exeKey:HKEY_CLASSES_ROOT\exefiles\shell\open\command
Operation:writeName:
Value:
"C:\System_VoIume_lnformation\Jnt\serouuc\explorers.exe" rts "%1"
(PID) Process:(2232) rf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Microsoft
Operation:writeName:SLK
Value:
0
Executable files
6
Suspicious files
2
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2712cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms574\unrf.dllbib
MD5:
SHA256:
2232rf.exeC:\sefera\Jnt\juhoxa\svcnosts.exeexecutable
MD5:
SHA256:
2232rf.exeC:\System_VoIume_lnformation\Jnt\serouuc\gotera.bmpbinary
MD5:
SHA256:
2232rf.exeC:\sefera\Jnt\juhoxa\gotera.bmpbinary
MD5:
SHA256:
784eng.exeC:\Users\admin\AppData\Local\Temp\rlgms574\rf.exeexecutable
MD5:
SHA256:
2232rf.exeC:\sefera\Jnt\juhoxa\svcnost.exeexecutable
MD5:
SHA256:
2232rf.exeC:\System_VoIume_lnformation\Jnt\serouuc\explorers.exeexecutable
MD5:
SHA256:
2712cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms574\sk.jstext
MD5:3ABAFFE780DACFD3C83A6D79D3456CD1
SHA256:1D16BCFDCC3ACBD37D4E39E07DF2FA6F496FB4B9998D6F1D83C5E076860AFC6B
2712cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms574\eng.exeexecutable
MD5:D1AB72DB2BEDD2F255D35DA3DA0D4B16
SHA256:047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0
2232rf.exeC:\System_VoIume_lnformation\Jnt\serouuc\bmz\explorer.exeexecutable
MD5:AD7B9C14083B52BC532FBA5948342B98
SHA256:17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3784
svcnost.exe
151.101.1.195:443
clear-march.firebaseapp.com
Fastly
US
malicious

DNS requests

Domain
IP
Reputation
clear-march.firebaseapp.com
  • 151.101.1.195
  • 151.101.65.195
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Unhide Files.bat