download:

test.bat

Full analysis: https://app.any.run/tasks/38f250cf-6904-4e02-b6e6-3b0fee839705
Verdict: Malicious activity
Analysis date: August 25, 2020, 06:32:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

20DEE4B291847837312C4CA29DCBEA77

SHA1:

B02E780B2DD146E4E6F81D68CE75D484288D6DDD

SHA256:

F5E3B5C22EE23557B33996639EE23119B7427DF29229F4BB39D1D29AB6FAD28E

SSDEEP:

3:Q6AAGR9efHXV9dV/:Qk0ef3VLd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs app for hidden code execution

      • cmd.exe (PID: 2720)

    • Loads the Task Scheduler COM API

      • dfrgui.exe (PID: 2372)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 2720)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2720)

    • Executes application which crashes

      • cmd.exe (PID: 2720)

    • Low-level read access rights to disk partition

      • vds.exe (PID: 5500)

    • Executed as Windows Service

      • vds.exe (PID: 5500)
      • msdtc.exe (PID: 2080)
      • dllhost.exe (PID: 2104)

    • Creates files in the Windows directory

      • eudcedit.exe (PID: 4964)
      • dllhost.exe (PID: 2104)
      • msdtc.exe (PID: 2080)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • FXSCOVER.exe (PID: 5204)

    • Removes files from Windows directory

      • eudcedit.exe (PID: 4964)

    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 4132)
      • cmd.exe (PID: 2720)

    • Executed via COM

      • vdsldr.exe (PID: 6012)
      • DeviceDisplayObjectProvider.exe (PID: 3708)

    • Starts CHOICE.EXE (used to create a delay)

      • cmd.exe (PID: 2720)

    • Application launched itself

      • cmd.exe (PID: 2720)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 2720)

    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 2720)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
417
Monitored processes
258
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs adaptertroubleshooter.exe no specs adaptertroubleshooter.exe no specs adaptertroubleshooter.exe aitagent.exe no specs alg.exe no specs ntvdm.exe no specs appidcertstorecheck.exe no specs appidpolicyconverter.exe no specs arp.exe no specs at.exe no specs atbroker.exe no specs audiodg.exe no specs attrib.exe no specs auditpol.exe no specs autochk.exe no specs autoconv.exe no specs autofmt.exe no specs axinstui.exe no specs bcdboot.exe no specs bcdedit.exe no specs bdeuisrv.exe no specs bdeunlockwizard.exe no specs bitsadmin.exe no specs bridgeunattend.exe no specs bthudtask.exe no specs bootcfg.exe no specs bthudtask.exe no specs bthudtask.exe calc.exe no specs cacls.exe no specs certenrollctrl.exe no specs certreq.exe no specs certutil.exe no specs change.exe no specs charmap.exe no specs chglogon.exe no specs chgport.exe no specs chgusr.exe no specs chkdsk.exe no specs chkntfs.exe no specs choice.exe no specs cipher.exe no specs cleanmgr.exe cliconfg.exe no specs cliconfg.exe no specs cliconfg.exe clip.exe no specs cmd.exe no specs cmdkey.exe no specs cmdl32.exe no specs cmmon32.exe no specs cmstp.exe no specs cofire.exe no specs colorcpl.exe no specs comp.exe no specs compact.exe no specs compmgmtlauncher.exe no specs compmgmtlauncher.exe no specs compmgmtlauncher.exe computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe conhost.exe no specs consent.exe no specs control.exe no specs convert.exe no specs credwiz.exe no specs cscript.exe no specs csrss.exe no specs csrstub.exe no specs ctfmon.exe no specs cttune.exe no specs cttunesvr.exe no specs cttunesvr.exe no specs mmc.exe cttunesvr.exe dccw.exe no specs dccw.exe no specs dccw.exe dcomcnfg.exe no specs dcomcnfg.exe no specs dcomcnfg.exe ddodiag.exe no specs ntvdm.exe no specs mmc.exe defrag.exe no specs devicedisplayobjectprovider.exe no specs deviceeject.exe no specs devicedisplayobjectprovider.exe no specs deviceeject.exe no specs deviceeject.exe devicepairingwizard.exe no specs deviceproperties.exe no specs deviceproperties.exe no specs dllhost.exe no specs deviceproperties.exe dfdwiz.exe no specs dfrgui.exe no specs dialer.exe no specs diantz.exe no specs dinotify.exe no specs diskpart.exe no specs diskpart.exe no specs msdtc.exe no specs diskpart.exe diskperf.exe no specs diskraid.exe no specs diskraid.exe no specs vdsldr.exe no specs vds.exe no specs diskraid.exe dism.exe no specs dispdiag.exe no specs displayswitch.exe no specs djoin.exe no specs dllhost.exe no specs dllhst3g.exe no specs dnscacheugc.exe no specs doskey.exe no specs ntvdm.exe no specs dpapimig.exe no specs dpiscaling.exe no specs dplaysvr.exe dpnsvr.exe no specs driverquery.exe no specs drvinst.exe no specs ntvdm.exe no specs dvdplay.exe no specs dvdupgrd.exe no specs dwm.exe no specs dwwin.exe no specs dxdiag.exe no specs dxpserver.exe no specs eap3host.exe no specs ntvdm.exe no specs efsui.exe no specs ehstorauthn.exe no specs esentutl.exe no specs eudcedit.exe no specs wmplayer.exe no specs eudcedit.exe no specs setup_wm.exe no specs eudcedit.exe eventcreate.exe no specs eventvwr.exe no specs eventvwr.exe no specs eventvwr.exe ntvdm.exe no specs expand.exe no specs extrac32.exe no specs ntvdm.exe no specs fc.exe no specs find.exe no specs findstr.exe no specs finger.exe no specs fixmapi.exe no specs flashplayerapp.exe no specs fltmc.exe no specs fontview.exe no specs forfiles.exe no specs fsutil.exe no specs ftp.exe no specs fvenotify.exe no specs fveprompt.exe no specs fxscover.exe no specs fxssvc.exe no specs fxsunatd.exe no specs mmc.exe fxsunatd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs fxsunatd.exe cmd.exe no specs getmac.exe no specs gettingstarted.exe no specs gpresult.exe no specs gpscript.exe no specs gpupdate.exe no specs grpconv.exe no specs cmd.exe no specs hdwwiz.exe no specs cmd.exe no specs hdwwiz.exe no specs cmd.exe no specs control.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs hdwwiz.exe cmd.exe no specs help.exe no specs host.exe no specs hostname.exe no specs hwrcomp.exe no specs hwrreg.exe no specs icacls.exe no specs icardagt.exe no specs cmd.exe no specs icsunattend.exe no specs ie4uinit.exe no specs ieetwcollector.exe no specs ieunatt.exe no specs iexpress.exe no specs infdefaultinstall.exe no specs cmd.exe no specs infdefaultinstall.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs infdefaultinstall.exe cmd.exe no specs ipconfig.exe no specs irftp.exe no specs iscsicli.exe no specs iscsicli.exe no specs iscsicli.exe iscsicpl.exe no specs iscsicpl.exe no specs iscsicpl.exe isoburn.exe no specs klist.exe no specs ksetup.exe no specs ksetup.exe no specs ksetup.exe ktmutil.exe no specs label.exe no specs locationnotifications.exe no specs locator.exe no specs lodctr.exe no specs logagent.exe no specs logman.exe no specs logoff.exe no specs logonui.exe no specs lpksetup.exe no specs lpremove.exe no specs lsass.exe no specs lsm.exe no specs magnify.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
272"C:\Windows\System32\Defrag.exe" C:\Windows\System32\Defrag.execmd.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Disk Defragmenter Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\aitagent.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
308"C:\Windows\System32\calc.exe" C:\Windows\System32\calc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\calc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
332/c echo "test.bat"C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
532"C:\Windows\System32\AdapterTroubleshooter.exe" C:\Windows\System32\AdapterTroubleshooter.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Troubleshoot Display Adapter
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\adaptertroubleshooter.exe
c:\systemroot\system32\ntdll.dll
544"C:\Windows\System32\bthudtask.exe" C:\Windows\System32\bthudtask.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Bluetooth Uninstall Device Task
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\bthudtask.exe
c:\systemroot\system32\ntdll.dll
544"C:\Windows\System32\DeviceProperties.exe" C:\Windows\System32\DeviceProperties.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Device Properties
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\bthudtask.exe
c:\windows\system32\deviceproperties.exe
c:\systemroot\system32\ntdll.dll
580"C:\Windows\System32\cmdl32.exe" C:\Windows\System32\cmdl32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Auto-Download
Exit code:
1
Version:
7.02.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cmdl32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
608"C:\Windows\System32\cttune.exe" C:\Windows\System32\cttune.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClearType Tuner
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cttune.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
620"C:\Windows\System32\audiodg.exe" C:\Windows\System32\audiodg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Audio Device Graph Isolation
Exit code:
6
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\audiodg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
688/c echo "thdzwq4e.kdo"C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 442
Read events
1 992
Write events
449
Delete events
1

Modification events

(PID) Process:(3080) AdapterTroubleshooter.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
AdapterTroubleshooter.exe
(PID) Process:(2720) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2720) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2244) AtBroker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Accessibility
Operation:writeName:Configuration
Value:
(PID) Process:(3596) aitagent.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AIT
Operation:writeName:LastReadEntryTime
Value:
0C316296A97AD601
(PID) Process:(308) calc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Calc
Operation:writeName:Window_Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2C0000002C0000004C03000084020000
(PID) Process:(2700) cleanmgr.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\136\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2700) cleanmgr.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\136\52C64B7E
Operation:writeName:@C:\Windows\System32\occache.dll,-1070
Value:
Downloaded Program Files
(PID) Process:(2700) cleanmgr.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\136\52C64B7E
Operation:writeName:@C:\Windows\System32\occache.dll,-1071
Value:
Downloaded Program Files are ActiveX controls and Java applets downloaded automatically from the Internet when you view certain pages. They are temporarily stored in the Downloaded Program Files folder on your hard disk.
(PID) Process:(2700) cleanmgr.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\136\52C64B7E
Operation:writeName:@C:\Windows\System32\occache.dll,-1072
Value:
&View Files
Executable files
0
Suspicious files
18
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
2216ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsC7A6.tmp
MD5:
SHA256:
2216ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsC7B6.tmp
MD5:
SHA256:
2700cleanmgr.exeC:\Users\admin\AppData\Local\Temp\{6089EE43-4653-4E3F-84DD-0E26E2CC005A}
MD5:
SHA256:
1436ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF609.tmp
MD5:
SHA256:
1436ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF619.tmp
MD5:
SHA256:
3708DeviceDisplayObjectProvider.exeC:\Users\admin\AppData\Local\Microsoft\Device Metadata\dmrc.idx.0
MD5:
SHA256:
3708DeviceDisplayObjectProvider.exeC:\Users\admin\AppData\Local\Microsoft\Device Metadata\OLDCACHE.000
MD5:
SHA256:
5600ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs26ED.tmp
MD5:
SHA256:
1908DeviceDisplayObjectProvider.exeC:\Users\admin\AppData\Local\Microsoft\Device Metadata\dmrc.idx.0
MD5:
SHA256:
1908DeviceDisplayObjectProvider.exeC:\Users\admin\AppData\Local\Microsoft\Device Metadata\OLDCACHE.000
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
cleanmgr.exe
PID=2700 Failed to create. - CScavengeCleanup::Initialize(hr:0x800702e4)
mmc.exe
ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EvĜ
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension
mmc.exe
ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
test.bat