File name:

lansweeper.vbs

Full analysis: https://app.any.run/tasks/7b6adfa6-484e-4848-8fc5-dbeedb34a0d8
Verdict: Suspicious activity
Analysis date: July 21, 2020, 21:22:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

F921EFEEC4C6516F22F56239AF7C6B47

SHA1:

AD21A692DD0488F9398482E9687ADF35D6C24742

SHA256:

FD1D4602536607B71689B3A28BFC3A11FB82F9ED49AFCA9D5191470B9DF1B98A

SSDEEP:

24:n0R4+wAjGpb69uy5vxpbUGipbUEzniHbxHbPdHbPVug5Fg/slOYZQPiJV1/+kjeb:9AuOhJAxAUmtTNTV95+/sMF2uIm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • WScript.exe (PID: 2148)

  • SUSPICIOUS

    • Starts SC.EXE for service management

      • WScript.exe (PID: 2148)

    • Uses NETSH.EXE for network configuration

      • WScript.exe (PID: 2148)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe no specs netsh.exe no specs netsh.exe no specs sc.exe no specs net.exe no specs net1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1696C:\Windows\system32\net1 start winmgmtC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
1944"C:\Windows\System32\netsh.exe" firewall add portopening protocol=tcp port=135 name=DCOM_TCP135C:\Windows\System32\netsh.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2148"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\lansweeper.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2396"C:\Windows\System32\net.exe" start winmgmtC:\Windows\System32\net.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
2568"C:\Windows\System32\sc.exe" config winmgmt start= autoC:\Windows\System32\sc.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4088"C:\Windows\System32\netsh.exe" firewall set service RemoteAdmin enableC:\Windows\System32\netsh.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
Total events
216
Read events
87
Write events
129
Delete events
0

Modification events

(PID) Process:(2148) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Operation:writeName:EnableDCOM
Value:
Y
(PID) Process:(2148) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Operation:writeName:LegacyAuthenticationLevel
Value:
2
(PID) Process:(2148) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Operation:writeName:LegacyImpersonationLevel
Value:
3
(PID) Process:(2148) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2148) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2148) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:LocalAccountTokenFilterPolicy
Value:
1
(PID) Process:(4088) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4088) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E
Operation:writeName:@%SystemRoot%\system32\p2pcollab.dll,-8042
Value:
Peer to Peer Trust
(PID) Process:(4088) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E
Operation:writeName:@%SystemRoot%\system32\qagentrt.dll,-10
Value:
System Health Authentication
(PID) Process:(4088) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dnsapi.dll,-103
Value:
Domain Name System (DNS) Server Trust
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
lansweeper.vbs