File name:	FNCLEAN.bat
Full analysis:	https://app.any.run/tasks/996459d9-339d-4583-9547-09b2b9e62ddd
Verdict:	Malicious activity
Analysis date:	August 16, 2025, 19:22:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (641), with CRLF line terminators
MD5:	23FA56443E91F334B820D583600582C8
SHA1:	9EABE29A08BD66559808A2EAA98138F611F7D4E6
SHA256:	5F7BB93F495EE6B6B2DDFC3F4D5322F24A278A32264D8887D9E93F35F7813554
SSDEEP:	49152:BTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:9


(PID) Process:	(6256) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\TypeLib
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\Version
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InProcServer32
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\TypeLib
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\Version
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7104) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both

PID	Process	Filename		Type
6256	cmd.exe	C:\Users\admin\AppData\Local\Temp\getadmin.vbs		text
		MD5:D14A6C18536B08C2D91CC10129CEC2CA	SHA256:88F0E55BE41422957E8F4FEC8CAF0F9ED4E68D1F0290171BA8F4BD26C19FA17D
2632	regsvr32.exe	C:\Windows\INF\WmiApRpl\WmiApRpl.ini		text
		MD5:A656A56B1FDA4AA28383160BA6EBEA3B	SHA256:639CF8ACD1FE25A19B9841C9262B4227FCC33BB6658919D31B10AB849253B318
2124	mofcomp.exe	C:\Windows\System32\wbem\AutoRecover\AFFA4734C9FA7C4A3BDE5528A94427A4.mof		text
		MD5:BE0F3902C0B7CAA353DAD7BA95F62FF1	SHA256:372CB783DB4ED18BD5AFD342E60AF14418AFFABDC76E3D146BA755BD22C178F4
2132	mofcomp.exe	C:\Windows\System32\wbem\AutoRecover\8C226ACD9934CF6AC0A2FED330FF195D.mof		text
		MD5:38312A00CC8883436E5E5F6F03C0748F	SHA256:CC3C31EF46DF0DA81BC2A6FDD25ED18783BF3CCE7CAA5DA4E1F51700BD361EC9
2124	mofcomp.exe	C:\Users\admin\AppData\Local\Temp\tmp13AD.tmp		binary
		MD5:42A7568B6E57C66E5E14D1C0ECAF1013	SHA256:6E4DC55EBBBBA24A1BA8E13F1E756D379446DE1F620E8A80F37C57F448103898
3540	mofcomp.exe	C:\Windows\System32\wbem\AutoRecover\8A5665C9B434838A05B96BF322560FE8.mof		text
		MD5:A6CFFDEB074C9DE9B188373A21B7E1B9	SHA256:E3008B8151C38BBE07A925A53F48D5EF5D87617DDC6A9B6BBE91C04863928BD0
2132	mofcomp.exe	C:\Users\admin\AppData\Local\Temp\tmp1469.tmp		binary
		MD5:5582CFCBF6F3A3688C43FC969E87B324	SHA256:3999FCB4DECC2043E1C46E9698F151298F5FED1DEA7479409191AF6521D6FB24
3540	mofcomp.exe	C:\Users\admin\AppData\Local\Temp\tmp14E6.tmp		binary
		MD5:6F0F95E004DC90F4D6943F317E6E7428	SHA256:90400F2ED1E4B7501307644E6E07976605671607A7D77ADE2DCA948505628CD2
2632	regsvr32.exe	C:\Windows\System32\wbem\Performance\WmiApRpl.ini		text
		MD5:A656A56B1FDA4AA28383160BA6EBEA3B	SHA256:639CF8ACD1FE25A19B9841C9262B4227FCC33BB6658919D31B10AB849253B318
2632	regsvr32.exe	C:\Windows\System32\wbem\Performance\WmiApRpl.h		text
		MD5:1CC4C3B9BB1657BE77939F0B565E315D	SHA256:9EB3CBB0F65809845890159EFDAB0FF5A910DA34252E7D5CFF2929CC2FA6AB6A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4688	RUXIMICS.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4688	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4688	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4688	RUXIMICS.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.55.110.211	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
self.events.data.microsoft.com	20.189.173.12	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

FNCLEAN.bat

23FA56443E91F334B820D583600582C8

9EABE29A08BD66559808A2EAA98138F611F7D4E6

5F7BB93F495EE6B6B2DDFC3F4D5322F24A278A32264D8887D9E93F35F7813554

49152:BTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Creates or modifies Windows services

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Executing commands from a ".bat" file

Runs shell command (SCRIPT)

Uses ICACLS.EXE to modify access control lists

The process executes VB scripts

Starts CMD.EXE for commands execution

Stops a currently running service

Uses TASKKILL.EXE to kill process

Starts SC.EXE for service management

Windows service management via SC.EXE

Application launched itself

Creates/Modifies COM task schedule object

Sets the service to start on system boot

Uses REG/REGEDIT.EXE to modify registry

INFO

Create files in a temporary directory

Reads Windows Product ID

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings