| File name: | virus.bat |
| Full analysis: | https://app.any.run/tasks/f4e6388d-7b4f-45de-bbdc-bbafbcc649a8 |
| Verdict: | Malicious activity |
| Analysis date: | February 10, 2025, 08:17:43 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text |
| MD5: | 0AAF835B7BAB1EBDBFFB5FCD053924F6 |
| SHA1: | E96FBD911A5E76D9C67959A1A68818B1D581A35A |
| SHA256: | 9B792C1E7A1F10A79D88AC1433ED91B30FECAE539E999D7135D173311C666A2B |
| SSDEEP: | 24:qIMOZGdh166G3bG3wuclxazc/G3b6zz2dBG3MUz8G3M3NG3Mzepecru9G3IPK:qIMFf166G3bG3TQBG3b6mHG3MTG3M9Gn |
MALICIOUS
SONIC has been detected
- cmd.exe (PID: 4876)
SUSPICIOUS
Creates file in the systems drive root
- cmd.exe (PID: 4876)
Reads security settings of Internet Explorer
- StartMenuExperienceHost.exe (PID: 5912)
Reads the date of Windows installation
- StartMenuExperienceHost.exe (PID: 5912)
- SearchApp.exe (PID: 4384)
INFO
Checks supported languages
- StartMenuExperienceHost.exe (PID: 5912)
- TextInputHost.exe (PID: 4856)
- SearchApp.exe (PID: 4384)
Reads the computer name
- TextInputHost.exe (PID: 4856)
- StartMenuExperienceHost.exe (PID: 5912)
- SearchApp.exe (PID: 4384)
Process checks computer location settings
- StartMenuExperienceHost.exe (PID: 5912)
- SearchApp.exe (PID: 4384)
Reads the machine GUID from the registry
- SearchApp.exe (PID: 4384)
Checks proxy server information
- SearchApp.exe (PID: 4384)
Reads Environment values
- SearchApp.exe (PID: 4384)
Reads the software policy settings
- SearchApp.exe (PID: 4384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
130
Monitored processes
14
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1476 | tskill explorer | C:\Windows\System32\tskill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Services End Process Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3436 | tskill yahoomessenger | C:\Windows\System32\tskill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Services End Process Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3692 | tskill ccapp | C:\Windows\System32\tskill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Services End Process Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4384 | "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Search application Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4628 | tskill firefox | C:\Windows\System32\tskill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Services End Process Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4824 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4840 | tskill chrome | C:\Windows\System32\tskill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Services End Process Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4856 | "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Version: 123.26505.0.0 Modules
| |||||||||||||||
| 4876 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\virus.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5240 | tskill iexplorer | C:\Windows\System32\tskill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Services End Process Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
13 445
Read events
13 370
Write events
72
Delete events
3
Modification events
| (PID) Process: | (5912) StartMenuExperienceHost.exe | Key: | \REGISTRY\A\{6889f4c8-e7c7-6b74-2a32-dcad51de1762}\LocalState\DataCorruptionRecovery |
| Operation: | write | Name: | InitializationAttemptCount |
Value: 0100000079E5484B947BDB01 | |||
| (PID) Process: | (5912) StartMenuExperienceHost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties |
| Operation: | write | Name: | Completed |
Value: 1 | |||
| (PID) Process: | (5912) StartMenuExperienceHost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData |
| Operation: | write | Name: | Completed |
Value: 1 | |||
| (PID) Process: | (5912) StartMenuExperienceHost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles |
| Operation: | write | Name: | Completed |
Value: 1 | |||
| (PID) Process: | (5912) StartMenuExperienceHost.exe | Key: | \REGISTRY\A\{6889f4c8-e7c7-6b74-2a32-dcad51de1762}\LocalState\DataCorruptionRecovery |
| Operation: | write | Name: | InitializationAttemptCount |
Value: 00000000E9CBB14B947BDB01 | |||
| (PID) Process: | (4384) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings |
| Operation: | write | Name: | SafeSearchMode |
Value: 1 | |||
| (PID) Process: | (4384) SearchApp.exe | Key: | \REGISTRY\A\{5fc042d1-6b7a-8246-929e-6ca933dd57ea}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_USEREMAIL |
Value: 0000EE92D54B947BDB01 | |||
| (PID) Process: | (4384) SearchApp.exe | Key: | \REGISTRY\A\{5fc042d1-6b7a-8246-929e-6ca933dd57ea}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_ACCOUNTTYPETEXT |
Value: 0000EE92D54B947BDB01 | |||
| (PID) Process: | (4384) SearchApp.exe | Key: | \REGISTRY\A\{5fc042d1-6b7a-8246-929e-6ca933dd57ea}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_ACCOUNTTYPE |
Value: 0000EE92D54B947BDB01 | |||
| (PID) Process: | (4384) SearchApp.exe | Key: | \REGISTRY\A\{5fc042d1-6b7a-8246-929e-6ca933dd57ea}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_ACCOUNTTYPE |
Value: 4E006F006E0065000000EE92D54B947BDB01 | |||
Executable files
2
Suspicious files
26
Text files
12
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres | binary | |
MD5:4D9ACA66DCD5A29813765725B9FF3837 | SHA256:A9ABFCCC359360C323149FEB46A8C2007ACA0E5B4850CE986461B726DA6436ED | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\Init[1].htm | html | |
MD5:D9755B112DB88F6771946AA5F2E9BBE0 | SHA256:60327D2EFE3E36CD85B4AECE1A9453095C0B441F8DBF45EE607EFC3E7A0768AD | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml | text | |
MD5:CA0681973D5C2F3B3CB6814B9D70E3F5 | SHA256:7C92F90B23B67604EF319E1882ACA9AF369E584E2B68312B9555A602AF4A6100 | |||
| 4876 | cmd.exe | C:\Users\admin\Documents\virus.bat | text | |
MD5:0AAF835B7BAB1EBDBFFB5FCD053924F6 | SHA256:9B792C1E7A1F10A79D88AC1433ED91B30FECAE539E999D7135D173311C666A2B | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\vOJNaIfAXvJzmnBm845ss-M9YR8[1].css | text | |
MD5:87BBB1A289EDC24C9F06B88229765467 | SHA256:85B291C46F9D1EEEC71DB839F649D748F48B203EA836F3ACE3B9B761947D960C | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\0SrfjVbd4BJYe5wzcCR3l-BPV6c[1].js | binary | |
MD5:93C8EEB694177EFB7AFE347F5C67A9F9 | SHA256:736C9B4487EDDD28E6D8695DF77EBC8BA760F3BA0709E9CA7C151856E76D4FBB | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\AptopUBu7_oVDubJxwvaIprW-lI[1].css | text | |
MD5:4E0E75684C84C0102CED12948B95609B | SHA256:4D18E491B2DE4DA34F6C15F0574911613E902F791FE72501E4404802760D1BCA | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css | text | |
MD5:77373397A17BD1987DFCA2E68D022ECF | SHA256:A319AF2E953E7AFDA681B85A62F629A5C37344AF47D2FCD23AB45E1D99497F13 | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\0u2b9EXo8LdXut1MFm4AD0phBuM.br[1].js | binary | |
MD5:8C0F73D4C854DC52B555898FEF7EDB54 | SHA256:B652F917E744E7A4EADB5DF108D622FD18C793E80445FAA69B1BFFC97BE2529E | |||
| 4384 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133836490883720467.txt~RF13b440.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
20
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.86.251.20:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.46 Kb | whitelisted |
— | — | GET | 200 | 184.86.251.20:443 | https://www.bing.com/rb/16/jnc,nj/0SrfjVbd4BJYe5wzcCR3l-BPV6c.js?bu=Dis0e4gBjwGSAYUBfoIBxwHKATS-Ac0B&or=w | unknown | binary | 21.5 Kb | whitelisted |
— | — | GET | 200 | 184.86.251.27:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | unknown | html | 125 Kb | whitelisted |
— | — | GET | 200 | 184.86.251.10:443 | https://www.bing.com/rp/76h-lqe82bg-bnu-ApkwUALogkQ.br.js | unknown | binary | 8.78 Kb | whitelisted |
— | — | GET | 200 | 184.86.251.28:443 | https://www.bing.com/rp/5qSqWyip_grL-s7BafaqI3Mrk9M.br.js | unknown | binary | 128 Kb | whitelisted |
— | — | GET | 200 | 184.86.251.8:443 | https://www.bing.com/rp/4WxI_EMO9Il3V3PSPu01Sq7MLMc.br.js | unknown | binary | 370 Kb | whitelisted |
— | — | GET | 200 | 184.86.251.22:443 | https://www.bing.com/rp/Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br.js | unknown | binary | 1 b | whitelisted |
— | — | GET | 200 | 184.86.251.24:443 | https://www.bing.com/rp/Cm-j2OJKwOWyiyy_LY0s7IvC7Qc.br.js | unknown | binary | 2.15 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4384 | SearchApp.exe | 184.86.251.15:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |