File name: challenge_1.bat
Full analysis: https://app.any.run/tasks/acefe38d-a62e-436a-bfb0-2f3b34c07aad
Verdict: Malicious activity
Analysis date: May 21, 2025, 07:41:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: sonic
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (841), with CRLF line terminators
MD5: 39830FCB4FFB54FEAAF9A659C07ACED3
SHA1: 2A68399C0B0D229CE12642B3C1828BF5A78D8521
SHA256: D13E2C505021D99FD969A85F1FD530066E48ABDCA9161166D38D7593C8EF275D
SSDEEP: 384:8OJWlo3yzLK+qPXPtTGcJdAbrM21q0j0L1qEzdQ8PigfwTxX8j2x:8FqPFTGcbAUAW17JQrgodXG2x
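The file-info line above ("very long lines (841)") together with the indicators further down (certutil.exe decoding base64 and dropping executable content, Tasksvc.exe then run from the user directory by cmd.exe) is the usual shape of a batch dropper: a base64 blob is echoed to a staging file, certutil -decode turns it into an executable, and the script starts it. The Python below is an added example, not ANY.RUN code and not the real challenge_1.bat. It carves such payloads from a script statically, following the script's own `set` variables and `>`/`>>` redirections, and reports the decoded size, SHA-256, whether the output carries a PE header, and whether a later `start`/`call` line launches it. SAMPLE_BAT and its MZ/PE stub payload are constructed for the demonstration.

```python
"""Static carving of certutil -decode payloads from a batch dropper.

Added example (not ANY.RUN code, not the real challenge_1.bat). SAMPLE_BAT is
constructed to mirror the report's shape: base64 echoed to a staging file,
decoded with certutil, then started.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import re
from dataclasses import dataclass


def _fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a DOS header whose
    e_lfanew field points at a PE\\0\\0 signature, and nothing else."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (64).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


_B64 = base64.b64encode(_fake_pe()).decode()
SAMPLE_BAT = (
    "@echo off\r\n"
    "set out=%TEMP%\\Tasksvc.exe\r\n"
    f"echo {_B64[:60]} > %TEMP%\\p.txt\r\n"      # '>' starts the staging file
    f"echo {_B64[60:]}>> %TEMP%\\p.txt\r\n"      # '>>' appends to it
    "certutil -f -decode %TEMP%\\p.txt %out%\r\n"
    "start \"\" %out%\r\n"
    "del %TEMP%\\p.txt\r\n"
)

ECHO_RE = re.compile(
    r'^\s*@?echo\s+(?P<body>.+?)\s*(?P<op>>>|>)\s*"?(?P<file>[^"\s]+)"?\s*$', re.I)
SET_RE = re.compile(r'^\s*@?set\s+(?P<name>[^=/\s]+)=(?P<value>.*?)\s*$', re.I)


@dataclass(frozen=True)
class CarvedPayload:
    source: str        # staging file handed to certutil
    destination: str   # output path, %vars% expanded where the script sets them
    size: int
    sha256: str
    is_pe: bool        # MZ header and e_lfanew -> "PE\0\0"
    launched: bool     # a later start/call line runs the destination


def _expand(token: str, env: dict[str, str]) -> str:
    """Expand %NAME% using only variables the script itself sets."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), token)


def _norm(path: str, env: dict[str, str]) -> str:
    return _expand(path.strip('"'), env).lower()


def _parse_certutil(line: str):
    """Return (input, output) for a 'certutil ... -decode in out' line."""
    toks = [t.strip('"') for t in line.split()]
    if not toks or toks[0].lstrip("@").rsplit("\\", 1)[-1].lower() not in ("certutil", "certutil.exe"):
        return None
    for i, t in enumerate(toks):
        if t.lower() == "-decode":
            args = [a for a in toks[i + 1:] if not a.startswith("-")]  # skip -f and friends
            return (args[0], args[1]) if len(args) >= 2 else None
    return None


def _decode_b64(chunks: list[str]) -> bytes:
    text = "".join(c for c in chunks if not c.strip().startswith("-----"))  # drop PEM armour
    text = re.sub(r"\s+", "", text)
    text += "=" * (-len(text) % 4)               # certutil tolerates missing padding
    try:
        return base64.b64decode(text)
    except (binascii.Error, ValueError):
        return b""


def _looks_like_pe(data: bytes) -> bool:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def _is_launched(dst: str, later: list[str]) -> bool:
    # Plain 'dst', 'call dst' or 'start "title" dst'; start switches are not handled.
    pat = re.compile(r'^\s*@?(?:(?:start|call)\s+(?:"[^"]*"\s+)?)?"?'
                     + re.escape(dst) + r'"?(?:\s|$)', re.I)
    return any(pat.match(l) for l in later)


def carve_certutil_payloads(bat_text: str) -> list[CarvedPayload]:
    env: dict[str, str] = {}
    staged: dict[str, list[str]] = {}      # normalised path -> echoed chunks
    lines = bat_text.splitlines()
    found: list[CarvedPayload] = []
    for idx, line in enumerate(lines):
        if (m := SET_RE.match(line)):
            env[m["name"].lower()] = m["value"]
        elif (m := ECHO_RE.match(line)):
            key = _norm(m["file"], env)
            if m["op"] == ">":               # overwrite resets the staging file
                staged[key] = []
            staged.setdefault(key, []).append(m["body"])
        elif (args := _parse_certutil(line)):
            src, dst = args
            chunks = staged.get(_norm(src, env))
            if not chunks:
                continue                     # input not staged by this script
            data = _decode_b64(chunks)
            found.append(CarvedPayload(
                source=src, destination=_expand(dst, env), size=len(data),
                sha256=hashlib.sha256(data).hexdigest(),
                is_pe=_looks_like_pe(data),
                launched=_is_launched(dst, lines[idx + 1:])))
    return found
```

Pass a real dropper's text to carve_certutil_payloads() and pivot on the SHA-256 of the carved bytes before detonating anything. Scripts that assemble the blob with findstr or a for loop, or that use -decodehex, need the staging step extended; the decode, PE check and launch check stay as they are.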

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 8056)
      • reg.exe (PID: 8360)
      • reg.exe (PID: 8372)
      • reg.exe (PID: 7736)
    • SONIC has been detected

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 7184)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • certutil.exe (PID: 7864)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7568)
      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 7784)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 8288)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 11604)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 11296)
      • cmd.exe (PID: 11612)
      • cmd.exe (PID: 11956)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 12004)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 10580)
      • cmd.exe (PID: 12208)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 11328)
      • cmd.exe (PID: 11572)
      • cmd.exe (PID: 10724)
      • cmd.exe (PID: 13596)
      • cmd.exe (PID: 12828)
      • cmd.exe (PID: 13276)
      • cmd.exe (PID: 12704)
      • cmd.exe (PID: 14028)
      • cmd.exe (PID: 13896)
      • cmd.exe (PID: 15400)
      • cmd.exe (PID: 16472)
      • cmd.exe (PID: 14380)
      • cmd.exe (PID: 15820)
      • cmd.exe (PID: 15992)
      • cmd.exe (PID: 14588)
      • cmd.exe (PID: 14524)
      • cmd.exe (PID: 17804)
      • cmd.exe (PID: 18572)
      • cmd.exe (PID: 15260)
      • cmd.exe (PID: 17340)
      • cmd.exe (PID: 21980)
      • cmd.exe (PID: 19764)
      • cmd.exe (PID: 20648)
      • cmd.exe (PID: 21116)
      • cmd.exe (PID: 11640)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7568)
      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 7784)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 8288)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 11612)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 11604)
      • cmd.exe (PID: 11296)
      • cmd.exe (PID: 11328)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 11956)
      • cmd.exe (PID: 12004)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 12208)
      • cmd.exe (PID: 10580)
      • cmd.exe (PID: 10724)
      • cmd.exe (PID: 11572)
      • cmd.exe (PID: 12828)
      • cmd.exe (PID: 13596)
      • cmd.exe (PID: 13276)
      • cmd.exe (PID: 12704)
      • cmd.exe (PID: 13896)
      • cmd.exe (PID: 14028)
      • cmd.exe (PID: 15820)
      • cmd.exe (PID: 15992)
      • cmd.exe (PID: 15400)
      • cmd.exe (PID: 14380)
      • cmd.exe (PID: 16472)
      • cmd.exe (PID: 14588)
      • cmd.exe (PID: 17340)
      • cmd.exe (PID: 15260)
      • cmd.exe (PID: 18572)
      • cmd.exe (PID: 14524)
      • cmd.exe (PID: 17804)
      • cmd.exe (PID: 20648)
      • cmd.exe (PID: 21116)
      • cmd.exe (PID: 21980)
      • cmd.exe (PID: 16172)
      • cmd.exe (PID: 11640)
      • cmd.exe (PID: 19764)
      • cmd.exe (PID: 20608)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 12828)
    • Process uses IPCONFIG to discard the IP address configuration

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 10420)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 7504)
    • The executable file from the user directory is run by the CMD process

      • Tasksvc.exe (PID: 7892)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7648)
    • Application launched itself

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 12828)
      • cmd.exe (PID: 13276)
      • cmd.exe (PID: 12704)
      • cmd.exe (PID: 13596)
      • cmd.exe (PID: 13896)
      • cmd.exe (PID: 14588)
      • cmd.exe (PID: 14524)
      • cmd.exe (PID: 14380)
      • cmd.exe (PID: 15260)
      • cmd.exe (PID: 17340)
      • cmd.exe (PID: 17804)
      • cmd.exe (PID: 19764)
      • cmd.exe (PID: 20188)
      • cmd.exe (PID: 16712)
      • cmd.exe (PID: 16172)
      • cmd.exe (PID: 21580)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 13276)
      • cmd.exe (PID: 13596)
      • cmd.exe (PID: 12704)
      • cmd.exe (PID: 12828)
      • cmd.exe (PID: 13896)
      • cmd.exe (PID: 14588)
      • cmd.exe (PID: 14524)
      • cmd.exe (PID: 14380)
      • cmd.exe (PID: 15260)
      • cmd.exe (PID: 17340)
      • cmd.exe (PID: 17804)
      • cmd.exe (PID: 19764)
      • cmd.exe (PID: 20188)
      • cmd.exe (PID: 16172)
      • cmd.exe (PID: 21580)
      • cmd.exe (PID: 16712)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 13596)
      • cmd.exe (PID: 13276)
      • cmd.exe (PID: 12704)
      • cmd.exe (PID: 12828)
      • cmd.exe (PID: 13896)
      • cmd.exe (PID: 14380)
      • cmd.exe (PID: 14588)
      • cmd.exe (PID: 14524)
      • cmd.exe (PID: 17804)
      • cmd.exe (PID: 15260)
      • cmd.exe (PID: 17340)
      • cmd.exe (PID: 19764)
      • cmd.exe (PID: 20188)
      • cmd.exe (PID: 16172)
      • cmd.exe (PID: 21580)
      • cmd.exe (PID: 16712)
    • The process executes VB scripts

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 12828)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 10420)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 8988)
      • cmd.exe (PID: 9488)
      • cmd.exe (PID: 10292)
      • cmd.exe (PID: 10104)
      • cmd.exe (PID: 11032)
      • cmd.exe (PID: 9568)
      • cmd.exe (PID: 9612)
      • cmd.exe (PID: 10420)
      • cmd.exe (PID: 9864)
      • cmd.exe (PID: 11176)
      • cmd.exe (PID: 12828)
      • cmd.exe (PID: 13596)
      • cmd.exe (PID: 13276)
      • cmd.exe (PID: 12704)
      • cmd.exe (PID: 13896)
      • cmd.exe (PID: 14588)
      • cmd.exe (PID: 14380)
      • cmd.exe (PID: 14524)
      • cmd.exe (PID: 17804)
      • cmd.exe (PID: 15260)
      • cmd.exe (PID: 17340)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7504)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 5408)
  • INFO

    • Create files in a temporary directory

      • certutil.exe (PID: 7864)
    • Reads the computer name

      • Tasksvc.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • calc.exe (PID: 6816)
      • calc.exe (PID: 7232)
      • OpenWith.exe (PID: 6540)
      • calc.exe (PID: 7740)
      • OpenWith.exe (PID: 7704)
      • OpenWith.exe (PID: 5504)
      • calc.exe (PID: 8640)
      • calc.exe (PID: 8960)
      • calc.exe (PID: 8020)
      • calc.exe (PID: 9740)
      • calc.exe (PID: 10548)
      • calc.exe (PID: 9828)
      • calc.exe (PID: 10388)
      • OpenWith.exe (PID: 8328)
      • calc.exe (PID: 9224)
      • OpenWith.exe (PID: 732)
      • calc.exe (PID: 10580)
    • Checks supported languages

      • Tasksvc.exe (PID: 7892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
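The indicator list above is a catalogue of living-off-the-land binaries driven from cmd.exe: reg.exe writing an autorun value, certutil decoding the dropper, takeown, icacls and attrib rewriting ownership, ACLs and attributes, netsh changing the firewall state, rundll32, wscript and ipconfig, and, in the behavior graph further down, bcdedit.exe and format.com. Because every child is attributed to one of dozens of cmd.exe PIDs, a useful detection has to roll findings up to the script that spawned them. The Python below is an added example, not ANY.RUN's detection logic: rules keyed to the report's signature names are run over constructed Sysmon-style process-creation events (PIDs borrowed from the report, command lines invented) and grouped by the outermost cmd.exe running a .bat. The BCDEDIT and FORMAT signature names and all ATT&CK technique IDs are the editor's mapping, not the report's.

```python
"""Rule-based triage of the LOLBin chain listed in this report.

Added example, not ANY.RUN's detection code. SAMPLE_EVENTS are constructed
Sysmon-style process-creation records (PIDs borrowed from the report, command
lines invented); the ATT&CK IDs and the BCDEDIT/FORMAT signature names are
the editor's, not the report's.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str               # signature wording, the report's where it has one
    technique: str          # MITRE ATT&CK technique ID ("" = no clean fit)
    image: str              # regex on the image basename
    cmdline: str            # regex on the full command line
    critical: bool = False  # enough on its own for a malicious verdict


RULES = [
    Rule("Changes the autorun value in the registry", "T1547.001",
         r"^reg(\.exe)?$", r"\badd\b.*\\currentversion\\run\b", True),
    Rule("Decoding a file from Base64 using CertUtil", "T1140",
         r"^certutil(\.exe)?$", r"-decode\b"),
    Rule("Takes ownership (TAKEOWN.EXE)", "T1222.001", r"^takeown(\.exe)?$", r"/f\b"),
    Rule("Uses ICACLS.EXE to modify access control lists", "T1222.001",
         r"^icacls(\.exe)?$", r"/(grant|deny|remove|reset|setowner)\b"),
    Rule("Uses ATTRIB.EXE to modify file attributes", "T1564.001",
         r"^attrib(\.exe)?$", r"\+[hs]\b"),
    Rule("Uses NETSH.EXE to change the status of the firewall", "T1562.004",
         r"^netsh(\.exe)?$", r"advfirewall\s+set\b.*\bstate\s+off", True),
    Rule("Uses RUNDLL32.EXE to load library", "T1218.011",
         r"^rundll32(\.exe)?$", r"\w+\.dll\b"),
    Rule("The process executes VB scripts", "T1059.005",
         r"^[wc]script(\.exe)?$", r"\.vbs\b"),
    Rule("Process uses IPCONFIG to discard the IP address configuration", "",
         r"^ipconfig(\.exe)?$", r"/(release|flushdns)\b"),
    Rule("Disables boot recovery with BCDEDIT", "T1490", r"^bcdedit(\.exe)?$",
         r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", True),
    Rule("Formats a volume with FORMAT.COM", "T1561", r"^format(\.com)?$",
         r"^\S+\s+[a-z]:", True),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


_T = "C:\\Users\\admin\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [  # constructed; mirrors the report's tree, command lines invented
    ProcEvent(1000, 800, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(7504, 1000, "C:\\Windows\\System32\\cmd.exe", 'cmd /c "C:\\Users\\admin\\Desktop\\challenge_1.bat"'),
    ProcEvent(7568, 7504, "C:\\Windows\\System32\\cmd.exe", f'cmd /c "{_T}\\stage2.bat"'),  # nested cmd
    ProcEvent(7864, 7504, "C:\\Windows\\System32\\certutil.exe", f"certutil -f -decode {_T}\\p.txt {_T}\\Tasksvc.exe"),
    ProcEvent(7892, 7504, f"{_T}\\Tasksvc.exe", f"{_T}\\Tasksvc.exe"),
    ProcEvent(8056, 7504, "C:\\Windows\\System32\\reg.exe",
              f"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Tasksvc /t REG_SZ /d {_T}\\Tasksvc.exe /f"),
    ProcEvent(9001, 7568, "C:\\Windows\\System32\\takeown.exe", "takeown /f C:\\Windows\\System32\\drivers /r /a"),
    ProcEvent(9002, 7568, "C:\\Windows\\System32\\icacls.exe", "icacls C:\\Windows\\System32\\drivers /grant Everyone:F /t"),
    ProcEvent(9003, 7568, "C:\\Windows\\System32\\attrib.exe", f"attrib +h +s {_T}\\Tasksvc.exe"),
    ProcEvent(9004, 7504, "C:\\Windows\\System32\\netsh.exe", "netsh advfirewall set allprofiles state off"),
    ProcEvent(9005, 7504, "C:\\Windows\\System32\\rundll32.exe", "rundll32.exe user32.dll,SwapMouseButton"),
    ProcEvent(9006, 7504, "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /release"),
    ProcEvent(9007, 7504, "C:\\Windows\\System32\\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcEvent(9008, 7504, "C:\\Windows\\System32\\format.com", "format.com D: /q /y"),
    ProcEvent(9009, 7568, "C:\\Windows\\System32\\wscript.exe", f"wscript.exe //B {_T}\\x.vbs"),
    ProcEvent(9100, 7504, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),  # benign noise
    ProcEvent(9101, 7504, "C:\\Windows\\System32\\reg.exe",
              "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),  # read, not write
    ProcEvent(9102, 1000, "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list[Rule]:
    base = _basename(ev.image)
    return [r for r in RULES
            if re.search(r.image, base, re.I) and re.search(r.cmdline, ev.cmdline, re.I)]


def root_script(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> ProcEvent | None:
    """Outermost cmd.exe running a .bat on the parent chain, so findings from
    nested cmd.exe instances roll up to one script."""
    root, cur, seen = None, ev, set()
    while cur.ppid in by_pid and cur.ppid not in seen:   # seen guards PID reuse loops
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        if _basename(cur.image) == "cmd.exe" and ".bat" in cur.cmdline.lower():
            root = cur
    return root


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Signature names per root-script PID (direct parent when no .bat ancestor)."""
    by_pid = {e.pid: e for e in events}
    grouped = defaultdict(set)
    for ev in events:
        hits = match_rules(ev)
        if hits:
            root = root_script(ev, by_pid)
            grouped[root.pid if root else ev.ppid].update(r.name for r in hits)
    return {k: sorted(v) for k, v in grouped.items()}


def verdict(events: list[ProcEvent]) -> str:
    hits = [r for ev in events for r in match_rules(ev)]
    if not hits:
        return "NO FINDINGS"
    if any(r.critical for r in hits) or len({r.name for r in hits}) >= 3:
        return "MALICIOUS"
    return "SUSPICIOUS"
```

On real telemetry, map Sysmon Event ID 1 (or 4688 with command-line auditing enabled) onto ProcEvent and keep the rollup: a lone takeown or attrib is routine administration, while one parent .bat producing autorun persistence, a firewall change and a boot-recovery change within seconds is not. The critical flag lets a single destructive command (format, bcdedit, a Run key, firewall off) carry the verdict even when the rest of the chain is missed.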
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 1 197
Monitored processes: 1 070
Malicious processes: 21
Suspicious processes: 12

Behavior graph

[Interactive behavior graph, not reproduced. Its node labels show a root cmd.exe tagged #SONIC, four #SONIC-tagged cmd.exe instances in all (matching the four PIDs under "SONIC has been detected"), and repeated runs of cmd.exe, conhost.exe, takeown.exe, icacls.exe, attrib.exe, reg.exe, netsh.exe, wscript.exe, rundll32.exe, ipconfig.exe, certutil.exe and tasksvc.exe, interleaved with explorer.exe, notepad.exe, calc.exe, mspaint.exe, openwith.exe, sppextcomobj.exe, slui.exe, msg.exe, bcdedit.exe and format.com. Almost every node is marked "no specs". bcdedit.exe, format.com and msg.exe appear only in the graph, not in the indicator list above.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 632
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 664
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 680
CMD: WScript ErrorCritico.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 732
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 904
CMD: ipconfig /release
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 968
CMD: icacls "C:\WINDOWS\System32\bdaplgin.ax" /reset /c /q
Path: C:\Windows\System32\icacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
PID: 968
CMD: WScript Advertencia.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1012
CMD: takeown /f "C:\WINDOWS\System32\hal.dll"
Path: C:\Windows\System32\takeown.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Takes ownership of a file
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
PID: 1012
CMD: notepad
Path: C:\Windows\System32\notepad.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1056
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events: 115,115
Read events: 114,675
Write events: 440
Delete events: 0

Modification events

Process: reg.exe (PID 8056)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: EthernetKill
Value: C:\Users\admin\AppData\Local\Temp\EthernetKiller.cmd

Process: calc.exe (PID 7740)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: calc.exe (PID 7740)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: calc.exe (PID 7740)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: calc.exe (PID 7740)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: explorer.exe (PID 7336)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: calc.exe (PID 7232)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: calc.exe (PID 7232)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: calc.exe (PID 7232)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: OpenWith.exe (PID 6540)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Only the first write is attacker-controlled: the Run value EthernetKill points at EthernetKiller.cmd in the user's Temp directory, so the script re-runs at every logon. The SlowContextMenuEntries and CachePrefix writes from calc.exe, explorer.exe and OpenWith.exe are the standard shell and WinINet cache values those components maintain on their own.
Executable files: 2
Suspicious files: 0
Text files: 42
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\ErrorCritico.vbs (text)
MD5: 08121EA7E3B2EB7EDFC85252B937AAEB
SHA256: 31CD4463ECC62DC846DBAEE0A5446D4BF11100BEFF1B01AE88E234B6C29329C2
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Taskse.exe (text)
MD5: 1236D405D671B2C147ACAE2678F518A4
SHA256: 614162D7FEFAC8A3AE41574B6CBECAA82D187E8EABF035371E3A6D1BACF55859
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Autorun.inf (text)
MD5: 9A9FED65AE5AECB2E2723DCCF0F0B34E
SHA256: B9EB9A01994285B8A10189321D0CF6055AD92AE659D6603F7D1FE835F39CA1D2
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Taskdl.bat (text)
MD5: 9905E5A33C6EDD8EB5F59780AFBF74DE
SHA256: C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Virus.exe (text)
MD5: B1D3059482157DA5D773861534999EFE
SHA256: 976775EFE440F019095A5F5B6ACB0E6629F46290F49CCC94A07141DFD6129142
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Virus.ini (text)
MD5: B1D915B2E57B4B290CFE020DA515A2DE
SHA256: F6A83FA5B4282EAF7CCA6DFBC7C7CA1A5F2800505D4342A5C08E95EA0A968397
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Virus.com (text)
MD5: FC0C3DA921E8D554E831D103E0C69FBA
SHA256: E4741D499C22934DE7B4031D66D76CA836CE68890A17DCA9743C5369EF063D76
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\Virus.dll (text)
MD5: 9E770F8B4AA1C6ECCDDC304F0DA668CF
SHA256: 61393FBD57BA1A084DD0FA368AF513AC4093F97E5A8F5D608627DE14A92D7472
PID 7864, certutil.exe: C:\Users\admin\AppData\Local\Temp\Tasksvc.exe (executable)
MD5: 3A5168287A2BED6D6D26737DA9AF294B
SHA256: 01ADE58CEB0B9442A0C5C5BB27B781E748A86347FE0708ED9DE26B337829E294
PID 7504, cmd.exe: C:\Users\admin\AppData\Local\Temp\EthernetKiller.cmd (text)
MD5: 9905E5A33C6EDD8EB5F59780AFBF74DE
SHA256: C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3

Two details matter for triage. Taskdl.bat and EthernetKiller.cmd have identical MD5 and SHA256 values, so they are byte-for-byte copies of the same script, and EthernetKiller.cmd is the one registered under the Run key. The files named Virus.exe, Virus.com, Virus.dll and Taskse.exe are typed "text" by the sandbox despite their extensions; the only real executable written is Tasksvc.exe, decoded by certutil.exe (PID 7864), which is why certutil is the process flagged for dropping executable content.
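The registry writes and dropped files above are enough to check a suspect host for the same infection. The PowerShell script below is an added example for this report and is not part of the sample or of ANY.RUN. The key paths, value names, file names and SHA-256 values are copied from the report; the script layout, the -Remediate switch, the assumption that the report's C:\Users\admin\AppData\Local\Temp maps to $env:TEMP for the affected user, and the expectation that hal.dll and bdaplgin.ax are owned by NT SERVICE\TrustedInstaller on a clean Windows 10 host are this example's own. Run it as the user who opened the batch file, since HKCU and %TEMP% are per-user.

```powershell
# Added triage script for the behaviour in this ANY.RUN report (example code,
# not the sample and not ANY.RUN's). IOCs are copied from the report; names,
# structure and the -Remediate switch are assumptions of this example.
[CmdletBinding()]
param([switch]$Remediate)

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: HKCU Run value 'EthernetKill' -> %TEMP%\EthernetKiller.cmd.
#    Also flag any other Run entry that resolves into the user's Temp folder.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
    if ($p.Name -eq 'EthernetKill' -or "$($p.Value)" -match '\\AppData\\Local\\Temp\\') {
        $Findings.Add("Run value '$($p.Name)' = $($p.Value)")
        if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name $p.Name -Force }
    }
}

# 2. Lock-out policies the batch file tries to set. Both reg add calls exited
#    with code 1 in the sandbox, so verify instead of assuming they took effect.
$PolicyIocs = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogoff' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation' }
)
foreach ($ioc in $PolicyIocs) {
    $v = (Get-ItemProperty -Path $ioc.Key -Name $ioc.Name -ErrorAction SilentlyContinue).($ioc.Name)
    if ($v -eq 1) {
        $Findings.Add("Policy $($ioc.Key)\$($ioc.Name) = 1")
        if ($Remediate) { Remove-ItemProperty -Path $ioc.Key -Name $ioc.Name -Force }
    }
}

# 3. Dropped files in %TEMP% (assumed to be the report's
#    C:\Users\admin\AppData\Local\Temp for the affected user). Compare SHA-256
#    so a same-named but unrelated file is reported as a name match only.
$Dropped = @{
    'ErrorCritico.vbs'   = '31CD4463ECC62DC846DBAEE0A5446D4BF11100BEFF1B01AE88E234B6C29329C2'
    'Taskse.exe'         = '614162D7FEFAC8A3AE41574B6CBECAA82D187E8EABF035371E3A6D1BACF55859'
    'Autorun.inf'        = 'B9EB9A01994285B8A10189321D0CF6055AD92AE659D6603F7D1FE835F39CA1D2'
    'Taskdl.bat'         = 'C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3'
    'Virus.exe'          = '976775EFE440F019095A5F5B6ACB0E6629F46290F49CCC94A07141DFD6129142'
    'Virus.ini'          = 'F6A83FA5B4282EAF7CCA6DFBC7C7CA1A5F2800505D4342A5C08E95EA0A968397'
    'Virus.com'          = 'E4741D499C22934DE7B4031D66D76CA836CE68890A17DCA9743C5369EF063D76'
    'Virus.dll'          = '61393FBD57BA1A084DD0FA368AF513AC4093F97E5A8F5D608627DE14A92D7472'
    'Tasksvc.exe'        = '01ADE58CEB0B9442A0C5C5BB27B781E748A86347FE0708ED9DE26B337829E294'
    'EthernetKiller.cmd' = 'C134B2F85415BA5CFCE3E3FE4745688335745A9BB22152AC8F5C77F190D8AEE3'
}
foreach ($name in $Dropped.Keys) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $h   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $tag = if ($h -eq $Dropped[$name]) { 'hash match' } else { 'name match only, hash differs' }
        $Findings.Add("Dropped file $path ($tag)")
    }
}

# 4. System32 tampering: the sample runs takeown/icacls against hal.dll and
#    bdaplgin.ax. takeown exited 1 at medium integrity in the sandbox, but a
#    host where the user was elevated would show a changed owner.
foreach ($f in 'hal.dll', 'bdaplgin.ax') {
    $p = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path -LiteralPath $p) {
        $owner = (Get-Acl -LiteralPath $p).Owner
        if ($owner -ne 'NT SERVICE\TrustedInstaller') {
            $Findings.Add("$p owner is '$owner' (expected NT SERVICE\TrustedInstaller)")
        }
    }
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' } else { $Findings }
```

Without -Remediate the script only reports. With it, it removes the Run value and the two policy values; deleting the dropped files is deliberately left to the analyst so that copies can be preserved for analysis first, and any ownership change on System32 files should be reverted with icacls /setowner "NT SERVICE\TrustedInstaller" from an elevated prompt after the file's integrity has been confirmed.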
HTTP(S) requests: 5
TCP/UDP connections: 18
DNS requests: 13
Threats: 0

All HTTP requests and connections listed below come from Windows components (MoUsoCoreWorker.exe, SIHClient.exe, svchost.exe, RUXIMICS.exe and System) fetching certificate revocation lists, OCSP responses or telemetry and update endpoints; none is attributed to cmd.exe, wscript.exe or any other process spawned by the sample.

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
13396 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
13396 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
(The Type and Size columns are empty for every row in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6700 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
(Rows marked "-" had no PID, process, domain or ASN recorded in the report.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.4
  • 40.126.31.129
  • 40.126.31.71
  • 40.126.31.3
  • 40.126.31.73
  • 20.190.159.130
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info