File name:

F0EB0_P4rr0tCr4sh3r.bat

Full analysis: https://app.any.run/tasks/f7bd4ff6-b63c-4b4b-9605-5dba756788e4
Verdict: Malicious activity
Analysis date: February 17, 2025, 22:34:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
MD5:

2E5DBFF716D281FD7A15F39B4F30F819

SHA1:

A7437F71B2C11D83147850052F5785CC938400F2

SHA256:

E015AD4A3D72193DE437CA7A296E58BC6B317A858AE0B7628DA8EE4C8F389F09

SSDEEP:

12:wbYVJbOfOOOByTWtUdOoPTViypiOCaKU0F5tRWyOWk/Ws9WW7B6/Wf4od9sEXUuB:wqSOByTWWbGHnNKPL9WC8EIEXUuB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6600)
    • Reads security settings of Internet Explorer

      • wordpad.exe (PID: 5720)
      • StartMenuExperienceHost.exe (PID: 6560)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6600)
    • Application launched itself

      • cmd.exe (PID: 6600)
    • Sets XML DOM element text (SCRIPT)

      • wordpad.exe (PID: 5720)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 6560)
      • SearchApp.exe (PID: 4588)
  • INFO

    • Reads security settings of Internet Explorer

      • calc.exe (PID: 7140)
      • write.exe (PID: 6188)
      • OpenWith.exe (PID: 6404)
      • explorer.exe (PID: 2076)
      • calc.exe (PID: 3176)
      • OpenWith.exe (PID: 6720)
      • write.exe (PID: 5244)
      • explorer.exe (PID: 2356)
      • calc.exe (PID: 5600)
      • write.exe (PID: 5084)
      • write.exe (PID: 2736)
      • calc.exe (PID: 936)
      • OpenWith.exe (PID: 5216)
      • calc.exe (PID: 4076)
      • write.exe (PID: 5348)
      • OpenWith.exe (PID: 4708)
      • OpenWith.exe (PID: 5240)
    • Reads the computer name

      • wordpad.exe (PID: 5720)
      • StartMenuExperienceHost.exe (PID: 6560)
      • SearchApp.exe (PID: 4588)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)
    • Checks supported languages

      • wordpad.exe (PID: 5720)
      • StartMenuExperienceHost.exe (PID: 6560)
      • SearchApp.exe (PID: 4588)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 5864)
      • wordpad.exe (PID: 364)
    • Reads Environment values

      • wordpad.exe (PID: 5720)
      • SearchApp.exe (PID: 4588)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 6560)
      • SearchApp.exe (PID: 4588)
    • Checks proxy server information

      • SearchApp.exe (PID: 4588)
      • explorer.exe (PID: 2076)
    • Reads the software policy settings

      • SearchApp.exe (PID: 4588)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 2076)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 4588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
205
Monitored processes
88
Malicious processes
1
Suspicious processes
0

Behavior graph

Process chain in launch order. Every entry in the graph is marked "no specs" (no indicators) except searchapp.exe:

cmd.exe, conhost.exe, taskkill.exe ×5, cmd.exe, conhost.exe, mspaint.exe, notepad.exe, calc.exe, control.exe, write.exe, explorer.exe, taskkill.exe, wordpad.exe, openwith.exe, rundll32.exe, explorer.exe, explorer.exe, taskkill.exe, COpenControlPanel, taskkill.exe, startmenuexperiencehost.exe, searchapp.exe, taskkill.exe, mobsync.exe, taskkill.exe, cmd.exe, mspaint.exe, conhost.exe, notepad.exe, calc.exe, control.exe, write.exe, explorer.exe, taskkill.exe, wordpad.exe, openwith.exe, taskkill.exe ×4, cmd.exe, mspaint.exe, conhost.exe, notepad.exe, calc.exe, control.exe, write.exe, explorer.exe, wordpad.exe, openwith.exe, taskkill.exe ×5, cmd.exe, mspaint.exe, conhost.exe, notepad.exe, calc.exe, control.exe, write.exe, explorer.exe, taskkill.exe, wordpad.exe, openwith.exe, taskkill.exe ×4, cmd.exe, mspaint.exe, conhost.exe, notepad.exe, calc.exe, control.exe, write.exe, explorer.exe, taskkill.exe, wordpad.exe, openwith.exe, taskkill.exe ×3

Process information

PID
CMD
Path
Indicators
Parent process
PID:
364
CMD:
"C:\Program Files\Windows NT\Accessories\wordpad.exe"
Path:
C:\Program Files\Windows NT\Accessories\wordpad.exe
Parent process:
write.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wordpad Application
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
396
CMD:
explorer
Path:
C:\Windows\explorer.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
908
CMD:
mspaint
Path:
C:\Windows\System32\mspaint.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
936
CMD:
calc
Path:
C:\Windows\System32\calc.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\calc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1328
CMD:
taskkill /f /im conhost.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
3221225794
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID:
1448
CMD:
control
Path:
C:\Windows\System32\control.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\control.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1576
CMD:
mspaint
Path:
C:\Windows\System32\mspaint.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1580
CMD:
explorer
Path:
C:\Windows\explorer.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID:
1596
CMD:
"C:\Program Files\Windows NT\Accessories\wordpad.exe"
Path:
C:\Program Files\Windows NT\Accessories\wordpad.exe
Parent process:
write.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wordpad Application
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1808
CMD:
taskkill /f /im dllhost.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
3221225794
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
Total events
67 425
Read events
67 046
Write events
337
Delete events
42

Modification events

Process: (7164) control.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309DF1040000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (6404) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (6404) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

Process: (6404) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

Process: (5208) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

Process: (5208) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
00000000040000000E00000003000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

Process: (5208) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation: write
Name: Locked
Value:
1

Process: (2076) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisible
Value:
0

Process: (2076) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisibleOnAnyMonitor
Value:
0

Process: (2076) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisible
Value:
1
Executable files
4
Suspicious files
35
Text files
298
Unknown types
0

Dropped files

PID | Process | Filename | Type

6600 | cmd.exe | C:\Users\admin\Desktop\约尔1.exe | text
MD5: 4647B911ED41412EAC7B52057E66F6B0
SHA256: EBF81FB7A1C18EF2AE8E7B5805F0F89153793C93F9FBD289181FC9EBF25ACDCD

6600 | cmd.exe | C:\Users\admin\Desktop\约尔4.exe | text
MD5: B232BBCAE4D9B70C035BA57B9A5E9F8B
SHA256: 821EE57C0A7A634333B0BE61F118419B82FFE560F4D2B9356D5479AED7FCF153

6600 | cmd.exe | C:\Users\admin\Desktop\约尔5.exe | text
MD5: 458C23E77F658D35A2AB50F261EFF309
SHA256: E2355C8CD8CDD2E374EC6F32B91A6798EF379C6649A5242A7930F789CFE8E809

6600 | cmd.exe | C:\Users\admin\Desktop\约尔2.exe | text
MD5: CE2BA10CD13A6419D451F8F29ED92DD0
SHA256: 4AD6CAE48322B9326E354D8DA8104B30331834E8E605487EBB13810ABD60FD80

6600 | cmd.exe | C:\Users\admin\Desktop\约尔6.exe | text
MD5: 9CA0F6E00B34E89331CEAE8818B066CD
SHA256: CC1A19754F2590B8FF369809D515D25DC9A37EBE29C0DEDB546577B27BEFEBC9

6600 | cmd.exe | C:\Users\admin\Desktop\约尔8.exe | text
MD5: 71FF5ACA95779907300C2FA33098CA43
SHA256: ADE3BDDA02650306B6AD86BAB1DDCFEEC5DE5E2DAB45A5474D8FDED812B357C5

6600 | cmd.exe | C:\Users\admin\Desktop\约尔3.exe | text
MD5: 846F6BFA6220EF2A838E19498089048D
SHA256: FBA8090C27B17C41DA6C11D1C1B6B995B95A78453238E6304AA3593524251899

6600 | cmd.exe | C:\Users\admin\Desktop\约尔16.exe | text
MD5: 247D39CBCD5B44696072C33E3A4B0ECE
SHA256: 8E1C0A8BD039D2307D7EB61BF83687A8D180E6A6101001841312D849A5A37280

6600 | cmd.exe | C:\Users\admin\Desktop\约尔15.exe | text
MD5: 5425FFE5D89FF0C705E1A6FBA12662A5
SHA256: 8F4F907835082BEE4EBCEA0CDDE474E16FF1C31A524E9C1E9C13A5B35D99F050

6600 | cmd.exe | C:\Users\admin\Desktop\约尔19.exe | text
MD5: 8852A2BCB49577A6DF57FCEAACDEDADD
SHA256: 182A30AC2C029744144BC0CA048046DC53198204B8EC1C41ABA6F98F1A824D42
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
19
DNS requests
8
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 204 | 104.126.37.154:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 104.126.37.176:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | unknown | html | 125 Kb | whitelisted
- | - | GET | 200 | 104.126.37.128:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.46 Kb | whitelisted
- | - | GET | 200 | 104.126.37.154:443 | https://www.bing.com/rb/19/cir3,ortl,cc,nc/FgBbpIj0thGWZOh_xFnM9i4O7ek.css?bu=C9oJ6wPsBLYKmwmFCY0HbW1tbQ&or=w | unknown | text | 19.8 Kb | whitelisted
- | - | GET | 200 | 104.126.37.128:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | binary | 21.3 Kb | whitelisted
- | - | GET | 200 | 104.126.37.136:443 | https://www.bing.com/rb/19/cir3,ortl,cc,nc/vOJNaIfAXvJzmnBm845ss-M9YR8.css?bu=B4EDWe8C1wFtbYwD&or=w | unknown | text | 5.97 Kb | whitelisted
- | - | GET | 200 | 104.126.37.128:443 | https://www.bing.com/rb/16/jnc,nj/0SrfjVbd4BJYe5wzcCR3l-BPV6c.js?bu=Dis0e4gBjwGSAYUBfoIBxwHKATS-Ac0B&or=w | unknown | binary | 21.5 Kb | whitelisted
- | - | GET | 200 | 104.126.37.123:443 | https://www.bing.com/rb/3D/ortl,cc,nc/VbCw90KbfciOAAXUwrx6Ers36VI.css?bu=A4gCjAKPAg&or=w | unknown | text | 15.5 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4588 | SearchApp.exe | 104.126.37.163:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.145
  • 23.48.23.162
  • 23.48.23.143
  • 23.48.23.193
  • 23.48.23.169
  • 23.48.23.173
  • 23.48.23.158
  • 23.48.23.194
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 104.126.37.163
  • 104.126.37.154
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.144
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

No threats detected
No debug info