File name:

4326FBEEBAE11A1AFF499F7CB10911B0

Full analysis: https://app.any.run/tasks/baeeb0de-ecd5-4269-ac2a-93639a0fe597
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: November 16, 2024, 09:02:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
ransomware
alphacrypt
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

4326FBEEBAE11A1AFF499F7CB10911B0

SHA1:

37F5531D343C0E07D59B24A84287A994FA5C110C

SHA256:

6FE2B30BEC8888670337DD9BA623F9E81DB9272F8BC315AA3E2EFDB4938FDEC7

SSDEEP:

12288:Fa9+4jQRvxcVwK0E8RdkX4EV+FzRoU78lflpTiFZSZU:FaQ4jQRvxcVwK0xRdkX4EV+FS08lfvTG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • vcwlhq.exe (PID: 6100)
    • Deletes shadow copies

      • vcwlhq.exe (PID: 6100)
    • Connects to the CnC server

      • vcwlhq.exe (PID: 6100)
    • ALPHACRYPT has been detected (SURICATA)

      • vcwlhq.exe (PID: 6100)
      • svchost.exe (PID: 2172)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
      • vcwlhq.exe (PID: 6100)
    • Executable content was dropped or overwritten

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
    • Starts itself from another location

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
    • Starts CMD.EXE for commands execution

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
    • Hides command output

      • cmd.exe (PID: 6768)
    • Checks for external IP

      • vcwlhq.exe (PID: 6100)
      • svchost.exe (PID: 2172)
    • Contacting a server suspected of hosting an CnC

      • vcwlhq.exe (PID: 6100)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1396)
    • Checks Windows Trust Settings

      • vcwlhq.exe (PID: 6100)
  • INFO

    • The process uses the downloaded file

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
      • vcwlhq.exe (PID: 6100)
    • Checks supported languages

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
      • vcwlhq.exe (PID: 6100)
    • Process checks computer location settings

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
      • vcwlhq.exe (PID: 6100)
    • Creates files or folders in the user directory

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
      • vcwlhq.exe (PID: 6100)
    • Reads the computer name

      • 4326FBEEBAE11A1AFF499F7CB10911B0.exe (PID: 5100)
      • vcwlhq.exe (PID: 6100)
    • Checks proxy server information

      • vcwlhq.exe (PID: 6100)
    • Reads the software policy settings

      • vcwlhq.exe (PID: 6100)
    • Reads the machine GUID from the registry

      • vcwlhq.exe (PID: 6100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:09:23 09:45:31+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 98304
InitializedDataSize: 4173824
UninitializedDataSize: -
EntryPoint: 0x1885a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.98.189.65
ProductVersionNumber: 0.59.162.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: SANYO Electric Co., Ltd.
FileDescription: Ditched
FileVersion: 1, 219, 0, 111
InternalName: Fantastic
LegalCopyright: Configured © 2053
OriginalFileName: Culture.exe
ProductName: Citrons Consultancy
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  • 4326fbeebae11a1aff499f7cb10911b0.exe
  • #ALPHACRYPT vcwlhq.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • vssadmin.exe
  • conhost.exe (no specs)
  • vssvc.exe (no specs)
  • #ALPHACRYPT svchost.exe

Process information

PID | CMD | Path | Parent process
1396 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2172 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4508 | "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet | C:\Windows\System32\vssadmin.exe | vcwlhq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5100 | "C:\Users\admin\AppData\Local\Temp\4326FBEEBAE11A1AFF499F7CB10911B0.exe" | C:\Users\admin\AppData\Local\Temp\4326FBEEBAE11A1AFF499F7CB10911B0.exe | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\4326fbeebae11a1aff499f7cb10911b0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5264 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5508 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | vssadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6100 | C:\Users\admin\AppData\Roaming\vcwlhq.exe | C:\Users\admin\AppData\Roaming\vcwlhq.exe | 4326FBEEBAE11A1AFF499F7CB10911B0.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\vcwlhq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6768 | "C:\WINDOWS\system32\cmd.exe" /c del C:\Users\admin\AppData\Local\Temp\4326FB~1.EXE >> NUL | C:\Windows\SysWOW64\cmd.exe | 4326FBEEBAE11A1AFF499F7CB10911B0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 7 388
Read events: 7 382
Write events: 6
Delete events: 0

Modification events

(PID) Process: (6100) vcwlhq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\msys
Operation: write
Name: ID
Value: 23EE2053319A2624

(PID) Process: (6100) vcwlhq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\23EE2053319A2624
Operation: write
Name: data
Value: 31464E414A6D42454A62535237516F506B634377574647526650556D376E47774348000000000000000000000000000004B012EACBAC2DE164D0E06E119BBAAB26BD75AB4696C3CF7CFD9B99E7651A89A77232A0DD05E90E372194BEB7FC256E8C5FC63BCF9A0A26D080CE53BAD0818601323837383731373836363634433644463935353036413838393433443042464339424134334246453641314436303136373739393444324436373142434442334138424238303530464230334237413032313035443233313445393137373034333836373244343135323330423337304546443446453443383543463643373400000000000000925F3867000000000000000000000000

(PID) Process: (6100) vcwlhq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: vsadmin
Value: C:\Users\admin\AppData\Roaming\vcwlhq.exe

(PID) Process: (6100) vcwlhq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6100) vcwlhq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6100) vcwlhq.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 226
Text files: 1 057
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5100 | 4326FBEEBAE11A1AFF499F7CB10911B0.exe | C:\Users\admin\AppData\Roaming\vcwlhq.exe | executable
MD5: 4326FBEEBAE11A1AFF499F7CB10911B0
SHA256: 6FE2B30BEC8888670337DD9BA623F9E81DB9272F8BC315AA3E2EFDB4938FDEC7
6100 | vcwlhq.exe | C:\Users\admin\Documents\Recovery_File_uqmhxefgj.txt | text
MD5: 2E58EB526FE420B8E63757EE7E815387
SHA256: 4FD851443D39369A9EBF64BB79B5E7E1A1BC4E77B48573C13FEFCFA78ACE092C
6100 | vcwlhq.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\restore_files_moycy.html | html
MD5: F3EF45F1B5790D770D73B05F89C4ED97
SHA256: E98695A4DDC151A3D7DAABA67207EEE2E7CA2A909ACF28A667ADFD0BD354B3EA
6100 | vcwlhq.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB | binary
MD5: F8466C113E109BC810C07899954CF85F
SHA256: 40CDE5431E4D93D0DBC7ABAA747DB1CB45B2223178FD899EE14A03DDA882142C
6100 | vcwlhq.exe | C:\Users\admin\.ms-ad\restore_files_moycy.txt | text
MD5: 9FF793A046CEEE88F4917C6EFBEB7AF4
SHA256: DF2A664E2B6846C4B975DBA14F29FB9F8537EDDCE6AF6B76F2579F7BEE9DA6CC
6100 | vcwlhq.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_272D3926BB6251E021EE54C7F2493AC3 | binary
MD5: CC4B006F5BE61DDD3E117F3EC0DF0976
SHA256: F86F7730E12524E2147C005E2ADC9253819976675211D0B7819930708E64502E
6100 | vcwlhq.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_272D3926BB6251E021EE54C7F2493AC3 | binary
MD5: 758C2FE5505E4711808D58CC89AE142B
SHA256: EA143E18FA46D564D83F7FAC09C8123715F56ACD14CDCA2DD633EBACA29DCD86
6100 | vcwlhq.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_42E656068F4C5FF031DE2BF150B87DDD | binary
MD5: 937FA719887523FF17326588B4102F22
SHA256: 27420E0D71219C525062C6A42AA0005923484679C583F5D2AA25ACC92EDEF1E8
6100 | vcwlhq.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\restore_files_moycy.html | html
MD5: F3EF45F1B5790D770D73B05F89C4ED97
SHA256: E98695A4DDC151A3D7DAABA67207EEE2E7CA2A909ACF28A667ADFD0BD354B3EA
6100 | vcwlhq.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5: 98B8835838B89B47AED5179B1ED418EF
SHA256: 6D8FEC54DFB2CB922441E199593A6DBD98498CEE70D4D23D3F69EE5E1486E67B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 46
DNS requests: 31
Threats: 15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6100
vcwlhq.exe
GET
79.96.158.60:80
http://light-tech.pl/wp-content/plugins/gallery-slider/misc.php?D0B1745184D4B19325F8CA239D78E804CD61EFB81950FA0C2FC045C8E5180451B9B3D962A8D84751654B0D909676452BFA778ACA6A4EC4E2C780888786126CE4576BC27C99834EF6D93C5DBD00B0A3857C89F9AB8F8AE4BA3DFD9DCD8CD808EC4D7CC8E5FC2567F3648F3F9C5DC64B2C60AD6376F223C22E06A3895E0EDFCC978CE5782AE2E06E6DB303889B25689E121BFCC03C3DF0D4A12E04024601C3D2C3E43679FB4B204F63352CE4E849433139C692066A5B41F59FF69165F8215FA70D362A82196F6D0EEE1220AC2089D68EFFB8AFCD0C4740AD6B258DC2023AB1DA67
unknown
malicious
5488
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6100
vcwlhq.exe
GET
200
34.117.59.81:80
http://ipinfo.io/ip
unknown
shared
6100
vcwlhq.exe
GET
404
68.183.44.1:80
http://alexsinden.co.uk/wp-content/plugins/wp-handy-lightbox/misc.php?D0B1745184D4B19325F8CA239D78E804CD61EFB81950FA0C2FC045C8E5180451B9B3D962A8D84751654B0D909676452BFA778ACA6A4EC4E2C780888786126CE4576BC27C99834EF6D93C5DBD00B0A3857C89F9AB8F8AE4BA3DFD9DCD8CD808EC4D7CC8E5FC2567F3648F3F9C5DC64B2C60AD6376F223C22E06A3895E0EDFCC978CE5782AE2E06E6DB303889B25689E121BFCC03C3DF0D4A12E04024601C3D2C3987750EB114839B55F91C2FB3A3167A4EAAEC03835C4A6C02C96ACD4FD83FEC85E29306D5CAC5BA9A73673417501053E7F8461FDC2861758CA23147902534C53
unknown
malicious
6100
vcwlhq.exe
GET
301
91.90.146.100:80
http://ghostwriter-24.de/wp-content/plugins/google-site-verification-using-meta-tag/misc.php?D0B1745184D4B19325F8CA239D78E804CD61EFB81950FA0C2FC045C8E5180451B9B3D962A8D84751654B0D909676452BFA778ACA6A4EC4E2C780888786126CE4576BC27C99834EF6D93C5DBD00B0A3857C89F9AB8F8AE4BA3DFD9DCD8CD808EC4D7CC8E5FC2567F3648F3F9C5DC64B2C60AD6376F223C22E06A3895E0EDFCC978CE5782AE2E06E6DB303889B25689E121BFCC03C3DF0D4A12E04024601C3D2C376DED93A83F4EB81150B7FA4E6036BFEE7CC98D79B97C1E87DF472ECF84227BC7DDF5317DD1D9976E44D1866010BC835C494AA8E5E8BF4F55AD5C69B166712CF
unknown
malicious
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6100
vcwlhq.exe
GET
302
185.253.212.22:80
http://rzal.pl/wp-content/themes/suevafree/misc.php?D0B1745184D4B19325F8CA239D78E804CD61EFB81950FA0C2FC045C8E5180451B9B3D962A8D84751654B0D909676452BFA778ACA6A4EC4E2C780888786126CE4576BC27C99834EF6D93C5DBD00B0A3857C89F9AB8F8AE4BA3DFD9DCD8CD808EC4D7CC8E5FC2567F3648F3F9C5DC64B2C60AD6376F223C22E06A3895E0EDFCC978CE5782AE2E06E6DB303889B25689E121BFCC03C3DF0D4A12E04024601C3D2C36B64DCD7E627EC70B77CFD2D44B04164CC414985948D3D1B93FF547A90460ED5C5B3FAF55B68E50DA8C80242FFF0EF714D0FAB42EC3928DB5D57D06054614049
unknown
malicious
6100
vcwlhq.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
6100
vcwlhq.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCTi7COYph7T3X5jLalBFyW
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2660 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4360 | SearchApp.exe | 92.123.104.33:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6100 | vcwlhq.exe | 34.117.59.81:80 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.167
  • 23.48.23.194
  • 23.48.23.166
  • 23.48.23.147
  • 23.48.23.177
  • 23.48.23.176
  • 23.48.23.145
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.bing.com
  • 92.123.104.33
  • 92.123.104.24
  • 92.123.104.26
  • 92.123.104.35
  • 92.123.104.34
  • 92.123.104.37
  • 92.123.104.29
  • 92.123.104.31
  • 92.123.104.32
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ipinfo.io
  • 34.117.59.81
shared
light-tech.pl
  • 79.96.158.60
malicious
mustdecor.com.br
unknown
ghostwriter-24.de
  • 91.90.146.100
malicious

Threats

PID | Process | Class | Message
6100 | vcwlhq.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ipinfo.io
2172 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6100 | vcwlhq.exe | Malware Command and Control Activity Detected | ET MALWARE AlphaCrypt CnC Beacon 5
6100 | vcwlhq.exe | Malware Command and Control Activity Detected | ET MALWARE AlphaCrypt CnC Beacon 5
6100 | vcwlhq.exe | Malware Command and Control Activity Detected | ET MALWARE AlphaCrypt CnC Beacon 5
6100 | vcwlhq.exe | Malware Command and Control Activity Detected | ET MALWARE AlphaCrypt CnC Beacon 5
2172 | svchost.exe | A Network Trojan was detected | ET MALWARE AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)
2172 | svchost.exe | A Network Trojan was detected | ET MALWARE AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)
2172 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to .onion proxy Domain (onion.to)
2172 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .to TLD
4 ETPRO signatures available at the full report
No debug info