File name: LCrypt0rX.vbs

Full analysis: https://app.any.run/tasks/031685cd-ad1b-49ad-9e73-359617b835a7
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 26, 2025, 08:09:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: lcryptx, ransomware
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (376), with CRLF line terminators
MD5: CE03D8554A2BAD706AC9DAFDDD149E23
SHA1: D414AF7B30105B7845FCFE4360A4AE3B67A8E883
SHA256: 7BDE840C7E8C36DCE4C3BAC937BCF39F36A6F118001B406BFBBC25451CE44FB4
SSDEEP: 384:y8en+HbpBStxYUQHSH7l+iyDbKUzbGvP9Sy+y3vh01phlUuW6:in2fDRbg73vg1Uc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables the Run command on the Start menu

      • wscript.exe (PID: 7768)
    • Disables the Command Prompt (cmd)

      • wscript.exe (PID: 7768)
    • Changes the login/logoff helper path in the registry

      • wscript.exe (PID: 7768)
    • Disables task manager

      • wscript.exe (PID: 7768)
    • UAC/LUA settings modification

      • wscript.exe (PID: 7768)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • wscript.exe (PID: 7768)
    • Changes image file execution options

      • wscript.exe (PID: 7768)
    • Changes Windows Defender settings

      • wscript.exe (PID: 7768)
    • Changes settings for real-time protection

      • powershell.exe (PID: 7864)
    • Deletes shadow copies

      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 7580)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7768)
      • wscript.exe (PID: 5640)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 5640)
      • wscript.exe (PID: 7768)
    • LCRYPTX has been detected

      • notepad.exe (PID: 7852)
      • wscript.exe (PID: 7768)
      • notepad.exe (PID: 4756)
      • notepad.exe (PID: 4300)
      • notepad.exe (PID: 7428)
      • wscript.exe (PID: 7768)
      • notepad.exe (PID: 7356)
      • notepad.exe (PID: 3180)
      • notepad.exe (PID: 4068)
      • notepad.exe (PID: 7680)
      • notepad.exe (PID: 6372)
      • notepad.exe (PID: 6512)
      • notepad.exe (PID: 5936)
      • notepad.exe (PID: 2772)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7768)
      • wscript.exe (PID: 5640)
    • Modifies registry startup key (SCRIPT)

      • wscript.exe (PID: 7768)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 7768)
    • Creates files in the Startup directory

      • wscript.exe (PID: 7768)
    • Uses TASKKILL.EXE to kill antiviruses

      • wscript.exe (PID: 4336)
    • Antivirus name has been found in the command line (generic signature)

      • taskkill.exe (PID: 6872)
      • taskkill.exe (PID: 7760)
      • taskkill.exe (PID: 7644)
      • taskkill.exe (PID: 6252)
      • taskkill.exe (PID: 7668)
      • taskkill.exe (PID: 2908)
      • taskkill.exe (PID: 1512)
      • taskkill.exe (PID: 7368)
      • taskkill.exe (PID: 8152)
      • taskkill.exe (PID: 4376)
      • taskkill.exe (PID: 7180)
      • taskkill.exe (PID: 7396)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 8016)
  • SUSPICIOUS

    • Application launched itself

      • wscript.exe (PID: 7680)
      • wscript.exe (PID: 7768)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7680)
      • wscript.exe (PID: 7768)
      • wscript.exe (PID: 4336)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 7680)
      • wscript.exe (PID: 7768)
      • wscript.exe (PID: 5960)
    • The process executes VB scripts

      • wscript.exe (PID: 7680)
      • wscript.exe (PID: 7768)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 7768)
      • wscript.exe (PID: 5640)
      • wscript.exe (PID: 5960)
      • wscript.exe (PID: 8016)
    • Script disables Windows Defender's real-time protection

      • wscript.exe (PID: 7768)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7768)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7768)
      • wscript.exe (PID: 5960)
    • Executes as Windows Service

      • wbengine.exe (PID: 1568)
      • VSSVC.exe (PID: 7600)
      • vds.exe (PID: 7732)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7768)
    • The process verifies whether antivirus software is installed

      • cmd.exe (PID: 4920)
      • cmd.exe (PID: 4300)
    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 7940)
    • Found strings related to reading or modifying Windows Defender settings

      • wscript.exe (PID: 7768)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 7232)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7768)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 7768)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 7768)
    • Changes the desktop background image

      • wscript.exe (PID: 7768)
    • Uses RUNDLL32.EXE to load library

      • wscript.exe (PID: 7768)
    • Executes commands from a ".bat" file

      • wscript.exe (PID: 7768)
    • Modifies hosts file to alter network resolution

      • wscript.exe (PID: 7768)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7768)
    • Uses TASKKILL.EXE to kill process

      • wscript.exe (PID: 4336)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 5640)
  • INFO

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5308)
    • Manual execution by a user

      • wscript.exe (PID: 7680)
      • cmd.exe (PID: 7624)
      • cmd.exe (PID: 7568)
      • regedit.exe (PID: 7344)
      • regedit.exe (PID: 8188)
    • Checks supported languages

      • ShellExperienceHost.exe (PID: 7940)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7864)
    • Reads the computer name

      • ShellExperienceHost.exe (PID: 7940)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7864)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7852)
      • notepad.exe (PID: 4300)
      • notepad.exe (PID: 7428)
      • notepad.exe (PID: 4756)
      • notepad.exe (PID: 7680)
      • notepad.exe (PID: 7356)
      • notepad.exe (PID: 4068)
      • notepad.exe (PID: 6372)
      • notepad.exe (PID: 3180)
      • notepad.exe (PID: 5936)
      • notepad.exe (PID: 2772)
      • notepad.exe (PID: 6512)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 310
Monitored processes: 176
Malicious processes: 20
Suspicious processes: 1


Process information

PID: 720
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 720
CMD: "C:\Windows\System32\notepad.exe" C:\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.lcryx
Path: C:\Windows\System32\notepad.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 872
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1004
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1244
CMD: "C:\Windows\System32\taskkill.exe" /IM control.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1244
CMD: "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1328
CMD: "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1328
CMD: "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 24 811
Read events: 24 765
Write events: 46
Delete events: 0

Modification events

Process: wscript.exe (PID 7768)
Key: HKEY_CURRENT_USER\Control Panel\Mouse
Operation: write
Name: SwapMouseButtons
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write
Name: DisableCMD
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: DisableCMD
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: DisableCMD
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableRegistryTools
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableRegistryTools
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: NoRun
Value: 1

Process: wscript.exe (PID 7768)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: NoRun
Value: 1
Executable files: 0
Suspicious files: 15
Text files: 9
Unknown types: 0

Dropped files

PID 7864, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
  MD5: 8E9DE5B27EFB8AEF93E826B274AFA1AF
  SHA256: 77EF4C4A3B90D4FE1CC20E58FFCA65818031C7854E9244E04E32A3F8BCFFF1A2
PID 7864, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hokpkzwm.yzd.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7768, wscript.exe: C:\Windows\System32\systemconfig.exe.vbs (text)
  MD5: AFC08003B6E3F51789348665CC14C4B1
  SHA256: B13B88DD0FD5FA33C6297D3D4E389FBBBDEDD33C4DE94260A634856C4A31416E
PID 7768, wscript.exe: C:\Users\admin\Desktop\READMEPLEASE.txt (text)
  MD5: 4B32F47F77E3647FB4FEF7686EB58595
  SHA256: 3B2E2C921ECC76ECFF7F2AB34D7B6DC21168E6E2F9462DFF666F4F981EF5B645
PID 7768, wscript.exe: C:\Users\admin\Desktop\gcrybground.png (binary)
  MD5: 325D51F0420A417DFCD0EB5AB0792346
  SHA256: 98C91E8656C9E86E0C3019FDF35E5FC63E753BA75DE1BAD11A739D52BD9A561D
PID 7768, wscript.exe: C:\Windows\advapi32_ext.vbs (text)
  MD5: 12FAB7544912DA13A25635C1C2C40044
  SHA256: 82CDAF326F78C9EF5F6B5FD7C1307CA53EFB80EA76775097CBA45BFAD276FA8D
PID 7768, wscript.exe: C:\Windows\System32\USB_bridge.vbs (text)
  MD5: 625E128D8ACF4EF3783E61CD6AEFE9B4
  SHA256: 11CD9F05133D162BC7C0F45F599927374BF56803D740C50EBA115E813FF7777F
PID 7768, wscript.exe: C:\Windows\CDConnector.vbs (text)
  MD5: E3BF7E7BBB5F1F51E29E86DFCE0D391B
  SHA256: A16481BE755FF5AE8D7457A696E9DFE33FA2A7B9B31246A6C3EB98CB0C852C1E
PID 7768, wscript.exe: C:\Users\admin\Desktop\ensurediet.jpg.lcryx (binary)
  MD5: AD579C20CD29EB1D2E7DC73ABF9847D4
  SHA256: 3F4881D00A075B76F76A45A4A54D3C3BA727D07C98EF74397D7C639B884DF706
PID 7768, wscript.exe: C:\Users\admin\Desktop\openreader.rtf.lcryx (binary)
  MD5: 7E9906F5BD0B25FB4A27DD6539891DA2
  SHA256: 0DD0487F8E586C62E627CFC999C965AECB5D2C63614DF4F350BD72B1EC725287
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 44
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.10.249.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2924 | SearchApp.exe | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
2924 | SearchApp.exe | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
7768 | wscript.exe | GET | 200 | 142.250.186.100:80 | http://www.google.com/ | unknown | - | - | whitelisted
2924 | SearchApp.exe | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
2924 | SearchApp.exe | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | - | - | whitelisted
2924 | SearchApp.exe | GET | 200 | 23.67.160.244:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | - | - | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.10.249.24:80 | crl.microsoft.com | Akamai International B.V. | CH | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2924 | SearchApp.exe | 2.16.241.218:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.10.249.24 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
www.bing.com | 2.16.241.218 | whitelisted
ocsp.digicert.com | 23.67.160.244 | whitelisted
fp.msedge.net | 204.79.197.222 | whitelisted
www.google.com | 142.250.186.100 | whitelisted
www.mediafire.com | 104.17.150.117 | whitelisted
dual-s-ring.msedge.net | 52.123.128.254 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
No debug info