File name: protected.zip

Full analysis: https://app.any.run/tasks/b6cba3d1-3ede-4f15-9d71-5a6368ff2839
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: October 03, 2025, 17:46:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
auto
lcryx
ransomware
anti-evasion
miner
qrcode
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 5B817BE38B26D645BB0ECBC87479591D
SHA1: 1430782472093EFB901C5716BE5973C69654F20B
SHA256: E21A0EC582CA7E37F07EADD499811EEE45130E6F18CF870C252BB2F9EEB3E7A1
SSDEEP: 192:vw2ReTEsShesh+1toWW7m4du8tZKYePWUIxA8m90sbAbOE5HjCjJxJ3ywV:lwTxSheq8m37jnKYD08ATbAHyT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LCRYX has been found (auto)

      • WinRAR.exe (PID: 4928)
      • WinRAR.exe (PID: 2868)
    • Disables the Run the Start menu

      • wscript.exe (PID: 7472)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • wscript.exe (PID: 7472)
    • UAC/LUA settings modification

      • wscript.exe (PID: 7472)
    • Changes image file execution options

      • wscript.exe (PID: 7472)
    • Changes the login/logoff helper path in the registry

      • wscript.exe (PID: 7472)
    • Changes settings for real-time protection

      • powershell.exe (PID: 5180)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 7472)
    • Changes Windows Defender settings

      • wscript.exe (PID: 7472)
    • Disables task manager

      • wscript.exe (PID: 7472)
    • Gets %windir% folder path (SCRIPT)

      • wscript.exe (PID: 7472)
    • Gets %appdata% folder path (SCRIPT)

      • wscript.exe (PID: 7472)
    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 7472)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 8108)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 7472)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 8108)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 8108)
    • Gets startup folder path (SCRIPT)

      • wscript.exe (PID: 7472)
    • Modifies registry startup key (SCRIPT)

      • wscript.exe (PID: 7472)
    • Opens a text file (SCRIPT)

      • wscript.exe (PID: 7472)
    • Checks whether a specified folder exists (SCRIPT)

      • wscript.exe (PID: 7472)
    • Queries network adapter information (Win32_NetworkAdapter) (SCRIPT)

      • wscript.exe (PID: 8108)
    • Antivirus name has been found in the command line (generic signature)

      • taskkill.exe (PID: 8916)
      • taskkill.exe (PID: 9004)
      • taskkill.exe (PID: 8812)
      • taskkill.exe (PID: 8612)
      • taskkill.exe (PID: 8416)
      • taskkill.exe (PID: 8780)
    • Uses TASKKILL.EXE to kill antiviruses

      • wscript.exe (PID: 2144)
    • XMRig has been detected

      • WindowsUpdateService.exe (PID: 8868)
    • Deletes shadow copies

      • cmd.exe (PID: 8936)
      • cmd.exe (PID: 9100)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 2332)
      • wscript.exe (PID: 2144)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 8348)
      • cmd.exe (PID: 8528)
    • Deleting the backup catalog via wbadmin

      • cmd.exe (PID: 9100)
    • LCRYPTORX has been detected

      • notepad.exe (PID: 8740)
      • wscript.exe (PID: 7472)
      • notepad.exe (PID: 8804)
      • notepad.exe (PID: 8696)
      • notepad.exe (PID: 9012)
      • notepad.exe (PID: 8976)
      • notepad.exe (PID: 9104)
      • notepad.exe (PID: 384)
      • notepad.exe (PID: 8892)
      • notepad.exe (PID: 8848)
      • notepad.exe (PID: 8840)
      • notepad.exe (PID: 8924)
      • notepad.exe (PID: 9016)
      • notepad.exe (PID: 9124)
      • notepad.exe (PID: 9108)
      • notepad.exe (PID: 9096)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 7472)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4928)
      • WinRAR.exe (PID: 2868)
    • Application launched itself

      • WinRAR.exe (PID: 4928)
      • wscript.exe (PID: 6536)
      • wscript.exe (PID: 7472)
    • The process executes VB scripts

      • WinRAR.exe (PID: 2868)
      • wscript.exe (PID: 6536)
      • wscript.exe (PID: 7472)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6536)
      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 6788)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6536)
      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 2144)
      • wscript.exe (PID: 8108)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 6788)
      • wscript.exe (PID: 8108)
      • wscript.exe (PID: 2332)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 8108)
      • wscript.exe (PID: 2332)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7472)
      • wscript.exe (PID: 6788)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7472)
    • Script disables Windows Defender's real-time protection

      • wscript.exe (PID: 7472)
    • Found strings related to reading or modifying Windows Defender settings

      • wscript.exe (PID: 7472)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 4180)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 7472)
    • Creates file in the systems drive root

      • wscript.exe (PID: 7472)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7472)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7472)
    • The process verifies whether the antivirus software is installed

      • cmd.exe (PID: 4288)
      • cmd.exe (PID: 4016)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7472)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7472)
    • Modifies hosts file to alter network resolution

      • wscript.exe (PID: 7472)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 7472)
    • Uses RUNDLL32.EXE to load library

      • wscript.exe (PID: 7472)
    • Changes the desktop background image

      • wscript.exe (PID: 7472)
    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 7472)
    • Accesses default IP gateways via WMI (SCRIPT)

      • wscript.exe (PID: 8108)
    • Hides command output

      • PING.EXE (PID: 8328)
      • PING.EXE (PID: 8336)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 8108)
    • Uses TASKKILL.EXE to kill process

      • wscript.exe (PID: 2144)
    • Potential Corporate Privacy Violation

      • wscript.exe (PID: 7472)
    • Crypto Currency Mining Activity Detected

      • wscript.exe (PID: 7472)
    • Executable content was dropped or overwritten

      • wscript.exe (PID: 7472)
    • Executes as Windows Service

      • wbengine.exe (PID: 5940)
      • vds.exe (PID: 8380)
    • System recovery suppression via bcdedit.exe

      • wscript.exe (PID: 7472)
      • cmd.exe (PID: 8528)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8584)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 7472)
  • INFO

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 6500)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 3240)
      • BackgroundTransferHost.exe (PID: 2360)
      • BackgroundTransferHost.exe (PID: 4364)
      • BackgroundTransferHost.exe (PID: 6384)
      • BackgroundTransferHost.exe (PID: 6500)
      • notepad.exe (PID: 6660)
      • notepad.exe (PID: 8740)
      • notepad.exe (PID: 8804)
      • notepad.exe (PID: 8696)
      • notepad.exe (PID: 8924)
      • notepad.exe (PID: 8976)
      • notepad.exe (PID: 9012)
      • notepad.exe (PID: 9016)
      • notepad.exe (PID: 9104)
      • notepad.exe (PID: 384)
      • notepad.exe (PID: 8892)
      • notepad.exe (PID: 8848)
      • notepad.exe (PID: 8840)
      • notepad.exe (PID: 9096)
      • notepad.exe (PID: 9124)
      • notepad.exe (PID: 9108)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 6500)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 6500)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 2868)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5180)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5180)
    • Checks supported languages

      • WindowsUpdateService.exe (PID: 8868)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x1ebe6ead
ZipCompressedSize: 6976
ZipUncompressedSize: 7013
ZipFileName: e8cafd32f61d2f4dc1775b3b491c2ae67dc99eafab5e65d82228fc1d9cabbb9e.zip
No data.
All screenshots are available in the full report
Total processes: 302
Monitored processes: 131
Malicious processes: 26
Suspicious processes: 2

Behavior graph

Process nodes of the interactive graph, listed in the order they appear in the full report ("no specs" marks a node with no specific indicators; a #TAG marks the signature attached to that node):

start, #LCRYX winrar.exe (no specs), backgroundtransferhost.exe (no specs), backgroundtransferhost.exe, backgroundtransferhost.exe (no specs) x3, #LCRYX winrar.exe (no specs), wscript.exe (no specs), #LCRYPTORX wscript.exe, shellexperiencehost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), notepad.exe (no specs), slui.exe (no specs), rundll32.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wscript.exe, wscript.exe (no specs) x3, ping.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), ping.exe (no specs) x2, conhost.exe (no specs) x2, repeated taskkill.exe (no specs) / conhost.exe (no specs) pairs, #XMRIG windowsupdateservice.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), vssadmin.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wbadmin.exe, wbengine.exe (no specs), vdsldr.exe (no specs), vds.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bcdedit.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bcdedit.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bcdedit.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), reg.exe (no specs), #LCRYPTORX notepad.exe (no specs) x15, repeated taskkill.exe (no specs) / conhost.exe (no specs) pairs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 384 | CMD: "C:\Windows\System32\notepad.exe" "C:\Users\admin\Desktop\passwordblood.rtf.lcryptx" | Path: C:\Windows\System32\notepad.exe | Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 708 | CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Windows\SysWOW64\msvcr80.dll.bat" " | Path: C:\Windows\System32\cmd.exe | Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1400 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144 | CMD: "C:\Windows\System32\wscript.exe" C:\Windows\advapi32_ext.vbs | Path: C:\Windows\System32\wscript.exe | Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2332 | CMD: "C:\Windows\System32\wscript.exe" C:\Windows\CDConnector.vbs | Path: C:\Windows\System32\wscript.exe | Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2360 | CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | Path: C:\Windows\System32\BackgroundTransferHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2868 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb4928.26821\e8cafd32f61d2f4dc1775b3b491c2ae67dc99eafab5e65d82228fc1d9cabbb9e.zip | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3160 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3240 | CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | Path: C:\Windows\System32\BackgroundTransferHost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3340 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 30 369
Read events: 30 221
Write events: 127
Delete events: 21

Modification events

(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\protected.zip
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (4928) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 1
Suspicious files: 22
Text files: 13
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6500 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\91df12fd-85b7-483a-b195-ce5613a237db.down_data | (not given)
MD5: (not given)
SHA256: (not given)

6500 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\758d3dc1-1807-45ff-ac31-f39288849edb.cedd7901-e920-4b1b-9366-a460f4f28545.down_meta | binary
MD5: 487F6B3C5E4F19A1396830BED0474644
SHA256: A0C6F871A72A0C4CC92FC64FF1748EC93F993CB58E9170C176AE09E060CCA8C7

6500 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary
MD5: 7455F22E33900D676421E119DAC2D49D
SHA256: 0F9E148DAEEA4E7400643CB44840DCA40AF9D0DDDC74907206807770C22E38E4

7472 | wscript.exe | C:\PLEASEREADME.txt | text
MD5: BDB08C40728C362E252ED25FD3A24F2B
SHA256: FE86632850D4A90FA22A0B1682D2923E3108049704063E827BC0ADC4F603614A

7472 | wscript.exe | C:\Users\admin\Desktop\gcrybground.png | image
MD5: 929BDA26083CA8E10CE5DBCD34C8D43D
SHA256: 4A3FED3D76DDB7257D9FC985FE2B4C5FFD5B0F7D0808B5D8A054DF053F40FC56

6500 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\91df12fd-85b7-483a-b195-ce5613a237db.cedd7901-e920-4b1b-9366-a460f4f28545.down_meta | binary
MD5: 487F6B3C5E4F19A1396830BED0474644
SHA256: A0C6F871A72A0C4CC92FC64FF1748EC93F993CB58E9170C176AE09E060CCA8C7

6500 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary
MD5: A2459D8C15651BB81784468BC907C939
SHA256: E6360479BE8038E7443DA1855F01EC552F1B602A656A2BF713C1CD760B7CB6C8

6500 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\758d3dc1-1807-45ff-ac31-f39288849edb.up_meta_secure | binary
MD5: 1439D846C2E96240BC45FD4737C2FC19
SHA256: 74AF72D5DBE957CE2ABD07C11235A571A6FB4C229692B8789ED5830B4B644A22

5180 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bx5sev4c.bkk.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

4928 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb4928.26821\e8cafd32f61d2f4dc1775b3b491c2ae67dc99eafab5e65d82228fc1d9cabbb9e.zip | compressed
MD5: 0384ED49668C0E156CB228EDDD8C0686
SHA256: 653071EDF14D02288D6E9FFAC3B498D8A99DF0E0A276724BC31C2972FB0526B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 44
DNS requests: 19
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6500 | BackgroundTransferHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 313 b | whitelisted
7472 | wscript.exe | GET | 200 | 172.217.18.4:80 | http://www.google.com/ | US | html | 30.9 Kb | whitelisted
1644 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
6844 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
3000 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
7472 | wscript.exe | GET | 200 | 172.217.18.4:80 | http://www.google.com/ | US | html | 30.9 Kb | whitelisted
3000 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
1524 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 313 b | whitelisted
7472 | wscript.exe | GET | 200 | 172.217.18.4:80 | http://www.google.com/ | US | html | 30.9 Kb | whitelisted
7472 | wscript.exe | GET | 200 | 78.153.140.66:80 | http://78.153.140.66/xmrig.exe | RU | executable | 4.37 Mb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6016 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
8012 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5224 | SearchApp.exe | 2.16.241.218:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
3000 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3000 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1524 | backgroundTaskHost.exe | 2.16.241.218:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1524 | backgroundTaskHost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
3464 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.201
  • 2.16.241.205
  • 2.16.241.207
whitelisted
google.com
  • 142.250.184.206
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.134
  • 20.190.160.5
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.64
  • 20.190.160.128
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID | Process | Class | Message
(not given) | (not given) | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7472 | wscript.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image hosting service ImgBB
7472 | wscript.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
7472 | wscript.exe | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M1
7472 | wscript.exe | Misc activity | ET INFO WinHttpRequest Downloading EXE
7472 | wscript.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 9
7472 | wscript.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7472 | wscript.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7472 | wscript.exe | Crypto Currency Mining Activity Detected | MINER [ANY.RUN] Request Coinminer Xmrig
Process | Message
wbadmin.exe | Invalid parameter passed to C runtime function.