File name:

script.vbs

Full analysis: https://app.any.run/tasks/d1da4202-f2dc-47b8-aea6-4a38725b2ac2
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data in order to extort a ransom. Most often it encrypts files on the infected machine and demands payment in exchange for the decryption key. Some families also steal sensitive data from the compromised computer, or launch DDoS attacks against the victim organization, to add pressure to pay.

Analysis date: July 26, 2024, 14:14:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (357), with CRLF line terminators
MD5:

B4A4D52B1434DE5F395855770D57964D

SHA1:

DEA23F14FBB3B6E72FAA43C44101478051381C29

SHA256:

E306C4231B9DADF2A7A331A2B116C4BE2E37D0F5BF81058AF1CE817B27B85AB7

SSDEEP:

48:A6FvjeFFmMknUUjP2IwxuO/fYTVhAG4ceF6+zWFzXjzHJbzKvsHQA7bJRbJEbJ9a:wFCUbG4XFDeT1zCsHQaT0FFz2in4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • wscript.exe (PID: 4788)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4788)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 6224)
    • Uses REG/REGEDIT.EXE to modify registry

      • wscript.exe (PID: 4788)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 4788)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 4788)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4788)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4788)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 4788)
  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 528)
    • Checks proxy server information

      • slui.exe (PID: 528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
154
Monitored processes
21
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in the graph (21 monitored): wscript.exe (PID 4788), which starts eight reg.exe instances (three of them are detailed below) and one cmd.exe (PID 6224), which in turn starts takeown.exe; each reg.exe and the cmd.exe has its own conhost.exe (nine in total). slui.exe (started by svchost.exe) also appears.

Process information

PID: 528
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 704
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\textshaping.dll
PID: 1128
CMD: "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 1596
CMD: "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 1704
CMD: "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 2508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2548
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\textshaping.dll
PID: 3332
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\textshaping.dll
PID: 3864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
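The process chain above (wscript.exe spawning reg.exe to set NoRun, DisableRegistryTools and NoControlPanel under HKCU\...\Policies, and wscript.exe spawning cmd.exe which runs takeown.exe) is what a detection should key on. Note that every reg.exe listed exited with code 1 and the Modification events list below records no write under a Policies key, so the lockouts appear not to have been applied in the sandbox; the rule therefore fires on the attempt (command line plus parent process), not on the resulting registry state. The following is an added example of that detection logic, not code from the sample or from ANY.RUN. The event records are constructed from the PIDs, command lines and parents shown in the Process information section; the field layout is an assumption modelled on a Sysmon ProcessCreate event, and the cmd.exe/takeown.exe command lines and the takeown.exe PID are placeholders because the report does not show them.

```python
"""Detection logic for the chain recorded in this report:
wscript.exe -> reg.exe (HKCU policy lockouts) and wscript.exe -> cmd.exe -> takeown.exe.
Added example; event records are constructed from the report, field layout is an
assumption modelled on a Sysmon ProcessCreate event."""
import re
from dataclasses import dataclass

# HKCU policy values the sample tries to set; a script host writing any of them
# is a user-lockout attempt regardless of whether reg.exe succeeds.
LOCKOUT_VALUES = {"NoRun", "DisableRegistryTools", "NoControlPanel"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# reg[.exe] add <key> /v <name> ...  (quoting and case tolerated)
REG_ADD = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?(?P<key>HK\w+\\[^"\s]+)"?\s+/v\s+"?(?P<name>[^"\s]+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # executable basename
    cmdline: str
    parent_pid: int
    parent_image: str


def lockout_policy_writes(events):
    """(pid, value name) for every reg.exe add of a lockout value under a
    Policies key whose parent is a script host."""
    hits = []
    for e in events:
        if e.image.lower() != "reg.exe" or e.parent_image.lower() not in SCRIPT_HOSTS:
            continue
        m = REG_ADD.search(e.cmdline)
        if not m:
            continue
        key, name = m.group("key").lower(), m.group("name")
        if "\\policies\\" in key and name in LOCKOUT_VALUES:
            hits.append((e.pid, name))
    return hits


def takeown_from_script_shell(events):
    """PIDs of takeown.exe started by a cmd.exe that was itself started by a script host."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() != "takeown.exe" or e.parent_image.lower() != "cmd.exe":
            continue
        shell = by_pid.get(e.parent_pid)
        if shell is not None and shell.parent_image.lower() in SCRIPT_HOSTS:
            hits.append(e.pid)
    return hits


WS = 4788  # wscript.exe PID from the report
SAMPLE_EVENTS = [
    # Three reg.exe instances exactly as listed on the page (parent wscript.exe).
    ProcEvent(1128, "reg.exe",
              r'"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f',
              WS, "wscript.exe"),
    ProcEvent(1596, "reg.exe",
              r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f',
              WS, "wscript.exe"),
    ProcEvent(1704, "reg.exe",
              r'"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f',
              WS, "wscript.exe"),
    # cmd.exe PID 6224 is on the page; its command line is not (placeholder text).
    ProcEvent(6224, "cmd.exe", "cmd.exe (arguments not in report)", WS, "wscript.exe"),
    # takeown.exe PID and arguments are not on the page (placeholders).
    ProcEvent(9999, "takeown.exe", "takeown.exe (arguments not in report)", 6224, "cmd.exe"),
    # Constructed control: a script writing a non-Policies HKCU key is not a lockout.
    ProcEvent(7001, "reg.exe",
              r'reg add HKCU\Software\ExampleApp /v NoRun /t REG_DWORD /d 1 /f',
              WS, "wscript.exe"),
    # Constructed control: the same value written by explorer.exe is not this chain.
    ProcEvent(7002, "reg.exe",
              r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f',
              3000, "explorer.exe"),
]

if __name__ == "__main__":
    print(lockout_policy_writes(SAMPLE_EVENTS))
    print(takeown_from_script_shell(SAMPLE_EVENTS))
```

The two controls at the end show why both the key path and the parent image matter: a script writing elsewhere in HKCU, or an administrator's tool writing the same policy value, should not trip the rule. If the write does land on a real host, the same three value names are what the responder removes with `reg delete ... /v <name>` to undo the lockout.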
Total events
18 851
Read events
18 843
Write events
8
Delete events
0

Modification events

PID 4788, wscript.exe, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0
Executable files
0
Suspicious files
30
Text files
322
Unknown types
201

Dropped files

PID 4788, wscript.exe: C:\Users\admin\Desktop\desktop.ini.vbs (text)
  MD5: 9E36CC3537EE9EE1E3B10FA4E761045B
  SHA256: 4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
PID 4788, wscript.exe: C:\Users\admin\Desktop\greatmillion.jpg.vbs (image)
  MD5: AC8DACBA3F27D772E2E6CE3C136DE98D
  SHA256: 43993FB910D032D4057A294510026EB9816CE9A9EC63F40C6E85898350EF658D
PID 4788, wscript.exe: C:\Users\admin\Desktop\billlesbian.jpg.vbs (image)
  MD5: 581B5957FF4687D447C53534F10AA836
  SHA256: 536ACD95170B272B694BB91F2481097B877702FB7B0D22D03A7F6FA1E052FD1C
PID 4788, wscript.exe: C:\Users\admin\Desktop\monthregional.rtf.vbs (text)
  MD5: F5846B174594AA24653DAF210897AF95
  SHA256: 6DA61C3A8D711F6D398EF877AB6C88212DAD24B9B74AF6EFDC8D8C3F5CD36271
PID 4788, wscript.exe: C:\Users\admin\Desktop\highpresented.png.vbs (image)
  MD5: 10CE9490A5E74E531C4C1B97AD9A9FD0
  SHA256: 46A827679065F485C0F8A2071A9AB6BB5CB7BB0DE5FDDD551BA7DE159B66584F
PID 4788, wscript.exe: C:\Users\admin\Desktop\editorbill.jpg.vbs (image)
  MD5: C04D4812CD821E6C2E573EB894E5BB9D
  SHA256: C18147C879B4B114BD34EBD810A431E61C6437DB3D6D25CDBADDB865E03E1B28
PID 4788, wscript.exe: C:\Users\admin\Desktop\seriescancer.jpg.vbs (image)
  MD5: A19EA7060EFCE06950F9A8B0F6B94A0D
  SHA256: 5F0916346E71FB0E5332E46B1BFD5B55E048C8FDD6141889962AA6ED51787446
PID 4788, wscript.exe: C:\Users\admin\Desktop\ownervia.png.vbs (image)
  MD5: A975530AE05ED923FE402ADC65404D4A
  SHA256: 10E8A05BA87E800F090D5726C50E9776C558CC72F6A95F223AEEE2C86C2712E6
PID 4788, wscript.exe: C:\Users\admin\Downloads\classsettings.jpg.vbs (image)
  MD5: 5657A3BA6959294BF5A6410A1698DE67
  SHA256: BAF352ADAC759F022871E61C535AC7ADF017C822AB2F6237BB0B6D7D1E4B2B1D
PID 4788, wscript.exe: C:\Users\admin\Desktop\requiredrates.png.vbs (image)
  MD5: 0F0487931CE0E18A294C9D8B7CF5CBE7
  SHA256: FDC00AF58B127D9A54B728323AEE2204E80B0408C635BF47831AADB1C52C3A81
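The "Renames files like ransomware" verdict rests on the list above: every dropped file is an existing user document with ".vbs" appended, and the sandbox's Type column still reads "image" or "text" for each one, which means the file header was still recognisable after the script touched it. That is the check to make before calling this crypto-ransomware: a type label that still matches the inner extension points to a rename (possibly with a partial or reversible content change), while a label that no longer matches points to encryption. The pre-rename originals and their hashes are not on the page, so the type column is the only content signal available here. The following is an added example of that triage, not code from the sample or from ANY.RUN. The rows are copied from this report; the mapping from inner extension to the sandbox's coarse type label is an assumption, and original_name only undoes the rename, it says nothing about whether the content was changed.

```python
"""Triage of the Dropped files list: which files were renamed by appending .vbs,
and does the sandbox's type label still match the original extension?
Added example; rows copied from the report, the extension->type map is an assumption."""
from collections import Counter
from pathlib import PureWindowsPath

# Type label we expect the sandbox to report for the extension that precedes .vbs
# (assumed mapping; extend it for other document types as needed).
EXPECTED_TYPE = {".jpg": "image", ".png": "image", ".rtf": "text", ".ini": "text"}

# PID | process | path | type, as listed on the page (hashes omitted)
DROPPED_FILES = r"""
4788 | wscript.exe | C:\Users\admin\Desktop\desktop.ini.vbs | text
4788 | wscript.exe | C:\Users\admin\Desktop\greatmillion.jpg.vbs | image
4788 | wscript.exe | C:\Users\admin\Desktop\billlesbian.jpg.vbs | image
4788 | wscript.exe | C:\Users\admin\Desktop\monthregional.rtf.vbs | text
4788 | wscript.exe | C:\Users\admin\Desktop\highpresented.png.vbs | image
4788 | wscript.exe | C:\Users\admin\Desktop\editorbill.jpg.vbs | image
4788 | wscript.exe | C:\Users\admin\Desktop\seriescancer.jpg.vbs | image
4788 | wscript.exe | C:\Users\admin\Desktop\ownervia.png.vbs | image
4788 | wscript.exe | C:\Users\admin\Downloads\classsettings.jpg.vbs | image
4788 | wscript.exe | C:\Users\admin\Desktop\requiredrates.png.vbs | image
"""


def parse_rows(text):
    """Parse 'PID | process | path | type' lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, process, path, ftype = (part.strip() for part in line.split("|"))
        rows.append({"pid": int(pid), "process": process, "path": path, "type": ftype})
    return rows


def classify(row):
    """One of: not-renamed, renamed-unknown-type, type-still-matches, type-changed."""
    p = PureWindowsPath(row["path"])
    # A single .vbs suffix is just a script; the rename pattern is <name>.<ext>.vbs
    if p.suffix.lower() != ".vbs" or len(p.suffixes) < 2:
        return "not-renamed"
    expected = EXPECTED_TYPE.get(p.suffixes[-2].lower())
    if expected is None:
        return "renamed-unknown-type"
    return "type-still-matches" if row["type"] == expected else "type-changed"


def original_name(path):
    """Candidate pre-rename path: strip only the trailing .vbs (assumption: the
    sample appends .vbs and leaves the original extension in place)."""
    p = PureWindowsPath(path)
    return str(p.with_suffix("")) if p.suffix.lower() == ".vbs" else path


def summarize(rows):
    """Number of rows per classification."""
    return dict(Counter(classify(r) for r in rows))


def writers(rows):
    """Distinct (pid, process) pairs that produced the files."""
    return sorted({(r["pid"], r["process"]) for r in rows})


if __name__ == "__main__":
    rows = parse_rows(DROPPED_FILES)
    print(writers(rows), summarize(rows))
    for r in rows:
        print(classify(r), r["path"], "->", original_name(r["path"]))
```

On the report's ten rows every file classifies as type-still-matches and all come from PID 4788 (wscript.exe). On a real host, confirm the content question by hashing the renamed files against backups or a known-good copy before renaming anything back; the rename-only recovery in original_name is a starting point for a dry run, not a restore procedure.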
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
8
Threats
0

HTTP requests

The report attributes no PID or process to any of the six requests.

POST 500 40.91.76.224:443
  URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
  CN: unknown | Type: xml | Size: 512 b | Reputation: unknown
POST 200 20.42.73.25:443
  URL: https://self.events.data.microsoft.com/OneCollector/1.0/
  CN: unknown | Type: binary | Size: 9 b | Reputation: unknown
GET 200 13.107.246.45:443
  URL: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d
  CN: unknown | Type: image | Size: 43 b | Reputation: unknown
POST 200 52.168.117.169:443
  URL: https://self.events.data.microsoft.com/OneCollector/1.0/
  CN: unknown | Type: binary | Size: 9 b | Reputation: unknown
POST 204 104.126.37.139:443
  URL: https://www.bing.com/threshold/xls.aspx
  CN: unknown | Reputation: unknown (no type or size recorded for the 204 response)
GET 200 13.107.246.45:443
  URL: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?34199e0c36eeb8c91d4d36e327e75045
  CN: unknown | Type: image | Size: 43 b | Reputation: unknown

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation (cells left blank on the page are shown as -)

6220 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | unknown
3940 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3332 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

No connection in this list is attributed to wscript.exe (PID 4788); every named process is a Windows component (activation, update and telemetry traffic).

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.153
  • 104.126.37.170
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.147
  • 104.126.37.154
whitelisted
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.45
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
whitelisted

Threats

No threats detected
No debug info