File name: script.vbs

Full analysis: https://app.any.run/tasks/d1da4202-f2dc-47b8-aea6-4a38725b2ac2
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 26, 2024, 14:14:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ransomware
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (357), with CRLF line terminators
MD5:

B4A4D52B1434DE5F395855770D57964D

SHA1:

DEA23F14FBB3B6E72FAA43C44101478051381C29

SHA256:

E306C4231B9DADF2A7A331A2B116C4BE2E37D0F5BF81058AF1CE817B27B85AB7

SSDEEP:

48:A6FvjeFFmMknUUjP2IwxuO/fYTVhAG4ceF6+zWFzXjzHJbzKvsHQA7bJRbJEbJ9a:wFCUbG4XFDeT1zCsHQaT0FFz2in4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • wscript.exe (PID: 4788)
  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4788)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 4788)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 4788)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 6224)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 4788)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4788)
    • Uses REG/REGEDIT.EXE to modify registry

      • wscript.exe (PID: 4788)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4788)
  • INFO

    • Checks proxy server information

      • slui.exe (PID: 528)
    • Reads the software policy settings

      • slui.exe (PID: 528)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 21
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown (21 in total): start → wscript.exe, slui.exe, cmd.exe, conhost.exe, reg.exe, conhost.exe, reg.exe, conhost.exe, takeown.exe, reg.exe, conhost.exe, reg.exe, conhost.exe, reg.exe, conhost.exe, reg.exe, conhost.exe, reg.exe, conhost.exe, reg.exe, conhost.exe

Process information

Each process below is listed with its PID, CMD, Path and Parent process (the Indicators column is empty in the extracted report), followed by user, company, integrity level, description, exit code, version and loaded modules.
PID: 528
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 704
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\textshaping.dll
PID: 1128
CMD: "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 1596
CMD: "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 1704
CMD: "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 2508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2548
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\textshaping.dll
PID: 3332
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\textshaping.dll
PID: 3864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 18 851
Read events: 18 843
Write events: 8
Delete events: 0

Modification events

(PID) Process: (4788) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4788) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4788) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4788) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 0
Suspicious files: 30
Text files: 322
Unknown types: 201

Dropped files

PID | Process | Filename | Type
4788 | wscript.exe | C:\Users\admin\Desktop\greatmillion.jpg.vbs | image
MD5:AC8DACBA3F27D772E2E6CE3C136DE98D
SHA256:43993FB910D032D4057A294510026EB9816CE9A9EC63F40C6E85898350EF658D
4788 | wscript.exe | C:\Users\admin\Desktop\deapplications.rtf.vbs | text
MD5:9E4BBE7076C09D0BD407129E61F7AE3A
SHA256:C7AA05DA09C08BCDC5489D78C2D295AA1AC0A957F001D86EC5C0A15B24D2981C
4788 | wscript.exe | C:\Users\admin\Desktop\ownervia.png.vbs | image
MD5:A975530AE05ED923FE402ADC65404D4A
SHA256:10E8A05BA87E800F090D5726C50E9776C558CC72F6A95F223AEEE2C86C2712E6
4788 | wscript.exe | C:\Users\admin\Desktop\seriescancer.jpg.vbs | image
MD5:A19EA7060EFCE06950F9A8B0F6B94A0D
SHA256:5F0916346E71FB0E5332E46B1BFD5B55E048C8FDD6141889962AA6ED51787446
4788 | wscript.exe | C:\Users\admin\Downloads\classsettings.jpg.vbs | image
MD5:5657A3BA6959294BF5A6410A1698DE67
SHA256:BAF352ADAC759F022871E61C535AC7ADF017C822AB2F6237BB0B6D7D1E4B2B1D
4788 | wscript.exe | C:\Users\admin\Downloads\desktop.ini.vbs | text
MD5:3A37312509712D4E12D27240137FF377
SHA256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
4788 | wscript.exe | C:\Users\admin\Desktop\sitesq.rtf.vbs | text
MD5:BA4DEEA66F68603B6B7A6AC57F31CE04
SHA256:B3AFD9472838BA4906E844208CC87215CBD7C1D5995166726CE75C42CB0CB6D6
4788 | wscript.exe | C:\Users\admin\Desktop\billlesbian.jpg.vbs | image
MD5:581B5957FF4687D447C53534F10AA836
SHA256:536ACD95170B272B694BB91F2481097B877702FB7B0D22D03A7F6FA1E052FD1C
4788 | wscript.exe | C:\Users\admin\Desktop\requiredrates.png.vbs | image
MD5:0F0487931CE0E18A294C9D8B7CF5CBE7
SHA256:FDC00AF58B127D9A54B728323AEE2204E80B0408C635BF47831AADB1C52C3A81
4788 | wscript.exe | C:\Users\admin\Desktop\script.vbs | text
MD5:7E3AF4CEBC43300A82D0D08DBCA5FF84
SHA256:F038E0A1352E6DF0A8655FEE4848DC83A18123BBC43AEB5B04D1C6110744D0EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 8
Threats: 0

HTTP requests

The PID, Process and Reputation columns are empty in the extracted report; "-" marks an empty cell.

Method | HTTP Code | IP | URL | CN | Type | Size
POST | 204 | 104.126.37.139:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | -
GET | 200 | 13.107.246.45:443 | https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d | unknown | image | 43 b
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b
POST | 200 | 52.168.117.169:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b
POST | 200 | 20.42.73.25:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b
GET | 200 | 13.107.246.45:443 | https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?34199e0c36eeb8c91d4d36e327e75045 | unknown | image | 43 b

Connections

"-" marks a cell that is empty in the extracted report.

PID | Process | IP | Domain | ASN | CN | Reputation
6220 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | unknown
3940 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3332 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.153
  • 104.126.37.170
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.147
  • 104.126.37.154
whitelisted
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.45
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
whitelisted

Threats

No threats detected
No debug info