File name:

Aleichem.js

Full analysis: https://app.any.run/tasks/c89fd944-7a2a-4cff-95cb-1a3964714cf2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 11:53:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ta558
apt
payload
stegocampaign
loader
reverseloader
Indicators:
MIME: application/octet-stream
File info: data
MD5:

12C5B820868440F4197E6FDCB1E61254

SHA1:

0138CAFE61E7EC580CF1ED8F32041BEA99407B1A

SHA256:

239BCF64FC9D0B5DBCD7E1351444244695BD530E510846E0BB91055CA2E97ED1

SSDEEP:

192:nhBTHI4bGwhalXggsGJJsBt9gfqffJQJmPNNfO0MusJ+MICkBMCikC0XMCd/RL:rbGwhaFggsGJJsL9gfqffJQJmPNNfO/w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 864)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 864)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 864)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 3240)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 3240)

    • Starts Visual C# compiler

      • powershell.exe (PID: 5112)

  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • wscript.exe (PID: 864)
      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 3240)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 864)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 864)

    • Executes script without checking the security policy

      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 864)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 864)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 864)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 864)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 6240)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 3240)

    • Connects to unusual port

      • jsc.exe (PID: 4980)
      • jsc.exe (PID: 1188)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 864)
      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)
      • slui.exe (PID: 5984)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)

    • Disables trace logs

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 5112)
      • powershell.exe (PID: 3240)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5392)
      • powershell.exe (PID: 5324)
      • powershell.exe (PID: 3240)
      • powershell.exe (PID: 5112)

    • Reads the computer name

      • jsc.exe (PID: 4980)
      • csc.exe (PID: 6080)
      • jsc.exe (PID: 536)
      • jsc.exe (PID: 1188)

    • Checks supported languages

      • csc.exe (PID: 6080)
      • jsc.exe (PID: 4980)
      • jsc.exe (PID: 536)
      • jsc.exe (PID: 1188)

    • Reads the machine GUID from the registry

      • jsc.exe (PID: 4980)
      • csc.exe (PID: 6080)
      • jsc.exe (PID: 536)
      • jsc.exe (PID: 1188)

    • Reads the software policy settings

      • slui.exe (PID: 5984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
24
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs jsc.exe cmd.exe no specs conhost.exe no specs csc.exe no specs csc.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs jsc.exe no specs jsc.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
536"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
jsc.exe
Exit code:
0
Version:
14.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\jsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\Aleichem.jsC:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1040"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1056\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1188"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
jsc.exe
Version:
14.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\jsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
1240"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\chagrining.js"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1324\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\inthronize.js"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
30 423
Read events
30 418
Write events
5
Delete events
0

Modification events

(PID) Process:(864) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
11ED100000000000
(PID) Process:(5392) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Path
Value:
C:\Users\Public\Downloads\inthronize.js
(PID) Process:(5112) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Path
Value:
C:\Users\Public\Downloads\flaneurs.js
(PID) Process:(5324) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Path
Value:
C:\Users\Public\Downloads\chagrining.js
(PID) Process:(3240) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Path
Value:
C:\Users\Public\Downloads\Aleichem.js
Executable files
0
Suspicious files
5
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
2088cmd.exeC:\Users\Public\Downloads\flaneurs.jsbinary
MD5:12C5B820868440F4197E6FDCB1E61254
SHA256:239BCF64FC9D0B5DBCD7E1351444244695BD530E510846E0BB91055CA2E97ED1
5392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xf4usual.1qd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5324powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5oihnqqd.10a.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dfh2iqva.r2b.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j3upshni.bij.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_itqbmmjf.20b.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1240cmd.exeC:\Users\Public\Downloads\chagrining.jsbinary
MD5:12C5B820868440F4197E6FDCB1E61254
SHA256:239BCF64FC9D0B5DBCD7E1351444244695BD530E510846E0BB91055CA2E97ED1
6240cmd.exeC:\Users\Public\Downloads\Aleichem.jsbinary
MD5:12C5B820868440F4197E6FDCB1E61254
SHA256:239BCF64FC9D0B5DBCD7E1351444244695BD530E510846E0BB91055CA2E97ED1
1568cmd.exeC:\Users\Public\Downloads\inthronize.jsbinary
MD5:12C5B820868440F4197E6FDCB1E61254
SHA256:239BCF64FC9D0B5DBCD7E1351444244695BD530E510846E0BB91055CA2E97ED1
5324powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ffyfgzbj.eek.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
54
TCP/UDP connections
113
DNS requests
28
Threats
56

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
302
207.241.224.2:443
https://archive.org/download/new_image_20250413/new_image.jpg
unknown
864
wscript.exe
GET
301
23.186.113.60:80
http://paste.ee/d/302dzPON/0
unknown
shared
2104
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
404
23.186.113.60:443
https://paste.ee/d/sl2iy3l6/0
unknown
GET
302
207.241.224.2:443
https://archive.org/download/new_image_20250413/new_image.jpg
unknown
864
wscript.exe
GET
301
23.186.113.60:80
http://paste.ee/d/sl2iy3l6/0
unknown
shared
864
wscript.exe
GET
301
23.186.113.60:80
http://paste.ee/d/TCCerER0/0
unknown
shared
GET
302
207.241.224.2:443
https://archive.org/download/new_image_20250413/new_image.jpg
unknown
POST
400
20.190.160.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
864
wscript.exe
23.186.113.60:80
paste.ee
shared
864
wscript.exe
23.186.113.60:443
paste.ee
shared
2104
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.14
whitelisted
paste.ee
  • 23.186.113.60
shared
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.131
  • 20.190.159.71
  • 20.190.159.129
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.1
  • 20.190.159.23
whitelisted
archive.org
  • 207.241.224.2
whitelisted
ia601700.us.archive.org
  • 207.241.227.90
whitelisted
ia801700.us.archive.org
  • 207.241.233.30
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
864
wscript.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
A Network Trojan was detected
LOADER [ANY.RUN] Suspicious WinHttp Connection (paste .ee)
A Network Trojan was detected
LOADER [ANY.RUN] Suspicious WinHttp Connection (paste .ee)
A Network Trojan was detected
LOADER [ANY.RUN] Suspicious WinHttp Connection (paste .ee)
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
A Network Trojan was detected
PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
A Network Trojan was detected
PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Aleichem.js