File name:

index.dll

Full analysis: https://app.any.run/tasks/2a41e354-f6b7-4f41-884a-9d8f5fa90569
Verdict: Malicious activity
Analysis date: May 16, 2025, 02:53:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

08E624448C93AF58ACA94586E0748598

SHA1:

48CE5F2A5BE760ACAE63A7494E9DFD84D87C1014

SHA256:

498275A211EE32C44D8C6A72440338407784B9FBF47F9C598591F25F242D8C1B

SSDEEP:

12288:6Rn99nyxQvAOOcDL9iWncZpMOgiC89UfAey:On7nj9O05iWgpMOpCoZey

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Gets username (SCRIPT)

      • wscript.exe (PID: 7948)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 7948)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7948)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7948)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7948)

    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 7948)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7948)

  • SUSPICIOUS

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 7948)

    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 7948)

    • Gets computer name (SCRIPT)

      • wscript.exe (PID: 7948)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7948)

    • Changes charset (SCRIPT)

      • wscript.exe (PID: 7948)

    • Creates XML DOM element (SCRIPT)

      • wscript.exe (PID: 7948)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 7948)

    • Script creates XML DOM node (SCRIPT)

      • wscript.exe (PID: 7948)

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 7948)

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7948)

  • INFO

    • The sample compiled with english language support

      • rundll32.exe (PID: 7424)

    • Create files in a temporary directory

      • rundll32.exe (PID: 7424)

    • Checks proxy server information

      • wscript.exe (PID: 7948)
      • slui.exe (PID: 2284)

    • Reads the software policy settings

      • slui.exe (PID: 7492)
      • slui.exe (PID: 2284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:23 10:12:00+00:00
ImageFileCharacteristics: Executable, 32-bit, DLL
PEType: PE32
LinkerVersion: 14
CodeSize: 214016
InitializedDataSize: 220160
UninitializedDataSize: -
EntryPoint: 0x27cdb
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.2.9424.7188
ProductVersionNumber: 4.2.9424.7188
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Wish Lotexcept
FileDescription: Boughtmeasure ride
FileVersion: 4.2.9424.7188
InternalName: me.dll
LegalCopyright: ©2012 Wish Lotexcept Corporation. All rights reserved.
OriginalFileName: me.dll
ProductName: Wish Lotexcept Boughtmeasure ride
ProductVersion: 4.2.9424.7188
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs sppextcomobj.exe no specs slui.exe wscript.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2284C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7424"C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\AppData\Local\Temp\index.dll, #1C:\Windows\SysWOW64\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7460C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7492"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7948wscript.exe //E:jscript "C:\Users\admin\AppData\Local\Temp\s5q8.0 "C:\Windows\SysWOW64\wscript.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
7 419
Read events
7 415
Write events
4
Delete events
0

Modification events

(PID) Process:(7948) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7948) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7948) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7948) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
7DEF110000000000
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7424rundll32.exeC:\Users\admin\AppData\Local\Temp\s5q8.0text
MD5:85C8E02D944C693DC8395E9B726FE380
SHA256:A033006AAB7F61C580DE6EC556512D4B351BB66C95AE316DD2B13FEBAA5995EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
50
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7948
wscript.exe
GET
404
3.238.30.69:80
http://shengbo769.com/project.aspx?cwdTelemetry=2&regclid=bWhhZWI2SElfR1hDXCFGS0BARkBINkhJX0dYQ1whRktAQEZASDZqbWB%2FaTY0OD5qPDU%2FOz4%2BNnl4aT02Pj4%3D&agwHit=xnkfen&cClass=le&ubwG=cbuakbfibdsx
unknown
malicious
7948
wscript.exe
GET
404
49.13.77.253:80
http://bao-universe.com/project.aspx?cwdTelemetry=2&regclid=aWxlYWYyTE1bQ1xHWCVCT0REQkRMMkxNW0NcR1glQk9EREJETDJuaWR7bTIwPDpuODE7Pzo6Mn18bTkyOjo%3D&agwHit=qnkikm&cClass=iy&ubwG=xsgwssuqlyzp
unknown
unknown
7948
wscript.exe
GET
404
49.13.77.253:80
http://rylandi2002.com/project.aspx?cwdTelemetry=2&regclid=a25nY2QwTk9ZQV5FWidATUZGQEZOME5PWUFeRVonQE1GRkBGTjBsa2Z5bzAyPjhsOjM5PTg4MH9%2BbzswODg%3D&agwHit=bznkch&cClass=vr&ubwG=lyudiwddxplg
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7948
wscript.exe
3.238.30.69:80
shengbo769.com
AMAZON-AES
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.74
  • 20.190.160.4
  • 40.126.32.68
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.133
whitelisted
shengbo769.com
  • 3.238.30.69
malicious
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
  • 2603:1030:7::106
whitelisted
206.23.85.13.in-addr.arpa
unknown
6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
rylandi2002.com
  • 49.13.77.253
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
index.dll