File name: license.js
Full analysis: https://app.any.run/tasks/f04a4b34-6578-49ff-98e2-773c95a56432
Verdict: Malicious activity
Analysis date: April 15, 2025, 19:41:28
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
Note for triage: because the body is UTF-16LE, every ASCII character is followed by a NUL byte. ASCII-only string searches and YARA rules without the `wide` modifier will not match this file, and a single 32767-character line with no terminators is itself a hint at a minified or obfuscated script.
MD5: D6C142AFBB5A25E452E0F902D3B43A3B
SHA1: E310A551F718339F79D8B0A74119358D2F6EF51E
SHA256: 5230C4EBF4F03787E6F4B78233EA6A1CCD5BDEDE1FBD23BA7E21339C01B0D0E7
SSDEEP: 6144:uS4SJ+lDfex/l5CDbnl94ZPpy9pH7eJzmz:7VJ+lDfex/l5CDbnl94ZPs9p7eJz4
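The file info above matters for static triage: the script is stored as UTF-16LE with no line terminators, so a byte-level search for strings such as ActiveXObject finds nothing. The Python below, added here as an example and not part of the ANY.RUN report, decodes such a file and maps the COM ProgIDs it references to the behaviours listed in the indicators that follow. The sample bytes are a constructed stand-in (a few ActiveXObject instantiations), not the contents of license.js, and the ProgID-to-behaviour table is an assumption for the example.

```python
"""Static triage of a UTF-16LE Windows Script Host sample.

Added example, not part of the ANY.RUN report. SAMPLE_BYTES is a constructed
stand-in (a few ActiveXObject instantiations), not the contents of license.js.
"""
import codecs

# Which COM ProgIDs a WSH script needs for the behaviours this report flags.
# The mapping is an assumption for this example, not taken from the report.
PROGID_BEHAVIOUR = {
    "Scripting.FileSystemObject": "file system access, copy to Startup folder",
    "WScript.Shell": "registry read/write, environment variables, shell commands",
    "MSXML2.XMLHTTP": "HTTP client object",
    "WinHttp.WinHttpRequest.5.1": "HTTP client object",
    "winmgmts:": "WMI queries (Win32_AntivirusProduct, Win32_OperatingSystem, ...)",
}

# Constructed sample: one long line, UTF-16LE with BOM, no line terminator,
# matching the `file` description in the report.
SAMPLE_TEXT = (
    'var fso = new ActiveXObject("Scripting.FileSystemObject"); '
    'var sh = new ActiveXObject("WScript.Shell"); '
    'var http = new ActiveXObject("MSXML2.XMLHTTP"); '
    'var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");'
)
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")


def looks_utf16le(data):
    """BOM present, or every second byte of the first 64 bytes is NUL."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return True
    head = data[:64]
    return len(head) >= 4 and all(b == 0 for b in head[1::2])


def decode_script(data):
    """Decode to text; fall back to latin-1 so nothing raises on odd input."""
    if looks_utf16le(data):
        return data.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return data.decode("latin-1")


def ascii_hits(data, needle):
    """What an ASCII-only byte scanner sees: zero hits on UTF-16 text."""
    return data.count(needle.encode("ascii"))


def find_progids(text):
    """ProgIDs referenced anywhere in the decoded script, case-insensitive."""
    lowered = text.lower()
    return {p: b for p, b in PROGID_BEHAVIOUR.items() if p.lower() in lowered}


def triage(data):
    """Summarise encoding, line structure and referenced ProgIDs."""
    text = decode_script(data)
    lines = text.split("\n")
    return {
        "utf16le": looks_utf16le(data),
        "line_terminators": len(lines) - 1,
        "longest_line": max(len(line) for line in lines),
        "progids": find_progids(text),
    }


if __name__ == "__main__":
    print("ASCII search for ActiveXObject:", ascii_hits(SAMPLE_BYTES, "ActiveXObject"))
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

For a real sample, pass `open(path, "rb").read()` to `triage()`. The same lesson applies to YARA: strings meant to match this file need the `wide` (or `ascii wide`) modifier.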

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets %windir% folder path (SCRIPT)

      • cscript.exe (PID: 7404)
    • Reads the value of a key from the registry (SCRIPT)

      • cscript.exe (PID: 7404)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • cscript.exe (PID: 7404)
    • Gets TEMP folder path (SCRIPT)

      • cscript.exe (PID: 7404)
    • Modifies registry startup key (SCRIPT)

      • cscript.exe (PID: 7404)
    • Copies file to a new location (SCRIPT)

      • cscript.exe (PID: 7404)
    • Changes the autorun value in the registry

      • cscript.exe (PID: 7404)
    • Creates files in the Startup directory

      • cscript.exe (PID: 7404)
    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 7404)
    • Gets username (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses information about the status of the installed antivirus (Win32_AntivirusProduct) via WMI (SCRIPT)

      • cscript.exe (PID: 7404)
    • Sends HTTP request (SCRIPT)

      • cscript.exe (PID: 7404)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • cscript.exe (PID: 7404)
    • Creates internet connection object (SCRIPT)

      • cscript.exe (PID: 7404)
    • Opens an HTTP connection (SCRIPT)

      • cscript.exe (PID: 7404)
  • SUSPICIOUS

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 7340)
      • cscript.exe (PID: 7404)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7340)
    • The process executes JS scripts

      • wscript.exe (PID: 7340)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 7404)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 7404)
    • Creates a Folder object (SCRIPT)

      • cscript.exe (PID: 7404)
    • Gets computer name (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses current user name via WMI (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 7404)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses operating system name via WMI (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses WMI object caption (SCRIPT)

      • cscript.exe (PID: 7404)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses WMI object display name (SCRIPT)

      • cscript.exe (PID: 7404)
    • Accesses antivirus product name via WMI (SCRIPT)

      • cscript.exe (PID: 7404)
    • Connects to unusual port (TCP 79 on 46.196.24.72, see Connections below)

      • cscript.exe (PID: 7404)
  • INFO

    • Self-termination (SCRIPT)

      • wscript.exe (PID: 7340)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 7404)
    • Creates files or folders in the user directory

      • cscript.exe (PID: 7404)
    • Checks proxy server information

      • cscript.exe (PID: 7404)
    • Reads the software policy settings

      • slui.exe (PID: 7608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)

The MP3 match is a spurious byte-pattern hit from TRiD's signature scoring; the file(1) output above and the observed behaviour both show a UTF-16 text script.
Screenshots: all screenshots are available in the full report
Total processes: 135
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree (reconstructed from the process table below; "no specs" is the report's label for a process without its own indicators):

explorer.exe
  wscript.exe (PID 7340, no specs)
    cscript.exe (PID 7404)
      conhost.exe (PID 7412, no specs)
services.exe
  svchost.exe (PID 2196)
svchost.exe (PID not given)
  slui.exe (PID 5972, no specs)
  SppExtComObj.exe (PID 7560, no specs)
    slui.exe (PID 7608)

Process information

PID | CMD | Path | Parent process
2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5972 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7340 | "C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\license.js | C:\Windows\System32\wscript.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7404 | "C:\WINDOWS\SysWOW64\cscript.exe" /e:jscript "C:\Users\admin\AppData\Local\Temp\license.js" | C:\Windows\SysWOW64\cscript.exe | wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Version: 5.812.10240.16384

Note the relaunch: the 64-bit wscript.exe (PID 7340, parent explorer.exe) runs the same file again under the 32-bit cscript.exe with the engine forced to JScript via /e:jscript, then exits with code 0. That is why almost every behavioural indicator is attributed to PID 7404 while wscript.exe only shows "Runs shell command" and "Self-termination", and why a detection keyed on wscript.exe alone would miss the payload stage.
Modules
Images
c:\windows\syswow64\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
7412 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7560 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7608 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)

The SppExtComObj.exe and slui.exe activity (Action=AutoActivate, Trigger=TimerEvent) is the guest's own Windows activation timer firing and is not related to the sample; its "Reads the software policy settings" indicator is background noise.
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 2 246
Read events: 2 243
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7340) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write  Name: JScriptSetScriptStateStarted
Value: 3ABA100000000000

(PID) Process: (7404) cscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write  Name: JITDebug
Value: 0

(PID) Process: (7404) cscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write  Name: 11840STYL3
Value: "C:\Users\admin\AppData\Local\Temp\license.js"

The first two writes are the script host's own telemetry and JIT-debug settings and appear for any script it runs. The third is the persistence: an HKCU Run value named 11840STYL3 whose data is the bare script path, so at each logon the file is launched through the default .js handler (wscript.exe) from the user's Temp folder. The value name and the Temp path are the artefacts to search for on other hosts.
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7404 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js | text
MD5: D6C142AFBB5A25E452E0F902D3B43A3B
SHA256: 5230C4EBF4F03787E6F4B78233EA6A1CCD5BDEDE1FBD23BA7E21339C01B0D0E7

The hashes match the submitted sample, so this is a byte-identical copy of the script placed in the user's Startup folder: a second persistence mechanism alongside the HKCU Run value, which points at the original copy in %TEMP%. Both locations need to be removed on remediation.
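Taken together, the process table, the Run-key write and the dropped file give a compact hunting pattern: a script host launched on a .js from the user's Temp folder, a second script host spawned by the first with the engine forced via /e:, an HKCU Run value whose data is a script path, and a script file created in the Startup folder. The Python below, an added example that is not part of the ANY.RUN report, encodes those checks and runs them over event records constructed from this report's tables. The record field names, the script-host and extension lists and the path patterns are assumptions for the example and should be mapped onto your own EDR or Sysmon export.

```python
"""Hunt rules for the WSH persistence pattern in this report.

Added example, not part of the ANY.RUN report. The event records below are
constructed from the report's process table, registry writes and dropped file;
the field names are an assumption and must be mapped onto your own telemetry.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}             # assumed list
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}  # assumed list
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Constructed records, copied from the report's tables.
PROCESS_EVENTS = [
    {"pid": 7340, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\license.js',
     "parent_image": "explorer.exe"},
    {"pid": 7404, "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmdline": r'"C:\WINDOWS\SysWOW64\cscript.exe" /e:jscript "C:\Users\admin\AppData\Local\Temp\license.js"',
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 7412, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
     "parent_image": r"C:\Windows\SysWOW64\cscript.exe"},
]
REGISTRY_EVENTS = [
    {"pid": 7404, "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "11840STYL3", "value": r'"C:\Users\admin\AppData\Local\Temp\license.js"'},
    {"pid": 7404, "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings",
     "name": "JITDebug", "value": "0"},
]
FILE_EVENTS = [
    {"pid": 7404,
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js"},
]


def image_name(path):
    """Basename of an image path, tolerant of quotes and the \\??\\ NT prefix."""
    path = re.sub(r"^\\\?\?\\", "", path.strip().strip('"'))
    return PureWindowsPath(path).name.lower()


def argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_arg(cmdline):
    """First argument after the image whose extension is a WSH script type."""
    for tok in argv(cmdline)[1:]:
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def check_process(ev):
    """Script host from Temp, host-spawns-host, and forced engine (/e:)."""
    hits = []
    image, parent = image_name(ev["image"]), image_name(ev["parent_image"])
    if image not in SCRIPT_HOSTS:
        return hits
    script = script_arg(ev["cmdline"])
    if script and USER_TEMP.search(script):
        hits.append(f"pid {ev['pid']}: {image} runs a script from the user Temp folder: {script}")
    if parent in SCRIPT_HOSTS:
        hits.append(f"pid {ev['pid']}: script host {image} spawned by script host {parent}")
    if re.search(r"(?:^|\s)/e:", ev["cmdline"], re.I):
        hits.append(f"pid {ev['pid']}: script engine forced with /e: on the command line")
    return hits


def check_registry(ev):
    """Run/RunOnce value whose data is a script path."""
    if not ev["key"].lower().endswith(RUN_KEYS):
        return []
    target = ev["value"].strip('"')
    if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
        return [f"pid {ev['pid']}: Run value {ev['name']!r} launches a script: {target}"]
    return []


def check_file(ev):
    """Script file created inside a Startup folder."""
    p = PureWindowsPath(ev["path"])
    if STARTUP_DIR in str(p.parent).lower() and p.suffix.lower() in SCRIPT_EXTS:
        return [f"pid {ev['pid']}: script written to the Startup folder: {p.name}"]
    return []


def hunt(procs, regs, files):
    """Run every rule and return the list of findings."""
    hits = []
    for ev in procs:
        hits += check_process(ev)
    for ev in regs:
        hits += check_registry(ev)
    for ev in files:
        hits += check_file(ev)
    return hits


if __name__ == "__main__":
    for line in hunt(PROCESS_EVENTS, REGISTRY_EVENTS, FILE_EVENTS):
        print(line)
```

On these records the rules produce six findings: one for wscript.exe (script from Temp) and three for cscript.exe (script from Temp, spawned by a script host, /e: on the command line), plus the Run value and the Startup-folder drop. Any one of the process signals is noisy on its own; the combination with a Run or Startup write in the same process is what makes the pattern worth alerting on.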
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 26
DNS requests: 15
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
8172 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
n/a | n/a | GET | 200 | 184.24.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8172 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

(n/a: no PID or process was attached to this row in the extracted report.) All four HTTP requests are CRL and OCSP fetches by Windows components; none comes from cscript.exe. The script's own traffic goes to 46.196.24.72 on TCP 79, which is not a web port, so it shows up under Connections below rather than here.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
n/a | n/a | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
n/a | n/a | 184.24.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
7404 | cscript.exe | 46.196.24.72:79 | sbhfth.mywire.org | Turksat Uydu Haberlesme ve Kablo TV Isletme A.S. | TR | unknown
6544 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

(n/a: no PID or process was attached to this row in the extracted report.) The only connection that is not whitelisted is cscript.exe (PID 7404) to sbhfth.mywire.org, a dynamic-DNS host, on TCP 79 (the finger port). The domain and the 46.196.24.72:79 endpoint are the network IOCs to block and to pivot on in proxy and firewall logs; because mywire.org is a dynamic-DNS provider, the IP can change while the hostname stays the same.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.41
  • 184.24.77.42
  • 184.24.77.6
  • 184.24.77.23
  • 184.24.77.35
  • 184.24.77.11
  • 184.24.77.12
  • 184.24.77.7
  • 184.24.77.10
whitelisted
sbhfth.mywire.org
  • 46.196.24.72
unknown
login.live.com
  • 20.190.159.73
  • 40.126.31.131
  • 40.126.31.2
  • 20.190.159.71
  • 40.126.31.71
  • 40.126.31.129
  • 20.190.159.2
  • 20.190.159.129
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID | Process | Class | Message
n/a | n/a | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.mywire .org Domain
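The single IDS hit is an Emerging Threats informational signature on the DNS query for the mywire.org host; on its own it is a weak signal, since legitimate users of dynamic DNS exist. What makes this connection worth acting on is the combination of signals visible in the Connections table: a script host as the initiating process, a dynamic-DNS domain, and a non-web port on an external address. The Python below, an added example that is not part of the ANY.RUN report, scores connection records on those three independent signals so that any two together produce a hit and extracts the IOCs from the hits. The records are constructed from the Connections table above; the dynamic-DNS suffix list, the script-host list and the set of expected web ports are assumptions for the example.

```python
"""Score network connections for the pattern seen in this report.

Added example, not part of the ANY.RUN report. CONNECTIONS is constructed from
the report's Connections table; the suffix, host and port lists are assumptions.
"""
import ipaddress

DYNDNS_SUFFIXES = ("mywire.org", "duckdns.org", "no-ip.org", "ddns.net")   # assumed, extend as needed
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}  # assumed
WEB_PORTS = {80, 443}  # ports on which a script speaking HTTP would be unremarkable

# Constructed records, copied from the report's Connections table.
CONNECTIONS = [
    {"pid": 2104, "process": "svchost.exe", "ip": "4.231.128.59", "port": 443,
     "domain": "settings-win.data.microsoft.com"},
    {"pid": 4, "process": "System", "ip": "192.168.100.255", "port": 137, "domain": ""},
    {"pid": 7404, "process": "cscript.exe", "ip": "46.196.24.72", "port": 79,
     "domain": "sbhfth.mywire.org"},
    {"pid": 6544, "process": "svchost.exe", "ip": "2.17.190.73", "port": 80,
     "domain": "ocsp.digicert.com"},
    {"pid": 6544, "process": "svchost.exe", "ip": "20.190.159.73", "port": 443,
     "domain": "login.live.com"},
]


def is_dyndns(domain):
    """True if domain is, or sits under, a known dynamic-DNS suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNDNS_SUFFIXES)


def is_external(ip):
    """Routable address outside RFC 1918, loopback, link-local and multicast."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast)


def score(conn):
    """Independent signals; each alone is noisy, two together are rare."""
    reasons = []
    if conn["process"].lower() in SCRIPT_HOSTS:
        reasons.append("initiated by a script host")
    if is_dyndns(conn["domain"]):
        reasons.append("dynamic-DNS domain")
    if is_external(conn["ip"]) and conn["port"] not in WEB_PORTS:
        reasons.append(f"non-web port {conn['port']} to an external address")
    return reasons


def triage(conns, min_reasons=2):
    """Return the connections that accumulate at least min_reasons signals."""
    hits = []
    for c in conns:
        reasons = score(c)
        if len(reasons) >= min_reasons:
            hits.append({"pid": c["pid"], "process": c["process"],
                         "dest": f"{c['ip']}:{c['port']}", "domain": c["domain"],
                         "reasons": reasons})
    return hits


def iocs(hits):
    """Sorted pivot set (endpoint and hostname) for blocking and retro-hunting."""
    out = set()
    for h in hits:
        out.add(h["dest"])
        if h["domain"]:
            out.add(h["domain"])
    return sorted(out)


if __name__ == "__main__":
    found = triage(CONNECTIONS)
    for h in found:
        print(h["pid"], h["process"], h["dest"], h["domain"], "; ".join(h["reasons"]))
    print("IOCs:", iocs(found))
```

On the report's data only the cscript.exe connection scores, and it scores on all three signals; the NetBIOS broadcasts from System are ignored because the destination is not external, and the Microsoft CRL/OCSP/telemetry traffic stays at zero. Keep the hostname in the IOC set rather than just the IP, since dynamic-DNS records are expected to move.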
No debug info