File name: Selfbot.js

Full analysis: https://app.any.run/tasks/937cfa58-1fc6-496b-b529-1e245cd590d3
Verdict: Malicious activity
Analysis date: May 31, 2025, 08:11:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: discord, evasion
MIME: application/javascript
File info: JavaScript source, Unicode text, UTF-8 text, with very long lines (3425), with CRLF line terminators
MD5: 13B0D258F7C6B502A8D5F3CED7634C60
SHA1: 0BE6AFAFB7C16D5FB50DE086E0CD5FB2B3F1A44F
SHA256: 841798C72D91CC3A5F1387EFFD2536A241682EF1B57864DF3CE659BA016F3C1A
SSDEEP: 96:g7J7/vViU2+ZBOwfcRe/dxQqpkfOiTnS+2I4RL3Ems:g7JzvViUL8lRe/4xfOInZ2IWS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Opens an HTTP connection (SCRIPT)
      • wscript.exe (PID: 5096)
    • Creates internet connection object (SCRIPT)
      • wscript.exe (PID: 5096)
    • Scans artifacts that could help determine the target
      • wscript.exe (PID: 5096)
    • Sends HTTP request (SCRIPT)
      • wscript.exe (PID: 5096)
  • SUSPICIOUS
    • Accesses computer name via WMI (SCRIPT)
      • wscript.exe (PID: 5096)
    • Checks for external IP
      • wscript.exe (PID: 5096)
    • Adds, changes, or deletes HTTP request header (SCRIPT)
      • wscript.exe (PID: 5096)
    • Potential Corporate Privacy Violation
      • wscript.exe (PID: 5096)
  • INFO
    • Checks proxy server information
      • wscript.exe (PID: 5096)
      • slui.exe (PID: 5064)
    • Attempting to use instant messaging service
      • wscript.exe (PID: 5096)
    • Reads the software policy settings
      • slui.exe (PID: 5064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .s | Digital Micrograph Script (100)
No data.
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> wscript.exe, slui.exe

Process information

PID: 5064
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5096
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\Selfbot.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 7,389
Read events: 7,377
Write events: 12
Delete events: 0

Modification events

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5096) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: A308120000000000
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 5096
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\TR3AASJ7.txt
Type: text
MD5: 9416BB54987BD87A49B7C4DD8778D0B2
SHA256: BBE16BDC1E239C4D2E87F9860DD7EB4F8946F97F1192B0EFA977E816B163B360
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 9
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | POST | 404 | 162.159.137.232:443 | https://discord.com/api/webhooks/1376268788416122952/L_biv0UIR2tyRp04DgKHXgEJUNZQghnZoZwzwTCD-OIk_hx5sPZ0TSMMfEv_YFhi99NT | unknown | binary | 45 b | whitelisted
5096 | wscript.exe | GET | 200 | 104.26.12.205:80 | http://api.ipify.org/?format=text | unknown | | | malicious
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
7328 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
7328 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7328 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5096 | wscript.exe | 104.26.12.205:80 | api.ipify.org | CLOUDFLARENET | US | shared
5096 | wscript.exe | 162.159.137.232:443 | discord.com | CLOUDFLARENET | | whitelisted
7328 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7328 | RUXIMICS.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1168 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5064 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.74.206 | whitelisted
api.ipify.org | 104.26.12.205, 104.26.13.205, 172.67.74.152 | shared
discord.com | 162.159.137.232, 162.159.135.232, 162.159.136.232, 162.159.138.232, 162.159.128.233 | whitelisted
crl.microsoft.com | 2.20.245.137, 2.20.245.139 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.189.173.14 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
5096 | wscript.exe | Potential Corporate Privacy Violation | ET INFO External IP Lookup (ipify .org)
2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5096 | wscript.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
5096 | wscript.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
 | | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
5096 | wscript.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info