File name:

login.php

Full analysis: https://app.any.run/tasks/3111a820-523e-4710-9512-a43852c820a2
Verdict: Malicious activity
Analysis date: March 23, 2025, 00:34:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (5558), with no line terminators
MD5:

5DAF53BF848BB4CDA008A655BDECF425

SHA1:

422EDA5A133D4BD324C634F113639A57C38BB552

SHA256:

847B4AD90B1DABA2D9117A8E05776F3F902DDA593FB1252289538ACF476C4268

SSDEEP:

96:j1Xp6Fi8ComWlyo5kxb2mRWcxHnLVRmqq4mAP0JEp7USUO5ip5iW33KlKXFd18eH:D6FismQVmamRVHLVwtKP8KK6uGiut3W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 2848)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 2848)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 2848)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2848)

    • Reads the Internet Settings

      • wscript.exe (PID: 2848)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 2848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2848"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\login.php.jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
790
Read events
764
Write events
20
Delete events
6

Modification events

(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ED7FFFC-28CA-445E-ADB6-3D15696A184E}
Operation:writeName:WpadDecisionReason
Value:
1
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ED7FFFC-28CA-445E-ADB6-3D15696A184E}
Operation:writeName:WpadDecisionTime
Value:
7463ED4A8B9BDB01
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ED7FFFC-28CA-445E-ADB6-3D15696A184E}
Operation:writeName:WpadDecision
Value:
0
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ED7FFFC-28CA-445E-ADB6-3D15696A184E}
Operation:writeName:WpadNetworkName
Value:
Network 5
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8ED7FFFC-28CA-445E-ADB6-3D15696A184E}
Operation:delete valueName:WpadDetectedUrl
Value:
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d4-da-6d-e0-c8-39
Operation:writeName:WpadDecisionReason
Value:
1
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d4-da-6d-e0-c8-39
Operation:writeName:WpadDecisionTime
Value:
7463ED4A8B9BDB01
(PID) Process:(2848) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d4-da-6d-e0-c8-39
Operation:writeName:WpadDecision
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
soundata.top
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
login.php