File name: RECHNUNG_18208_177710896.js

Full analysis: https://app.any.run/tasks/a49407fd-22b2-4954-8a77-a58461ec1402
Verdict: Malicious activity
Analysis date: January 30, 2026, 14:37:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (3784), with CRLF line terminators
MD5: 3508904CE78AC94DF266715B98602A34
SHA1: EE9AF56398BFEC7E79824A8C179D2DC6702BD731
SHA256: A4F74E43E4F14CAC480C64F5A75147742F8AAB699AA84915C6E30B1EB041032E
SSDEEP: 96:GeM6AofENzhUY/urwPhoL0evf72X2GgnXIXVe5+bLXonXIX5wGWC/Z8nZltsqNZ0:ZMQENaYyLDvfqMXIeQXEXIpwGWC6L8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Copies file to a new location (SCRIPT)

      • wscript.exe (PID: 6928)
    • Reads the value of a key from the registry (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Opens a text file (SCRIPT)

      • cscript.exe (PID: 8144)
    • Sends HTTP request (SCRIPT)

      • cscript.exe (PID: 8144)
    • Opens an HTTP connection (SCRIPT)

      • cscript.exe (PID: 8144)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • cscript.exe (PID: 8144)
  • SUSPICIOUS

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Accesses system license id via WMI (SCRIPT)

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • The process executes JS scripts

      • wscript.exe (PID: 6928)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6928)
  • INFO

    • Drops script file

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Reads Windows Product ID

      • wscript.exe (PID: 6928)
      • cscript.exe (PID: 8144)
    • Create files in a temporary directory

      • cscript.exe (PID: 8144)
    • Checks proxy server information

      • cscript.exe (PID: 8144)
      • slui.exe (PID: 6272)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 8144)
    • Self-termination (SCRIPT)

      • wscript.exe (PID: 6928)
No Malware configuration.
No data.
Total processes: 148
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start wscript.exe no specs cscript.exe conhost.exe no specs slui.exe

Process information

PID: 4136
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6272
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6928
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\RECHNUNG_18208_177710896.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8144
CMD: "C:\Windows\System32\cscript.exe" C:\Users\admin\AppData\Local\Temp\2686505780.js
Path: C:\Windows\System32\cscript.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 771
Read events: 4 767
Write events: 4
Delete events: 0

Modification events

PID: 8144
Process: cscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID: 8144
Process: cscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 8144
Process: cscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 6928
Process: wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 65641E0000000000

Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 6928
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\2686505780.js
Type: text
MD5: 3508904CE78AC94DF266715B98602A34
SHA256: A4F74E43E4F14CAC480C64F5A75147742F8AAB699AA84915C6E30B1EB041032E
HTTP(S) requests: 24
TCP/UDP connections: 34
DNS requests: 19
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop | unknown | - | - | whitelisted
7004 | svchost.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | unknown | - | - | whitelisted
8788 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
8788 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | whitelisted
8788 | SIHClient.exe | GET | 200 | 20.165.94.63:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | whitelisted
8788 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
8144 | cscript.exe | GET | 404 | 31.58.87.143:80 | http://microsoftpoller20.com/gt.php?00330-80002-46879-AA687@-DE-DESKTOP-JGLLJLD&Fri%20Jan%2030%2009:37:41%20EST%202026 | unknown | - | - | unknown
356 | svchost.exe | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7004 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1324 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5568 | SearchApp.exe | 92.123.104.56:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
5568 | SearchApp.exe | 92.123.104.26:443 | th.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
8144 | cscript.exe | 31.58.87.143:80 | microsoftpoller20.com | AS56971 AS56971 Cloud | HK | unknown
3412 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.251.141.110 | whitelisted
www.bing.com | 92.123.104.56, 92.123.104.62, 92.123.104.65, 92.123.104.63, 92.123.104.66, 92.123.104.61, 92.123.104.59, 92.123.104.52, 92.123.104.58 | whitelisted
th.bing.com | 92.123.104.26, 92.123.104.29, 92.123.104.33, 92.123.104.30, 92.123.104.38, 92.123.104.34, 92.123.104.37, 92.123.104.31, 92.123.104.32 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
self.events.data.microsoft.com | 20.189.173.7 | whitelisted
microsoftpoller20.com | 31.58.87.143 | unknown
client.wns.windows.com | 172.211.123.248 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.68, 20.190.160.65, 20.190.160.2, 20.190.160.14, 40.126.32.138, 20.190.160.66, 20.190.160.130 | whitelisted
crl.microsoft.com | 184.24.77.35, 184.24.77.37 | whitelisted

Threats

PID | Process | Class | Message
8144 | cscript.exe | Misc activity | ET INFO Observed UA-CPU Header
7004 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info