| File name: | key.js |
| Full analysis: | https://app.any.run/tasks/2e0314e1-a457-4664-9cec-6a1237fe6d7c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 22, 2024, 12:44:33 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (1153), with CRLF, CR, LF line terminators |
| MD5: | 3D797697724542DE38D7AFF217F815C3 |
| SHA1: | 1212693A8F2C31255F0F9D993B89D430F56FA2A4 |
| SHA256: | B3D506E2EF7C628E97B450A26CDAA1CE50516A7347272AD54419EAEA5E394527 |
| SSDEEP: | 6144:Bt0VwBj2JgXQllpi0xHcqI4y6Wa3cdc8HOcMYeictxCcMPtH:8VwBO8QfptHcqHJ7vMcMV |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 2372)
SUSPICIOUS
Process drops legitimate windows executable
- msiexec.exe (PID: 2372)
Executes as Windows Service
- uhssvc.exe (PID: 4068)
INFO
Manual execution by a user
- regedit.exe (PID: 6472)
- regedit.exe (PID: 6324)
Executable content was dropped or overwritten
- msiexec.exe (PID: 2372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
234
Monitored processes
12
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2372 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4068 | "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" | C:\Program Files\Microsoft Update Health Tools\uhssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Update Health Service Exit code: 0 Version: 10.0.19041.3626 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4536 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4768 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5016 | C:\WINDOWS\SysWOW64\schtasks.exe -create -tn Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler -xml plugscheduler.xml -F | C:\Windows\SysWOW64\schtasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6180 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\key.js" | C:\Windows\System32\wscript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6308 | C:\WINDOWS\SysWOW64\schtasks.exe -delete -tn Microsoft\Windows\WindowsUpdate\RUXIM\RUXIMDisplay -F | C:\Windows\SysWOW64\schtasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6324 | "C:\WINDOWS\regedit.exe" | C:\Windows\regedit.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Editor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6360 | C:\WINDOWS\SysWOW64\schtasks.exe -delete -tn Microsoft\Windows\WindowsUpdate\RUXIM\RUXIMSync -F | C:\Windows\SysWOW64\schtasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6372 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 910
Read events
8 702
Write events
97
Delete events
111
Modification events
| (PID) Process: | (6180) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe |
| Operation: | write | Name: | JScriptSetScriptStateStarted |
Value: 25F9000000000000 | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders |
| Operation: | write | Name: | C:\Config.Msi\ |
Value: | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\16be6.rbs |
Value: 31095894 | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\16be6.rbsLow |
Value: | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A1AA8848303FD74A9153D728F9AEABB |
| Operation: | write | Name: | 831A7A9B5DFB37C42A967FC8AC8251E0 |
Value: C:\Program Files\RUXIM\RUXIMICS.exe | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A1AA8848303FD74A9153D728F9AEABB\831A7A9B5DFB37C42A967FC8AC8251E0 |
| Operation: | write | Name: | PatchGUID |
Value: | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A1AA8848303FD74A9153D728F9AEABB\831A7A9B5DFB37C42A967FC8AC8251E0 |
| Operation: | write | Name: | MediaCabinet |
Value: | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A1AA8848303FD74A9153D728F9AEABB\831A7A9B5DFB37C42A967FC8AC8251E0 |
| Operation: | write | Name: | File |
Value: FID_RUXIM_ICS | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A1AA8848303FD74A9153D728F9AEABB\831A7A9B5DFB37C42A967FC8AC8251E0 |
| Operation: | write | Name: | ComponentVersion |
Value: 24.0.94.0 | |||
| (PID) Process: | (2372) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A1AA8848303FD74A9153D728F9AEABB\831A7A9B5DFB37C42A967FC8AC8251E0 |
| Operation: | write | Name: | ProductVersion |
Value: 8.94.0 | |||
Executable files
14
Suspicious files
18
Text files
2
Unknown types
25
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2372 | msiexec.exe | C:\Program Files\RUXIM\DTUDriver.exe | executable | |
MD5:179937CE0463778C97B65427E499D6EA | SHA256:4704C8F0F18FEAD460DB8DC6893B8DEB8C15414ECF4D833A78EAE0267BAB9CAC | |||
| 2372 | msiexec.exe | C:\WINDOWS\TEMP\~DF5C72B90E8CA90B6E.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
| 6180 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | der | |
MD5:57B2A3DB7308ECBCCA8000007ACE4302 | SHA256:7B34EB089C61D84FE681242FC53D68E13553D89936409A0EFAE7C59034C9F19C | |||
| 2372 | msiexec.exe | C:\WINDOWS\Installer\MSI6E84.tmp | binary | |
MD5:139737AFBCB6CCE0896DE6B8190E485A | SHA256:5C069CC9CA95068607D9F10951A6B1F48FE7D299EC0929AB45E111CDF8F105B7 | |||
| 2372 | msiexec.exe | C:\Config.Msi\16be7.rbf | executable | |
MD5:6FBAC8FCE6DB989CC62175C8B7DC5550 | SHA256:0C835D244CA70504894DE4C91D7B4A873A5549E3C75BC1D8C67DBDA99BF71EBC | |||
| 6180 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE | binary | |
MD5:62DF7033A1BCB4175DA69601D59A244A | SHA256:4D7E59B055F6F29E69C3C41481BFFC6AFA49BD66CF239D31BBCBDBB993C9B2BD | |||
| 2372 | msiexec.exe | C:\WINDOWS\Installer\inprogressinstallinfo.ipi | binary | |
MD5:46E1D3A5DA2E6A939B6CA6CFF1D5266E | SHA256:D125EE53B0FFBE16DA87637A41653826AB1DC238FC4F2EE51FC0114A06BB5147 | |||
| 2372 | msiexec.exe | C:\Config.Msi\16be8.rbf | executable | |
MD5:447B23ED3A291EC1C62F6ACA91A85B48 | SHA256:2EC904C8F335BC23FB46C1C3E2850F9528146B64084E453DC820673B10FDFF1C | |||
| 6180 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary | |
MD5:48FD476610E4B6D608EC855FFB498EDB | SHA256:F536EFB73AAD46658DE35C8A0070A693B95F5BF432B773697C61A245E00E247C | |||
| 2372 | msiexec.exe | C:\Config.Msi\16be9.rbf | executable | |
MD5:0F56AEDE718CB23D856D919A7480E8D2 | SHA256:86866300F14620A5884511FAC7193C3C757763FADA04963D6957E499CCCDD39F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1 126
TCP/UDP connections
107
DNS requests
51
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6180 | wscript.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | DE | binary | 824 b | unknown |
4148 | svchost.exe | GET | 206 | 23.216.77.146:80 | http://2.au.download.windowsupdate.com/c/msdownload/update/software/defu/2024/01/mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe | DE | text | 2 b | unknown |
4148 | svchost.exe | GET | 206 | 23.216.77.132:80 | http://2.au.download.windowsupdate.com/c/msdownload/update/software/defu/2024/01/mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe | DE | text | 2 b | unknown |
6180 | wscript.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | DE | binary | 557 b | unknown |
4148 | svchost.exe | GET | 206 | 23.216.77.132:80 | http://2.au.download.windowsupdate.com/c/msdownload/update/software/defu/2024/01/mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe | DE | executable | 897 Kb | unknown |
4148 | svchost.exe | GET | 206 | 23.216.77.146:80 | http://2.au.download.windowsupdate.com/c/msdownload/update/software/updt/2024/03/windows10.0-kb5001716-x64_d92aa5a45222707542efa229d9cb0a8840bcfff1.cab | DE | text | 2 b | unknown |
4148 | svchost.exe | GET | 206 | 23.216.77.132:80 | http://2.au.download.windowsupdate.com/c/msdownload/update/software/updt/2024/03/windows10.0-kb5001716-x64_d92aa5a45222707542efa229d9cb0a8840bcfff1.cab | DE | text | 2 b | unknown |
4148 | svchost.exe | GET | 200 | 23.32.238.178:80 | http://download.windowsupdate.com/phf/c/doc/ph/prod5/msdownload/update/software/crup/2022/11/1024/windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d04d026bb8c8e76.cab.json | DE | binary | 361 b | unknown |
4148 | svchost.exe | GET | 206 | 23.216.77.146:80 | http://2.au.download.windowsupdate.com/c/msdownload/update/software/updt/2024/03/windows10.0-kb5001716-x64_d92aa5a45222707542efa229d9cb0a8840bcfff1.cab | DE | compressed | 811 Kb | unknown |
4148 | svchost.exe | GET | 200 | 23.48.23.47:80 | http://dl.delivery.mp.microsoft.com/filestreamingservice//files/e3a4bc08-0df1-4ac3-bed8-464981e9de90/pieceshash | DE | binary | 858 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
3852 | svchost.exe | 20.114.59.183:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
3852 | svchost.exe | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1612 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2744 | svchost.exe | 13.89.179.9:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2864 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6404 | WaaSMedicAgent.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
slscr.update.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
tsfe.trafficshaping.dsp.mp.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
v10.events.data.microsoft.com |
| whitelisted |
cp501.prod.do.dsp.mp.microsoft.com |
| whitelisted |
fe2cr.update.microsoft.com |
| whitelisted |
2.au.download.windowsupdate.com |
| whitelisted |
download.windowsupdate.com |
| whitelisted |
dl.delivery.mp.microsoft.com |
| whitelisted |