File name: sample01.js
Full analysis: https://app.any.run/tasks/a93fdbca-ac49-42b8-b4b0-97557e1308f3
Verdict: Malicious activity
Analysis date: September 24, 2024, 21:16:54
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: text/plain
File info: ASCII text, with very long lines (4666)
MD5: F6D7C45FC0991C94A6723ACA1FE07576
SHA1: 120FAEBE4BEB38B21A8163E17D0172AE6723CD9C
SHA256: B7CC674BBD23CE8DFA4BE5284C1BCC84D6392BA931536BEB65B5001A14E350D0
SSDEEP: 96:opJ9FjUUJ80SVd1SoYixT2wle2soENRib0URyxhL1T/rX1vHu4uzbNYV5smUo2g0:orI0WyxhL1T/Sia/oAToAiqzP0+5uG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Accesses environment variables (SCRIPT)
      • wscript.exe (PID: 4444)
    • Gets TEMP folder path (SCRIPT)
      • wscript.exe (PID: 4444)
    • Creates internet connection object (SCRIPT)
      • wscript.exe (PID: 4444)
    • Opens an HTTP connection (SCRIPT)
      • wscript.exe (PID: 4444)
    • Sends HTTP request (SCRIPT)
      • wscript.exe (PID: 4444)
  • SUSPICIOUS
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • wscript.exe (PID: 4444)
    • Adds, changes, or deletes HTTP request header (SCRIPT)
      • wscript.exe (PID: 4444)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
      • wscript.exe (PID: 4444)
    • Reads data from a binary Stream object (SCRIPT)
      • wscript.exe (PID: 4444)
    • Changes charset (SCRIPT)
      • wscript.exe (PID: 4444)
    • Reads data from a file (SCRIPT)
      • wscript.exe (PID: 4444)
    • Writes binary data to a Stream object (SCRIPT)
      • wscript.exe (PID: 4444)
    • Potential Corporate Privacy Violation
      • wscript.exe (PID: 4444)
    • Saves data to a binary file (SCRIPT)
      • wscript.exe (PID: 4444)
  • INFO
    • Checks proxy server information
      • wscript.exe (PID: 4444)
No Malware configuration.
Total processes: 128
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start wscript.exe

Process information

PID: 4444
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\sample01.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 692
Read events: 688
Write events: 4
Delete events: 0

Modification events

(PID) Process: (4444) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4444) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4444) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4444) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 28B11F0000000000
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 4444
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\V7bTrYJ4lbO6OS
Type: html
MD5: 6BEE3E4223CE28F916A914A3EC3F0195
SHA256: 40A19806B864722877B4D344F0F83905ADC731DDA84451F019F9FBCE6179B8AC
HTTP(S) requests: 8
TCP/UDP connections: 36
DNS requests: 21
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
4444 | wscript.exe | GET | 404 | 62.173.139.159:80 | http://xn--k1affefe.xn--p1ai/8wzzjk24u | unknown | unknown
4444 | wscript.exe | GET | 404 | 194.67.71.3:80 | http://anti-dust.ru/7k6cp | unknown | unknown
4444 | wscript.exe | GET | 302 | 3.18.7.81:80 | http://tx318.com/kqe4ca | unknown | whitelisted
4444 | wscript.exe | GET | 404 | 218.8.245.83:80 | http://fyd123.cn/kib6h2d9ga | unknown | unknown
6196 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1692 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5960 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5960 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1692 | svchost.exe | 52.185.211.133:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2120 | MoUsoCoreWorker.exe | 52.185.211.133:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6392 | RUXIMICS.exe | 52.185.211.133:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4444 | wscript.exe | 3.18.7.81:80 | tx318.com | AMAZON-02 | US | whitelisted
4444 | wscript.exe | 62.173.139.159:80 | xn--k1affefe.xn--p1ai | Internet-Cosmos LLC | RU | unknown
4444 | wscript.exe | 218.8.245.83:80 | fyd123.cn | CHINA UNICOM China169 Backbone | CN | unknown
4444 | wscript.exe | 194.67.71.3:80 | anti-dust.ru | Domain names registrar REG.RU, Ltd | RU | unknown

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 52.185.211.133, 51.104.136.2, 4.231.128.59, 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.184.206 | whitelisted
tx318.com | 3.18.7.81, 3.19.116.195 | whitelisted
www.hugedomains.com | 104.26.6.37, 104.26.7.37, 172.67.70.191 | whitelisted
xn--k1affefe.xn--p1ai | 62.173.139.159 | unknown
zwljfc.com | | unknown
fyd123.cn | 218.8.245.83 | unknown
anti-dust.ru | 194.67.71.3 | unknown
login.live.com | 40.126.31.71, 20.190.159.2, 20.190.159.64, 40.126.31.73, 20.190.159.0, 20.190.159.4, 20.190.159.75, 20.190.159.68 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats

PID | Process | Class | Message
4444 | wscript.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
4444 | wscript.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
No debug info
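The indicator list (internet connection object, HTTP request with a modified header, binary Stream saved to a file under Temp) together with the HTTP, connection and threat tables describe a Windows Script Host downloader whose four payload URLs all failed (three 404s, one 302). The following is an added example, not part of the ANY.RUN report or of the sample: a Python triage helper that correlates a suspicious script-host launch with outbound HTTP from the same PID, extracts blocklist IOCs from the correlated requests, and checks a User-Agent string for the unsupported NT version named by the ET POLICY alert. The event records are constructed from values visible in this report; the svchost command line and parent, the shortened benign URLs and the User-Agent strings are assumptions, since the report shows none of them.

```python
"""Triage helpers for the WSH downloader behaviour seen in this report.

Added example, not part of the ANY.RUN report or the sample. The event
records below are constructed from values visible in the report (PID 4444,
its command line and parent, its HTTP requests); the svchost row is a
stand-in for the background traffic, and the User-Agent strings are
assumptions, since the report shows only the Suricata alert name.
"""
import re
from urllib.parse import urlparse

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Script launched from a user-writable location (AppData/Temp, Downloads, Desktop).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# Background traffic in the report that is not attributable to the sample.
BENIGN_SUFFIXES = (".microsoft.com", ".digicert.com")
# Windows versions no longer shipped; a UA claiming one on a Windows 10 host is fake.
# Assumption: this mirrors what the "Unsupported/Fake Windows NT Version" alert family checks.
UNSUPPORTED_NT = {"5.0": "Windows 2000", "5.1": "Windows XP",
                  "5.2": "Windows Server 2003", "6.0": "Windows Vista"}

# Constructed from the report's "Process information" section (svchost row is a stand-in).
PROCESS_EVENTS = [
    {"pid": 4444, "image": r"C:\Windows\System32\wscript.exe", "parent": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\sample01.js'},
    {"pid": 6196, "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Constructed from the report's "HTTP requests" table (benign URLs shortened).
HTTP_EVENTS = [
    {"pid": 4444, "status": 404, "ip": "62.173.139.159", "url": "http://xn--k1affefe.xn--p1ai/8wzzjk24u"},
    {"pid": 4444, "status": 404, "ip": "194.67.71.3", "url": "http://anti-dust.ru/7k6cp"},
    {"pid": 4444, "status": 302, "ip": "3.18.7.81", "url": "http://tx318.com/kqe4ca"},
    {"pid": 4444, "status": 404, "ip": "218.8.245.83", "url": "http://fyd123.cn/kib6h2d9ga"},
    {"pid": 6196, "status": 200, "ip": "192.229.221.95", "url": "http://ocsp.digicert.com/"},
    {"pid": 5960, "status": 200, "ip": "184.30.21.171", "url": "http://www.microsoft.com/pkiops/crl/"},
]


def is_user_script_launch(ev):
    """Process-creation rule: a script host running a script from a user-writable path."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    target = ev["cmdline"].rstrip().rstrip('"').lower()
    return target.endswith(SCRIPT_EXTS) and USER_WRITABLE.search(ev["cmdline"]) is not None


def decode_idn(host):
    """Render punycode labels in Unicode for the analyst; fall back to the ASCII form."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def correlate(process_events, http_events):
    """Join flagged script launches with outbound HTTP issued by the same PID."""
    flagged = {ev["pid"] for ev in process_events if is_user_script_launch(ev)}
    findings = []
    for ev in http_events:
        if ev["pid"] not in flagged:
            continue
        parsed = urlparse(ev["url"])
        host = parsed.hostname
        if host.endswith(BENIGN_SUFFIXES):
            continue
        findings.append({
            "pid": ev["pid"], "host": host, "ip": ev["ip"], "url": ev["url"],
            "status": ev["status"], "cleartext": parsed.scheme == "http",
            "is_idn": "xn--" in host, "host_unicode": decode_idn(host),
        })
    return findings


def extract_iocs(findings):
    """Deduplicated blocklist material from the correlated findings."""
    return {
        "domains": sorted({f["host"] for f in findings}),
        "ips": sorted({f["ip"] for f in findings}),
        "urls": sorted(f["url"] for f in findings),
    }


def fake_nt_version(user_agent):
    """Return the claimed NT version if the UA advertises an unsupported Windows, else None."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return m.group(1) if m and m.group(1) in UNSUPPORTED_NT else None


if __name__ == "__main__":
    found = correlate(PROCESS_EVENTS, HTTP_EVENTS)
    for f in found:
        print(f"PID {f['pid']} -> {f['host']} ({f['host_unicode']}) {f['ip']} HTTP {f['status']}")
    print(extract_iocs(found))
    # Constructed UA, assumed to resemble what triggered the ET POLICY alert.
    print(fake_nt_version("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"))
```

Run as a script it prints the four correlated requests and the IOC set. Two design choices: the report's reputation column is deliberately ignored for the sample's own requests, because tx318.com is marked whitelisted yet was one of the four URLs wscript.exe tried; and punycode hosts are rendered in Unicode for the analyst, since xn--p1ai is the .рф TLD and the ASCII form hides that.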