File name: TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe

Full analysis: https://app.any.run/tasks/936e7c7f-bbae-42e4-80e0-63b6fb9db8e3
Verdict: Malicious activity
Analysis date: March 24, 2025, 15:26:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: B8B574302546C7438DB7789159AE3DF6
SHA1: C1EA27BF5072BAE210F32AD208D8B818DDBFE240
SHA256: AD1BF9CB469E21CCD8B6B1A9395DA13A99B1107060C83E78CFEACD481E36FE67
SSDEEP: 24576:IPP9zj8VMACXt+gR2xRc5AAMGibKza52WbN4pB0P7dP8wd/iQVt12vWzfqKEhdHy:IPP9zj8qACXQgCy6AMGibKza52WbN4pK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Script downloads file (POWERSHELL)
      • powershell.exe (PID: 6744)
  • SUSPICIOUS
    • Executing commands from ".cmd" file
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Downloads file from URI via Powershell
      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 1324)
    • Starts CMD.EXE for commands execution
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
      • cmd.exe (PID: 7736)
    • Starts POWERSHELL.EXE for commands execution
      • cmd.exe (PID: 7736)
    • There is functionality for taking screenshot (YARA)
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Application launched itself
      • cmd.exe (PID: 7736)
    • Using 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 6248)
      • cmd.exe (PID: 1052)
    • Probably download files using WebClient
      • cmd.exe (PID: 7736)
  • INFO
    • The sample compiled with english language support
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Reads the computer name
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Create files in a temporary directory
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Reads mouse settings
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Checks supported languages
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • UPX packer has been detected
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • The process uses AutoIt
      • TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe (PID: 7688)
    • Disables trace logs
      • powershell.exe (PID: 7800)
    • Checks proxy server information
      • powershell.exe (PID: 7800)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 6744)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:26 16:10:40+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 380928
InitializedDataSize: 417792
UninitializedDataSize: 970752
EntryPoint: 0x14a720
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.2.2.0
ProductVersionNumber: 8.2.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 8.2.2.0
Comments: Always the latest version
FileDescription: Topaz Gigapixel AI Pro v8.2.2
ProductVersion: 8.2.2.0
CompanyName: Ghost Productions
LegalCopyright: Ghost
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown ("no specs" is the report's label for processes without their own indicators):
start, topazgigapixelaiprov8.2.2onlinebyghost.exe, cmd.exe (no specs), conhost.exe (no specs), powershell.exe, cmd.exe (no specs), findstr.exe (no specs), powershell.exe, cmd.exe (no specs), findstr.exe (no specs), powershell.exe, slui.exe, topazgigapixelaiprov8.2.2onlinebyghost.exe (no specs)

Process information

Columns: PID | Process | Parent process; then CMD, Path, process details and the modules (images) loaded.

PID 1052 | cmd.exe | Parent: cmd.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c findstr /r /c:"TopazGigapixelAI-8.2.2*.msi" "C:\Users\admin\AppData\Local\Temp\Ghost\html.txt"
  Path: C:\Windows\SysWOW64\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 1324 | powershell.exe | Parent: cmd.exe
  CMD: powershell -Command "Invoke-WebRequest -Uri 'https://community.topazlabs.com/t/gigapixel-8-2-2/87852' -OutFile 'C:\Users\admin\AppData\Local\Temp\Ghost\html.txt' -UseBasicParsing"
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Windows PowerShell | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 4784 | findstr.exe | Parent: cmd.exe
  CMD: findstr /r /c:"Gigapixel 8.2.2" "C:\Users\admin\AppData\Local\Temp\Ghost\html.txt"
  Path: C:\Windows\SysWOW64\findstr.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Find String (QGREP) Utility | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\findstr.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 5416 | findstr.exe | Parent: cmd.exe
  CMD: findstr /r /c:"TopazGigapixelAI-8.2.2*.msi" "C:\Users\admin\AppData\Local\Temp\Ghost\html.txt"
  Path: C:\Windows\SysWOW64\findstr.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Find String (QGREP) Utility | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\findstr.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 6248 | cmd.exe | Parent: cmd.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c findstr /r /c:"Gigapixel 8.2.2" "C:\Users\admin\AppData\Local\Temp\Ghost\html.txt"
  Path: C:\Windows\SysWOW64\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 6744 | powershell.exe | Parent: cmd.exe
  CMD: powershell -Command "$webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://downloads.topazlabs.com/deploy/TopazGigapixelAI/8.2.2/TopazGigapixelAI-8.2.2.msi', 'C:\Users\admin\AppData\Local\Temp\Ghost\Setup.msi')"
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Windows PowerShell | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 7444 | slui.exe | Parent: svchost.exe
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Activation Client | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7580 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | Parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe"
  Path: C:\Users\admin\Desktop\TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe
  User: admin | Company: Ghost Productions | Integrity Level: MEDIUM
  Description: Topaz Gigapixel AI Pro v8.2.2 | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Version: 8.2.2.0
  Modules:
    c:\users\admin\desktop\topazgigapixelaiprov8.2.2onlinebyghost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 7688 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | Parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe"
  Path: C:\Users\admin\Desktop\TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe
  User: admin | Company: Ghost Productions | Integrity Level: HIGH
  Description: Topaz Gigapixel AI Pro v8.2.2 | Exit code: 0 | Version: 8.2.2.0
  Modules:
    c:\users\admin\desktop\topazgigapixelaiprov8.2.2onlinebyghost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 7736 | cmd.exe | Parent: TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe
  CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\Ghost\Ghost.cmd"
  Path: C:\Windows\SysWOW64\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Windows Command Processor | Exit code: 1 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules:
    c:\windows\syswow64\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll
Total events: 18 138
Read events: 18 124
Write events: 14
Delete events: 0

Modification events

Columns: (PID) Process | Operation | Key | Name = Value

(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing = 0
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask = (value not shown in report)
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask = (value not shown in report)
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize = 1048576
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory = %windir%\tracing
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing = 0
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableAutoFileTracing = 0
(PID 7800) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing = 0
Executable files: 0
Suspicious files: 6
Text files: 10
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type; hashes on the following lines.

PID 7688 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | C:\Users\admin\AppData\Local\Temp\~DFB163197A649F267D.TMP | binary
  MD5: B53513A93B784E8F8ED62ED23904FC93
  SHA256: 820943C5F290136B7BEF26B8807E65854C12B3463D2025691989879B0DE037C3
PID 7688 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | C:\Users\admin\AppData\Local\Temp\autE0BD.tmp | binary
  MD5: AA2A2EBD443366E37324B87E399A78AE
  SHA256: 9B4C3645E0AC4D30BE53802511EC952976D2E21847E67485C211B1E6A63F5169
PID 7688 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | C:\Users\admin\AppData\Local\Temp\Ghost\Ghost.cmd | text
  MD5: 37077E51E13E7D6D97D973C9110E400E
  SHA256: 3F5184FEDF551D881E9308ADB869740D4E70D5052573C64CA727312922F921F9
PID 7688 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | C:\Users\admin\AppData\Local\Temp\Ghost\Banner.jpg | binary
  MD5: AA2A2EBD443366E37324B87E399A78AE
  SHA256: 9B4C3645E0AC4D30BE53802511EC952976D2E21847E67485C211B1E6A63F5169
PID 7688 | TopazGigapixelAIProv8.2.2ONLINEbyGhost.exe | C:\Users\admin\AppData\Local\Temp\autE1E7.tmp | binary
  MD5: 1B525660EF5F8B63642A15EC89E5940B
  SHA256: 0398CA5BE0B3473DECF85EA29E45AF83C5EE0D01D58C8AD87E54A51F6AA9B2EA
PID 7800 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w2xqhbwe.rhe.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 6744 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
  MD5: 8B8A832FCE2174C8FEE26B70F2483FBB
  SHA256: 0FBA3A37EF443507F533A7C3F31C0B5826EA416B95FDE43479E02D4E0C29400B
PID 1324 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wz5kylow.rqt.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 6744 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u0cyekei.hhi.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1324 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ecu3k0x3.clo.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 36
TCP/UDP connections: 59
DNS requests: 17
Threats: 2

HTTP requests

Columns: PID Process | Method HTTP Code | IP | URL | CN | Type | Size | Reputation (fields the report leaves empty are omitted)

GET 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | CN: unknown
PID 8176 SIHClient.exe | GET 200 | 23.48.23.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
PID 8176 SIHClient.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | whitelisted
GET 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T152702Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1c17ca4b32974facbe4300360dd5e91c&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967646&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358176&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | CN: unknown | binary | 1.31 Kb | whitelisted
POST | 20.190.160.66:443 | https://login.live.com/RST2.srf | CN: unknown | whitelisted
GET 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T152702Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=195a124536784c79aae531605d6208e9&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967646&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358176&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | CN: unknown | binary | 2.96 Kb | whitelisted
GET 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T152702Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=2c155c384e354efeba2fad0882286025&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967646&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358176&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | CN: unknown | binary | 2.95 Kb | whitelisted
POST 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | CN: unknown | whitelisted
GET 200 | 18.207.92.233:443 | https://community.topazlabs.com/c/gigapixel-ai/gigapixel-ai/66 | CN: unknown | html | 83.5 Kb | whitelisted
POST 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | CN: unknown | text | 203 b | whitelisted

Connections

Columns: PID Process | IP | Domain | ASN | CN | Reputation (fields the report leaves empty are omitted)

PID 4 System | 192.168.100.255:138 | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
PID 664 backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 6544 svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
PID 2104 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 3216 svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
PID 4 System | 192.168.100.255:137 | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation

settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
client.wns.windows.com | 40.113.110.67 | whitelisted
login.live.com | 20.190.160.3, 20.190.160.66, 20.190.160.17, 40.126.32.72, 20.190.160.22, 40.126.32.74, 20.190.160.131, 40.126.32.133 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
google.com | 142.250.184.206 | whitelisted
community.topazlabs.com | 18.207.92.233 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
crl.microsoft.com | 23.48.23.139, 23.48.23.138, 23.48.23.137, 23.48.23.190, 23.48.23.140, 23.48.23.188, 23.48.23.194, 23.48.23.185, 23.48.23.180 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted

Threats

Columns: PID | Process | Class | Message (PID and process are not shown in the report for these entries)

Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info