File name:

PROD_Start_DriverPack.hta

Full analysis: https://app.any.run/tasks/a0182b4b-a71d-4098-913f-52ec4f21d5a2
Verdict: Malicious activity
Analysis date: September 03, 2024, 08:13:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/html
File info: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
MD5:

DDA846A4704EFC2A03E1F8392E6F1FFC

SHA1:

387171A06EEE5A76AAEDC3664385BB89703CF6DF

SHA256:

E9DC9648D8FB7D943431459F49A7D9926197C2D60B3C2B6A58294FD75B672B25

SSDEEP:

48:uzK1vpKljUYpuqgs1pxXzOSRByHCpmF50bxxdW6kI:qiIT3BjNOSOGmF50tKA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 236)

    • Downloads files via BITSADMIN.EXE

      • cmd.exe (PID: 7024)

  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • mshta.exe (PID: 236)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7024)
      • cmd.exe (PID: 3852)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 6336)
      • cmd.exe (PID: 5104)
      • cmd.exe (PID: 6280)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 6016)
      • cmd.exe (PID: 1712)
      • cmd.exe (PID: 5064)
      • cmd.exe (PID: 6384)
      • cmd.exe (PID: 5040)
      • cmd.exe (PID: 1640)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 6432)

    • Query Microsoft Defender status

      • mshta.exe (PID: 236)
      • cmd.exe (PID: 448)

    • The process verifies whether the antivirus software is installed

      • mshta.exe (PID: 236)

    • Found strings related to reading or modifying Windows Defender settings

      • mshta.exe (PID: 236)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 236)

    • Cmdlet gets the status of antimalware software installed on the computer

      • cmd.exe (PID: 448)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 448)

  • INFO

    • Manual execution by a user

      • mshta.exe (PID: 236)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 420)

    • Checks proxy server information

      • mshta.exe (PID: 236)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 236)

    • The process uses the downloaded file

      • mshta.exe (PID: 236)
      • powershell.exe (PID: 6376)

    • Uses BITSADMIN.EXE

      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 3852)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 5104)
      • cmd.exe (PID: 6280)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 1712)
      • cmd.exe (PID: 6336)
      • cmd.exe (PID: 6016)
      • cmd.exe (PID: 5040)
      • cmd.exe (PID: 6384)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 1640)
      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 5064)
      • cmd.exe (PID: 6432)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)

EXIF

HTML

Title: Starting...
HTTPEquivXUACompatible: IE=7
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
212
Monitored processes
91
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start notepad.exe no specs rundll32.exe no specs mshta.exe cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs bitsadmin.exe no specs findstr.exe no specs findstr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Documents\PROD_Start_DriverPack.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} C:\Windows\SysWOW64\mshta.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
420"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\PROD_Start_DriverPack.hta.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
448"C:\Windows\System32\cmd.exe" /c powershell Get-MpComputerStatus > "C:\Users\admin\AppData\Local\Temp\dwnl_30420\log_defenderVersionPowershell.txt"C:\Windows\SysWOW64\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
568findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
736findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
1084findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
1116"C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-30420 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; > "C:\Users\admin\AppData\Local\Temp\dwnl_30420\log_bits_info.txt"C:\Windows\SysWOW64\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1148findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
1164"C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-30420 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; > "C:\Users\admin\AppData\Local\Temp\dwnl_30420\log_bits_info.txt"C:\Windows\SysWOW64\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1184"C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-30420 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; > "C:\Users\admin\AppData\Local\Temp\dwnl_30420\log_bits_info.txt"C:\Windows\SysWOW64\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
22 247
Read events
22 165
Write events
78
Delete events
4

Modification events

(PID) Process:(420) notepad.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(420) notepad.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0400000000000000030000000E0000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(420) notepad.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:writeName:MRUListEx
Value:
040000000000000005000000020000000100000003000000FFFFFFFF
(PID) Process:(420) notepad.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell
Operation:writeName:SniffedFolderType
Value:
Documents
(PID) Process:(420) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
93
(PID) Process:(420) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
3BC5D66600000000
(PID) Process:(420) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(420) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(420) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(420) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
1
Text files
47
Unknown types
0

Dropped files

PID
Process
Filename
Type
420notepad.exeC:\Users\admin\Documents\PROD_Start_DriverPack.htahtml
MD5:DDA846A4704EFC2A03E1F8392E6F1FFC
SHA256:E9DC9648D8FB7D943431459F49A7D9926197C2D60B3C2B6A58294FD75B672B25
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\client_ip[1].jstext
MD5:24D1F2CFBC8884A75CDE629904E25A89
SHA256:A5173EFFF9E3C5B7DF3DA89A3ED1EDFBD34F16F9C3DACF4804FAF0FCB85B935B
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\step1_av[1].htmhtml
MD5:1FAE5694001ACA3836F123E1A89AFD3D
SHA256:2240EF798569427F1B37E16BF630D7BD5E415F5835CA9FDF730E1F063721291B
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\4[1].jstext
MD5:B21247B2428E6D9F72405EB1A2F5F75C
SHA256:9DDF298484BD63F71CFF04DD81E00913266FA8D71793E2C26F3B7B215067812C
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\background[1].jpgimage
MD5:127D8C7FA37B2B4DEE77ADC97AA2BCC5
SHA256:60FDC7731E194240FE1B586290AFD762793625A92E1BB21061B0B47628861160
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\script[1].jstext
MD5:5E3199E1E9AB11EF8DB27BDC821ECCDC
SHA256:DDF24F928593CF87E0DB0744F8456761089140766A23768D9106BB73EFBD0515
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\matomo[1].htmtext
MD5:51C8E2EC2D4A042736B88F1BE1BE5B7E
SHA256:481BEEA6F83C5C784276DF3BFB8693CC60C0CE8EF0A2CB8F47D624E2D6C9B076
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\statistics[1].jstext
MD5:0701E8CE6920DA0050B219769314E144
SHA256:5D53ECD246441E19CD7B305749C822132476170938E5B7A673856B1FD29708BF
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\lang[1].jshtml
MD5:3B196A2A5E0875A186EFA1A6101B775D
SHA256:B6EF0302FB7FE71577D6B6AFE104B4C890FC6419FB9A9C4EC359A0CC25EA8885
236mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\matomo[1].htmtext
MD5:51C8E2EC2D4A042736B88F1BE1BE5B7E
SHA256:481BEEA6F83C5C784276DF3BFB8693CC60C0CE8EF0A2CB8F47D624E2D6C9B076
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
26
DNS requests
14
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3296
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4444
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4444
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/bin/src/style.css
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/bin/step1_av.html
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/client_ip.js
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js
unknown
whitelisted
236
mshta.exe
GET
200
46.137.15.86:80
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6440
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3296
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3296
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:137
whitelisted
4444
SIHClient.exe
40.127.169.103:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4444
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.22
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
dwrapper-prod.herokuapp.com
  • 46.137.15.86
  • 54.220.192.176
  • 54.73.53.134
whitelisted
exampledd.matomo.cloud
  • 18.157.122.248
  • 18.195.235.189
  • 3.126.133.169
unknown

Threats

PID
Process
Class
Message
236
mshta.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
236
mshta.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
236
mshta.exe
Potentially Bad Traffic
ET HUNTING PowerShell DownloadFile Command Common In Powershell Stagers
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PROD_Start_DriverPack.hta