File name:

SOLLECITO DI PAGAMENTO.js

Full analysis: https://app.any.run/tasks/be552371-6177-4716-addf-e968e2df2ba0
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 10:33:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
evasion
stealerium
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (3992), with no line terminators
MD5:

472514F6ECB5C4A21828D639A4A5C3B6

SHA1:

B97127D918D09529626E04A4320531609B224DF9

SHA256:

F874F4A4FF9789A43D4640B91F51EE0CE47236C4D43A0BC14F86FF70DE50D398

SSDEEP:

96:+BqmMlup4Wu3CKxzkfS9nBr//JiD0II/28mzZUsKbzTTypkQbTyTs:1lupBBKFLwD0II/27UsKbzTT4D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a new folder (SCRIPT)

      • wscript.exe (PID: 7448)

    • Checks whether a specified folder exists (SCRIPT)

      • wscript.exe (PID: 7448)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7448)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7448)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7448)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7512)

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 7448)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7512)

    • STEALERIUM has been detected (YARA)

      • RegAsm.exe (PID: 7300)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 7300)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 7300)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7448)

    • Access the System.Security .NET namespace (SCRIPT)

      • wscript.exe (PID: 7448)

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7448)

    • The process executes Powershell scripts

      • wscript.exe (PID: 7448)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 7448)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7448)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7512)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7512)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7512)

    • Multiple wallet extension IDs have been found

      • RegAsm.exe (PID: 7300)

    • Connects to the server without a host name

      • IWRcJgsE.exe (PID: 7928)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7448)

    • MS Edge headless start

      • msedge.exe (PID: 7176)
      • msedge.exe (PID: 7832)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 5436)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5528)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 6988)

    • Reads security settings of Internet Explorer

      • RegAsm.exe (PID: 7300)

    • Starts CMD.EXE for commands execution

      • RegAsm.exe (PID: 7300)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • RegAsm.exe (PID: 7300)

    • Loads DLL from Mozilla Firefox

      • RegAsm.exe (PID: 7300)

    • Executing commands from a ".bat" file

      • RegAsm.exe (PID: 7300)

    • Connects to SMTP port

      • RegAsm.exe (PID: 7300)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6988)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6988)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 7448)
      • IWRcJgsE.exe (PID: 7928)
      • RegAsm.exe (PID: 7300)
      • slui.exe (PID: 3888)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7512)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7512)

    • The executable file from the user directory is run by the Powershell process

      • IWRcJgsE.exe (PID: 7928)

    • Reads the computer name

      • IWRcJgsE.exe (PID: 7928)
      • RegAsm.exe (PID: 7300)
      • msiexec.exe (PID: 7220)

    • Checks supported languages

      • IWRcJgsE.exe (PID: 7928)
      • RegAsm.exe (PID: 7300)
      • chcp.com (PID: 6372)
      • msiexec.exe (PID: 7220)
      • chcp.com (PID: 4980)
      • chcp.com (PID: 4944)

    • Reads the machine GUID from the registry

      • IWRcJgsE.exe (PID: 7928)
      • RegAsm.exe (PID: 7300)

    • Disables trace logs

      • IWRcJgsE.exe (PID: 7928)
      • RegAsm.exe (PID: 7300)

    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 7300)

    • Create files in a temporary directory

      • RegAsm.exe (PID: 7300)

    • Changes the display of characters in the console

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 6988)

    • Application launched itself

      • msedge.exe (PID: 7176)

    • Reads CPU info

      • RegAsm.exe (PID: 7300)

    • Process checks computer location settings

      • RegAsm.exe (PID: 7300)

    • Reads the software policy settings

      • RegAsm.exe (PID: 7300)
      • slui.exe (PID: 7712)
      • slui.exe (PID: 3888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
183
Monitored processes
37
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe iwrcjgse.exe #STEALERIUM regasm.exe cmd.exe no specs conhost.exe no specs chcp.com no specs msedge.exe netsh.exe no specs findstr.exe no specs msiexec.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs chcp.com no specs taskkill.exe no specs timeout.exe no specs slui.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2148findstr AllC:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2284netsh wlan show profile C:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
3888C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4944chcp 65001C:\Windows\SysWOW64\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
4980chcp 65001 C:\Windows\SysWOW64\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
5436"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssidC:\Windows\SysWOW64\cmd.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5528"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr AllC:\Windows\SysWOW64\cmd.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
6108\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
20 667
Read events
20 626
Write events
41
Delete events
0

Modification events

(PID) Process:(7448) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7448) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7448) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7448) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
61D0100000000000
(PID) Process:(7928) IWRcJgsE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IWRcJgsE_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7928) IWRcJgsE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IWRcJgsE_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7928) IWRcJgsE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IWRcJgsE_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7928) IWRcJgsE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IWRcJgsE_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7928) IWRcJgsE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IWRcJgsE_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7928) IWRcJgsE.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IWRcJgsE_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
6
Suspicious files
47
Text files
44
Unknown types
0

Dropped files

PID
Process
Filename
Type
7448wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\sirrrrrdeeeee[1].ps1text
MD5:586CB31F18547F1F17651FF8C2EE91ED
SHA256:777FF6FFAEA5E44D544DC3BFB54C40A2C38EF7B32671876CB4CC93776F9A1452
7512powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1fhnijvl.lot.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7512powershell.exeC:\Users\admin\AppData\Local\Temp\IWRcJgsE.exeexecutable
MD5:6D69BABE24C4A83EC0649192AB058237
SHA256:7DA7AB8EDE346DD38022179DBB4D78F0508A07C925C7D5255CA9ABD617D61FF5
7300RegAsm.exeC:\Users\admin\AppData\Local\4e3532371806cad2bf61c79080178fb1\admin@DESKTOP-JGLLJLD_en-US\Messenger\Skype\Local Storage\leveldb\000003.logbinary
MD5:D5ED573943BC049C36F07D1C7256835A
SHA256:251289CE147173263C5FB4529DD91AC4D78139046493F825B11CB02CC6CCC94A
7512powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:EE256C1B09DD3067F5C36CD860EFE92F
SHA256:CF1824E74271E1DD12E51EAF1894A081D79AD11F1A39C45BE831C860EEAA46FB
7300RegAsm.exeC:\Users\admin\AppData\Local\Temp\tmp250A.tmp.datbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
7300RegAsm.exeC:\Users\admin\AppData\Local\4e3532371806cad2bf61c79080178fb1\admin@DESKTOP-JGLLJLD_en-US\Messenger\Skype\Local Storage\leveldb\CURRENTtext
MD5:46295CAC801E5D4857D09837238A6394
SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
7300RegAsm.exeC:\Users\admin\AppData\Local\4e3532371806cad2bf61c79080178fb1\admin@DESKTOP-JGLLJLD_en-US\Directories\Startup.txttext
MD5:85E334A62512BFFF1DAF4FEF976684A1
SHA256:49BCA45D0D4A60F5B7D5FADFB2030EBFB1449465E7C09BB7186781B8CFA1DEDA
7300RegAsm.exeC:\Users\admin\AppData\Local\4e3532371806cad2bf61c79080178fb1\admin@DESKTOP-JGLLJLD_en-US\Messenger\Skype\Local Storage\leveldb\LOGtext
MD5:46EED8B7CAAD25F7F453617DA0FB0857
SHA256:5BC1DE0E32F2969386351B2BE088F13B6CC3DF7693EE9E92FEEF59DB6AF1FB92
7300RegAsm.exeC:\Users\admin\AppData\Local\4e3532371806cad2bf61c79080178fb1\admin@DESKTOP-JGLLJLD_en-US\System\Process.txttext
MD5:316ADEF76B9BADAA2ABEA8F91EC032CC
SHA256:2CDB6F04D0C018A2C7BB03C2395613687AD08C8BBD3E9522DAB20EC2F55E7B16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
94
TCP/UDP connections
138
DNS requests
51
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7448
wscript.exe
GET
200
176.65.144.23:80
http://176.65.144.23/ff/sirrrrrdeeeee.ps1
unknown
unknown
7928
IWRcJgsE.exe
GET
200
176.65.144.23:80
http://176.65.144.23/ff/SIRDEEPHANTOM.txt
unknown
unknown
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
1132
WmiPrvSE.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1132
WmiPrvSE.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7448
wscript.exe
176.65.144.23:80
DE
unknown
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7928
IWRcJgsE.exe
176.65.144.23:80
DE
unknown
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5892
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.46
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.71
  • 20.190.159.75
  • 40.126.31.0
  • 40.126.31.3
  • 20.190.159.130
  • 40.126.31.67
  • 20.190.159.131
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.130
  • 20.190.160.20
  • 20.190.160.131
  • 40.126.32.74
  • 40.126.32.136
  • 20.190.160.67
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.216.77.18
  • 23.216.77.25
  • 23.216.77.10
  • 23.216.77.23
  • 23.216.77.19
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
config.edge.skype.com
  • 52.123.243.83
  • 52.123.243.89
  • 52.123.243.222
  • 52.123.243.223
  • 52.123.243.201
  • 52.123.243.69
  • 52.123.224.66
  • 52.123.243.203
whitelisted
ntp.msn.com
  • 131.253.33.203
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted

Threats

PID
Process
Class
Message
7448
wscript.exe
Potentially Bad Traffic
ET INFO PS1 Powershell File Request
7448
wscript.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
7300
RegAsm.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
7300
RegAsm.exe
Attempted Information Leak
ET INFO IP Check Domain (icanhazip. com in HTTP Host)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
7300
RegAsm.exe
Attempted Information Leak
ET INFO IP Check Domain (icanhazip. com in HTTP Host)
7300
RegAsm.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
7300
RegAsm.exe
Attempted Information Leak
ET INFO IP Check Domain (icanhazip. com in HTTP Host)
7300
RegAsm.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SOLLECITO DI PAGAMENTO.js