File name:

WeModPatcher.exe

Full analysis: https://app.any.run/tasks/c5721afd-121e-46d8-a273-c19f4fa761ae
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Malware Trends Tracker     >>>
Analysis date: June 27, 2025, 09:47:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
arch-exec
arch-scr
emmenhtal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

2D2B9C759730A8B30107748A3FDF9F09

SHA1:

229B793724849EBC236D1352D8ABAE6C825FE256

SHA256:

23EF62989C2210F05BD598C64EC995B96C381EE15FF78ECDD6225FB163C0A388

SSDEEP:

98304:40RcUTfCh2HVNYDly8O54AFy9iH1Md2AV3OeghbDE5CdXkVe1NpHHvpUyt80P36t:rB/wOs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMMENHTAL has been detected (YARA)

      • WeModPatcher.exe (PID: 2324)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WeModPatcher.exe (PID: 2324)
      • cmd.exe (PID: 3872)

    • Executing commands from a ".bat" file

      • WeModPatcher.exe (PID: 2324)

    • Drops 7-zip archiver for unpacking

      • WeModPatcher.exe (PID: 2324)

    • Execution of CURL command

      • cmd.exe (PID: 3872)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 5504)
      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 684)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 5460)
      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 6772)
      • cmd.exe (PID: 3864)

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 3872)
      • net.exe (PID: 2996)

    • Get information on the list of running processes

      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 6664)
      • cmd.exe (PID: 3872)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1832)
      • cmd.exe (PID: 3872)

    • Application launched itself

      • cmd.exe (PID: 3872)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 1352)

    • Checks whether a specific file exists (SCRIPT)

      • mshta.exe (PID: 1352)

    • Imports DLL using pinvoke

      • powershell.exe (PID: 3488)

    • Writes binary data to a Stream object (SCRIPT)

      • mshta.exe (PID: 1352)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1520)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 1520)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3872)

    • The process executes VB scripts

      • cmd.exe (PID: 3872)

  • INFO

    • Checks supported languages

      • WeModPatcher.exe (PID: 2324)
      • curl.exe (PID: 5340)
      • mode.com (PID: 3740)
      • chcp.com (PID: 6256)
      • chcp.com (PID: 3908)
      • chcp.com (PID: 1612)
      • chcp.com (PID: 1068)
      • csc.exe (PID: 1520)
      • cvtres.exe (PID: 4932)
      • mode.com (PID: 4768)
      • tar.exe (PID: 3956)
      • chcp.com (PID: 756)

    • The sample compiled with english language support

      • WeModPatcher.exe (PID: 2324)

    • Create files in a temporary directory

      • WeModPatcher.exe (PID: 2324)
      • cvtres.exe (PID: 4932)
      • csc.exe (PID: 1520)
      • tar.exe (PID: 3956)

    • Execution of CURL command

      • cmd.exe (PID: 2076)

    • Reads the computer name

      • curl.exe (PID: 5340)

    • Changes the display of characters in the console

      • cmd.exe (PID: 1832)
      • cmd.exe (PID: 3872)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 3740)
      • mode.com (PID: 4768)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2404)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 1352)
      • mshta.exe (PID: 7160)

    • Checks proxy server information

      • mshta.exe (PID: 1352)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 1520)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3488)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 92672
InitializedDataSize: 1956352
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
FileVersionNumber: 1.2.5.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.2.5.0
ProductVersion: 1.2.5
ProductName: WeModPatcher
OriginalFileName: WeModPatcher.bat
FileDescription: WeModPatcher
LegalCopyright: brunolee®
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
199
Monitored processes
65
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #EMMENHTAL wemodpatcher.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs curl.exe cmd.exe no specs powershell.exe no specs net.exe no specs net1.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs mode.com no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs mshta.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs mode.com no specs tar.exe no specs powershell.exe no specs mshta.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs slui.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
436powershell -Command "[Console]::CursorTop=43-4"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
632C:\WINDOWS\system32\cmd.exe /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;([System.Windows.Forms.Screen]::AllScreens).WorkingArea.Height"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
684C:\WINDOWS\system32\cmd.exe /c powershell -Command "(Get-Culture).Name"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
756chcp 437C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1068chcp 850C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1128powershell -Command "[console]::title='WeModPatcher'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1352powershell -Command "Write-Host -B 13 -F 13 '....' -NoNewline; Write-Host -B 5 -F 5 '....' -NoNewline; Write-Host -B 1 -F 1 '....' -NoNewline; Write-Host -B 9 -F 9 '....' -NoNewline; Write-Host -B 3 -F 3 '....' -NoNewline; Write-Host -B 11 -F 11 '...' `n`n -NoNewline; Write-Host -B 0 -F 10 ' WeModPatcher v1.2.5'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1352mshta.exe "C:\Users\admin\AppData\Local\Temp\Launcher.hta"C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1520"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ysx1xcao.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
1612chcp 65001C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
Total events
98 835
Read events
98 828
Write events
7
Delete events
0

Modification events

(PID) Process:(1352) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1352) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1352) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7160) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7160) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7160) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3872) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
1
Suspicious files
2
Text files
64
Unknown types
3

Dropped files

PID
Process
Filename
Type
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\Options.htahtml
MD5:C0826786D1B58B03C4C134865CD0A0A6
SHA256:E4CDEA4433591103E4C416165B9B7EEBFF79C30B011EEE839064C0621FE0B209
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\Options.initext
MD5:83503A2A8B9F78CFFA4ED444885C4959
SHA256:E217B87EA4F57FA0FBF70BED27EDA1DA7FF3A4D3B7A989BF15B1261E6735387A
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\4E10.tmp\4E11.tmp\4E12.batbib
MD5:A11E36537E59303FD2D217D30C310F21
SHA256:312EEF935DFB4A14D9997555C1921BE0EAD0AB209FEE2D655148C91C9A60EA0D
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_en.initext
MD5:DA7F78CEA561177B4593E43E472B8A61
SHA256:5CE043FA53863E2FC94E42D72D870DA746D94CA5CDBC1E1F6FBD364681D69F26
3820powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xzku5ig1.spc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4100powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ssmc1hut.uiv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4100powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:D7FE52DBFFC5CA917B728669B75F8089
SHA256:E0211A93F422865E9C64F2554653E0864E17E723F6171335411B178B88E85FA0
5424powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l1xnhe2x.xs2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3872cmd.exeC:\Users\admin\AppData\Local\Temp\IsAdminNecessarytext
MD5:81051BCC2CF1BEDF378224B0A93E2877
SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
5424powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pblen31b.ymi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
38
DNS requests
25
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
764
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
764
lsass.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6320
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
4984
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4984
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6768
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5340
curl.exe
185.199.108.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
764
lsass.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted
764
lsass.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 69.192.161.161
whitelisted
www.bing.com
  • 2.16.241.216
  • 2.16.241.200
  • 2.16.241.205
  • 2.16.241.222
  • 2.16.241.204
  • 2.16.241.224
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.219
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.73
  • 40.126.31.0
  • 40.126.31.71
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.128
  • 20.190.159.0
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeModPatcher.exe