File name:

WeModPatcher.exe

Full analysis: https://app.any.run/tasks/c5721afd-121e-46d8-a273-c19f4fa761ae
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Malware Trends Tracker     >>>
Analysis date: June 27, 2025, 09:47:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
arch-exec
arch-scr
emmenhtal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

2D2B9C759730A8B30107748A3FDF9F09

SHA1:

229B793724849EBC236D1352D8ABAE6C825FE256

SHA256:

23EF62989C2210F05BD598C64EC995B96C381EE15FF78ECDD6225FB163C0A388

SSDEEP:

98304:40RcUTfCh2HVNYDly8O54AFy9iH1Md2AV3OeghbDE5CdXkVe1NpHHvpUyt80P36t:rB/wOs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMMENHTAL has been detected (YARA)

      • WeModPatcher.exe (PID: 2324)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • WeModPatcher.exe (PID: 2324)

    • Executing commands from a ".bat" file

      • WeModPatcher.exe (PID: 2324)

    • Application launched itself

      • cmd.exe (PID: 3872)

    • Starts CMD.EXE for commands execution

      • WeModPatcher.exe (PID: 2324)
      • cmd.exe (PID: 3872)

    • Execution of CURL command

      • cmd.exe (PID: 3872)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 5456)
      • cmd.exe (PID: 5504)
      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 684)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 6772)
      • cmd.exe (PID: 5460)
      • cmd.exe (PID: 3864)

    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 2996)
      • cmd.exe (PID: 3872)

    • Get information on the list of running processes

      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 6664)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 1832)

    • Checks whether a specific file exists (SCRIPT)

      • mshta.exe (PID: 1352)

    • Writes binary data to a Stream object (SCRIPT)

      • mshta.exe (PID: 1352)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 1352)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 1520)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1520)

    • Imports DLL using pinvoke

      • powershell.exe (PID: 3488)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3872)

    • The process executes VB scripts

      • cmd.exe (PID: 3872)

  • INFO

    • The sample compiled with english language support

      • WeModPatcher.exe (PID: 2324)

    • Checks supported languages

      • WeModPatcher.exe (PID: 2324)
      • curl.exe (PID: 5340)
      • chcp.com (PID: 6256)
      • chcp.com (PID: 3908)
      • mode.com (PID: 3740)
      • chcp.com (PID: 1612)
      • chcp.com (PID: 1068)
      • csc.exe (PID: 1520)
      • cvtres.exe (PID: 4932)
      • mode.com (PID: 4768)
      • tar.exe (PID: 3956)
      • chcp.com (PID: 756)

    • Create files in a temporary directory

      • WeModPatcher.exe (PID: 2324)
      • csc.exe (PID: 1520)
      • cvtres.exe (PID: 4932)
      • tar.exe (PID: 3956)

    • Execution of CURL command

      • cmd.exe (PID: 2076)

    • Reads the computer name

      • curl.exe (PID: 5340)

    • Changes the display of characters in the console

      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 1832)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 3740)
      • mode.com (PID: 4768)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2404)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 1352)
      • mshta.exe (PID: 7160)

    • Checks proxy server information

      • mshta.exe (PID: 1352)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 1520)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3488)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 92672
InitializedDataSize: 1956352
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
FileVersionNumber: 1.2.5.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.2.5.0
ProductVersion: 1.2.5
ProductName: WeModPatcher
OriginalFileName: WeModPatcher.bat
FileDescription: WeModPatcher
LegalCopyright: brunolee®
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
199
Monitored processes
65
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #EMMENHTAL wemodpatcher.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs curl.exe cmd.exe no specs powershell.exe no specs net.exe no specs net1.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs mode.com no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs mshta.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs mode.com no specs tar.exe no specs powershell.exe no specs mshta.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs slui.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
436powershell -Command "[Console]::CursorTop=43-4"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
632C:\WINDOWS\system32\cmd.exe /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;([System.Windows.Forms.Screen]::AllScreens).WorkingArea.Height"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
684C:\WINDOWS\system32\cmd.exe /c powershell -Command "(Get-Culture).Name"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
756chcp 437C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1068chcp 850C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1128powershell -Command "[console]::title='WeModPatcher'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1352powershell -Command "Write-Host -B 13 -F 13 '....' -NoNewline; Write-Host -B 5 -F 5 '....' -NoNewline; Write-Host -B 1 -F 1 '....' -NoNewline; Write-Host -B 9 -F 9 '....' -NoNewline; Write-Host -B 3 -F 3 '....' -NoNewline; Write-Host -B 11 -F 11 '...' `n`n -NoNewline; Write-Host -B 0 -F 10 ' WeModPatcher v1.2.5'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1352mshta.exe "C:\Users\admin\AppData\Local\Temp\Launcher.hta"C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1520"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ysx1xcao.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
1612chcp 65001C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
Total events
98 835
Read events
98 828
Write events
7
Delete events
0

Modification events

(PID) Process:(1352) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1352) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1352) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7160) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7160) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7160) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3872) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
1
Suspicious files
2
Text files
64
Unknown types
3

Dropped files

PID
Process
Filename
Type
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\4E10.tmp\4E11.tmp\4E12.batbib
MD5:A11E36537E59303FD2D217D30C310F21
SHA256:312EEF935DFB4A14D9997555C1921BE0EAD0AB209FEE2D655148C91C9A60EA0D
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\Options.initext
MD5:83503A2A8B9F78CFFA4ED444885C4959
SHA256:E217B87EA4F57FA0FBF70BED27EDA1DA7FF3A4D3B7A989BF15B1261E6735387A
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_es.initext
MD5:EFE851D125CBF4EA90D87CF1F469E331
SHA256:5D75679F3A5CD60EA5700C5F83AF9411D404B1A6077EB994D90597BDFE9855D9
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_pt.initext
MD5:98D8CB666E73522D7478520D685183CC
SHA256:E56FB42EA5361EDF06D352ADCB3C46CD2A675C59D455B2FAF7D14727ACA1ADE3
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_ru.initext
MD5:0CA2E71373B332E16C4DD703DD55D7D2
SHA256:B2AD6A04B335B3421A7B180B5AFB3CFCDF965380F4AC46F0652BEE5F8BD982FD
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_en.initext
MD5:DA7F78CEA561177B4593E43E472B8A61
SHA256:5CE043FA53863E2FC94E42D72D870DA746D94CA5CDBC1E1F6FBD364681D69F26
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_zh-CN.initext
MD5:5CE9ED3CA85C044436445B9484576556
SHA256:73235BBCAF1601E3A1B0B96C59646028B8E671C04A97C37239454D2E474E22B2
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\lang\lang_de.initext
MD5:56F718D833D85B64D368A746CEC7D311
SHA256:9296A56AE3F33183E5DD78159EEDC14E7C55D58B6FF984D30480927F3491A0A6
2324WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\WeModPatcherToolscompressed
MD5:7D2DBEC2395D4CF262EAF10C9B944F4C
SHA256:43F2B4E8D63A62055E8A2CDF80C8809ED6A9FE1574141A9083CA998B65C7E082
3872cmd.exeC:\Users\admin\AppData\Local\Temp\IsAdminNecessarytext
MD5:81051BCC2CF1BEDF378224B0A93E2877
SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
38
DNS requests
25
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
764
lsass.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
764
lsass.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
6320
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
4984
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4984
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6768
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5340
curl.exe
185.199.108.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
764
lsass.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted
764
lsass.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 69.192.161.161
whitelisted
www.bing.com
  • 2.16.241.216
  • 2.16.241.200
  • 2.16.241.205
  • 2.16.241.222
  • 2.16.241.204
  • 2.16.241.224
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.219
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.73
  • 40.126.31.0
  • 40.126.31.71
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.128
  • 20.190.159.0
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeModPatcher.exe