File name: MultiToolV1.bat
Full analysis: https://app.any.run/tasks/29ae17aa-1d4a-4012-93b7-eb07270dd52c
Verdict: Malicious activity
Analysis date: June 21, 2025, 04:57:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: github, evasion, auto-reg, auto-startup
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (8006), with CRLF line terminators
MD5: 70A055DBB69CD9D91C1792EFC155A238
SHA1: F1291A2CAABB105BB03F0F7226394A8284559E82
SHA256: 5729BC5E436A5410BC29105E99ADF5D957ED44360E6E1328F62998D05E3304DF
SSDEEP: 192:nLM/380yAFwt6xPqmfiA9Dn7SkuXccUkVlZ3jzSYZAJVWpvUk1UJnL0r:nLM/380jlx9v+X9UkVlZ7ADAspJnM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 2188)
    • Adds process to the Windows Defender exclusion list

      • ehtwdn1ipjv.exe (PID: 5600)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3844)
      • powershell.exe (PID: 5924)
      • powershell.exe (PID: 6852)
      • powershell.exe (PID: 6164)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 1192)
      • powershell.exe (PID: 1872)
    • Changes powershell execution policy (Bypass)

      • ehtwdn1ipjv.exe (PID: 5600)
    • Changes Windows Defender settings

      • ehtwdn1ipjv.exe (PID: 5600)
    • Adds path to the Windows Defender exclusion list

      • ehtwdn1ipjv.exe (PID: 5600)
    • Uses Task Scheduler to run other applications

      • ehtwdn1ipjv.exe (PID: 5600)
    • Create files in the Startup directory

      • ehtwdn1ipjv.exe (PID: 5600)
    • Changes the autorun value in the registry

      • ehtwdn1ipjv.exe (PID: 5600)
  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5616)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2076)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5616)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2076)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Reads the date of Windows installation

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • ehtwdn1ipjv.exe (PID: 2388)
    • Reads security settings of Internet Explorer

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 5808)
      • mshta.exe (PID: 1136)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 5808)
    • The executable file from the user directory is run by the CMD process

      • ehtwdn1ipjv.exe (PID: 5600)
    • Script adds exclusion process to Windows Defender

      • ehtwdn1ipjv.exe (PID: 5600)
    • Script adds exclusion path to Windows Defender

      • ehtwdn1ipjv.exe (PID: 5600)
    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 1136)
    • The process executes via Task Scheduler

      • Registry (PID: 3980)
      • ehtwdn1ipjv.exe (PID: 320)
      • ehtwdn1ipjv.exe (PID: 7116)
      • Registry (PID: 7092)
    • Connects to unusual port

      • ehtwdn1ipjv.exe (PID: 5600)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 2076)
      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
      • slui.exe (PID: 6232)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2076)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2076)
    • The executable file from the user directory is run by the Powershell process

      • ehtwdn1ipjv.exe (PID: 2388)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2076)
    • Checks supported languages

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
      • Registry (PID: 4768)
      • ehtwdn1ipjv.exe (PID: 320)
      • Registry (PID: 3980)
      • ehtwdn1ipjv.exe (PID: 7116)
      • Registry (PID: 7092)
    • Reads the computer name

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
      • Registry (PID: 4768)
      • Registry (PID: 3980)
      • ehtwdn1ipjv.exe (PID: 320)
      • ehtwdn1ipjv.exe (PID: 7116)
      • Registry (PID: 7092)
    • Disables trace logs

      • ehtwdn1ipjv.exe (PID: 2388)
      • cmstp.exe (PID: 724)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Reads the machine GUID from the registry

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Reads Environment values

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Process checks computer location settings

      • ehtwdn1ipjv.exe (PID: 2388)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 724)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5808)
      • mshta.exe (PID: 1136)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3844)
      • powershell.exe (PID: 5924)
      • powershell.exe (PID: 6852)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 1192)
      • powershell.exe (PID: 6164)
      • powershell.exe (PID: 1872)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5924)
      • powershell.exe (PID: 3844)
      • powershell.exe (PID: 6852)
      • powershell.exe (PID: 1192)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 6164)
      • powershell.exe (PID: 1872)
    • Creates files in the program directory

      • dllhost.exe (PID: 2188)
      • ehtwdn1ipjv.exe (PID: 5600)
    • Reads the software policy settings

      • ehtwdn1ipjv.exe (PID: 5600)
      • slui.exe (PID: 6232)
    • Launching a file from the Startup directory

      • ehtwdn1ipjv.exe (PID: 5600)
    • Manual execution by a user

      • Registry (PID: 4768)
    • Launching a file from a Registry key

      • ehtwdn1ipjv.exe (PID: 5600)
    • Creates files or folders in the user directory

      • ehtwdn1ipjv.exe (PID: 5600)
No Malware configuration.
No data.
Total processes: 171
Monitored processes: 38
Malicious processes: 5
Suspicious processes: 3

Behavior graph

Processes shown in the graph (interactive view in the full report): cmd.exe, conhost.exe, powershell.exe, ehtwdn1ipjv.exe, cmstp.exe, CMSTPLUA, mshta.exe, cmd.exe, conhost.exe, ehtwdn1ipjv.exe, mshta.exe, taskkill.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, schtasks.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, schtasks.exe, conhost.exe, registry, slui.exe, ehtwdn1ipjv.exe, registry, ehtwdn1ipjv.exe, registry, svchost.exe

Process information

Each entry lists PID, command line, image path and parent process, followed by user, integrity level, description, exit code, version and the loaded modules (images).
PID: 320 | CMD: "C:\ProgramData\ehtwdn1ipjv.exe" | Path: C:\ProgramData\ehtwdn1ipjv.exe | Parent process: svchost.exe
User: admin | Integrity Level: HIGH | Description: (none) | Exit code: 0 | Version: 1.0.0.0
Modules (images): c:\programdata\ehtwdn1ipjv.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll
PID: 620 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 724 | CMD: "C:\WINDOWS\system32\cmstp.exe" /au C:\WINDOWS\temp\a5tiuoir.inf | Path: C:\Windows\System32\cmstp.exe | Parent process: ehtwdn1ipjv.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Connection Manager Profile Installer | Exit code: 1 | Version: 7.2.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmstp.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
PID: 724 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 1128 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 1136 | CMD: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close") | Path: C:\Windows\System32\mshta.exe | Parent process: dllhost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Microsoft (R) HTML Application host | Exit code: 0 | Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\mshta.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\wldp.dll
PID: 1192 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ehtwdn1ipjv.exe' | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: ehtwdn1ipjv.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows PowerShell | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\atl.dll
PID: 1380 | CMD: "C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F | Path: C:\Windows\System32\taskkill.exe | Parent process: mshta.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Terminates Processes | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\taskkill.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
PID: 1740 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 1872 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Registry' | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: ehtwdn1ipjv.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows PowerShell | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\atl.dll, c:\windows\system32\user32.dll
Total events: 54 222
Read events: 54 190
Write events: 32
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | EnableFileTracing | 0
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | EnableAutoFileTracing | 0
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | EnableConsoleTracing | 0
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | FileTracingMask | 
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | ConsoleTracingMask | 
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | MaxFileSize | 1048576
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASAPI32 | write | FileDirectory | %windir%\tracing
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASMANCS | write | EnableFileTracing | 0
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASMANCS | write | EnableAutoFileTracing | 0
2388 | ehtwdn1ipjv.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ehtwdn1ipjv_RASMANCS | write | EnableConsoleTracing | 0
Executable files: 4
Suspicious files: 2
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_osdyatpm.okc.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3844 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uv4w3vby.44x.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2076 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | D6C90CD96F42FAEFA1F3B0B6274E294B | B618D9376BCA34361E6DC52A263CAE3CCF163185B3E555D90AF3014F42685318
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ehtwdn1ipjv.exe | executable | 483420A163DFA0ADFBCB2D89668C450B | 73761F01CE17DC9D4B7C3F98C653A8D51B6EC23D8322C6561E23CBBEB17F58FD
6840 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dtnkubwd.hhz.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2388 | ehtwdn1ipjv.exe | C:\Windows\Temp\a5tiuoir.inf | text | 95666358D016F4C54037FED2EABD4408 | D5414FC470F5B7C40BD7CDFFEAA4BB7ACC7BBD36148BCE0FB57E5175F275CA32
3844 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5fjpeooj.yf3.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_24l33fdh.hl2.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xkoghbv5.znb.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6852 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lkjhslaw.w45.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 11
TCP/UDP connections: 26
DNS requests: 13
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4680 | RUXIMICS.exe | GET | 200 | 184.24.77.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4680 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 302 | 140.82.121.4:443 | https://github.com/reagentc2/reagentc/raw/refs/heads/main/Encrypted.exe | unknown | | |
| | GET | 200 | 140.82.121.4:443 | https://raw.githubusercontent.com/reagentc2/reagentc/refs/heads/main/Encrypted.exe | unknown | | |
2388 | ehtwdn1ipjv.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | | | whitelisted
5600 | ehtwdn1ipjv.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | | | whitelisted
5600 | ehtwdn1ipjv.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | | | whitelisted
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4680 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4680 | RUXIMICS.exe | 184.24.77.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4680 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 184.24.77.12, 184.24.77.37, 184.24.77.6, 184.24.77.35 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
github.com | 140.82.121.4 | whitelisted
raw.githubusercontent.com | 185.199.109.133, 185.199.111.133, 185.199.110.133, 185.199.108.133 | malicious
ip-api.com | 208.95.112.1 | whitelisted
insellerate.net | 104.40.65.56 | malicious
safe-shell.gl.at.ply.gg | 147.185.221.26 | unknown
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
| | A Network Trojan was detected | ET HUNTING Download Request Containing Suspicious Filename - Crypted
| | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M1
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
| | A Network Trojan was detected | ET HUNTING Download Request Containing Suspicious Filename - Crypted
| | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M1
| | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
| | Misc activity | ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
| | Misc activity | ET INFO WinHttpRequest Downloading EXE
| | Misc activity | ET HUNTING EXE Downloaded from Github
| | Exploit Kit Activity Detected | ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)
No debug info