File name:

emBridge(5.9.1.6).7z

Full analysis: https://app.any.run/tasks/b830f69f-5695-45d4-83f6-a784ed78894a
Verdict: Malicious activity
Analysis date: March 11, 2025, 08:36:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
delphi
inno
installer
confuser
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

1BEEED04BF4BE7CD2A9FE5873A979C48

SHA1:

6C1A738314F30878099D44693B1F3F63A85BF1AA

SHA256:

BF98BD95AA2D934EA57EF80C08AAE3EE816B08648DCBF0ABCD6D8ACD36816249

SSDEEP:

98304:ZeAmUt56LVxfhk2kSL6fJ54pN72ci3Wzzve/HySFkPnXT85nV6TdIMq+/KA+qP6h:rAjT4sGvsVK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7400)
    • Create files in the Startup directory

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • emBridge.tmp (PID: 7368)
      • emBridge.exe (PID: 7232)
      • emBridge.exe (PID: 2040)
      • emBridge.tmp (PID: 7244)
      • _unins.tmp (PID: 4784)
      • emBridge.exe (PID: 2140)
    • Reads the Windows owner or organization settings

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
      • _unins.tmp (PID: 4784)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7400)
      • emBridge.tmp (PID: 6080)
      • emBridge.tmp (PID: 7148)
      • emBridge.exe (PID: 7516)
    • Process drops legitimate windows executable

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
    • Starts CMD.EXE for commands execution

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
      • emBridge.exe (PID: 7516)
    • Executing commands from a ".bat" file

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
    • Creates or modifies Windows services

      • emBridge.exe (PID: 5204)
    • Executes as Windows Service

      • emBridge.exe (PID: 7020)
      • emBridge.exe (PID: 7516)
    • Adds/modifies Windows certificates

      • emBridge.exe (PID: 7020)
    • Executes application which crashes

      • emBridge.exe (PID: 7020)
    • Searches for installed software

      • emBridge.tmp (PID: 7244)
    • Starts itself from another location

      • unins000.exe (PID: 1272)
    • Starts application with an unusual extension

      • unins000.exe (PID: 1272)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 7692)
      • cmd.exe (PID: 7660)
      • cmd.exe (PID: 7364)
      • cmd.exe (PID: 6572)
      • cmd.exe (PID: 6960)
      • cmd.exe (PID: 7852)
    • Uses TASKKILL.EXE to kill process

      • _unins.tmp (PID: 4784)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7400)
    • Checks supported languages

      • emBridge.exe (PID: 7232)
      • emBridge.tmp (PID: 7368)
      • emBridge.exe (PID: 5204)
      • emBridge.exe (PID: 7172)
      • emBridge.exe (PID: 7020)
      • emBridge.tmp (PID: 6080)
      • emBridge.exe (PID: 7264)
      • emBridge.exe (PID: 2040)
      • emBridge.tmp (PID: 7244)
      • emBridge.tmp (PID: 7148)
      • unins000.exe (PID: 1272)
      • emBridge.exe (PID: 1348)
      • emBridge.exe (PID: 2140)
      • emBridge.exe (PID: 6808)
      • emBridge.exe (PID: 4200)
      • emBridge.exe (PID: 7516)
      • _unins.tmp (PID: 4784)
    • Reads the computer name

      • emBridge.tmp (PID: 7368)
      • emBridge.exe (PID: 5204)
      • emBridge.exe (PID: 7020)
      • emBridge.exe (PID: 7172)
      • emBridge.tmp (PID: 6080)
      • emBridge.tmp (PID: 7148)
      • emBridge.tmp (PID: 7244)
      • unins000.exe (PID: 1272)
      • _unins.tmp (PID: 4784)
      • emBridge.exe (PID: 1348)
      • emBridge.exe (PID: 4200)
      • emBridge.exe (PID: 6808)
    • Create files in a temporary directory

      • emBridge.tmp (PID: 7368)
      • emBridge.exe (PID: 2140)
      • emBridge.exe (PID: 7232)
      • emBridge.exe (PID: 7264)
      • emBridge.exe (PID: 2040)
      • emBridge.tmp (PID: 7244)
      • unins000.exe (PID: 1272)
      • _unins.tmp (PID: 4784)
    • Detects InnoSetup installer (YARA)

      • emBridge.exe (PID: 7232)
      • emBridge.tmp (PID: 7148)
      • emBridge.exe (PID: 2140)
      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 6080)
      • emBridge.exe (PID: 7264)
      • emBridge.tmp (PID: 7244)
    • Compiled with Borland Delphi (YARA)

      • emBridge.exe (PID: 7232)
      • emBridge.tmp (PID: 7148)
      • emBridge.exe (PID: 2140)
      • emBridge.tmp (PID: 7368)
      • emBridge.exe (PID: 7264)
      • emBridge.tmp (PID: 7244)
      • emBridge.tmp (PID: 6080)
    • The sample compiled with english language support

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
    • Creates files in the program directory

      • emBridge.tmp (PID: 7368)
      • emBridge.exe (PID: 5204)
      • emBridge.exe (PID: 7020)
      • emBridge.tmp (PID: 7244)
      • emBridge.exe (PID: 7516)
    • Creates a software uninstall entry

      • emBridge.tmp (PID: 7368)
      • emBridge.tmp (PID: 7244)
    • Checks proxy server information

      • emBridge.tmp (PID: 7368)
    • Reads the machine GUID from the registry

      • emBridge.exe (PID: 5204)
      • emBridge.exe (PID: 7172)
      • emBridge.exe (PID: 7020)
      • emBridge.exe (PID: 7516)
      • emBridge.exe (PID: 4200)
      • emBridge.exe (PID: 1348)
    • Disables trace logs

      • emBridge.exe (PID: 7020)
    • Process checks computer location settings

      • emBridge.tmp (PID: 6080)
      • emBridge.tmp (PID: 7148)
      • _unins.tmp (PID: 4784)
    • Reads the software policy settings

      • slui.exe (PID: 7584)
      • slui.exe (PID: 7816)
    • Confuser has been detected (YARA)

      • emBridge.exe (PID: 7516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2025:03:10 09:59:48+00:00
ArchivedFileName: emBridge(5.9.1.6)
No data.
All screenshots are available in the full report
Total processes
194
Monitored processes
52
Malicious processes
3
Suspicious processes
6

Behavior graph

Process sequence as drawn in the graph (ANY.RUN labels a process "no specs" when no signature fired for it):

start, winrar.exe, sppextcomobj.exe (no specs), slui.exe, embridge.exe, embridge.tmp (no specs), embridge.exe, embridge.tmp, cmd.exe (no specs), conhost.exe (no specs), embridge.exe (no specs), embridge.exe (no specs), embridge.exe, werfault.exe (no specs), embridge.exe (no specs), embridge.tmp (no specs), embridge.exe, embridge.tmp, slui.exe, unins000.exe (no specs), _unins.tmp, taskkill.exe (no specs), conhost.exe (no specs), embridge.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), embridge.exe (no specs), embridge.exe (no specs), embridge.exe, cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), checknetisolation.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), checknetisolation.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
660
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
720
CMD:
"C:\WINDOWS\system32\taskkill.exe" /f /im emBridge.exe
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
_unins.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
924
CMD:
CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Path:
C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
AppContainer Network Isolation Diagnostic Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID:
1272
CMD:
"C:\Program Files (x86)\eMudhra\emBridge\unins000.exe" /SILENT /NORESTART /SUPPRESSMSGBOXES
Path:
C:\Program Files (x86)\eMudhra\emBridge\unins000.exe
Parent process:
emBridge.tmp
User:
admin
Company:
eMudhra Limited
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\program files (x86)\emudhra\embridge\unins000.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1324
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1348
CMD:
"C:\Program Files (x86)\eMudhra\emBridge\emBridge.exe" uninstall
Path:
C:\Program Files (x86)\eMudhra\emBridge\emBridge.exe
Parent process:
_unins.tmp
User:
admin
Company:
eMudhra Limited
Integrity Level:
HIGH
Description:
emBridge
Exit code:
0
Version:
5.9.1.6
Modules
Images
c:\program files (x86)\emudhra\embridge\embridge.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID:
2040
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.6904\emBridge(5.9.1.6)\emBridge.exe" /SPAWNWND=$802D2 /NOTIFYWND=$40256
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.6904\emBridge(5.9.1.6)\emBridge.exe
Parent process:
emBridge.tmp
User:
admin
Company:
eMudhra Limited
Integrity Level:
HIGH
Description:
emBridge Setup
Exit code:
1
Version:
5.9.1.6
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa7400.6904\embridge(5.9.1.6)\embridge.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comctl32.dll
c:\windows\syswow64\advapi32.dll
PID:
2140
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.2678\emBridge(5.9.1.6)\emBridge.exe" /SPAWNWND=$1702DC /NOTIFYWND=$6025C
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.2678\emBridge(5.9.1.6)\emBridge.exe
Parent process:
emBridge.tmp
User:
admin
Company:
eMudhra Limited
Integrity Level:
HIGH
Description:
emBridge Setup
Exit code:
0
Version:
5.9.1.6
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa7400.2678\embridge(5.9.1.6)\embridge.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
2316
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2416
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
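The rows above are the interesting part of the process table: a taskkill by image name from the uninstaller, two emBridge.exe launches straight out of WinRAR's Rar$EXa extraction directory, a silent unins000.exe run, and a CheckNetIsolation LoopbackExempt -a call whose user column is SYSTEM and whose parent is cmd.exe (LoopbackExempt -a lets the named AppContainer package, here Edge, talk to a service listening on 127.0.0.1). The script below turns those observations into repeatable triage rules over the command lines. It is an added example for this page, not ANY.RUN or eMudhra code; PROCS is transcribed from the table, and the rule names and thresholds are this example's own choice.

```python
"""Triage rules over the process command lines listed in this report.

Added example for this page; it is not ANY.RUN or eMudhra code. PROCS is
transcribed from the "Process information" table above (PID, command
line, image path, user, parent image). The rule names and the choice of
what to flag are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    path: str
    user: str
    parent: str


# Transcribed from the report; "SYSTEM" is the User column of the table.
PROCS = [
    Proc(660, r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
         r"C:\Windows\System32\conhost.exe", "admin", "cmd.exe"),
    Proc(720, r'"C:\WINDOWS\system32\taskkill.exe" /f /im emBridge.exe',
         r"C:\Windows\SysWOW64\taskkill.exe", "admin", "_unins.tmp"),
    Proc(924, "CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe",
         r"C:\Windows\SysWOW64\CheckNetIsolation.exe", "SYSTEM", "cmd.exe"),
    Proc(1272, r'"C:\Program Files (x86)\eMudhra\emBridge\unins000.exe" /SILENT /NORESTART /SUPPRESSMSGBOXES',
         r"C:\Program Files (x86)\eMudhra\emBridge\unins000.exe", "admin", "emBridge.tmp"),
    Proc(1348, r'"C:\Program Files (x86)\eMudhra\emBridge\emBridge.exe" uninstall',
         r"C:\Program Files (x86)\eMudhra\emBridge\emBridge.exe", "admin", "_unins.tmp"),
    Proc(2040, r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.6904\emBridge(5.9.1.6)\emBridge.exe" /SPAWNWND=$802D2 /NOTIFYWND=$40256',
         r"C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.6904\emBridge(5.9.1.6)\emBridge.exe", "admin", "emBridge.tmp"),
    Proc(2316, r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
         r"C:\Windows\System32\conhost.exe", "SYSTEM", "cmd.exe"),
]

# WinRAR extracts to %TEMP%\Rar$EXa<pid>.<n>\ before it launches a file.
ARCHIVE_TEMP = re.compile(r"\\Temp\\Rar\$EX", re.IGNORECASE)


def tokens(cmd: str) -> list[str]:
    """Split a Windows command line, keeping a quoted path as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) for every process that matches a rule."""
    findings = []
    for p in procs:
        argv = tokens(p.cmd)
        lower = [a.lower() for a in argv]
        image = image_name(p.path)

        # taskkill /f /im <image>: forced termination by image name.
        if image == "taskkill.exe" and "/f" in lower and "/im" in lower:
            findings.append((p.pid, "force-kill-by-image", argv[lower.index("/im") + 1]))

        # CheckNetIsolation LoopbackExempt -a -n=<package>: lets that
        # AppContainer package reach services bound to 127.0.0.1.
        if image == "checknetisolation.exe" and "loopbackexempt" in lower and "-a" in lower:
            pkg = next((a.split("=", 1)[1] for a in argv if a.lower().startswith("-n=")), "")
            findings.append((p.pid, "loopback-exemption-added", pkg))

        # Executable run straight out of an archive extraction directory.
        if ARCHIVE_TEMP.search(p.path):
            findings.append((p.pid, "exec-from-archive-temp", image))

        # Inno Setup uninstaller started without user interaction.
        if image.startswith("unins") and {"/silent", "/verysilent"} & set(lower):
            findings.append((p.pid, "silent-uninstall", " ".join(argv[1:])))

        # Anything a SYSTEM-level cmd.exe spawned, other than its console host.
        if p.user == "SYSTEM" and p.parent.lower() == "cmd.exe" and image != "conhost.exe":
            findings.append((p.pid, "system-shell-child", image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCS):
        print(f"{pid:>5}  {rule:<26} {detail}")
```

On this report the rules fire five times: the taskkill (720), the loopback exemption and the SYSTEM shell child (both 924), the silent uninstall (1272) and the archive-directory launch (2040). The conhost.exe instances are deliberately excluded from the SYSTEM-shell rule, since every cmd.exe spawns one.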
Total events
23 795
Read events
23 694
Write events
90
Delete events
11

Modification events

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\emBridge(5.9.1.6).7z

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (7400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (7368) emBridge.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{a38aa4bd-f42d-44fa-a9c9-da61f74ca666}_is1
Operation: write
Name: Inno Setup: Setup Version
Value:
6.2.2

(PID) Process: (7368) emBridge.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{a38aa4bd-f42d-44fa-a9c9-da61f74ca666}_is1
Operation: write
Name: Inno Setup: App Path
Value:
C:\Program Files (x86)\eMudhra\emBridge
Executable files
62
Suspicious files
21
Text files
8
Unknown types
0

Dropped files

PID | Process | Filename | Type
7368 | emBridge.tmp | C:\Program Files (x86)\eMudhra\emBridge\is-LRBTT.tmp | executable
MD5: EEAB8804E228437A0E58993D7A066944
SHA256: E1BADD6860328384FB16178487CC293D79EB6618750A8A28EC652BC7AAB0F7BA
7400 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.2678\emBridge(5.9.1.6)\emBridge.exe | executable
MD5: BD4F0C6901227527B3D616CE5F3231EA
SHA256: B3BA81BD993CA038C0F11328A6D98181DCFF01E93B7863260EC5FD87C2A18CAB
7232 | emBridge.exe | C:\Users\admin\AppData\Local\Temp\is-BTNN3.tmp\emBridge.tmp | executable
MD5: 231A054793512A64C9E972FFA1AB683C
SHA256: B1A3FD598E9A7D312B9B546A41EF9D9F2E3D27AA59B3DADE43669048CAF8055B
2140 | emBridge.exe | C:\Users\admin\AppData\Local\Temp\is-A314G.tmp\emBridge.tmp | executable
MD5: 231A054793512A64C9E972FFA1AB683C
SHA256: B1A3FD598E9A7D312B9B546A41EF9D9F2E3D27AA59B3DADE43669048CAF8055B
7368 | emBridge.tmp | C:\Program Files (x86)\eMudhra\emBridge\unins000.exe | executable
MD5: EEAB8804E228437A0E58993D7A066944
SHA256: E1BADD6860328384FB16178487CC293D79EB6618750A8A28EC652BC7AAB0F7BA
7368 | emBridge.tmp | C:\Users\admin\AppData\Local\Temp\is-P88DG.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7368 | emBridge.tmp | C:\Program Files (x86)\eMudhra\emBridge\is-07FFU.tmp | executable
MD5: 169A2802F25F1F083432FC099F4B5E6C
SHA256: 4B8399F36A0ABEBD8B2A0DC58AF5D83F3A6AE5F2228AC49E1FE9F70497975635
7368 | emBridge.tmp | C:\Windows\System32\drivers\etc\hosts | text
MD5: F79F7E6578AB981C42623758399B885A
SHA256: 56FFA8A9A7562DF1620C7A37BDB07A16841DAB627984D8ECE0A2BDEF985E53AD
7368 | emBridge.tmp | C:\Program Files (x86)\eMudhra\emBridge\NLog.dll | executable
MD5: 169A2802F25F1F083432FC099F4B5E6C
SHA256: 4B8399F36A0ABEBD8B2A0DC58AF5D83F3A6AE5F2228AC49E1FE9F70497975635
7368 | emBridge.tmp | C:\Program Files (x86)\eMudhra\emBridge\emBridge.exe | executable
MD5: 743FDB1D35A0A0D28F31DC16B03940B6
SHA256: FD1D581C1E7BA97A4137B7907B95EEBABE55206A43FC0138B64892E793B0F74B
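Two things in the dropped-file list are easy to misread. First, several rows share a hash: is-LRBTT.tmp and unins000.exe carry the same SHA256, as do is-07FFU.tmp and NLog.dll. That is Inno Setup's normal write-to-is-XXXXX.tmp-then-rename behaviour, so the list contains fewer distinct payloads than rows. Second, one write lands outside both the install directory and %TEMP%: the installer rewrites C:\Windows\System32\drivers\etc\hosts. The report records the write and its hash but not the file content, so what was added to hosts cannot be determined from this page. The script below collapses the staging copies by hash and isolates the out-of-tree writes. It is an added example for this page, not ANY.RUN or eMudhra code; ROWS is transcribed from the table above and the grouping logic is this example's own.

```python
"""Dropped-file triage: collapse Inno Setup staging copies by hash and
surface writes that land outside the installer's own directories.

Added example for this page; not ANY.RUN or eMudhra code. ROWS is
transcribed from the "Dropped files" table above (PID, process, path,
type, SHA256). INSTALL_DIR and TEMP_DIR are taken from the paths in that
table; the grouping logic is this example's own.
"""
import re
from collections import defaultdict

ROWS = [
    (7368, "emBridge.tmp", r"C:\Program Files (x86)\eMudhra\emBridge\is-LRBTT.tmp", "executable",
     "E1BADD6860328384FB16178487CC293D79EB6618750A8A28EC652BC7AAB0F7BA"),
    (7400, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa7400.2678\emBridge(5.9.1.6)\emBridge.exe", "executable",
     "B3BA81BD993CA038C0F11328A6D98181DCFF01E93B7863260EC5FD87C2A18CAB"),
    (7232, "emBridge.exe", r"C:\Users\admin\AppData\Local\Temp\is-BTNN3.tmp\emBridge.tmp", "executable",
     "B1A3FD598E9A7D312B9B546A41EF9D9F2E3D27AA59B3DADE43669048CAF8055B"),
    (2140, "emBridge.exe", r"C:\Users\admin\AppData\Local\Temp\is-A314G.tmp\emBridge.tmp", "executable",
     "B1A3FD598E9A7D312B9B546A41EF9D9F2E3D27AA59B3DADE43669048CAF8055B"),
    (7368, "emBridge.tmp", r"C:\Program Files (x86)\eMudhra\emBridge\unins000.exe", "executable",
     "E1BADD6860328384FB16178487CC293D79EB6618750A8A28EC652BC7AAB0F7BA"),
    (7368, "emBridge.tmp", r"C:\Users\admin\AppData\Local\Temp\is-P88DG.tmp\_isetup\_setup64.tmp", "executable",
     "388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95"),
    (7368, "emBridge.tmp", r"C:\Program Files (x86)\eMudhra\emBridge\is-07FFU.tmp", "executable",
     "4B8399F36A0ABEBD8B2A0DC58AF5D83F3A6AE5F2228AC49E1FE9F70497975635"),
    (7368, "emBridge.tmp", r"C:\Windows\System32\drivers\etc\hosts", "text",
     "56FFA8A9A7562DF1620C7A37BDB07A16841DAB627984D8ECE0A2BDEF985E53AD"),
    (7368, "emBridge.tmp", r"C:\Program Files (x86)\eMudhra\emBridge\NLog.dll", "executable",
     "4B8399F36A0ABEBD8B2A0DC58AF5D83F3A6AE5F2228AC49E1FE9F70497975635"),
    (7368, "emBridge.tmp", r"C:\Program Files (x86)\eMudhra\emBridge\emBridge.exe", "executable",
     "FD1D581C1E7BA97A4137B7907B95EEBABE55206A43FC0138B64892E793B0F74B"),
]

INSTALL_DIR = r"C:\Program Files (x86)\eMudhra\emBridge"
TEMP_DIR = r"C:\Users\admin\AppData\Local\Temp"

# Inno Setup writes each file as is-XXXXX.tmp (or into an is-XXXXX.tmp
# directory) and renames it into place; the hash does not change.
INNO_STAGING = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(\\|$)", re.IGNORECASE)


def by_hash(rows):
    groups = defaultdict(list)
    for _pid, _proc, path, _ftype, sha in rows:
        groups[sha].append(path)
    return groups


def final_names(rows):
    """SHA256 -> the non-staging path(s) that hash was observed under.

    A hash seen only under staging names keeps those names: either the
    rename into place was not captured, or the file was a temporary
    helper such as _setup64.tmp."""
    out = {}
    for sha, paths in by_hash(rows).items():
        finals = [p for p in paths if not INNO_STAGING.search(p)]
        out[sha] = finals or paths
    return out


def writes_outside(rows, install_dir=INSTALL_DIR, temp_dir=TEMP_DIR):
    """Files written anywhere other than the install tree or %TEMP%."""
    roots = (install_dir.lower() + "\\", temp_dir.lower() + "\\")
    return [(pid, proc, path, ftype)
            for pid, proc, path, ftype, _sha in rows
            if not path.lower().startswith(roots)]


if __name__ == "__main__":
    for sha, paths in final_names(ROWS).items():
        print(sha[:12], *paths, sep="  ")
    print("outside install/temp:", writes_outside(ROWS))
```

Ten rows reduce to seven distinct hashes, and the only out-of-tree write is the hosts file. For a run where the hosts content matters, the next step is to pull that file from the full report and diff it against a clean Windows hosts file.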
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
27
DNS requests
18
Threats
0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
7732 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7020 | emBridge.exe | GET | 200 | 13.234.51.255:80 | http://resources.emudhra.com/hs/updates.xml | unknown | whitelisted
5588 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7516 | emBridge.exe | GET | 200 | 13.234.51.255:80 | http://resources.emudhra.com/hs/updates.xml | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5588 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
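Five of the seven requests are OCSP and CRL fetches by Windows components (backgroundTaskHost.exe, svchost.exe, SIHClient.exe); those are plain HTTP by design, since the responses are signed. The two that belong to the sample are PIDs 7020 and 7516, the emBridge.exe instances the signature list marks as "Executes as Windows Service", and both fetch http://resources.emudhra.com/hs/updates.xml over cleartext port 80. The report shows only the fetch, not what the service does with the manifest or whether anything it points to is signature-checked, so the update path cannot be judged from this page alone. The filter below separates the revocation-check noise from the sample's own cleartext traffic. It is an added example for this page, not ANY.RUN or eMudhra code; REQUESTS is transcribed from the table above and the classification rules are this example's own.

```python
"""Separate the sample's own cleartext HTTP traffic from the PKI
revocation checks that Windows components make on their own.

Added example for this page; not ANY.RUN or eMudhra code. REQUESTS is
transcribed from the "HTTP requests" table above (PID, process, method,
status, IP:port, URL). The classification rules are this example's own.
"""
from urllib.parse import urlparse

REQUESTS = [
    (7732, "backgroundTaskHost.exe", "GET", 200, "184.30.131.245:80",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D"),
    (6544, "svchost.exe", "GET", 200, "184.30.131.245:80",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
    (7020, "emBridge.exe", "GET", 200, "13.234.51.255:80",
     "http://resources.emudhra.com/hs/updates.xml"),
    (5588, "SIHClient.exe", "GET", 200, "23.219.150.101:80",
     "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl"),
    (7516, "emBridge.exe", "GET", 200, "13.234.51.255:80",
     "http://resources.emudhra.com/hs/updates.xml"),
    (6544, "svchost.exe", "GET", 200, "184.30.131.245:80",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
    (5588, "SIHClient.exe", "GET", 200, "23.219.150.101:80",
     "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl"),
]

# Image names that belong to the sample under analysis (from the process tree).
SAMPLE_IMAGES = {"embridge.exe", "embridge.tmp", "unins000.exe", "_unins.tmp"}


def is_revocation_check(url: str) -> bool:
    """OCSP responders and CRL distribution points are served over plain
    HTTP by design; the responses are signed, so cleartext is expected."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    return host.startswith("ocsp.") or path.endswith(".crl") or "/crl/" in path


def sample_cleartext(requests, sample_images=SAMPLE_IMAGES):
    """URL -> PIDs for cleartext requests issued by the sample itself."""
    hits = {}
    for pid, image, _method, _status, _ip, url in requests:
        if image.lower() not in sample_images:
            continue
        if urlparse(url).scheme != "http" or is_revocation_check(url):
            continue
        hits.setdefault(url, []).append(pid)
    return hits


def noise(requests):
    """Requests explained by Windows' own certificate revocation checks."""
    return [(pid, image) for pid, image, *_rest, url in requests
            if is_revocation_check(url)]


if __name__ == "__main__":
    print("sample cleartext:", sample_cleartext(REQUESTS))
    print("revocation-check noise:", noise(REQUESTS))
```

The result is a single URL with two PIDs behind it, which is the one request worth following into the PCAP: an update manifest pulled over HTTP by a process that the signatures report as running as a service.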

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2104 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
7732 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7732 | backgroundTaskHost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.3
  • 40.126.32.68
  • 20.190.160.130
  • 40.126.32.72
  • 20.190.160.65
  • 20.190.160.2
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
resources.emudhra.com
  • 13.234.51.255
whitelisted

Threats

No threats detected

Debug output

Process | Message
emBridge.exe | Configuration Result: [Success] Name emBridge [Success] DisplayName emBridge Service [Success] Description emBridge Service. [Success] ServiceName emBridge
emBridge.exe | Topshelf v3.3.154.0, .NET Framework v4.0.30319.42000
emBridge.exe | Topshelf.HostConfigurators.HostConfiguratorImpl Information: 0 :
emBridge.exe | Topshelf.HostFactory Information: 0 :
emBridge.exe | Starting as a Windows service
emBridge.exe | Topshelf.Runtime.Windows.WindowsServiceHost Information: 0 :
emBridge.exe | Topshelf.Runtime.Windows.WindowsServiceHost Information: 0 :
emBridge.exe | [Topshelf] Starting
emBridge.exe | Topshelf.Runtime.Windows.WindowsServiceHost Information: 0 :
emBridge.exe | [Topshelf] Started