File name:

2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/bece7817-63c6-4acf-bef7-8245671c92f1
Verdict: Malicious activity
Analysis date: April 29, 2025, 02:19:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

FBE1AD4697A03B8A3C01B666823DD59E

SHA1:

90E97B9D46093DD9A9984BEF4D6C01C2F63E27F7

SHA256:

025075F84097EDC82E316307A61056BC20E2F2970C0338658525A4AA4F7FBBE7

SSDEEP:

98304:iefUuZuKAuf5jTFLkOefUuZuKAuf5jTFziy9/W10abzzpQXPJP0jjiGHaGx/LOLS:FySbzzdr0ijelYiOwgnEln+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7900)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 8092)
      • cmd.exe (PID: 8044)
      • net.exe (PID: 5048)
      • net.exe (PID: 1676)
      • cmd.exe (PID: 8068)
      • net.exe (PID: 5204)
      • net.exe (PID: 4696)
      • net.exe (PID: 1052)

    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 8052)
      • net.exe (PID: 1676)

    • Uses NET.EXE to stop Windows Security Center service

      • cmd.exe (PID: 8068)
      • net.exe (PID: 5204)

    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 8144)
      • net.exe (PID: 6324)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 8132)
      • net.exe (PID: 6112)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Starts a Microsoft application from unusual location

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7452)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Starts CMD.EXE for commands execution

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Executing commands from a ".bat" file

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Executable content was dropped or overwritten

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Starts itself from another location

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Creates file in the systems drive root

      • UpdatAuto.exe (PID: 7700)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Executes application which crashes

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7900)

    • Windows service management via SC.EXE

      • sc.exe (PID: 7236)
      • sc.exe (PID: 7188)
      • sc.exe (PID: 7256)
      • sc.exe (PID: 7228)
      • sc.exe (PID: 7220)

  • INFO

    • The sample compiled with chinese language support

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Checks supported languages

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7900)

    • Create files in a temporary directory

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • The sample compiled with english language support

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Creates files in the program directory

      • UpdatAuto.exe (PID: 7700)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (28.5)
.exe | InstallShield setup (14.9)
.exe | Win32 Executable MS Visual C++ (generic) (10.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:03:12 04:30:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: 16384
UninitializedDataSize: -
EntryPoint: 0x27dc
OSVersion: 4
ImageVersion: 6.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.0.0
ProductVersionNumber: 6.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Windows Update Manager for NT
CompanyName: Microsoft Corporation
FileDescription: Windows Update Manager for NT
LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
ProductName: Microsoft(R) Windows (R) 2000 Operating System
FileVersion: 6.01
ProductVersion: 6.01
InternalName: INCUBUS
OriginalFileName: INCUBUS.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
48
Malicious processes
4
Suspicious processes
7

Behavior graph

Click at the process to see the details
start 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe cmd.exe no specs conhost.exe no specs updatauto.exe cmd.exe no specs conhost.exe no specs 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe werfault.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs slui.exe no specs 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1052net stop srserviceC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1276C:\WINDOWS\system32\net1 start TlntSvrC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1676net stop wuauservC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2108C:\WINDOWS\system32\net1 stop wuauservC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
2140\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432C:\WINDOWS\system32\net1 stop sharedaccessC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
2616C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4228C:\WINDOWS\system32\net1 stop srserviceC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
4696net start TlntSvrC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
2 468
Read events
2 443
Write events
22
Delete events
3

Modification events

(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:ProgramId
Value:
0006e62228761404c3e223313b6231aced3200000904
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:FileId
Value:
000040a3c1c61109606af8b306dbe7437a404957815a
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:LowerCaseLongPath
Value:
c:\users\admin\desktop\2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:LongPathHash
Value:
2025-04-29_fbe1a|5e3d37c773a64b79
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:Name
Value:
2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:OriginalFileName
Value:
chrome_pwa_launcher.exe
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:Publisher
Value:
google llc
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:Version
Value:
123.0.6312.123
Executable files
17
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7984WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-04-29_fbe1a_a18eec895c95de9d3816ca5a223882b6e5b7eb_e5a8c848_d2a022ad-eb03-41c8-8151-eb979fa7fbf8\Report.wer
MD5:
SHA256:
7984WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE002.tmp.WERInternalMetadata.xmlbinary
MD5:78B5BD4285619A67F9DBC702D0AD3042
SHA256:E6942CFE601626BC2B57A39164086F8AB8444723766FD32F6155DB920F181E45
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Users\admin\Desktop\2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exeexecutable
MD5:EB6D908E2474936F38C8ED6A11C68B05
SHA256:428B8FE2150485661B201E4B9803BFE22675152DB5F5BC603030367F69EE0858
7984WerFault.exeC:\Windows\appcompat\Programs\Amcache.hvebinary
MD5:0440885C3D64060F0D7920B633035D31
SHA256:C77151AE5D782567AB3B3543CC5D3DEA85C36EC728D345AF91BB78C352EC0164
7984WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE032.tmp.xmlxml
MD5:5B94D9FB86E4AA6300C4FA1EE6F08DB2
SHA256:403B7CCC9E7AF0AF8F373F51A88353672DE4CE32D1E1361D1B7B2FA8E836CBAD
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
MD5:
SHA256:
7700UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
MD5:
SHA256:
7700UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeexecutable
MD5:752C461B9036F588F96A13992340BB92
SHA256:E6403F781E0686F71FB40EA823E1F54ECDF310E93E2D379F93F5F26D49D73115
7700UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeexecutable
MD5:F5D6CAB3D60B921634F7B39C8A315CB8
SHA256:F37CC3CA5FD6F6F63DA63DB250B35397E115AEDE8F6BC0AA720DC297031437BB
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeexecutable
MD5:958E47D7582B0C3127C08FC33D1B81DD
SHA256:4E9F7409704BFBE50F5ADA70C215E01EE86299BE243ABB78F453F24BC07A9804
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6456
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6456
RUXIMICS.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6456
RUXIMICS.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader