File name:

2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/bece7817-63c6-4acf-bef7-8245671c92f1
Verdict: Malicious activity
Analysis date: April 29, 2025, 02:19:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

FBE1AD4697A03B8A3C01B666823DD59E

SHA1:

90E97B9D46093DD9A9984BEF4D6C01C2F63E27F7

SHA256:

025075F84097EDC82E316307A61056BC20E2F2970C0338658525A4AA4F7FBBE7

SSDEEP:

98304:iefUuZuKAuf5jTFLkOefUuZuKAuf5jTFziy9/W10abzzpQXPJP0jjiGHaGx/LOLS:FySbzzdr0ijelYiOwgnEln+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7900)

    • Starts NET.EXE for service management

      • net.exe (PID: 1676)
      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 8044)
      • net.exe (PID: 5048)
      • cmd.exe (PID: 8092)
      • net.exe (PID: 5204)
      • net.exe (PID: 1052)
      • net.exe (PID: 4696)
      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 8068)

    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 8052)
      • net.exe (PID: 1676)

    • Uses NET.EXE to stop Windows Security Center service

      • cmd.exe (PID: 8068)
      • net.exe (PID: 5204)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 6112)
      • cmd.exe (PID: 8132)

    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 8144)
      • net.exe (PID: 6324)

  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Starts a Microsoft application from unusual location

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7452)

    • Process drops legitimate windows executable

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Starts CMD.EXE for commands execution

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Executable content was dropped or overwritten

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Starts itself from another location

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Creates file in the systems drive root

      • UpdatAuto.exe (PID: 7700)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Executes application which crashes

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7900)

    • Windows service management via SC.EXE

      • sc.exe (PID: 7188)
      • sc.exe (PID: 7228)
      • sc.exe (PID: 7220)
      • sc.exe (PID: 7256)
      • sc.exe (PID: 7236)

  • INFO

    • Create files in a temporary directory

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • The sample compiled with chinese language support

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)

    • Checks supported languages

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)
      • UpdatAuto.exe (PID: 7700)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe (PID: 7900)

    • The sample compiled with english language support

      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Creates files in the program directory

      • UpdatAuto.exe (PID: 7700)
      • 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe (PID: 7540)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (28.5)
.exe | InstallShield setup (14.9)
.exe | Win32 Executable MS Visual C++ (generic) (10.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:03:12 04:30:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: 16384
UninitializedDataSize: -
EntryPoint: 0x27dc
OSVersion: 4
ImageVersion: 6.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.0.0
ProductVersionNumber: 6.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Windows Update Manager for NT
CompanyName: Microsoft Corporation
FileDescription: Windows Update Manager for NT
LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
ProductName: Microsoft(R) Windows (R) 2000 Operating System
FileVersion: 6.01
ProductVersion: 6.01
InternalName: INCUBUS
OriginalFileName: INCUBUS.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
48
Malicious processes
4
Suspicious processes
7

Behavior graph

Click at the process to see the details
start 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe cmd.exe no specs conhost.exe no specs updatauto.exe cmd.exe no specs conhost.exe no specs 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe werfault.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs slui.exe no specs 2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1052net stop srserviceC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1276C:\WINDOWS\system32\net1 start TlntSvrC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1676net stop wuauservC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2108C:\WINDOWS\system32\net1 stop wuauservC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
2140\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432C:\WINDOWS\system32\net1 stop sharedaccessC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
2616C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4228C:\WINDOWS\system32\net1 stop srserviceC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
4696net start TlntSvrC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
2 468
Read events
2 443
Write events
22
Delete events
3

Modification events

(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:ProgramId
Value:
0006e62228761404c3e223313b6231aced3200000904
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:FileId
Value:
000040a3c1c61109606af8b306dbe7437a404957815a
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:LowerCaseLongPath
Value:
c:\users\admin\desktop\2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:LongPathHash
Value:
2025-04-29_fbe1a|5e3d37c773a64b79
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:Name
Value:
2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exe
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:OriginalFileName
Value:
chrome_pwa_launcher.exe
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:Publisher
Value:
google llc
(PID) Process:(7984) WerFault.exeKey:\REGISTRY\A\{22d780e1-fe16-cfcd-7fe1-fe2970dc441e}\Root\InventoryApplicationFile\2025-04-29_fbe1a|5e3d37c773a64b79
Operation:writeName:Version
Value:
123.0.6312.123
Executable files
17
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7984WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-04-29_fbe1a_a18eec895c95de9d3816ca5a223882b6e5b7eb_e5a8c848_d2a022ad-eb03-41c8-8151-eb979fa7fbf8\Report.wer
MD5:
SHA256:
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Windows\SysWOW64\UpdatAuto.exeexecutable
MD5:A1FC72A7F55F40A16C1AAB28AD3D2171
SHA256:43216D3098DF0811A13FA777E4427E6DDF7D2079AA3DC8CD721E43E93C609460
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeexecutable
MD5:1CC799DEF79DE0F893FF5A1CA534FBB5
SHA256:37242F6762F3FB07417DF2022675FF563DC24A8FE7AC4A2F8C93ADBAEF2DCCB4
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\ntldr~6executable
MD5:A1FC72A7F55F40A16C1AAB28AD3D2171
SHA256:43216D3098DF0811A13FA777E4427E6DDF7D2079AA3DC8CD721E43E93C609460
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Users\admin\Desktop\2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader~4.exeexecutable
MD5:EB6D908E2474936F38C8ED6A11C68B05
SHA256:428B8FE2150485661B201E4B9803BFE22675152DB5F5BC603030367F69EE0858
75402025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
MD5:
SHA256:
7700UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
MD5:
SHA256:
7984WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE002.tmp.WERInternalMetadata.xmlbinary
MD5:78B5BD4285619A67F9DBC702D0AD3042
SHA256:F1D9F02CCD3E879379C90DE10893B33AA32D1BCE76DEF20774804596DDFF8AB3
7984WerFault.exeC:\Windows\appcompat\Programs\Amcache.hvebinary
MD5:0440885C3D64060F0D7920B633035D31
SHA256:C77151AE5D782567AB3B3543CC5D3DEA85C36EC728D345AF91BB78C352EC0164
7700UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeexecutable
MD5:F1386CE8A1AC3E690980267F787BD54F
SHA256:488B9641CDC0D8AE6712317F629455C28EA9D0B7F53CD78A5B9F0E7A8C3F83E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6456
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6456
RUXIMICS.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6456
RUXIMICS.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_fbe1ad4697a03b8a3c01b666823dd59e_akira_black-basta_elex_hijackloader_remcos_rhadamanthys_smoke-loader