File name: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop

Full analysis: https://app.any.run/tasks/6ff66084-b5c1-4c8b-a5aa-4fcd9c7f28c7
Verdict: Malicious activity
Analysis date: May 28, 2025, 17:02:20
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: D4A5A885A48C564CE2FF734FF26D17E6
SHA1: 6ED7F3483CD563821F92568965EA0AEB806132AD
SHA256: 235111F9C5636DAA99C9FC64613D3BC08982993C763CB8CE5685677ED784247A
SSDEEP: 98304:LOkw7Bqbjx3qyKpavsNUWcMaBqbjx3qyicgK0xWLcJj01lUf4rGCGyTF0lGvGQG8:eUPr0FPIr0FP2o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • drvinst.exe (PID: 1180)
    • The process creates files with name similar to system file names

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
    • Drops 7-zip archiver for unpacking

      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Reads the Windows owner or organization settings

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
    • Creates a software uninstall entry

      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Executes as Windows Service

      • spoolsv.exe (PID: 1040)
    • Reads security settings of Internet Explorer

      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Creates files in the driver directory

      • drvinst.exe (PID: 1180)
  • INFO

    • The sample compiled with english language support

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • drvinst.exe (PID: 1180)
    • Creates files in the program directory

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Checks supported languages

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • msiexec.exe (PID: 7128)
      • drvinst.exe (PID: 1180)
    • Create files in a temporary directory

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
    • Reads the computer name

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • msiexec.exe (PID: 7128)
      • drvinst.exe (PID: 1180)
    • Creates files or folders in the user directory

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
    • Reads the software policy settings

      • msiexec.exe (PID: 6656)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • drvinst.exe (PID: 1180)
      • slui.exe (PID: 2904)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6656)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • drvinst.exe (PID: 1180)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6656)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6656)
    • Checks proxy server information

      • slui.exe (PID: 2904)
No Malware configuration.

TRiD

.exe | InstallShield setup (27.1)
.exe | Win32 EXE PECompact compressed (generic) (26.2)
.exe | Win32 Executable MS Visual C++ (generic) (19.6)
.exe | Win64 Executable (generic) (17.4)
.dll | Win32 Dynamic Link Library (generic) (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:29 23:29:47+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 197632
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0x22c58
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2024.1.2.6742
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: This installation was built with InstallAware: http://www.installaware.com
CompanyName: Objectif Lune Inc
FileDescription: PlanetPress Printer Installation
FileVersion: 2024.1.2.6742
LegalCopyright: © Objectif Lune Inc All rights reserved
ProductName: PlanetPress Printer
ProductVersion: 2024.1.2.6742
Total processes: 140
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start; 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; planetpress printer standalone.exe; msiexec.exe; msiexec.exe (no specs); drvinst.exe; spoolsv.exe (no specs); slui.exe; 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (no specs)

Process information

PID: 1040
CMD: C:\WINDOWS\System32\spoolsv.exe
Path: C:\Windows\System32\spoolsv.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Spooler SubSystem App
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1180
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{9649dfe6-4bc2-504e-844b-5d516c40734c}\pps.inf" "9" "40760e1df" "00000000000001D4" "WinSta0\Default" "00000000000001E4" "208" "c:\users\admin\appdata\local\temp\ppsuite7driver"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 2904
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5728
CMD: "C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Company: Objectif Lune Inc
Integrity Level: HIGH
Description: PlanetPress Printer Installation
Exit code: 0
Version: 2024.1.2.6742
Modules
Images
c:\users\admin\desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6060
CMD: "C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Company: Objectif Lune Inc
Integrity Level: MEDIUM
Description: PlanetPress Printer Installation
Exit code: 3221226540
Version: 2024.1.2.6742
Modules
Images
c:\users\admin\desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6300
CMD: ".\PlanetPress Printer Standalone.exe" /m="C:\Users\admin\Desktop\2025-0~1.EXE" /k=""
Path: C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.exe
Parent process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
User: admin
Company: Objectif Lune Inc
Integrity Level: HIGH
Description: PlanetPress Printer Installation
Exit code: 0
Version: 2024.1.2.6742
Modules
Images
c:\programdata\miabefc.tmp\planetpress printer standalone.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6656
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 7128
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding B5DEB4EEB4A5224774CAAB501609154F
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 16 067
Read events: 15 817
Write events: 241
Delete events: 9

Modification events

Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Operation: write
Name: IsHostApp
Value:

Process: PlanetPress Printer Standalone.exe (PID: 6300)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\PlanetPress Printer Standalone.exe
Operation: write
Name: IsHostApp
Value:

Process: msiexec.exe (PID: 6656)
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 001A0000E240D650F2CFDB01

Process: msiexec.exe (PID: 6656)
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 064021156B6DB27228565096B6E6F55042D5F0AEB3721CA0DF4FCFA5E568A3BA

Process: msiexec.exe (PID: 6656)
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: msiexec.exe (PID: 6656)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{DFC3F3C4-ABA0-446D-AEB0-8A0C47F8A942}
Operation: write
Name: DisplayName
Value: PlanetPress Printer

Process: msiexec.exe (PID: 6656)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\4C3F3CFD0ABAD644EA0BA8C0748F9A24
Operation: write
Name: FEATURE_ID
Value:

Process: msiexec.exe (PID: 6656)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4C3F3CFD0ABAD644EA0BA8C0748F9A24\Features
Operation: write
Name: FEATURE_ID
Value:

Process: msiexec.exe (PID: 6656)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

Process: msiexec.exe (PID: 6656)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\10d1ea.rbs
Value: 31182834
Executable files: 31
Suspicious files: 25
Text files: 41
Unknown types: 24

Dropped files

PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.res; Type:
MD5:
SHA256:
PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\46E20F9E\olps3001.cat; Type: cat
MD5:64C84FB70FAD90B881F140EEE7F13162
SHA256:68ADB9B2D1F61D2287BBC7AA4586F4162FAF3B5FC407D442CC5B770DEC648E48
PID: 6300; Process: PlanetPress Printer Standalone.exe; Filename: C:\Users\admin\AppData\Local\IIIQF\7z.dll; Type: executable
MD5:31CAD6A3EDD1C32981AD6B565CBEAC94
SHA256:B8521ABDA09EC17DDAD36528C1BC50395DC8C5F7C11C026A5B3FF23110C54182
PID: 6300; Process: PlanetPress Printer Standalone.exe; Filename: C:\Users\admin\AppData\Local\Temp\mia.tmp; Type: text
MD5:C936B686DCA25B0C9E20703F8B15FAD0
SHA256:DAA36420BFE153CF6950E5776D24A53E05768E206734285F1FBFEF9300C5F459
PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\data\PlanetPress Printer Standalone.msi; Type: executable
MD5:1F769B5B794CA7A41E3261174371DB7F
SHA256:D96293A11CC85D43EF97B65F3126B0088F898F29D383B41C1AB76D457B875FCA
PID: 6300; Process: PlanetPress Printer Standalone.exe; Filename: C:\Users\admin\AppData\Local\Temp\mia1\componentstree.dfm; Type: image
MD5:7ABD6BD2B201E76EA624B72EC854E178
SHA256:B7E2337DDFE813C051D10B5CBBBBDC7FCD0EEF4B5B2621C3A77D6B91743C0F4D
PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\46E20F9E\ol001x64.cat; Type: cat
MD5:A5F71F9E41611102980687D701297B33
SHA256:DE16E87D93A5D37826AD0A84DEB6BB0FA4BDC266D5F2B4A5629EE97BE6453CA4
PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\46E20F9E\pps.inf; Type: binary
MD5:2F0E86DE99AAAC737801B2EF53EB2F4E
SHA256:C53E6CE053C04978182FA8EA481D087107C30B1F206C3A0909EE84923DE821BD
PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.exe; Type: executable
MD5:A1702D42B0396A02F9DE60A4D9993954
SHA256:E3B4F446B1FA623CA1DD7EC7C1C402FEBC574A7AF783B6B232716033B5FD8CBD
PID: 5728; Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe; Filename: C:\ProgramData\miaBEFC.tmp\mia.lib; Type: executable
MD5:35E256EEC0EE6B300432B0FD160124FB
SHA256:17DA59160C2CE9794C079C8DD7AF6630B77FDB063A59D681932C671AB0420E83
HTTP(S) requests: 9
TCP/UDP connections: 23
DNS requests: 7
Threats: 0

HTTP requests

PID: 5796; Process: svchost.exe; Method: GET; HTTP Code: 200; IP: 2.16.168.114:80; URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl; CN: unknown; Reputation: whitelisted
PID: 1180; Process: RUXIMICS.exe; Method: GET; HTTP Code: 200; IP: 2.16.168.114:80; URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl; CN: unknown; Reputation: whitelisted
PID: 5796; Process: svchost.exe; Method: GET; HTTP Code: 200; IP: 95.101.149.131:80; URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl; CN: unknown; Reputation: whitelisted
PID: 1180; Process: RUXIMICS.exe; Method: GET; HTTP Code: 200; IP: 95.101.149.131:80; URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl; CN: unknown; Reputation: whitelisted
PID: 6656; Process: msiexec.exe; Method: GET; HTTP Code: 200; IP: 2.17.190.73:80; URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAJ8pru20T29OnAB5zu%2FLg4%3D; CN: unknown; Reputation: whitelisted
Method: POST; HTTP Code: 500; IP: 40.91.76.224:443; URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail; CN: unknown; Type: xml; Size: 512 b; Reputation: whitelisted
Method: POST; HTTP Code: 500; IP: 40.91.76.224:443; URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail; CN: unknown; Type: xml; Size: 512 b; Reputation: whitelisted
PID: 6656; Process: msiexec.exe; Method: GET; HTTP Code: 200; IP: 2.17.190.73:80; URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D; CN: unknown; Reputation: whitelisted
PID: 6656; Process: msiexec.exe; Method: GET; HTTP Code: 200; IP: 2.17.190.73:80; URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D; CN: unknown; Reputation: whitelisted

Connections

PID: 4; Process: System; IP: 192.168.100.255:137; Reputation: whitelisted
PID: 5796; Process: svchost.exe; IP: 51.124.78.146:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
PID: 1180; Process: RUXIMICS.exe; IP: 51.124.78.146:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
IP: 51.124.78.146:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
PID: 4; Process: System; IP: 192.168.100.255:138; Reputation: whitelisted
PID: 1180; Process: RUXIMICS.exe; IP: 2.16.168.114:80; Domain: crl.microsoft.com; ASN: Akamai International B.V.; CN: RU; Reputation: whitelisted
PID: 5796; Process: svchost.exe; IP: 2.16.168.114:80; Domain: crl.microsoft.com; ASN: Akamai International B.V.; CN: RU; Reputation: whitelisted
PID: 1180; Process: RUXIMICS.exe; IP: 95.101.149.131:80; Domain: www.microsoft.com; ASN: Akamai International B.V.; CN: NL; Reputation: whitelisted
PID: 5796; Process: svchost.exe; IP: 95.101.149.131:80; Domain: www.microsoft.com; ASN: Akamai International B.V.; CN: NL; Reputation: whitelisted
PID: 5796; Process: svchost.exe; IP: 40.127.240.158:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; Reputation: whitelisted

DNS requests

Domain: settings-win.data.microsoft.com; IP: 51.124.78.146, 40.127.240.158; Reputation: whitelisted
Domain: google.com; IP: 142.250.186.78; Reputation: whitelisted
Domain: crl.microsoft.com; IP: 2.16.168.114, 2.16.168.124; Reputation: whitelisted
Domain: www.microsoft.com; IP: 95.101.149.131; Reputation: whitelisted
Domain: ocsp.digicert.com; IP: 2.17.190.73; Reputation: whitelisted
Domain: activation-v2.sls.microsoft.com; IP: 40.91.76.224; Reputation: whitelisted

Threats

No threats detected
No debug info