File name: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop

Full analysis: https://app.any.run/tasks/6ff66084-b5c1-4c8b-a5aa-4fcd9c7f28c7
Verdict: Malicious activity
Analysis date: May 28, 2025, 17:02:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: D4A5A885A48C564CE2FF734FF26D17E6
SHA1: 6ED7F3483CD563821F92568965EA0AEB806132AD
SHA256: 235111F9C5636DAA99C9FC64613D3BC08982993C763CB8CE5685677ED784247A
SSDEEP: 98304:LOkw7Bqbjx3qyKpavsNUWcMaBqbjx3qyicgK0xWLcJj01lUf4rGCGyTF0lGvGQG8:eUPr0FPIr0FP2o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Executable content was dropped or overwritten

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • drvinst.exe (PID: 1180)
    • Drops 7-zip archiver for unpacking

      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Reads the Windows owner or organization settings

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
    • Creates a software uninstall entry

      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Creates files in the driver directory

      • drvinst.exe (PID: 1180)
    • Reads security settings of Internet Explorer

      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Executes as Windows Service

      • spoolsv.exe (PID: 1040)
  • INFO

    • Checks supported languages

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • msiexec.exe (PID: 7128)
      • drvinst.exe (PID: 1180)
    • The sample is compiled with English language support

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • drvinst.exe (PID: 1180)
    • Creates files in the program directory

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
    • Reads the computer name

      • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (PID: 5728)
      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • msiexec.exe (PID: 7128)
      • drvinst.exe (PID: 1180)
    • Creates files or folders in the user directory

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
    • Creates files in a temporary directory

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6656)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6656)
    • Reads the software policy settings

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • drvinst.exe (PID: 1180)
      • slui.exe (PID: 2904)
    • Reads the machine GUID from the registry

      • PlanetPress Printer Standalone.exe (PID: 6300)
      • msiexec.exe (PID: 6656)
      • drvinst.exe (PID: 1180)
    • Checks proxy server information

      • slui.exe (PID: 2904)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (27.1)
.exe | Win32 EXE PECompact compressed (generic) (26.2)
.exe | Win32 Executable MS Visual C++ (generic) (19.6)
.exe | Win64 Executable (generic) (17.4)
.dll | Win32 Dynamic Link Library (generic) (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:29 23:29:47+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 197632
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0x22c58
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2024.1.2.6742
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: This installation was built with InstallAware: http://www.installaware.com
CompanyName: Objectif Lune Inc
FileDescription: PlanetPress Printer Installation
FileVersion: 2024.1.2.6742
LegalCopyright: © Objectif Lune Inc All rights reserved
ProductName: PlanetPress Printer
ProductVersion: 2024.1.2.6742
All screenshots are available in the full report
Total processes: 140
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes, in graph order ("no specs" marks a node for which the report carries no detail):
  • start
  • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
  • planetpress printer standalone.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • drvinst.exe
  • spoolsv.exe (no specs)
  • slui.exe
  • 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe (no specs)

Process information

PID: 1040
CMD: C:\WINDOWS\System32\spoolsv.exe
Path: C:\Windows\System32\spoolsv.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Spooler SubSystem App
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1180
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{9649dfe6-4bc2-504e-844b-5d516c40734c}\pps.inf" "9" "40760e1df" "00000000000001D4" "WinSta0\Default" "00000000000001E4" "208" "c:\users\admin\appdata\local\temp\ppsuite7driver"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 2904
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5728
CMD: "C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Parent process: explorer.exe
User:
admin
Company:
Objectif Lune Inc
Integrity Level:
HIGH
Description:
PlanetPress Printer Installation
Exit code:
0
Version:
2024.1.2.6742
Modules
Images
c:\users\admin\desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6060
CMD: "C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Parent process: explorer.exe
User:
admin
Company:
Objectif Lune Inc
Integrity Level:
MEDIUM
Description:
PlanetPress Printer Installation
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the MEDIUM-integrity launch was refused and the installer was re-run elevated as PID 5728)
Version:
2024.1.2.6742
Modules
Images
c:\users\admin\desktop\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6300
CMD: ".\PlanetPress Printer Standalone.exe" /m="C:\Users\admin\Desktop\2025-0~1.EXE" /k=""
Path: C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.exe
Parent process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
User:
admin
Company:
Objectif Lune Inc
Integrity Level:
HIGH
Description:
PlanetPress Printer Installation
Exit code:
0
Version:
2024.1.2.6742
Modules
Images
c:\programdata\miabefc.tmp\planetpress printer standalone.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6656
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 7128
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding B5DEB4EEB4A5224774CAAB501609154F
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
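The process table above gives parents by image name and prints exit codes as unsigned decimals, which hides the one interesting value in it: PID 6060 exited with 3221226540, an NTSTATUS, while PID 5728 is the same image run again at HIGH integrity. The Python below is an added example for triaging such a table; it is not part of the ANY.RUN report. The eight process records are constructed from the table, the `Proc` record type, the NTSTATUS lookup table and the function names are the example's own, and the "elevation relaunch" heuristic it implements is a generic one: an instance of an image dying with STATUS_ELEVATION_REQUIRED while another instance of the same image runs at a higher integrity level.

```python
from dataclasses import dataclass
from typing import Optional

SAMPLE = ("2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_"
          "hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe")


@dataclass(frozen=True)
class Proc:
    """One row of a sandbox process table (record type defined by this example)."""
    pid: int
    image: str                        # full path of the executable
    parent: str                       # parent image name, as the report gives it
    integrity: str                    # LOW / MEDIUM / HIGH / SYSTEM
    exit_code: Optional[int] = None   # None: the report records no exit code


# Constructed from the "Process information" section of the report above.
PROCESSES = [
    Proc(1040, r"C:\Windows\System32\spoolsv.exe", "services.exe", "SYSTEM"),
    Proc(1180, r"C:\Windows\System32\drvinst.exe", "svchost.exe", "SYSTEM", 0),
    Proc(2904, r"C:\Windows\System32\slui.exe", "svchost.exe", "MEDIUM", 0),
    Proc(5728, rf"C:\Users\admin\Desktop\{SAMPLE}", "explorer.exe", "HIGH", 0),
    Proc(6060, rf"C:\Users\admin\Desktop\{SAMPLE}", "explorer.exe", "MEDIUM", 3221226540),
    Proc(6300, r"C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.exe", SAMPLE, "HIGH", 0),
    Proc(6656, r"C:\Windows\System32\msiexec.exe", "services.exe", "SYSTEM"),
    Proc(7128, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe", "HIGH", 0),
]

# Subset of ntstatus.h values that commonly appear as sandbox exit codes.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
STATUS_ELEVATION_REQUIRED = 0xC000042C
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def decode_exit_code(code: Optional[int]) -> str:
    """Render an exit code the way a triager wants to read it.

    Sandboxes print the 32-bit exit code as an unsigned decimal. A value with the
    top two bits set (>= 0xC0000000) is an NTSTATUS error, not a program-defined code.
    """
    if code is None:
        return "no exit code recorded"
    if code >= 0xC0000000:
        return f"0x{code:08X} ({NTSTATUS.get(code, 'unlisted NTSTATUS')})"
    return str(code)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def children_by_parent(procs: list[Proc]) -> dict[str, list[int]]:
    """Parent image name -> sorted child PIDs. The report names parents by image,
    not by PID, so the tree is keyed by lower-cased basename."""
    tree: dict[str, list[int]] = {}
    for p in procs:
        tree.setdefault(p.parent.lower(), []).append(p.pid)
    return {k: sorted(v) for k, v in tree.items()}


def find_elevation_relaunch(procs: list[Proc]) -> list[tuple[int, int]]:
    """Return (failed_pid, elevated_pid) pairs: one instance of an image died with
    STATUS_ELEVATION_REQUIRED and another instance of the same image ran at a
    higher integrity level. This is what a requireAdministrator manifest plus an
    accepted UAC prompt looks like in a process list; by itself it is not malicious."""
    by_image: dict[str, list[Proc]] = {}
    for p in procs:
        by_image.setdefault(p.image.lower(), []).append(p)
    pairs = []
    for group in by_image.values():
        for failed in group:
            if failed.exit_code != STATUS_ELEVATION_REQUIRED:
                continue
            for other in group:
                if other.pid != failed.pid and \
                        INTEGRITY_RANK[other.integrity] > INTEGRITY_RANK[failed.integrity]:
                    pairs.append((failed.pid, other.pid))
    return sorted(pairs)


if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.pid:>5} {p.integrity:<6} {basename(p.image):<40.40} exit={decode_exit_code(p.exit_code)}")
    print("children of explorer.exe:", children_by_parent(PROCESSES)["explorer.exe"])
    for failed, elevated in find_elevation_relaunch(PROCESSES):
        print(f"PID {failed} exited with STATUS_ELEVATION_REQUIRED; PID {elevated} is its elevated relaunch")
```

Run against the report's data, the heuristic pairs PID 6060 with PID 5728, and the tree shows both as children of explorer.exe with the extracted `PlanetPress Printer Standalone.exe` (PID 6300) under the elevated one. The same two functions apply unchanged to any report that lists image path, parent image, integrity level and exit code.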
Total events: 16 067
Read events: 15 817
Write events: 241
Delete events: 9

Modification events

(PID) Process: (5728) 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Operation: write
Name: IsHostApp
Value:

(PID) Process: (6300) PlanetPress Printer Standalone.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\PlanetPress Printer Standalone.exe
Operation: write
Name: IsHostApp
Value:

(PID) Process: (6656) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 001A0000E240D650F2CFDB01

(PID) Process: (6656) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 064021156B6DB27228565096B6E6F55042D5F0AEB3721CA0DF4FCFA5E568A3BA

(PID) Process: (6656) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6656) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{DFC3F3C4-ABA0-446D-AEB0-8A0C47F8A942}
Operation: write
Name: DisplayName
Value: PlanetPress Printer

(PID) Process: (6656) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\4C3F3CFD0ABAD644EA0BA8C0748F9A24
Operation: write
Name: FEATURE_ID
Value:

(PID) Process: (6656) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4C3F3CFD0ABAD644EA0BA8C0748F9A24\Features
Operation: write
Name: FEATURE_ID
Value:

(PID) Process: (6656) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

(PID) Process: (6656) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\10d1ea.rbs
Value: 31182834
Executable files: 31
Suspicious files: 25
Text files: 41
Unknown types: 24

Dropped files

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.res
MD5:
SHA256:

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\1CC2BD24\PPSPS.dll
Type: executable
MD5: 19A4A86D1E82E99DD3D170FCD78A2789
SHA256: F1758E074AC73BBBBA065656E2C486B76F4FDD0ED235E69C099C6C483E478FD8

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\mia.lib
Type: executable
MD5: 35E256EEC0EE6B300432B0FD160124FB
SHA256: 17DA59160C2CE9794C079C8DD7AF6630B77FDB063A59D681932C671AB0420E83

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\46E20F9E\ol001x64.cat
Type: cat
MD5: A5F71F9E41611102980687D701297B33
SHA256: DE16E87D93A5D37826AD0A84DEB6BB0FA4BDC266D5F2B4A5629EE97BE6453CA4

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\46E20F9E\pps.inf
Type: binary
MD5: 2F0E86DE99AAAC737801B2EF53EB2F4E
SHA256: C53E6CE053C04978182FA8EA481D087107C30B1F206C3A0909EE84923DE821BD

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\7724F465\PPS.INI
Type: text
MD5: 6FF201DDF8DCB09B483332F6723C23AE
SHA256: CE24A3BD307B800FE1EDE83CCFCB1C231D73C7D1AE14D94AFCEC7C88A949DF08

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\7724F465\PPS.ppd
Type: ppd
MD5: D5700B2DB5041D1DF7E053EFBC32ED29
SHA256: 1BEF7D73793BFDA86663D72C47AB14CFF595DEBA36609D8BC2E85727D7966146

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\PlanetPress Printer Standalone.msi
Type: executable
MD5: 1F769B5B794CA7A41E3261174371DB7F
SHA256: D96293A11CC85D43EF97B65F3126B0088F898F29D383B41C1AB76D457B875FCA

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\PlanetPress Printer Standalone.msi
Type: executable
MD5: 1F769B5B794CA7A41E3261174371DB7F
SHA256: D96293A11CC85D43EF97B65F3126B0088F898F29D383B41C1AB76D457B875FCA

PID: 5728  Process: 2025-05-28_d4a5a885a48c564ce2ff734ff26d17e6_amadey_darkgate_elex_hijackloader_rhadamanthys_sliver_smoke-loader_stop.exe
Filename: C:\ProgramData\miaBEFC.tmp\data\OFFLINE\98123CB0\49D3CDF2\PPSPS.dll
Type: executable
MD5: 44877D83AF7D9AEFC0D1BAE4CEA4FC43
SHA256: 29867770C95589A74070919C71316DF9D3FACC88C27AEF36ACA8F0916D859C01
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 23
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1180 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5796 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1180 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5796 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6656 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
6656 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
6656 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAJ8pru20T29OnAB5zu%2FLg4%3D | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
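The three GETs from msiexec.exe (PID 6656) to ocsp.digicert.com are the kind of revocation checks Windows makes while verifying an Authenticode signature, and the long path segment is not opaque: per RFC 6960 appendix A.1 it is the DER-encoded OCSPRequest, base64-encoded and URL-escaped. Decoding it offline yields the CertID of each certificate being checked (hash algorithm, issuer name hash, issuer key hash, serial number), so the report alone tells you which certificates in the installer's chain were validated, without the PCAP. The Python below is an added example, not part of the ANY.RUN report; it uses only the standard library, the three URLs are copied from the table above as constructed input, and the minimal DER walker and the function names are the example's own.

```python
import base64
import urllib.parse

# Constructed input: the three OCSP GET URLs issued by msiexec.exe (PID 6656) in the
# report. RFC 6960 A.1: GET {url}/{url-encoding of base64 encoding of the DER OCSPRequest}
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAJ8pru20T29OnAB5zu%2FLg4%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE, OCTET_STRING, INTEGER, OID = 0x30, 0x04, 0x02, 0x06


def der_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos -> (tag, value, next_pos). Handles short and
    definite long-form lengths and rejects the indefinite form, which DER forbids.
    Tags are taken to be single-byte, which holds for everything in an OCSPRequest."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(value: bytes) -> list[tuple[int, bytes]]:
    """Split the contents of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    """Dotted-decimal OBJECT IDENTIFIER from its DER content octets."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url: str) -> list[dict]:
    """Return one dict per CertID in the OCSPRequest carried by an OCSP GET URL."""
    path = urllib.parse.urlsplit(url).path.lstrip("/")
    der = base64.b64decode(urllib.parse.unquote(path), validate=True)
    tag, ocsp_request, end = der_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("OCSPRequest must be exactly one SEQUENCE")
    # OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT OPTIONAL }
    tbs = der_children(ocsp_request)[0][1]
    # TBSRequest ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, requestorName [1] OPTIONAL,
    #                           requestList SEQUENCE OF Request, requestExtensions [2] OPTIONAL }
    request_list = next(v for t, v in der_children(tbs) if t == SEQUENCE)
    cert_ids = []
    for _, request in der_children(request_list):
        # Request ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }
        cert_id = der_children(request)[0][1]
        # CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
        #                       issuerKeyHash OCTET STRING, serialNumber CertificateSerialNumber }
        (alg_tag, alg), (_, name_hash), (_, key_hash), (ser_tag, serial) = der_children(cert_id)
        if alg_tag != SEQUENCE or ser_tag != INTEGER:
            raise ValueError("malformed CertID")
        oid_tag, oid = der_children(alg)[0]
        if oid_tag != OID:
            raise ValueError("hashAlgorithm lacks an OID")
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(decode_oid(oid), decode_oid(oid)),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex().upper(),
        })
    return cert_ids


if __name__ == "__main__":
    for url in OCSP_URLS:
        for cid in parse_ocsp_get_url(url):
            print(f"{cid['hash_alg']}  issuerKeyHash={cid['issuer_key_hash']}  serial={cid['serial']}")
```

The issuerKeyHash is the SHA-1 of the issuer's subjectPublicKey BIT STRING contents (RFC 6960 section 4.1.1), which is the same construction RFC 5280 section 4.2.1.2 gives as method (1) for a Subject Key Identifier, so the hex value can be matched directly against the SKID of a candidate issuer certificate, and the serial then pins down the exact certificate checked. The report carries no certificate chain, so identification is where this example stops; verifying the chain itself needs the dropped MSI or the PCAP.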

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5796 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1180 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1180 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5796 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1180 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5796 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5796 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info