File name:

_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe

Full analysis: https://app.any.run/tasks/241e36d3-1b49-4f42-8e94-b0b6fa761090
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are malware that gives an attacker partial to complete control over an infected computer. They are usually modular, so one implant can offer a wide range of functions for operating on the compromised system; the most common are access to the user's files, webcam and keystrokes. RATs are typically distributed through phishing emails and links.

Analysis date: April 06, 2026, 20:40:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
remotex
rat
websocket
evasion
auto-reg
stealer
ip-check
chromelevator
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

B1F11118C92187CB5A0219554EB2A516

SHA1:

F326F0BF9C8AB5FDC04E0A05FBD55AB38EF37F3D

SHA256:

75A4B975E48C2469DA55BB4BC5FD3C812593F34E676C95ED8EACA3F641BB359E

SSDEEP:

98304:sicwZNhghum09l3YqQxc04TPaOhP3huMBowximn9dkcnlfX1BvE/nvKmO6ybetxH:hwMXGMiX37QJNlCh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • REMOTEX mutex has been found

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 5264)
    • Chromium App-Bound protection bypass detected (YARA)

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
  • SUSPICIOUS

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Uses TASKKILL.EXE to kill Browsers

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Uses WMIC.EXE to obtain CPU information

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Checks for external IP

      • svchost.exe (PID: 2232)
      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Possible stealing of messenger data

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Browser sandbox disabling

      • chrome.exe (PID: 4312)
      • chrome.exe (PID: 7172)
      • chrome.exe (PID: 5660)
      • chrome.exe (PID: 7604)
      • chrome.exe (PID: 6856)
      • chrome.exe (PID: 2960)
      • chrome.exe (PID: 2364)
      • chrome.exe (PID: 5664)
    • There is functionality for capture public ip (YARA)

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Multiple wallet extension IDs have been found

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
  • INFO

    • Reads the computer name

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 5264)
    • Launching a file from a Registry key

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Reads the machine GUID from the registry

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Checks supported languages

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
      • chrome_injector.exe (PID: 7944)
      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 5264)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2728)
      • WMIC.exe (PID: 2268)
      • WMIC.exe (PID: 6012)
      • WMIC.exe (PID: 2268)
      • WMIC.exe (PID: 2132)
      • WMIC.exe (PID: 2748)
    • Create files in a temporary directory

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Manual execution by a user

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 5264)
    • Creates files or folders in the user directory

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Application launched itself

      • chrome.exe (PID: 4396)
      • chrome.exe (PID: 4312)
      • chrome.exe (PID: 5448)
    • There is functionality for taking screenshot (YARA)

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Application based on Golang

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
    • Detects GO elliptic curve encryption (YARA)

      • _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe (PID: 420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 5696000
InitializedDataSize: 1962496
UninitializedDataSize: -
EntryPoint: 0x7c660
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
211
Monitored processes
74
Malicious processes
3
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 416
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6460,i,7213578132437360957,9050337066810411521,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6292 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 420
CMD: "C:\Users\admin\Desktop\_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe"
Path: C:\Users\admin\Desktop\_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 1180
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5076,i,7213578132437360957,9050337066810411521,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5656 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1268
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffe22f9fff8,0x7ffe22fa0004,0x7ffe22fa0010
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1352
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3756,i,7213578132437360957,9050337066810411521,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2568 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1772
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: chrome_injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
3765269347
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2016
CMD: netsh advfirewall firewall add rule "name=RemoteX Client In" dir=in action=allow program=C:\Users\admin\Desktop\_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Path: C:\Windows\System32\netsh.exe
Parent process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2116
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3764,i,7213578132437360957,9050337066810411521,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=3784 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2132
CMD: wmic cpu get name
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\iphlpapi.dll
PID: 2220
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6684 -s 740
Path: C:\Windows\System32\WerFault.exe
Parent process: chrome.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
7 719
Read events
7 718
Write events
1
Delete events
0

Modification events

(PID) Process: (420) _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: RemoteX
Value: C:\Users\admin\Desktop\_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Executable files
0
Suspicious files
6
Text files
16
Unknown types
231

Dropped files

PID
Process
Filename
Type
PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite.rxcopy-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite.rxcopy
Type: binary
MD5: 34B2848FBEDBF3D43462938703592DBC
SHA256: 6CF535DAEEC70899C28C0C6127F210900C2999A97189DEDDA415987D0F353A72

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\Temp\rxinj2134729108\chrome_injector.exe
Type: binary
MD5: 1D04536714BB22A3E909525A7DD627F0
SHA256: E857298FD2F8D1C7D48780769433F33E7B3CEAAE5EA5A74C13CE8C10BCC7B690

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Default\Secure Preferences
Type: binary
MD5: F9BD800C5126EA6CDCF6244F71C83FA6
SHA256: 8379F5AE4E145C4D4513AE7497201C1EE9AD97A0A1567136B16F3837F87E3CC1

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Default\Preferences
Type: binary
MD5: B2FBAFDBAD74445DC8B3DD1C81E58DFB
SHA256: F233FDE272BA7D65C704674CE0C536D29B592C38C9F1A5EF04E626429F461C06

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Local State
Type: text
MD5: D513ECFFE446763EF0D61B8150D397DA
SHA256: 89B2FF3035FBBD25E7D702E3E6D096175C62E639C12298A92CAB3D9AEDAB32D9

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Default\Login Data
Type: binary
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Default\Login Data For Account
Type: binary
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Default\Web Data
Type: binary
MD5: 9815AE2E8A4DC9C87A80F2997FFE09B7
SHA256: CEDF71B38DAC654BD34348EA31F92BE9F7A18BA5AB4A8709C36BA796266B23F9

PID: 420 | Process: _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Filename: C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging\Default\Network\Cookies
Type: binary
MD5: 17D64271D89F9032A8835D30FEE7A1F4
SHA256: 0661263A4836DC9F0C822F8279EDF86BD4883C4B534F4DCF7361E5F2F51C7B4B
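The netsh rule (PID 2016), the HKCU Run value named RemoteX and the dropped-file list above are the three host-side behaviours an analyst would want to find again in telemetry from other machines: a firewall allow-rule for an executable sitting in a user profile, a Run-key entry pointing at the same file, and copies of browser credential stores (Chrome "Local State", "Login Data", "Cookies", "Web Data"; Firefox cookies.sqlite) written outside, or duplicated inside, their profile directories. The script below is an added example, not ANY.RUN's code or the sample's: it rebuilds those observations as constructed Sysmon-style records (the record kinds and field names are my own simplification, not a real schema) and runs a handful of rules over them. The taskkill command line is constructed too; the report names the behaviour ("Uses TASKKILL.EXE to kill Browsers") but does not show the command.

```python
"""Host-side triage rules for the behaviour in this report (added example, not
ANY.RUN's or the sample's code).  RECORDS is constructed from the report's
process, registry and dropped-file tables and shaped as a simplified
Sysmon-style feed; the record kinds and field names are my own, not a real
schema.  The taskkill command line is constructed: the report names the
behaviour but does not show it."""
import re

# Browser credential / cookie stores the sample staged (lower-cased basenames).
BROWSER_STORES = {
    "login data", "login data for account", "cookies", "web data",
    "local state", "cookies.sqlite",
}
# Where those files legitimately live; a copy anywhere else is staging.
PROFILE_ROOTS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\mozilla\firefox\profiles",
)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
NETSH_ADD = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?P<prog>\S+)", re.I)
TASKKILL_BROWSER = re.compile(r"taskkill\b.*/im\s+(chrome|msedge|firefox|brave)\.exe", re.I)
WMIC_CPU = re.compile(r"\bwmic\b.*\bcpu\b.*\bget\b", re.I)
COPY_SUFFIX = re.compile(r"\.rxcopy(-shm|-wal)?$")   # suffixes seen on the Firefox copies


def check_process(cmdline: str) -> list[str]:
    """Rules for one process-creation record; returns zero or more findings."""
    findings = []
    m = NETSH_ADD.search(cmdline)
    if m and USER_WRITABLE.match(m.group("prog")):
        findings.append("firewall allow rule for a user-writable executable: " + m.group("prog"))
    if TASKKILL_BROWSER.search(cmdline):
        findings.append("browser killed (releases its locked SQLite stores)")
    if WMIC_CPU.search(cmdline):
        findings.append("hardware fingerprinting via wmic cpu")
    return findings


def check_registry(key: str, name: str, value: str) -> list[str]:
    """Rule for one registry value-set record: a Run key pointing into a user profile."""
    if key.lower().endswith(RUN_KEY) and USER_WRITABLE.match(value):
        return [f"Run-key persistence '{name}' -> {value}"]
    return []


def check_file(path: str) -> list[str]:
    """Rules for one file-create record."""
    findings = []
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    stem = COPY_SUFFIX.sub("", base)          # cookies.sqlite.rxcopy-shm -> cookies.sqlite
    if stem in BROWSER_STORES:
        if not any(root in low for root in PROFILE_ROOTS):
            findings.append("browser store copied outside its profile: " + path)
        elif stem != base:
            findings.append("browser store duplicated inside the profile: " + base)
    if base.endswith(".exe") and r"\appdata\local\temp" in low:
        findings.append("executable dropped under Temp: " + path)
    return findings


def triage(records):
    """Run every rule over (kind, fields) records; returns (kind, pid, finding) tuples."""
    out = []
    for kind, r in records:
        if kind == "process":
            hits = check_process(r["cmd"])
        elif kind == "registry":
            hits = check_registry(r["key"], r["name"], r["value"])
        else:
            hits = check_file(r["path"])
        out.extend((kind, r["pid"], h) for h in hits)
    return out


SAMPLE = r"C:\Users\admin\Desktop\_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe"
STAGING = r"C:\Users\admin\AppData\Local\RemoteX\Profiles\chrome.staging"
FFPROFILE = r"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release"

# Constructed from the report's tables; not a captured log.
RECORDS = [
    ("process", {"pid": 2016, "cmd": 'netsh advfirewall firewall add rule "name=RemoteX Client In" '
                                     "dir=in action=allow program=" + SAMPLE}),
    ("process", {"pid": 2132, "cmd": "wmic cpu get name"}),
    ("process", {"pid": 0, "cmd": "taskkill /F /IM chrome.exe"}),          # constructed
    ("registry", {"pid": 420, "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "name": "RemoteX", "value": SAMPLE}),
    ("file", {"pid": 420, "path": FFPROFILE + r"\cookies.sqlite.rxcopy-shm"}),
    ("file", {"pid": 420, "path": FFPROFILE + r"\cookies.sqlite.rxcopy"}),
    ("file", {"pid": 420, "path": r"C:\Users\admin\AppData\Local\Temp\rxinj2134729108\chrome_injector.exe"}),
    ("file", {"pid": 420, "path": STAGING + r"\Local State"}),
    ("file", {"pid": 420, "path": STAGING + r"\Default\Login Data"}),
    ("file", {"pid": 420, "path": STAGING + r"\Default\Network\Cookies"}),
    ("file", {"pid": 420, "path": STAGING + r"\Default\Preferences"}),     # not a credential store
    # Control: the real Chrome profile, which the rules must not flag.
    ("file", {"pid": 4396, "path": r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"}),
]

if __name__ == "__main__":
    for kind, pid, finding in triage(RECORDS):
        print(f"{kind:8} pid={pid:<5} {finding}")
```

The browser-store rule keys on the file's basename rather than on the RemoteX directory name, so it also fires if the same staging is done under a different folder; the Firefox copies sit inside the genuine profile directory, which is why a second branch looks at the `.rxcopy` suffix instead. The `-shm` companion next to the Firefox copy is SQLite's WAL shared-memory file, which only exists once a database has been opened, so the stealer read cookies out of its copy rather than merely duplicating the file. The Run-key rule deliberately ignores values under Program Files; that is where most legitimate autoruns point.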
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
153
TCP/UDP connections
87
DNS requests
61
Threats
48

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5584
svchost.exe
GET
200
23.220.113.225:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
2432
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
binary
512 b
whitelisted
5584
svchost.exe
GET
200
23.55.110.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
GET
200
104.26.12.205:443
https://api.ipify.org/
US
binary
12 b
unknown
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
GET
101
65.109.103.93:80
http://65.109.103.93/ws/client?id=RX-1F1CAE3E012248B3
DE
unknown
5316
svchost.exe
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
US
binary
1.24 Kb
whitelisted
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
GET
200
104.26.12.205:443
https://api.ipify.org/
US
binary
12 b
unknown
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
GET
101
212.162.150.121:80
http://212.162.150.121/ws/client?id=RX-1F1CAE3E012248B3
US
unknown
2432
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
binary
512 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.7:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
5584
svchost.exe
23.55.110.211:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5584
svchost.exe
23.220.113.225:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5208
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2432
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
65.109.103.93:80
HETZNER-AS
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 92.123.104.7
  • 92.123.104.65
  • 92.123.104.66
  • 92.123.104.52
  • 92.123.104.63
  • 92.123.104.50
  • 92.123.104.61
  • 92.123.104.37
  • 92.123.104.47
whitelisted
google.com
  • 142.250.187.238
whitelisted
crl.microsoft.com
  • 23.55.110.211
  • 23.55.110.193
whitelisted
www.microsoft.com
  • 23.220.113.225
  • 72.246.29.11
whitelisted
api.ipify.org
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.1
  • 40.126.31.3
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.131
  • 40.126.31.131
  • 20.190.159.71
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted

Threats

PID
Process
Class
Message
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Misc activity
ET INFO Go-http-client User-Agent Observed Outbound
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2232
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Misc activity
ET INFO Go-http-client User-Agent Observed Outbound
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
420
_75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Device Retrieving External IP Address Detected
ET INFO External IP Lookup api.ipify.org
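Note what the Threats table does and does not say about the command channel. The two HTTP 101 responses from 65.109.103.93 and 212.162.150.121 (same client id `RX-1F1CAE3E012248B3` on `/ws/client`, over plain HTTP on port 80) are logged only as "INFO [ANY.RUN] Websocket Upgrade Request" in the "Not Suspicious Traffic" class; the alerts that actually fired are on Go's default User-Agent and on the api.ipify.org lookup. A detection for the beacon itself therefore has to key on the pattern: an upgrade to a bare IP on `/ws/client` with an `id=RX-<16 hex>` parameter. The script below is an added example, not ANY.RUN's or the sample's code. Its input is a constructed, whitespace-separated proxy-style log rebuilt from the HTTP table above; the report shows no User-Agent column, so the `Go-http-client/1.1` value is taken from the ET signatures that fired and the svchost.exe value is plausible filler.

```python
"""Network-side detection for the RemoteX-style check-in in this report (added
example, not ANY.RUN's or the sample's code).  SAMPLE_LOG is a constructed,
whitespace-separated proxy-style log (pid process method status dst url ua)
rebuilt from the report's HTTP table.  The report shows no User-Agent column:
the Go-http-client value comes from the ET signatures that fired, and the
svchost.exe UA is plausible filler."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
5584 svchost.exe GET 200 23.220.113.225:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl Microsoft-CryptoAPI/10.0
420 _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe GET 200 104.26.12.205:443 https://api.ipify.org/ Go-http-client/1.1
420 _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe GET 101 65.109.103.93:80 http://65.109.103.93/ws/client?id=RX-1F1CAE3E012248B3 Go-http-client/1.1
420 _75a4b975e48c2469da55bb4bc5fd3c812593f34e676c95ed8eaca3f641bb359e.exe GET 101 212.162.150.121:80 http://212.162.150.121/ws/client?id=RX-1F1CAE3E012248B3 Go-http-client/1.1
"""

CLIENT_ID = re.compile(r"^RX-[0-9A-F]{16}$")          # id format seen in both check-ins
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}      # both appear in the report's DNS table


def parse_line(line: str) -> dict:
    """Split one constructed log line; the URL is the only field that needs parsing."""
    pid, proc, method, status, dst, url, ua = line.split(None, 6)
    u = urlsplit(url)
    return {"pid": int(pid), "process": proc, "method": method, "status": int(status),
            "dst": dst, "scheme": u.scheme, "host": u.hostname or "", "path": u.path,
            "query": parse_qs(u.query), "ua": ua}


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ws_beacon(rec: dict):
    """Return the RX client id when a record matches the check-in pattern from the
    report: HTTP 101 (WebSocket upgrade) to a bare IP on /ws/client?id=RX-<16 hex>.
    Returns None otherwise."""
    if rec["status"] != 101 or rec["path"] != "/ws/client" or not is_bare_ip(rec["host"]):
        return None
    ids = rec["query"].get("id", [])
    return ids[0] if ids and CLIENT_ID.match(ids[0]) else None


def summarize(log_text: str) -> dict:
    """Pivot values an analyst would take from the log: client id(s), C2 endpoints,
    which of them used plain http (ws://, readable on the wire), and which
    processes did external-IP lookups or carried Go's default User-Agent."""
    recs = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    ids, c2, plain, lookups, go_ua = set(), set(), set(), set(), set()
    for r in recs:
        cid = ws_beacon(r)
        if cid:
            ids.add(cid)
            c2.add(r["dst"])
            if r["scheme"] == "http":
                plain.add(r["dst"])
        if r["host"] in IP_LOOKUP_HOSTS:
            lookups.add(r["process"])
        if r["ua"].startswith("Go-http-client"):
            go_ua.add(r["process"])
    return {"client_ids": sorted(ids), "c2": sorted(c2), "c2_over_plain_http": sorted(plain),
            "ip_lookup_by": sorted(lookups), "go_ua_by": sorted(go_ua)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:20} {value}")
```

Two practical points follow from the output. The same client id reaching two different C2 addresses means the implant carries a fallback list, so the id is the better pivot for correlating hosts and the IPs are the better blocking indicator. The bare-IP test in `ws_beacon` is a precision filter that matches what this sample did; if an operator fronts the same path with a hostname, drop that condition and rely on the 101 status, the path and the id format.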
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Google\Chrome\User Data directory exists )