File name: 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex

Full analysis: https://app.any.run/tasks/4e9ade50-f94d-4150-815b-973bf2a744ac
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 21, 2025, 22:32:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: babuk, ransomware, auto-download
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 691363D7D246853FDA6D66C929562CE9
SHA1: CC72D25964DA3E7B4C076CA51BD10A94946AF26B
SHA256: 88B67A8C39AF420B3A1D7CA04103458196A9ED918A394D7C060D20979864FA87
SSDEEP: 3072:EQ/fcml0hfBZU5I3e991Q+gyV/nv7Elz9FB97Zxzno3JIg/3Qe9YrrB7AFZpDvXU:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BABUK mutex has been found

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Deletes shadow copies

      • cmd.exe (PID: 1296)
      • cmd.exe (PID: 5904)
    • RANSOMWARE has been detected

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Renames files like ransomware

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Reads security settings of Internet Explorer

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Creates file in the systems drive root

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
  • INFO

    • Reads the machine GUID from the registry

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Reads the computer name

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Process checks computer location settings

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Checks supported languages

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Creates files or folders in the user directory

      • 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (PID: 6640)
    • Manual execution by a user

      • notepad.exe (PID: 6216)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6216)
    • Reads the software policy settings

      • slui.exe (PID: 5744)
    • Checks proxy server information

      • slui.exe (PID: 5744)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:03:23 19:22:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.27
CodeSize: 74752
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0xabc0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 143
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes, in order: start; #BABUK 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); vssadmin.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); vssadmin.exe (no specs); slui.exe; notepad.exe (no specs); rundll32.exe (no specs); explorer.exe (no specs); COpenControlPanel (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

PID: 1296
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\System32\cmd.exe
Parent process: 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1740
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

PID: 2368
CMD: C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

PID: 2680
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

PID: 2952
CMD: vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 4040
CMD: vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 4868
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5744
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5904
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\System32\cmd.exe
Parent process: 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 6216
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Downloads\How To Restore Your Files.txt"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

Total events: 7 088
Read events: 7 065
Write events: 21
Delete events: 2

Modification events

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx

(PID) Process: (2368) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation: write
Name: Locked
Value: 1

(PID) Process: (2368) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Operation: write
Name: ITBar7Layout

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\257\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}
Operation: write
Name: Mode
Value: 1

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\257\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}
Operation: write
Name: LogicalViewMode
Value: 3

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\257\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}
Operation: write
Name: FFlags
Value: 18874369

(PID) Process: (2368) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\257\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}
Operation: write
Name: IconSize
Value: 48

Executable files: 1
Suspicious files: 61
Text files: 109
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\BOOTNXT.babyk | binary
MD5: 93B885ADFE0DA089CDF634904FD59F71
SHA256: 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\Documents\How To Restore Your Files.txt | text
MD5: BEACC1C9772892395922791A920349BD
SHA256: 4BBBB01170790336B9EE648B794CED3326D8B74BD8456E61F9E6ADDD8446BD73

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\.ms-ad\How To Restore Your Files.txt | text
MD5: BEACC1C9772892395922791A920349BD
SHA256: 4BBBB01170790336B9EE648B794CED3326D8B74BD8456E61F9E6ADDD8446BD73

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\bootTel.dat.babyk | binary
MD5: 5C95D04D8A6FEF2C823E9538BD0A1B38
SHA256: FDD46368879C37E8002FE3CD17BF800A066B3D5A870DCE8B8D69D19C4513D485

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\Contacts\How To Restore Your Files.txt | text
MD5: BEACC1C9772892395922791A920349BD
SHA256: 4BBBB01170790336B9EE648B794CED3326D8B74BD8456E61F9E6ADDD8446BD73

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\Documents\junehave.rtf.babyk | text
MD5: 7ABB90B6EF3807E8B799EBFD30B69503
SHA256: B24D485FC877D68996799A46425D1F0096D2BCD3B32D05586BF4726F469DA4A2

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\How To Restore Your Files.txt | text
MD5: BEACC1C9772892395922791A920349BD
SHA256: 4BBBB01170790336B9EE648B794CED3326D8B74BD8456E61F9E6ADDD8446BD73

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\Desktop\painrepublic.rtf.babyk | text
MD5: 798A695A832F7E3E56CD2D990C59F97C
SHA256: 7F89E1599FF79E83524E7C856F923327104E6536CDECB36B6AE751FF4C2BFB32

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\Desktop\itselfsubjects.png.babyk | image
MD5: 6B1559CDFA6C93526D5F2D6FC54F820C
SHA256: 5B85AE3AC8F2C775B720CAD1B0965D6071FF7DE1D2C7B231E454E9E80E297EFD

6640 | 2025-06-21_691363d7d246853fda6d66c929562ce9_babuk_destroyer_elex.exe | C:\Users\admin\AppData\Roaming\How To Restore Your Files.txt | text
MD5: BEACC1C9772892395922791A920349BD
SHA256: 4BBBB01170790336B9EE648B794CED3326D8B74BD8456E61F9E6ADDD8446BD73

HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1812 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 20.189.173.27 | whitelisted

Threats

No threats detected
No debug info