File name: 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/fd7797c4-707f-4c61-9a71-5436316bafb2
Verdict: Malicious activity
Analysis date: May 29, 2025, 15:37:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: canbis, worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 2FB832A7001CAFF9A3E369DE43EF3C92
SHA1: 78F8FDE013420EB1C831CF3E48F527B8325AE4C0
SHA256: B0D5C284937F57C27E12F6BDA2E353270AB8EE0C89372A13ECD053971106E207
SSDEEP: 98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyh:5MG2czngHMd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 8479468775.exe (PID: 8172)
      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)
    • CANBIS mutex has been found

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
    • Executable content was dropped or overwritten

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • TiWorker.exe (PID: 2384)
    • Process drops legitimate windows executable

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • Reads security settings of Internet Explorer

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • install.exe (PID: 2564)
    • Starts a Microsoft application from unusual location

      • 8479468775.exe (PID: 8172)
      • 8479468775.exe (PID: 7224)
    • Reads the Windows owner or organization settings

      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)
    • Creates file in the systems drive root

      • msiexec.exe (PID: 5404)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
  • INFO

    • Reads the computer name

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • install.exe (PID: 2564)
    • Checks supported languages

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)
    • The sample compiled with english language support

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • Process checks computer location settings

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
    • Failed to create an executable file in Windows directory

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
    • Reads the machine GUID from the registry

      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)
    • The sample compiled with japanese language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • The sample compiled with korean language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • The sample compiled with german language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • The sample compiled with chinese language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • The sample compiled with spanish language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • Create files in a temporary directory

      • install.exe (PID: 2564)
    • Creates files or folders in the user directory

      • install.exe (PID: 2564)
    • Reads the software policy settings

      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
      • slui.exe (PID: 7324)
    • Checks proxy server information

      • install.exe (PID: 2564)
      • slui.exe (PID: 7324)
    • The sample compiled with french language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • The sample compiled with Italian language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5404)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5404)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 140
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Processes shown in the graph, from start:
  • #CANBIS 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
  • 8479468775.exe (no specs)
  • 8479468775.exe
  • install.exe
  • msiexec.exe
  • slui.exe
  • tiworker.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2384
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 2564
CMD: c:\b74784ee94357f50a180008e81929f5c\.\install.exe
Path: C:\b74784ee94357f50a180008e81929f5c\install.exe
Parent process: 8479468775.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: External Installer
Exit code: 0
Version: 9.0.21022.8 built by: RTM
Modules
Images
c:\b74784ee94357f50a180008e81929f5c\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 5404
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 7224
CMD: "C:\Users\admin\Desktop\8479468775.exe"
Path: C:\Users\admin\Desktop\8479468775.exe
Parent process: 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 0
Version: 9.0.21022.08
Modules
Images
c:\users\admin\desktop\8479468775.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7324
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7528
CMD: "C:\Users\admin\Desktop\2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 5
Modules
Images
c:\users\admin\desktop\2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 8172
CMD: "C:\Users\admin\Desktop\8479468775.exe"
Path: C:\Users\admin\Desktop\8479468775.exe
Parent process: 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 3221226540
Version: 9.0.21022.08
Modules
Images
c:\users\admin\desktop\8479468775.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Total events: 16 459
Read events: 16 008
Write events: 380
Delete events: 71

Modification events

(PID) Process: (5404) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 1C150000F1CA9ABBAFD0DB01

(PID) Process: (5404) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 6EAAEF08E84E06F9A4C0688A26A95F6669447EA1F035EEA5FA82A0377659CAD8

(PID) Process: (5404) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: c:\Config.Msi\
Value:

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: c:\Config.Msi\11d4e3.rbs
Value: 31183023

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: c:\Config.Msi\11d4e3.rbsLow
Value:

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA5D9C68C00F12943B2F6CA09FE28244
Operation: write
Name: 153AA053AF120723B8A73845437E66DA
Value: 22:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\SP

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DDA695F96EBE974FAAE0D63A6F7BE67
Operation: write
Name: 153AA053AF120723B8A73845437E66DA
Value: 22:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\RED\1033\Install

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BA48942F9CACEE9458670A5B7550A66C
Operation: write
Name: 153AA053AF120723B8A73845437E66DA
Value: c:\

(PID) Process: (5404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\76C258679BD2A6E478BA99D65D12BD37
Operation: write
Name: 153AA053AF120723B8A73845437E66DA
Value: c:\

Executable files: 84
Suspicious files: 12
Text files: 105
Unknown types: 55

Dropped files

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\vc_red.cab
Type: compressed
MD5: E2758D09B59904CE852E05C8F2827FAF
SHA256: B55461E4A403480A3B70099D7B622A94C0B2C1E94C7ACE3AFB2493E06EA2F8CD

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\vc_red.msi
Type: executable
MD5: D53737CEA320B066C099894ED1780705
SHA256: BE6288737EA9691F29A17202ECCBC0A2E3E1B1B4BACC090CEEE2436970AEC240

PID: 7528
Process: 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\3247095952.exe
Type: executable
MD5: 2FB832A7001CAFF9A3E369DE43EF3C92
SHA256: B0D5C284937F57C27E12F6BDA2E353270AB8EE0C89372A13ECD053971106E207

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\install.exe
Type: executable
MD5: E015A2D8890E2A96A93CA818F834C45B
SHA256: DC1BA9CB15D0808DC2D80CE13ACFA0B07ACDFCFE2CDF94DA47E0E570E7345F6D

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\install.res.1041.dll
Type: executable
MD5: A3946D3C9ED130AF89D1C1A9E63DEAA6
SHA256: AEEC0DFF47BB952F63212655525B598B66B1B17E06B93150389F264BBE2C3235

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\install.res.1036.dll
Type: executable
MD5: 37C8A4717B40540816A3B92C470FD58F
SHA256: 6BA48823DD30CD857280535F303D3AAD407654BE4B7C2A6CE8843D5CA940D74B

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\install.res.2052.dll
Type: executable
MD5: 213BF3AD8A5F31C021BBE011D6460752
SHA256: BA36839B267799CD24471F9D1BF63B16E2B90DA2723CEDDD66F290F4EBDDD9AE

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\install.res.1028.dll
Type: executable
MD5: 8F05FE39BDD336C8FA2A18EC3DFE418C
SHA256: 29EEB7535005A69D7BC503D5A40FDB06E91DB90AEC04D95A39B7868B18AE274D

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\eula.1033.txt
Type: text
MD5: 99C22D4A31F4EAD4351B71D6F4E5F6A1
SHA256: 93A3C629FECFD10C1CF614714EFD69B10E89CFCAF94C2609D688B27754E4AB41

PID: 7224
Process: 8479468775.exe
Filename: C:\b74784ee94357f50a180008e81929f5c\install.res.1031.dll
Type: executable
MD5: 7D9EBB7DCA62BA75361346CAF4EC196B
SHA256: 0AB18D157DC3658438BDBC097565BBDCD2F31447193F864EE327E084D7CBA382

HTTP(S) requests: 26
TCP/UDP connections: 46
DNS requests: 19
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

7892 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7892 | SIHClient.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7892 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7892 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown
7892 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
5796 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6480 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6480 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

4 | System | 192.168.100.255:137 | whitelisted
40.127.240.158:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5796 | svchost.exe | 40.127.240.158:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6480 | RUXIMICS.exe | 40.127.240.158:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | whitelisted
6480 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5796 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
6480 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5796 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Columns: Domain, IP, Reputation

google.com | 142.250.181.238 | whitelisted
uk.undernet.org | unknown
crl.microsoft.com | 2.16.168.114, 2.16.168.124, 23.32.238.107, 23.32.238.112 | whitelisted
www.microsoft.com | 2.23.246.101, 2.23.181.156 | whitelisted
login.live.com | 20.190.160.4, 20.190.160.131, 40.126.32.68, 20.190.160.3, 20.190.160.65, 40.126.32.133, 20.190.160.17, 20.190.160.5 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info