File name:

2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/fd7797c4-707f-4c61-9a71-5436316bafb2
Verdict: Malicious activity
Analysis date: May 29, 2025, 15:37:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

2FB832A7001CAFF9A3E369DE43EF3C92

SHA1:

78F8FDE013420EB1C831CF3E48F527B8325AE4C0

SHA256:

B0D5C284937F57C27E12F6BDA2E353270AB8EE0C89372A13ECD053971106E207

SSDEEP:

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyh:5MG2czngHMd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 8479468775.exe (PID: 8172)
      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)

    • CANBIS mutex has been found

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • TiWorker.exe (PID: 2384)

    • Process drops legitimate windows executable

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • There is functionality for communication over UDP network (YARA)

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)

    • Reads security settings of Internet Explorer

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • install.exe (PID: 2564)

    • Starts a Microsoft application from unusual location

      • 8479468775.exe (PID: 7224)
      • 8479468775.exe (PID: 8172)

    • Reads the Windows owner or organization settings

      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)

    • The process drops C-runtime libraries

      • TiWorker.exe (PID: 2384)
      • msiexec.exe (PID: 5404)

    • Creates file in the systems drive root

      • msiexec.exe (PID: 5404)

  • INFO

    • Checks supported languages

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)

    • Reads the computer name

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)

    • The sample compiled with english language support

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)
      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • Failed to create an executable file in Windows directory

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)

    • Process checks computer location settings

      • 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 7528)

    • Reads the machine GUID from the registry

      • 8479468775.exe (PID: 7224)
      • install.exe (PID: 2564)
      • msiexec.exe (PID: 5404)

    • The sample compiled with japanese language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • The sample compiled with korean language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • The sample compiled with german language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • The sample compiled with french language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • The sample compiled with spanish language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • The sample compiled with Italian language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • Create files in a temporary directory

      • install.exe (PID: 2564)

    • The sample compiled with chinese language support

      • 8479468775.exe (PID: 7224)
      • msiexec.exe (PID: 5404)
      • TiWorker.exe (PID: 2384)

    • Checks proxy server information

      • install.exe (PID: 2564)
      • slui.exe (PID: 7324)

    • Reads the software policy settings

      • install.exe (PID: 2564)
      • TiWorker.exe (PID: 2384)
      • msiexec.exe (PID: 5404)
      • slui.exe (PID: 7324)

    • Creates files or folders in the user directory

      • install.exe (PID: 2564)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5404)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 5404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
7
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #CANBIS 2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe 8479468775.exe no specs 8479468775.exe install.exe msiexec.exe slui.exe tiworker.exe

Process information

PID
CMD
Path
Indicators
Parent process
2384C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2564c:\b74784ee94357f50a180008e81929f5c\.\install.exeC:\b74784ee94357f50a180008e81929f5c\install.exe
8479468775.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
External Installer
Exit code:
0
Version:
9.0.21022.8 built by: RTM
Modules
Images
c:\b74784ee94357f50a180008e81929f5c\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5404C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
7224"C:\Users\admin\Desktop\8479468775.exe" C:\Users\admin\Desktop\8479468775.exe
2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2008 Redistributable Setup
Exit code:
0
Version:
9.0.21022.08
Modules
Images
c:\users\admin\desktop\8479468775.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7324C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7528"C:\Users\admin\Desktop\2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe" C:\Users\admin\Desktop\2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
5
Modules
Images
c:\users\admin\desktop\2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
8172"C:\Users\admin\Desktop\8479468775.exe" C:\Users\admin\Desktop\8479468775.exe2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2008 Redistributable Setup
Exit code:
3221226540
Version:
9.0.21022.08
Modules
Images
c:\users\admin\desktop\8479468775.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
16 459
Read events
16 008
Write events
380
Delete events
71

Modification events

(PID) Process:(5404) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
1C150000F1CA9ABBAFD0DB01
(PID) Process:(5404) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
6EAAEF08E84E06F9A4C0688A26A95F6669447EA1F035EEA5FA82A0377659CAD8
(PID) Process:(5404) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:writeName:c:\Config.Msi\
Value:
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:c:\Config.Msi\11d4e3.rbs
Value:
31183023
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:c:\Config.Msi\11d4e3.rbsLow
Value:
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA5D9C68C00F12943B2F6CA09FE28244
Operation:writeName:153AA053AF120723B8A73845437E66DA
Value:
22:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\SP
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DDA695F96EBE974FAAE0D63A6F7BE67
Operation:writeName:153AA053AF120723B8A73845437E66DA
Value:
22:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\RED\1033\Install
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BA48942F9CACEE9458670A5B7550A66C
Operation:writeName:153AA053AF120723B8A73845437E66DA
Value:
c:\
(PID) Process:(5404) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\76C258679BD2A6E478BA99D65D12BD37
Operation:writeName:153AA053AF120723B8A73845437E66DA
Value:
c:\
Executable files
84
Suspicious files
12
Text files
105
Unknown types
55

Dropped files

PID
Process
Filename
Type
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\install.res.1033.dllexecutable
MD5:43FB29E3A676D26FCBF0352207991523
SHA256:4107F4813BC41ED6A6586D1BA01A5C3703ED60C2DF060CBA6791F449F3689DE7
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\install.res.1042.dllexecutable
MD5:A5CFFE01D83AFECCD9590B4D696AA44E
SHA256:85C532DE2266C5BA75D58E7F848F071082B802D5344A46E234CEE69A5704264F
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\vc_red.cabcompressed
MD5:E2758D09B59904CE852E05C8F2827FAF
SHA256:B55461E4A403480A3B70099D7B622A94C0B2C1E94C7ACE3AFB2493E06EA2F8CD
75282025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exeC:\Users\admin\Desktop\8479468775.exeexecutable
MD5:A31DC1A74F1DEE5CAF63AEC8EBB5FE20
SHA256:BAAAEDDC17BCDA8D20C0A82A9EB1247BE06B509A820D65DDA1342F4010BDB4A0
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\install.exeexecutable
MD5:E015A2D8890E2A96A93CA818F834C45B
SHA256:DC1BA9CB15D0808DC2D80CE13ACFA0B07ACDFCFE2CDF94DA47E0E570E7345F6D
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\vc_red.msiexecutable
MD5:D53737CEA320B066C099894ED1780705
SHA256:BE6288737EA9691F29A17202ECCBC0A2E3E1B1B4BACC090CEEE2436970AEC240
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\install.res.3082.dllexecutable
MD5:FACD045628070999B43EB7C13AB2E0FE
SHA256:A31F7F80C1EB3CBDA64666F80CA49F41FF745DEC063203D59771DB309E31CF26
75282025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exeC:\Users\admin\Desktop\3247095952.exeexecutable
MD5:2FB832A7001CAFF9A3E369DE43EF3C92
SHA256:B0D5C284937F57C27E12F6BDA2E353270AB8EE0C89372A13ECD053971106E207
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\install.res.1028.dllexecutable
MD5:8F05FE39BDD336C8FA2A18EC3DFE418C
SHA256:29EEB7535005A69D7BC503D5A40FDB06E91DB90AEC04D95A39B7868B18AE274D
72248479468775.exeC:\b74784ee94357f50a180008e81929f5c\install.res.1036.dllexecutable
MD5:37C8A4717B40540816A3B92C470FD58F
SHA256:6BA48823DD30CD857280535F303D3AAD407654BE4B7C2A6CE8843D5CA940D74B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
46
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5796
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6480
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6480
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.129:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
5796
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.129:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
20.190.159.0:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
GET
200
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
23.9 Kb
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5796
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6480
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
6480
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5796
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
6480
RUXIMICS.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5796
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6544
svchost.exe
20.190.160.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
uk.undernet.org
unknown
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 2.23.181.156
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.3
  • 20.190.160.65
  • 40.126.32.133
  • 20.190.160.17
  • 20.190.160.5
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-29_2fb832a7001caff9a3e369de43ef3c92_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader