File name:

2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/92c2f7ab-40bc-4de1-9132-b6d163f8db4a
Verdict: Malicious activity
Analysis date: June 02, 2025, 20:46:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx
Indicators: -
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: D5E352B813798F704D059BB99CABF9A5
SHA1: 5E12F0BB3D73E03D4B4269B0AC3FDDF4C18D7971
SHA256: B586653B9B062B79886AF1554B5ACE46C59CED2814B22B0C91FB8668ACAE2796
SSDEEP: 49152:U6hpgV2kJgU9hgf5f5XAKig8z96vAEfYF2wt/umw8zcQKCAiRG7:U6o4dhdAXOHfYFRQ8zP3G7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • cqxfqdpkwz.exe (PID: 4192)
      • jawcphwktj.exe (PID: 716)
    • Reads security settings of Internet Explorer

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • jawcphwktj.exe (PID: 716)
    • Starts a Microsoft application from unusual location

      • cqxfqdpkwz.exe (PID: 4192)
    • Process drops legitimate windows executable

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • cqxfqdpkwz.exe (PID: 4192)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4188)
    • Executing commands from a ".bat" file

      • cqxfqdpkwz.exe (PID: 4192)
    • Starts CMD.EXE for commands execution

      • cqxfqdpkwz.exe (PID: 4192)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6820)
    • Uses pipe srvsvc via SMB (transferring data)

      • bindsvc.exe (PID: 2284)
  • INFO

    • Checks supported languages

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • cqxfqdpkwz.exe (PID: 4192)
      • jawcphwktj.exe (PID: 716)
      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 3156)
      • bindsvc.exe (PID: 2284)
    • Create files in a temporary directory

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • cqxfqdpkwz.exe (PID: 4192)
    • Reads the computer name

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • jawcphwktj.exe (PID: 716)
      • cqxfqdpkwz.exe (PID: 4192)
      • bindsvc.exe (PID: 2284)
    • Process checks computer location settings

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • jawcphwktj.exe (PID: 716)
    • The sample compiled with english language support

      • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6108)
      • cqxfqdpkwz.exe (PID: 4192)
    • Executes as Windows Service

      • SearchIndexer.exe (PID: 5452)
    • UPX packer has been detected

      • bindsvc.exe (PID: 2284)
      • cqxfqdpkwz.exe (PID: 4192)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 5548)
    • Creates files in the program directory

      • SearchIndexer.exe (PID: 5452)
    • Creates files or folders in the user directory

      • bindsvc.exe (PID: 2284)
    • Checks proxy server information

      • slui.exe (PID: 2796)
    • Reads the software policy settings

      • slui.exe (PID: 2796)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:04 08:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 50688
InitializedDataSize: 29184
UninitializedDataSize: -
EntryPoint: 0x7b1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 138
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
  • jawcphwktj.exe
  • cqxfqdpkwz.exe
  • searchindexer.exe (no specs)
  • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • bindsvc.exe (no specs)
  • searchprotocolhost.exe (no specs)
  • searchfilterhost.exe (no specs)
  • slui.exe
  • 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 716
CMD: "C:\Users\admin\AppData\Local\Temp\jawcphwktj.exe" "C:\Users\admin\AppData\Local\Temp\khmbuwhgti.exe" "C:\Users\admin\Desktop\2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\AppData\Local\Temp\jawcphwktj.exe
Parent process: 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\jawcphwktj.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 2284
CMD: "C:\WINDOWS\System32\bindsvc.exe"
Path: C:\Windows\System32\bindsvc.exe
Parent process: cqxfqdpkwz.exe
User: admin
Integrity Level: HIGH
Modules
Images
c:\windows\system32\bindsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2796
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3156
CMD: "C:\Users\admin\Desktop\2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Parent process: jawcphwktj.exe
User: admin
Integrity Level: HIGH
Description: Scanner Driver Uninstaller(x86)
Exit code: 0
Version: 2. 0. 0. 0
Modules
Images
c:\users\admin\desktop\2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\difxapi.dll
PID: 4188
CMD: sc config msdtc obj= LocalSystem
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 4192
CMD: C:\Users\admin\AppData\Local\Temp\cqxfqdpkwz.exe
Path: C:\Users\admin\AppData\Local\Temp\cqxfqdpkwz.exe
Parent process: 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Digitizer to Monitor Mapping Tool
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\cqxfqdpkwz.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4424
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4748
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\lBof61vM.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cqxfqdpkwz.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 5452
CMD: C:\WINDOWS\system32\SearchIndexer.exe /Embedding
Path: C:\Windows\System32\SearchIndexer.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Indexer
Version: 7.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 5548
CMD: "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\tquery.dll
c:\windows\system32\combase.dll
Total events: 9 767
Read events: 9 705
Write events: 39
Delete events: 23

Modification events

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\5
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\6
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\7
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Extensions
Operation: write
Name: IncludedExtensions
Value: 0

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\Csc\0
Operation: write
Name: ProgIdHandler
Value: Search.CscHandler.1

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\DP\0
Operation: write
Name: ProgIdHandler
Value: FhSearchPHLibrary.FhSearchProtocol.1

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\File\0
Operation: write
Name: ProgIdHandler
Value: Search.FileHandler.1

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\Mapi16\0
Operation: write
Name: ProgIdHandler
Value: Outlook.Search.MAPI16Handler.1

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\OneIndex16\0
Operation: write
Name: Included
Value: 1

(PID) Process: (5452) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Protocols\OneIndex16\0
Operation: write
Name: ProgIdHandler
Value: Search.OneIndexHandler.2

Executable files: 11
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 5452
Process: SearchIndexer.exe
Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Type: -
MD5: -
SHA256: -

PID: 6108
Process: 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\cqxfqdpkwz.exe
Type: executable
MD5: 2C2029588AD8B86759C17B7AE885EE03
SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290

PID: 716
Process: jawcphwktj.exe
Filename: C:\Users\admin\Desktop\2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Type: executable
MD5: 4567D4E581360C4771A35E5A731782B4
SHA256: 57C38A19B74848809DC03DE8D1CCEACA34F0DE1FFE632A1A6B9008253A45F110

PID: 4192
Process: cqxfqdpkwz.exe
Filename: C:\Windows\System32\oci.dll
Type: executable
MD5: D7DDFD90C55AD42200B2A7E51110AD87
SHA256: 4FDC7AACB3981434E797106944F27A507201D11CDF194B3FAB79747CE98F2446

PID: 6108
Process: 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\khmbuwhgti.exe
Type: executable
MD5: 4567D4E581360C4771A35E5A731782B4
SHA256: 57C38A19B74848809DC03DE8D1CCEACA34F0DE1FFE632A1A6B9008253A45F110

PID: 4192
Process: cqxfqdpkwz.exe
Filename: C:\Windows\SysWOW64\bindsvc.exe
Type: executable
MD5: 7C5B397FB54D5AA06BD2A6FB99C62FEE
SHA256: D032BDC64C9451BBB653B346C5BD6AC9F83A91EDEB0155497F098C8D6182DDEE

PID: 4192
Process: cqxfqdpkwz.exe
Filename: C:\Windows\SysWOW64\racfg.exe
Type: executable
MD5: DC0222F1E0868C3612A93BA2D83B99BE
SHA256: 6BC4497B86DF521B413E4574F4CD4289C986348D2A69DA1945FF1A1784DB05DB

PID: 4192
Process: cqxfqdpkwz.exe
Filename: C:\Windows\SysWOW64\wideshut.exe
Type: executable
MD5: 2C2029588AD8B86759C17B7AE885EE03
SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290

PID: 6108
Process: 2025-06-02_d5e352b813798f704d059bb99cabf9a5_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\jawcphwktj.exe
Type: executable
MD5: E48B89715BF5E4C55EB5A1FED67865D9
SHA256: C25D90168FC2026D8ED2A69C066BD5A7E11004C3899928A7DB24CB7636FC4D9E

PID: 4192
Process: cqxfqdpkwz.exe
Filename: C:\Users\admin\AppData\Local\Temp\lBof61vM.bat
Type: text
MD5: 5B3CA3E3379DBA2795F6577721D076EB
SHA256: EB4CDF844074DC7BCFFE1FC430557B11B55091BA4038BF39DE0838C0D91D4783

HTTP(S) requests: 21
TCP/UDP connections: 52
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7924 | RUXIMICS.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | unknown
- | - | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | unknown
7924 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
5560 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
5560 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5560 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
5560 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7924 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7924 | RUXIMICS.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7924 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.1:445 | - | - | - | unknown
4 | System | 192.168.100.2:445 | - | - | - | whitelisted
4 | System | 192.168.100.1:139 | - | - | - | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 172.217.23.110 | whitelisted
crl.microsoft.com | 23.48.23.158, 23.48.23.143, 23.48.23.180, 23.48.23.177, 23.48.23.141, 23.48.23.190, 23.48.23.169, 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 23.35.229.160, 23.219.150.101 | whitelisted
login.live.com | 20.190.160.132, 20.190.160.14, 40.126.32.138, 20.190.160.130, 40.126.32.133, 20.190.160.65, 20.190.160.17, 20.190.160.22 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted

Threats

No threats detected
No debug info