File name: 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/6cb635cc-d4ab-4673-a265-4cfb0f4ad355
Verdict: Malicious activity
Analysis date: June 23, 2025, 13:56:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 52D05688DFFED8A3F04F79FBD02FC8F9
SHA1: F729EF06A123A002781999C40EDEB2292B256652
SHA256: BBA19EDBBF0B23AEB991C1568D32BCC8D848D86433F87855F01F5D05FF2F8C7F
SSDEEP: 98304:K6V4dhdAXOHfYFRQ8zPXCJ7HLzPEgP9Ipv0tsUTPZifGZQtSNi45i1gy5HocyYDH:YMogLASR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 1896)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 4968)
      • mqvqxptgze.exe (PID: 5168)
    • Executable content was dropped or overwritten

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 4968)
      • qiyxyqmpqw.exe (PID: 5908)
      • mqvqxptgze.exe (PID: 5168)
      • setup.exe (PID: 6840)
      • _INS5176._MP (PID: 3720)
      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
    • Process drops legitimate windows executable

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 5908)
      • _INS5176._MP (PID: 3720)
    • Starts a Microsoft application from unusual location

      • qiyxyqmpqw.exe (PID: 4968)
      • qiyxyqmpqw.exe (PID: 5908)
    • Starts application with an unusual extension

      • setup.exe (PID: 6840)
    • Creates file in the systems drive root

      • _isdel.exe (PID: 3048)
      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
    • Starts CMD.EXE for commands execution

      • qiyxyqmpqw.exe (PID: 5908)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5764)
    • Windows service management via SC.EXE

      • sc.exe (PID: 2288)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
      • setup.exe (PID: 6840)
      • _INS5176._MP (PID: 3720)
    • Executing commands from a ".bat" file

      • qiyxyqmpqw.exe (PID: 5908)
    • Uses pipe srvsvc via SMB (transferring data)

      • bindsvc.exe (PID: 6224)
  • INFO

    • Create files in a temporary directory

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
      • setup.exe (PID: 6840)
      • _INS5176._MP (PID: 3720)
      • qiyxyqmpqw.exe (PID: 5908)
    • Checks supported languages

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 4968)
      • xFeKJYVr.exe (PID: 1332)
      • qiyxyqmpqw.exe (PID: 5908)
      • mqvqxptgze.exe (PID: 5168)
      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
      • _isdel.exe (PID: 3048)
      • _INS5176._MP (PID: 3720)
      • setup.exe (PID: 6840)
      • bindsvc.exe (PID: 6224)
    • Reads the computer name

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 4968)
      • xFeKJYVr.exe (PID: 1332)
      • qiyxyqmpqw.exe (PID: 5908)
      • mqvqxptgze.exe (PID: 5168)
      • setup.exe (PID: 6840)
      • _INS5176._MP (PID: 3720)
      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
      • bindsvc.exe (PID: 6224)
    • Creates files in the program directory

      • qiyxyqmpqw.exe (PID: 4968)
      • SearchIndexer.exe (PID: 4236)
    • The sample compiled with english language support

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 5908)
      • mqvqxptgze.exe (PID: 5168)
      • setup.exe (PID: 6840)
      • _INS5176._MP (PID: 3720)
      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 4528)
    • Process checks computer location settings

      • 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 2076)
      • qiyxyqmpqw.exe (PID: 4968)
      • mqvqxptgze.exe (PID: 5168)
    • Reads the machine GUID from the registry

      • xFeKJYVr.exe (PID: 1332)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 1896)
      • SearchProtocolHost.exe (PID: 7264)
    • Executes as Windows Service

      • SearchIndexer.exe (PID: 4236)
    • UPX packer has been detected

      • qiyxyqmpqw.exe (PID: 5908)
      • bindsvc.exe (PID: 6224)
    • Creates files or folders in the user directory

      • bindsvc.exe (PID: 6224)
    • Checks proxy server information

      • slui.exe (PID: 7360)
    • Reads the software policy settings

      • slui.exe (PID: 7360)
No Malware configuration.

TRiD

.exe | InstallShield setup (29.8)
.exe | Win32 Executable MS Visual C++ (generic) (21.6)
.exe | Win64 Executable (generic) (19.1)
.exe | UPX compressed Win32 Executable (18.7)
.dll | Win32 Dynamic Link Library (generic) (4.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:04 08:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 50688
InitializedDataSize: 29696
UninitializedDataSize: -
EntryPoint: 0x7b1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 156
Monitored processes: 21
Malicious processes: 2
Suspicious processes: 4

Behavior graph

Processes as listed in the graph:
2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (start), mqvqxptgze.exe, qiyxyqmpqw.exe, xfekjyvr.exe, CMSTPLUA, qiyxyqmpqw.exe, searchindexer.exe (no specs), 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (no specs), 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe, setup.exe, _ins5176._mp, _isdel.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), bindsvc.exe (no specs), searchprotocolhost.exe (no specs), searchfilterhost.exe (no specs), slui.exe

Process information

Ten of the 21 monitored processes are detailed below. Each entry gives the PID, image name and parent process, then the command line, path, process attributes and the images loaded in that process.
PID 856 | cmd.exe | Parent process: qiyxyqmpqw.exe
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\2bgSMASO.bat"
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID 1208 | 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | Parent process: mqvqxptgze.exe
CMD: "C:\Users\admin\Desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: MEDIUM
Description: PackageForTheWeb Stub
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the launch from the medium-integrity dropper failed because the image requires elevation; only ntdll was mapped before the process died)
Version: 2.02.001
Modules (images):
c:\users\admin\desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 1332 | xFeKJYVr.exe | Parent process: qiyxyqmpqw.exe
CMD: "C:\ProgramData\Temp\xFeKJYVr.exe" C:\Users\admin\AppData\Local\Temp\qiyxyqmpqw.exe gQ9VOe5m8zP6
Path: C:\ProgramData\Temp\xFeKJYVr.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\programdata\temp\xfekjyvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 1896 | dllhost.exe | Parent process: svchost.exe
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\SysWOW64\dllhost.exe
Note: the CLSID is the CMSTPLUA elevation moniker (ICMLuaUtil), the CMSTPLUA node in the behavior graph. It is an auto-elevating COM class, so a medium-integrity process that instantiates it gets code running in this HIGH-integrity surrogate without a UAC prompt; that is the "Known privilege escalation attack" indicator above.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID 2076 | 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | Parent process: explorer.exe
CMD: "C:\Users\admin\Desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 2288 | sc.exe | Parent process: cmd.exe
CMD: sc config msdtc obj= LocalSystem
Path: C:\Windows\System32\sc.exe
Note: this rewrites the account the MSDTC service runs as (by default NT AUTHORITY\NetworkService) to LocalSystem, so the next start of the service runs with SYSTEM privileges. It executes from the elevated cmd.exe batch.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 3048 | _isdel.exe | Parent process: setup.exe
CMD: C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
Path: C:\Windows\SysWOW64\InstallShield\_isdel.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: 32-bit InstallShield Deleter.
Version: 5, 51, 138, 0
Modules (images):
c:\windows\syswow64\installshield\_isdel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acspecfc.dll
PID 3720 | _INS5176._MP | Parent process: setup.exe
CMD: C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
Path: C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: InstallShield Engine
Version: 5.10.146.0
Modules (images):
c:\users\admin\appdata\local\temp\_istmp1.dir\_ins5176._mp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acspecfc.dll
PID 3876 | conhost.exe | Parent process: cmd.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 4236 | SearchIndexer.exe | Parent process: services.exe
CMD: C:\WINDOWS\system32\SearchIndexer.exe /Embedding
Path: C:\Windows\System32\SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Indexer
Version: 7.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
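The process entries above carry the artifacts a reviewer would pull out of this report by hand: a dllhost.exe hosting the CMSTPLUA CLSID at HIGH integrity, an `sc config ... obj=` call, an elevated cmd.exe running a .bat out of Temp, a binary executing from C:\ProgramData\Temp, and a process that exits with STATUS_ELEVATION_REQUIRED. The script below is an added example, not ANY.RUN code and not part of the original report: it encodes those checks and runs them over event records constructed from the command lines, parents, integrity levels and exit code printed in this section. The record layout (pid, image, cmdline, parent, integrity, exit_code) is an assumed Sysmon-like shape, not ANY.RUN's export format.

```python
"""Triage the process tree of a sandbox report for the behaviours flagged above.

Added example, not ANY.RUN code. EVENTS is constructed from the "Process
information" entries of the report; the record layout is an assumed
Sysmon-like shape, not ANY.RUN's export format.
"""
import re
from dataclasses import dataclass

# CLSID from the dllhost.exe command line of PID 1896: the CMSTPLUA elevation
# moniker (ICMLuaUtil), an auto-elevating COM class that a medium-integrity
# process can use to run code at high integrity without a UAC prompt.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

# NTSTATUS values worth naming when a process dies at once (PID 1208 above).
NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}

# Directories any user can write to; code running from them is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\temp\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    image: str        # full path of the executable
    cmdline: str
    parent: str       # parent image name
    integrity: str    # MEDIUM / HIGH / SYSTEM, as the report prints it
    exit_code: int = 0


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def exit_status_hex(code: int) -> str:
    """Spell a decimal exit code the way ntstatus.h does (3221226540 -> 0xC000042C)."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def exit_status_name(code: int) -> str:
    return NTSTATUS_NAMES.get(code & 0xFFFFFFFF, "unknown")


def evaluate(ev: ProcEvent) -> list:
    """Apply the checks a reviewer would run over one process entry."""
    findings = []
    image = ev.image.lower()
    name = image.rsplit("\\", 1)[-1]
    cl = ev.cmdline.lower()
    elevated = ev.integrity.upper() in ("HIGH", "SYSTEM")
    # 1. COM Surrogate hosting the CMSTPLUA elevation class.
    if name == "dllhost.exe" and CMSTPLUA_CLSID in cl:
        findings.append(Finding(ev.pid, "uac_bypass_cmstplua", ev.cmdline))
    # 2. sc.exe changing the account a service runs as ("obj= <account>").
    m = re.search(r"\bsc(?:\.exe)?\s+config\s+(\S+).*?\bobj=\s*(\S+)", cl)
    if m:
        findings.append(Finding(ev.pid, "service_account_change",
                                f"service {m.group(1)} set to run as {m.group(2)}"))
    # 3. Elevated cmd.exe running a .bat file out of a user-writable directory.
    if name == "cmd.exe" and ".bat" in cl and elevated and any(d in cl for d in USER_WRITABLE):
        findings.append(Finding(ev.pid, "elevated_bat_from_temp", ev.cmdline))
    # 4. Any executable launched from a user-writable directory.
    if any(d in image for d in USER_WRITABLE):
        findings.append(Finding(ev.pid, "exec_from_user_writable_dir", ev.image))
    # 5. Launch that failed because the image demands elevation.
    if exit_status_name(ev.exit_code) == "STATUS_ELEVATION_REQUIRED":
        findings.append(Finding(ev.pid, "elevation_required_exit", exit_status_hex(ev.exit_code)))
    return findings


def triage(events) -> dict:
    """Map pid -> rule names for every event that produced at least one finding."""
    hits = {}
    for ev in events:
        rules = [f.rule for f in evaluate(ev)]
        if rules:
            hits[ev.pid] = rules
    return hits


SAMPLE = r"C:\Users\admin\Desktop\2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

# Constructed from the report's "Process information" entries.
EVENTS = [
    ProcEvent(2076, SAMPLE, f'"{SAMPLE}"', "explorer.exe", "MEDIUM"),
    ProcEvent(1208, SAMPLE, f'"{SAMPLE}"', "mqvqxptgze.exe", "MEDIUM", exit_code=3221226540),
    ProcEvent(1332, r"C:\ProgramData\Temp\xFeKJYVr.exe",
              r'"C:\ProgramData\Temp\xFeKJYVr.exe" C:\Users\admin\AppData\Local\Temp\qiyxyqmpqw.exe gQ9VOe5m8zP6',
              "qiyxyqmpqw.exe", "MEDIUM"),
    ProcEvent(1896, r"C:\Windows\SysWOW64\dllhost.exe",
              r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
              "svchost.exe", "HIGH"),
    ProcEvent(856, r"C:\Windows\System32\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\2bgSMASO.bat"',
              "qiyxyqmpqw.exe", "HIGH"),
    ProcEvent(2288, r"C:\Windows\System32\sc.exe", "sc config msdtc obj= LocalSystem", "cmd.exe", "HIGH"),
    ProcEvent(4236, r"C:\Windows\System32\SearchIndexer.exe",
              r"C:\WINDOWS\system32\SearchIndexer.exe /Embedding", "services.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        for f in evaluate(ev):
            print(f"PID {f.pid:<5} {f.rule:<28} {f.detail}")
```

Run as a script it prints one line per finding; the two benign entries (the first launch of the sample from explorer.exe and SearchIndexer.exe) produce nothing. The rules deliberately key on command-line content and integrity level rather than on image hashes, since the dropped file names (qiyxyqmpqw.exe, xFeKJYVr.exe) are the part of this chain most likely to change between samples, while the CLSID, the `obj=` syntax and the Temp paths are not.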
Total events: 11 132 (read: 11 067, write: 42, delete: 23)

Modification events

All ten modification events shown come from SearchIndexer.exe (PID 4236) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft; none of the listed events is attributed to the sample or the processes it spawned.

PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InputPersonalization | write | Shutdown = 0
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\C: | write | DriveType = 3
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\C: | write | VolumeLabel = (empty)
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState | write | 000003eb = 010000004051CACD2E0C00000100000000000000
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState | delete value | 000003eb
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported | delete value | 000003eb
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState | delete value | 000003f5
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported | delete value | 000003f5
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Search\Preferences | delete value | DataDirectory
PID 4236 SearchIndexer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search | write | SchemaCacheTimestamp = 30F44CD30259DA01
Executable files: 58
Suspicious files: 9
Text files: 32
Unknown types: 8

Dropped files

PID 4236, SearchIndexer.exe -> C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
  MD5: - | SHA256: -
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\pft7C37~tmp\pftw1.pkg
  MD5: - | SHA256: -
PID 2076, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\mqvqxptgze.exe (executable)
  MD5: E48B89715BF5E4C55EB5A1FED67865D9 | SHA256: C25D90168FC2026D8ED2A69C066BD5A7E11004C3899928A7DB24CB7636FC4D9E
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\plf7148.tmp (ini)
  MD5: B7A48BD3C990175B49570700EAC0FF04 | SHA256: 1A233CD321E2FE8B38208DA726A4FF2D22989CF5FB345798E90AE79446981AEB
PID 5908, qiyxyqmpqw.exe -> C:\Windows\SysWOW64\wimsvc.exe (executable)
  MD5: 2C2029588AD8B86759C17B7AE885EE03 | SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\pft7C37~tmp\Aps\Ubtnrcti.8bf (executable)
  MD5: 3A6B5FDC4FEFF6FC0C4D854AF656EDB5 | SHA256: 75CB527A342DE68D03489EDDF6B97C02732A021D1E5A9EAE979896AA94FCCA6C
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\pft7C37~tmp\Aps\Uimgtag.8bf (8*)
  MD5: A132F318D2477894D18A52ABA3486F2C | SHA256: 4B6A862B565AF45EF20C464649ADFF11A686C74B4092320C3E9554F2C1625F9F
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\pft7C37~tmp\Aps\Udshadow.8bf (8*)
  MD5: E3C4474561253EC9C6DD553275A7B71D | SHA256: 864CB7A050B3FD07162A713ABF8CDE74C148CFDD9C5D39DA70AB76AF7A4D0BD4
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\pft7C37~tmp\Aps\Ushadow.8bf (executable)
  MD5: 7B1D6B6D8CD4AF494A6F6AB74894C194 | SHA256: BC8B1597C12C843DED1AA18B64EC74370F2DB566B782B8BC7CB4EB4918830DC3
PID 4528, 2025-06-23_52d05688dffed8a3f04f79fbd02fc8f9_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe -> C:\Users\admin\AppData\Local\Temp\pft7C37~tmp\Ulead.dat\U32BASE.CFG (gmc)
  MD5: E13231D096EFC35934933F73798131FB | SHA256: 265216CFA820D95EF9B91E94F9331D4FF88C609531C755CCD54E9DD1A48CF400

Of the drops listed, only C:\Windows\SysWOW64\wimsvc.exe lands outside the user-writable Temp and ProgramData trees. Writing into SysWOW64 needs administrator rights, consistent with the HIGH integrity of the cmd.exe (PID 856) that the same qiyxyqmpqw.exe (PID 5908) spawned after the CMSTPLUA elevation.
HTTP(S) requests: 30
TCP/UDP connections: 51
DNS requests: 18
Threats: 0

Every HTTP request and connection listed below originates from Windows system processes (svchost.exe, RUXIMICS.exe, MoUsoCoreWorker.exe, System) and goes to Microsoft CRL, telemetry, licensing and account endpoints; none is attributed to the sample or to the processes it spawned, so no command-and-control traffic was observed during this run.

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5476 | RUXIMICS.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.66:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.160.66:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.160.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.160.132:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5476 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5476 | RUXIMICS.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5476 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.8
  • 23.216.77.28
  • 23.216.77.36
  • 23.216.77.20
  • 23.216.77.42
  • 23.216.77.6
  • 23.216.77.22
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.131
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.66
  • 20.190.160.64
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
Process | Message
xFeKJYVr.exe | lpszParam = gQ9VOe5m8zP6
xFeKJYVr.exe | We will start with normal mode!
xFeKJYVr.exe | lpszPath = C:\Users\admin\AppData\Local\Temp\qiyxyqmpqw.exe

These debug strings echo the two arguments on the command line of PID 1332 (the path of the parent dropper qiyxyqmpqw.exe and the token gQ9VOe5m8zP6), so xFeKJYVr.exe reads its target and a parameter from argv rather than from an embedded configuration.