File name:

2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/61e2f492-4ff0-4f1e-b8de-03c193e95903
Verdict: Malicious activity
Analysis date: April 29, 2025, 20:49:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

4EEF5D00B62E57B100BA66AF6D9F011B

SHA1:

F57468A1ADFA399CF060360DBD8E234157DA99F7

SHA256:

BDC5440B51042BC3A92020373BA92D832A91A0A7301955230418F7AE3801A699

SSDEEP:

98304:iefUuZuKAuf5jTFnkOefUuZuKAuf5jTFziy9/W10abzzpQXPJP0jjiGHaGx/LOLC:xySbzzdr0ijelYV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses NET.EXE to stop Windows Security Center service

      • cmd.exe (PID: 7828)
      • net.exe (PID: 8080)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 7812)
      • cmd.exe (PID: 7828)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 7844)
      • cmd.exe (PID: 7804)
      • net.exe (PID: 8064)
      • net.exe (PID: 8072)
      • net.exe (PID: 8080)
      • net.exe (PID: 8104)
      • net.exe (PID: 8112)

    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 7812)
      • net.exe (PID: 8072)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 7880)
      • net.exe (PID: 8096)

    • Executing a file with an untrusted certificate

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 7728)

    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 7908)
      • net.exe (PID: 8088)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7392)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 7728)

    • Process drops legitimate windows executable

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)
      • UpdatAuto.exe (PID: 7632)

    • Starts CMD.EXE for commands execution

      • UpdatAuto.exe (PID: 7632)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)

    • Creates file in the systems drive root

      • UpdatAuto.exe (PID: 7632)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)

    • Windows service management via SC.EXE

      • sc.exe (PID: 8056)
      • sc.exe (PID: 8120)
      • sc.exe (PID: 8140)
      • sc.exe (PID: 8156)
      • sc.exe (PID: 8128)

    • Executable content was dropped or overwritten

      • UpdatAuto.exe (PID: 7632)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)

    • Executing commands from a ".bat" file

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)
      • UpdatAuto.exe (PID: 7632)

    • Starts itself from another location

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)

  • INFO

    • The sample compiled with chinese language support

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)
      • UpdatAuto.exe (PID: 7632)

    • Checks supported languages

      • UpdatAuto.exe (PID: 7632)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 7728)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)

    • Create files in a temporary directory

      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)
      • UpdatAuto.exe (PID: 7632)

    • Reads the computer name

      • UpdatAuto.exe (PID: 7632)

    • Creates files in the program directory

      • UpdatAuto.exe (PID: 7632)
      • 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (63.9)
.exe | Win32 Executable MS Visual C++ (generic) (24.3)
.dll | Win32 Dynamic Link Library (generic) (5.1)
.exe | Win32 Executable (generic) (3.5)
.exe | Generic Win/DOS Executable (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:03:12 04:30:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: 16384
UninitializedDataSize: -
EntryPoint: 0x27dc
OSVersion: 4
ImageVersion: 6.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.0.0
ProductVersionNumber: 6.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Windows Update Manager for NT
CompanyName: Microsoft Corporation
FileDescription: Windows Update Manager for NT
LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
ProductName: Microsoft(R) Windows (R) 2000 Operating System
FileVersion: 6.01
ProductVersion: 6.01
InternalName: INCUBUS
OriginalFileName: INCUBUS.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
177
Monitored processes
48
Malicious processes
4
Suspicious processes
7

Behavior graph

Click at the process to see the details
start 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe cmd.exe no specs conhost.exe no specs updatauto.exe cmd.exe no specs conhost.exe no specs 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader~4.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs slui.exe no specs 2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1628C:\WINDOWS\system32\net1 stop wscsvcC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1804C:\WINDOWS\system32\net1 localgroup administrators helpassistant /addC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
4608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5164C:\WINDOWS\system32\net1 stop srserviceC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
5256C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5404C:\WINDOWS\system32\net1 stop sharedaccessC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
5800C:\WINDOWS\system32\net1 user helpassistant 123456C:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
6044\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6272C:\WINDOWS\system32\net1 start TlntSvrC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
6644C:\WINDOWS\system32\net1 stop wuauservC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
Total events
709
Read events
709
Write events
0
Delete events
0

Modification events

No data
Executable files
20
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
74602025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exeC:\Windows\SysWOW64\Option.battext
MD5:1D04ABF39E9DF55EED1D04430CC21EB8
SHA256:0BC485263CF8A962E64DB0B88F156F2A9AF1B81ECFDB1CF9111D497E85DF70F3
74602025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exeC:\Users\admin\Desktop\2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader~4.exeexecutable
MD5:8F88D65F7E200184084FF1C3EA7CDF07
SHA256:5AF7BD9B9DFA824EFFD05E9330A6EF006997C8E4199527D34A02DFBAD78EBC29
7632UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
MD5:
SHA256:
7632UpdatAuto.exeC:\ntldr~6
MD5:
SHA256:
74602025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
MD5:
SHA256:
7632UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
MD5:
SHA256:
74602025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exeC:\Windows\SysWOW64\UpdatAuto.exeexecutable
MD5:BF77E1BB653997783A26FDCDCE6A1D24
SHA256:7BE0CB621342F2282757115E37CC06D94ED08A30E5D5EBD0910B23F179108D07
74602025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeexecutable
MD5:00E9D7E5134DAB462AE16556152351F9
SHA256:00DF307E3D94EAC39A43E6E4CA4969DF79555D57EAFD1A7B4AD547F87694A244
74602025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader.exeC:\ntldr~6executable
MD5:BF77E1BB653997783A26FDCDCE6A1D24
SHA256:7BE0CB621342F2282757115E37CC06D94ED08A30E5D5EBD0910B23F179108D07
7632UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeexecutable
MD5:E90E2763125CDDBBE3EF1E500EC6A6C8
SHA256:3175E2B0ED93F9F39CC590B0102A59723107CB53C13F16D08035B0E62E1EA4B6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
40
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7712
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.216.77.13:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7712
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7712
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7712
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7712
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7712
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7712
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2568
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.13:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7712
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.216.77.13
  • 23.216.77.41
  • 23.216.77.6
  • 23.216.77.37
  • 23.216.77.7
  • 23.216.77.18
  • 23.216.77.39
  • 23.216.77.42
  • 23.216.77.15
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.219.150.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.20
  • 20.190.160.130
  • 20.190.160.4
  • 40.126.32.134
  • 20.190.160.2
  • 20.190.160.65
  • 40.126.32.72
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_4eef5d00b62e57b100ba66af6d9f011b_akira_black-basta_elex_hijackloader_rhadamanthys_smoke-loader