File name:

2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/b494fc6a-aa01-406b-b8d3-2ae0d4fae876
Verdict: Malicious activity
Analysis date: May 16, 2025, 13:34:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

E0208B836BEF46077544149BD389E36F

SHA1:

3271C5966D8E10C32D994591E3FB26780D3234FD

SHA256:

D35D8FB10FC4F17CD6B3CC2F73EE0C9D4DB215AA02C78946BB9B26833346E67C

SSDEEP:

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyN:5MGX7UqWMpdLTR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 3804396779.exe (PID: 4448)
      • 3804396779.exe (PID: 1764)
      • install.exe (PID: 6372)
    • CANBIS mutex has been found

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • TiWorker.exe (PID: 744)
      • msiexec.exe (PID: 3784)
    • Executable content was dropped or overwritten

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • TiWorker.exe (PID: 744)
    • Reads security settings of Internet Explorer

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • install.exe (PID: 6372)
    • Starts a Microsoft application from unusual location

      • 3804396779.exe (PID: 4448)
      • 3804396779.exe (PID: 1764)
    • Creates file in the systems drive root

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • Reads the Windows owner or organization settings

      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
  • INFO

    • Checks supported languages

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
    • Reads the computer name

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
    • Process checks computer location settings

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • The sample compiled with english language support

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Failed to create an executable file in Windows directory

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • Reads the machine GUID from the registry

      • 3804396779.exe (PID: 1764)
      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
    • The sample compiled with korean language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with japanese language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with spanish language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with chinese language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with german language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Create files in a temporary directory

      • install.exe (PID: 6372)
    • Reads the software policy settings

      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
      • slui.exe (PID: 5304)
      • TiWorker.exe (PID: 744)
    • Checks proxy server information

      • install.exe (PID: 6372)
      • slui.exe (PID: 5304)
    • Creates files or folders in the user directory

      • install.exe (PID: 6372)
    • The sample compiled with Italian language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with french language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3784)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3784)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes
135
Monitored processes
7
Malicious processes
5
Suspicious processes
1

Behavior graph

start #CANBIS 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe 3804396779.exe no specs 3804396779.exe install.exe msiexec.exe tiworker.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
744
CMD:
C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path:
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
1764
CMD:
"C:\Users\admin\Desktop\3804396779.exe"
Path:
C:\Users\admin\Desktop\3804396779.exe
Parent process:
2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2008 Redistributable Setup
Exit code:
0
Version:
9.0.21022.08
Modules
Images
c:\users\admin\desktop\3804396779.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
3784
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
4448
CMD:
"C:\Users\admin\Desktop\3804396779.exe"
Path:
C:\Users\admin\Desktop\3804396779.exe
Parent process:
2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2008 Redistributable Setup
Exit code:
3221226540
Version:
9.0.21022.08
Modules
Images
c:\users\admin\desktop\3804396779.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
5304
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6372
CMD:
c:\0ffa2de3564fcdc80e727cb2df61929b\.\install.exe
Path:
C:\0ffa2de3564fcdc80e727cb2df61929b\install.exe
Parent process:
3804396779.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
External Installer
Exit code:
0
Version:
9.0.21022.8 built by: RTM
Modules
Images
c:\0ffa2de3564fcdc80e727cb2df61929b\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID:
6712
CMD:
"C:\Users\admin\Desktop\2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe"
Path:
C:\Users\admin\Desktop\2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
5
Modules
Images
c:\users\admin\desktop\2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
16 417
Read events
15 959
Write events
387
Delete events
71

Modification events

(PID) Process: (3784) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: C80E00003156E25867C6DB01

(PID) Process: (3784) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: A464FAD9971873938E230B5D72BE03D89883B9231C82BE3FAEC4EFB66ED11359

(PID) Process: (3784) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: c:\Config.Msi\
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: c:\Config.Msi\11439f.rbs
Value: 31180391

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: c:\Config.Msi\11439f.rbsLow
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA5D9C68C00F12943B2F6CA09FE28244
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: 02:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\SP

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D5F5530C7649E0398C42CAFFE25A211
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80FBC10D4B028C03FAA5699F48E7283A
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\55C7536C164715D3A95EDF17AC4220A7
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: >mfc90.dll\Microsoft.VC90.MFC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32"

Executable files
86
Suspicious files
50
Text files
101
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\vc_red.cab
Type: compressed
MD5:E10F2F6E6379E9185F71AEC1421F37B4
SHA256:9681BCFD73C610EB6A9538D872C1E7844548FCA341F22FB66CCADB4D78530B4D
PID: 6712
Process: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\4623080301.exe
Type: executable
MD5:E0208B836BEF46077544149BD389E36F
SHA256:D35D8FB10FC4F17CD6B3CC2F73EE0C9D4DB215AA02C78946BB9B26833346E67C
PID: 6712
Process: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\3804396779.exe
Type: executable
MD5:B936F0F378B9A35489353E878154E899
SHA256:C6A7E484F4D84883BC1205BCCEA3114C0521025712922298EDE9B2A1CD632357
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1028.dll
Type: executable
MD5:4151A4D07640863783F837E588235837
SHA256:58475A90250C6818F73763775EEA6379E06DA6C38E8D2CF0F54EB6112A0A6AEE
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\eula.1042.txt
Type: text
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1031.dll
Type: executable
MD5:3B8A82E04238655EAEF97E074FB29911
SHA256:5E49C21B9A15C3A0FDDDE7DDC32FDA220302EE57B8AFF66F4F78B370E049410D
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\eula.1036.txt
Type: text
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1036.dll
Type: executable
MD5:5B6FF470CFA7087690E61F87E81EF78A
SHA256:2D1C0A1B17266CFF3BE7D46CF3020B176E4A058FD7FC57F7B6B97E0760CC45DB
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.2052.dll
Type: executable
MD5:D7366B34E8AFB605C39EF56E2201FE85
SHA256:F7AA6EBF1413A6E4816BCAD5B77C47B6BBE0CFC05CAFDE4AA872ABE3FBD5E62B
PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\eula.1033.txt
Type: text
MD5:99C22D4A31F4EAD4351B71D6F4E5F6A1
SHA256:93A3C629FECFD10C1CF614714EFD69B10E89CFCAF94C2609D688B27754E4AB41
HTTP(S) requests
10
TCP/UDP connections
53
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6372
install.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6372
install.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
uk.undernet.org
unknown
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.65
  • 40.126.32.140
  • 40.126.32.76
  • 20.190.160.3
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info