File name: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/b494fc6a-aa01-406b-b8d3-2ae0d4fae876
Verdict: Malicious activity
Analysis date: May 16, 2025, 13:34:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: canbis, worm
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: E0208B836BEF46077544149BD389E36F
SHA1: 3271C5966D8E10C32D994591E3FB26780D3234FD
SHA256: D35D8FB10FC4F17CD6B3CC2F73EE0C9D4DB215AA02C78946BB9B26833346E67C
SSDEEP: 98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyN:5MGX7UqWMpdLTR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CANBIS mutex has been found

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • Executing a file with an untrusted certificate

      • 3804396779.exe (PID: 4448)
      • 3804396779.exe (PID: 1764)
      • install.exe (PID: 6372)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Executable content was dropped or overwritten

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • TiWorker.exe (PID: 744)
    • Starts a Microsoft application from unusual location

      • 3804396779.exe (PID: 4448)
      • 3804396779.exe (PID: 1764)
    • Reads security settings of Internet Explorer

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • install.exe (PID: 6372)
    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • Reads the Windows owner or organization settings

      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
    • Creates file in the systems drive root

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
  • INFO

    • Reads the computer name

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • install.exe (PID: 6372)
    • Checks supported languages

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • install.exe (PID: 6372)
    • The sample compiled with english language support

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Process checks computer location settings

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • Failed to create an executable file in Windows directory

      • 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 6712)
    • The sample compiled with Italian language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with spanish language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with french language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with chinese language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Reads the machine GUID from the registry

      • 3804396779.exe (PID: 1764)
      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
    • The sample compiled with korean language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • The sample compiled with japanese language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Create files in a temporary directory

      • install.exe (PID: 6372)
    • Reads the software policy settings

      • install.exe (PID: 6372)
      • msiexec.exe (PID: 3784)
      • slui.exe (PID: 5304)
      • TiWorker.exe (PID: 744)
    • Checks proxy server information

      • install.exe (PID: 6372)
      • slui.exe (PID: 5304)
    • Creates files or folders in the user directory

      • install.exe (PID: 6372)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3784)
    • The sample compiled with german language support

      • 3804396779.exe (PID: 1764)
      • msiexec.exe (PID: 3784)
      • TiWorker.exe (PID: 744)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3784)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 1

Behavior graph

[Behavior graph nodes: start; #CANBIS 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe; 3804396779.exe (no specs); 3804396779.exe; install.exe; msiexec.exe; tiworker.exe; slui.exe]

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 744
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1764
CMD: "C:\Users\admin\Desktop\3804396779.exe"
Path: C:\Users\admin\Desktop\3804396779.exe
Parent process: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 0
Version: 9.0.21022.08
Modules
Images
c:\users\admin\desktop\3804396779.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3784
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4448
CMD: "C:\Users\admin\Desktop\3804396779.exe"
Path: C:\Users\admin\Desktop\3804396779.exe
Parent process: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 3221226540
Version: 9.0.21022.08
Modules
Images
c:\users\admin\desktop\3804396779.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5304
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6372
CMD: c:\0ffa2de3564fcdc80e727cb2df61929b\.\install.exe
Path: C:\0ffa2de3564fcdc80e727cb2df61929b\install.exe
Parent process: 3804396779.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: External Installer
Exit code: 0
Version: 9.0.21022.8 built by: RTM
Modules
Images
c:\0ffa2de3564fcdc80e727cb2df61929b\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 6712
CMD: "C:\Users\admin\Desktop\2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 5
Modules
Images
c:\users\admin\desktop\2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 16 417
Read events: 15 959
Write events: 387
Delete events: 71

Modification events

(PID) Process: (3784) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: C80E00003156E25867C6DB01

(PID) Process: (3784) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: A464FAD9971873938E230B5D72BE03D89883B9231C82BE3FAEC4EFB66ED11359

(PID) Process: (3784) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: c:\Config.Msi\
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: c:\Config.Msi\11439f.rbs
Value: 31180391

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: c:\Config.Msi\11439f.rbsLow
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA5D9C68C00F12943B2F6CA09FE28244
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: 02:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\SP

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D5F5530C7649E0398C42CAFFE25A211
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80FBC10D4B028C03FAA5699F48E7283A
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

(PID) Process: (3784) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\55C7536C164715D3A95EDF17AC4220A7
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: >mfc90.dll\Microsoft.VC90.MFC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32"
Executable files: 86
Suspicious files: 50
Text files: 101
Unknown types: 3

Dropped files

PID: 6712
Process: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\4623080301.exe
Type: executable
MD5: E0208B836BEF46077544149BD389E36F
SHA256: D35D8FB10FC4F17CD6B3CC2F73EE0C9D4DB215AA02C78946BB9B26833346E67C

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\vc_red.msi
Type: executable
MD5: E0951D3CB1038EB2D2B2B2F336E1AB32
SHA256: 507AC60E145057764F13CF1AD5366A7E15DDC0DA5CC22216F69E3482697D5E88

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1033.dll
Type: executable
MD5: 9EDEB8B1C5C0A4CD3A3016B85108127D
SHA256: 9BF7026A47DAAB7BB2948FD23E8CF42C06DD2E19EF8CDEA0AF7367453674A8F9

PID: 6712
Process: 2025-05-16_e0208b836bef46077544149bd389e36f_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\3804396779.exe
Type: executable
MD5: B936F0F378B9A35489353E878154E899
SHA256: C6A7E484F4D84883BC1205BCCEA3114C0521025712922298EDE9B2A1CD632357

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1040.dll
Type: executable
MD5: 6310AB8FC9E3DBEE80592FC453A34FEE
SHA256: 7774F2436C96A70B0CDC8176883EE7A4614353F17AD61BFBD5A8D7A1906483D3

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.3082.dll
Type: executable
MD5: 41BB37A347121F3E5E88D85100638B79
SHA256: 320C305177AB4EC6E00883A2CF0886019B5D36557219E4A188CF9DF3768F157F

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1042.dll
Type: executable
MD5: 0D4FB4095EA49C1EC89B9E8DB0B936A3
SHA256: 7D86F3BA0232C2AC4B4FCE96E4CEBB23700312A032D5D0DB988EC6B358BE1686

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.exe
Type: executable
MD5: 520A6D1CBCC9CF642C625FE814C93C58
SHA256: 08966CE743AA1CBED0874933E104EF7B913188ECD8F0C679F7D8378516C51DA2

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\install.res.1036.dll
Type: executable
MD5: 5B6FF470CFA7087690E61F87E81EF78A
SHA256: 2D1C0A1B17266CFF3BE7D46CF3020B176E4A058FD7FC57F7B6B97E0760CC45DB

PID: 1764
Process: 3804396779.exe
Filename: C:\0ffa2de3564fcdc80e727cb2df61929b\eula.1040.txt
Type: text
MD5: 9147A93F43D8E58218EBCB15FDA888C9
SHA256: A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
HTTP(S) requests: 10
TCP/UDP connections: 53
DNS requests: 17
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6372
install.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6372 | install.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.78 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
uk.undernet.org | - | unknown
login.live.com | 20.190.160.22, 20.190.160.17, 20.190.160.14, 40.126.32.68, 20.190.160.65, 40.126.32.140, 40.126.32.76, 20.190.160.3 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info