File name:

2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex

Full analysis: https://app.any.run/tasks/61fba339-46af-40c4-9887-09d42d11e6ab
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: July 06, 2025, 00:33:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-reg
botnet
phorpiex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

0214B0A1455EB6210A15256E6E3DF7CD

SHA1:

64EDC2C7A4E344D4308ED3765582D2E796BEC053

SHA256:

DE68838FDA356A41992D5222FB6B2C6399DD177A2D4492D5BF9506D73C640E54

SSDEEP:

98304:0n6F1AGKdcvnkNwJaUIeFHfbxgHXAkEKKgfuUf9:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
    • Changes the autorun value in the registry

      • 1861723657.exe (PID: 4020)
    • PHORPIEX has been detected (SURICATA)

      • sysparvadl.exe (PID: 5424)
    • Connects to the CnC server

      • sysparvadl.exe (PID: 5424)
    • PHORPIEX has been detected (YARA)

      • sysparvadl.exe (PID: 5424)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • sysparvadl.exe (PID: 5424)
      • 1805723035.exe (PID: 6536)
    • Executable content was dropped or overwritten

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • 1861723657.exe (PID: 4020)
      • 296316545.exe (PID: 5432)
    • Connects to the server without a host name

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • sysparvadl.exe (PID: 5424)
    • Process requests binary or script from the Internet

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
    • Starts itself from another location

      • 1861723657.exe (PID: 4020)
    • Potential Corporate Privacy Violation

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
    • Contacting a server suspected of hosting an CnC

      • sysparvadl.exe (PID: 5424)
    • Starts CMD.EXE for commands execution

      • 1805723035.exe (PID: 6536)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5012)
      • cmd.exe (PID: 1300)
      • cmd.exe (PID: 3672)
      • cmd.exe (PID: 1212)
      • cmd.exe (PID: 5808)
      • cmd.exe (PID: 3780)
      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 6368)
    • Connects to unusual port

      • sysparvadl.exe (PID: 5424)
  • INFO

    • The sample compiled with english language support

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 296316545.exe (PID: 5432)
    • Checks supported languages

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • 1861723657.exe (PID: 4020)
      • sysparvadl.exe (PID: 5424)
      • sysparvadl.exe (PID: 5548)
      • 1805723035.exe (PID: 6536)
      • 296316545.exe (PID: 5432)
      • 260959749.exe (PID: 5564)
    • Reads the computer name

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • sysparvadl.exe (PID: 5424)
      • 1805723035.exe (PID: 6536)
    • Checks proxy server information

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • sysparvadl.exe (PID: 5424)
      • slui.exe (PID: 7108)
    • Creates files or folders in the user directory

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • sysparvadl.exe (PID: 5424)
      • 296316545.exe (PID: 5432)
    • Create files in a temporary directory

      • 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe (PID: 4192)
      • 5E2D.exe (PID: 4576)
      • sysparvadl.exe (PID: 5424)
      • 1805723035.exe (PID: 6536)
    • Failed to create an executable file in Windows directory

      • 1861723657.exe (PID: 4020)
    • Launching a file from a Registry key

      • 1861723657.exe (PID: 4020)
    • Manual execution by a user

      • sysparvadl.exe (PID: 5548)
    • Process checks computer location settings

      • 1805723035.exe (PID: 6536)
    • Reads the software policy settings

      • slui.exe (PID: 7108)
    • Reads the machine GUID from the registry

      • sysparvadl.exe (PID: 5424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 15:50:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1335296
InitializedDataSize: 670720
UninitializedDataSize: -
EntryPoint: 0x1ed000
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.0
ProductVersionNumber: 1.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Javad Taheri
FileDescription: Keyboard Test Utility Application
FileVersion: 1.0.1
InternalName: KeyboardTestUtility.exe
LegalCopyright: Copyright © 2014 Javad Taheri. All rights reserved.
OriginalFileName: KeyboardTestUtility.exe
ProductName: Keyboard Test Utility
ProductVersion: 1.0.1
E-mail: [email protected]
No data.
All screenshots are available in the full report
Total processes
164
Monitored processes
33
Malicious processes
4
Suspicious processes
1

Behavior graph

start
2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
5e2d.exe
1861723657.exe
#PHORPIEX sysparvadl.exe
sysparvadl.exe (no specs)
1805723035.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
taskkill.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
taskkill.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
taskkill.exe (no specs)
taskkill.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
taskkill.exe (no specs)
taskkill.exe (no specs)
taskkill.exe (no specs)
taskkill.exe (no specs)
296316545.exe
slui.exe
260959749.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID 768 | CMD: taskkill /F /IM dwm.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 1164 | CMD: taskkill /F /IM conhost.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 1212 | CMD: "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: 1805723035.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1300 | CMD: "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: 1805723035.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1564 | CMD: taskkill /F /IM conhost.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 1760 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3460 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3488 | CMD: taskkill /F /IM conhost.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 3580 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3620 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
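The process rows above show the pattern worth detecting on a live host: a dropped binary (1805723035.exe) spawning cmd.exe /c taskkill /F against dwm.exe and conhost.exe, with the dwm.exe attempts returning exit code 1. The Python below is an added example, not part of the ANY.RUN report: it rebuilds the chain from process-creation records and flags forced kills of watched images whose ancestry leads back to a binary outside C:\Windows. PIDs, image paths, command lines and exit codes are transcribed from this page; the parent PIDs of the taskkill.exe processes, the command lines of cmd.exe 3672 and 5808, the on-disk path of the submitted sample, and the parent links that follow the behavior graph order are marked ASSUMED because the report does not state them.

```python
"""Rebuild the process chain behind the taskkill.exe rows and flag forced kills.

Added example, not part of the ANY.RUN report. Entries marked ASSUMED are not
stated in the report and are filled in only so the chain can be walked end to end.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline exit_code")

EVENTS = [
    Proc(4192, 0, r"C:\Users\admin\Desktop\2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe",
         "2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe", None),  # path ASSUMED
    Proc(4576, 4192, r"C:\Users\admin\AppData\Local\Temp\5E2D.exe", "5E2D.exe", None),              # parent per behavior graph
    Proc(4020, 4576, r"C:\Users\admin\AppData\Local\Temp\1861723657.exe", "1861723657.exe", None),  # parent per behavior graph
    Proc(5424, 4020, r"C:\Users\admin\sysparvadl.exe", "sysparvadl.exe", None),                     # parent per behavior graph
    Proc(6536, 5424, r"C:\Users\admin\AppData\Local\Temp\1805723035.exe", "1805723035.exe", None),  # parent ASSUMED (5424 wrote it)
    Proc(1212, 6536, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe', 1),
    Proc(1300, 6536, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe', 1),
    Proc(3672, 6536, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe', None),  # cmdline ASSUMED
    Proc(5808, 6536, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe', None),  # cmdline ASSUMED
    Proc(768, 1212, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM dwm.exe", 1),       # ppid ASSUMED
    Proc(1164, 3672, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM conhost.exe", 0),  # ppid ASSUMED
    Proc(1564, 5808, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM conhost.exe", 1),  # ppid ASSUMED
]

IM_RE = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)
FORCE_RE = re.compile(r"(?:^|\s)/F(?:\s|$)", re.IGNORECASE)
WATCHED = {"dwm.exe", "conhost.exe"}  # the two targets seen on this page


def by_pid(events):
    return {e.pid: e for e in events}


def ancestry(events, pid):
    """PIDs from `pid` up to the root, stopping when the parent is unknown or the chain loops."""
    index = by_pid(events)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = index[pid].ppid
    return chain


def forced_kill_target(cmdline):
    """Image named by `taskkill /F /IM <image>`, or None when the line is not a forced kill."""
    m = IM_RE.search(cmdline)
    if m and FORCE_RE.search(cmdline):
        return m.group(1).lower()
    return None


def is_windows_binary(image):
    return image.lower().startswith("c:\\windows\\")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def flag_forced_kills(events, watched=WATCHED):
    """One finding per taskkill.exe that force-kills a watched image from a non-Windows ancestry."""
    index = by_pid(events)
    findings = []
    for e in events:
        if basename(e.image) != "taskkill.exe":
            continue
        target = forced_kill_target(e.cmdline)
        if target not in watched:
            continue
        chain = ancestry(events, e.pid)
        # nearest ancestor that is not a Windows binary: the thing that actually wanted the kill
        origin = next((index[p].image for p in chain if not is_windows_binary(index[p].image)), None)
        if origin is None:
            continue  # an all-Windows chain killing dwm.exe is an operator action, not this pattern
        findings.append({
            "pid": e.pid,
            "target": target,
            "origin": origin,
            "root": index[chain[-1]].image,
            "succeeded": e.exit_code == 0,
        })
    return findings


if __name__ == "__main__":
    for f in flag_forced_kills(EVENTS):
        print(f["pid"], f["target"], "ok" if f["succeeded"] else "failed", "<-", f["origin"])
```

Matching on the taskkill.exe row keeps one finding per kill; if your telemetry does not record taskkill.exe itself, run forced_kill_target over the cmd.exe /c command lines instead, which carry the same string. The non-zero exit codes on the dwm.exe attempts are consistent with a medium-integrity process being refused access to a process running under another account, so a failed kill is still a useful signal.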
Total events
8 849
Read events
8 831
Write events
18
Delete events
0

Modification events

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4192) 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4576) 5E2D.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4576) 5E2D.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4576) 5E2D.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
6
Suspicious files
8
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 4192 | Process: 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe | Filename: C:\Users\admin\AppData\Local\Temp\5E2D.exe | Type: executable
MD5: 447898443BDADC94B975F51A9FFFBDBD
SHA256: 748F26CD2090EBE98470E1D1EE6B5019EF6B49BDF44D3A9012EA92EB9D625AE0

PID 5424 | Process: sysparvadl.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\1[1] | Type: binary
MD5: 97575AB0211376DE58C2E309BF46CA5F
SHA256: D83A00E0A92C5999C906A3F3DCB6727B6243A52C6BFA710B45DF99A903DE2FAA

PID 4020 | Process: 1861723657.exe | Filename: C:\Users\admin\sysparvadl.exe | Type: executable
MD5: 03045E36ACEECF393EE8E1B73B995484
SHA256: 1507D9D4F99AF6A4601DA2B7C4B2C346411ED328919EFB103DA874D22A25E0A5

PID 5424 | Process: sysparvadl.exe | Filename: C:\Users\admin\tbtnds.dat | Type: binary
MD5: 9333D7B16979DE096BA525B913B70CC8
SHA256: 0DE22BBC54F967A3F48176D840E526ABA1986DA60C1B83C4C4D324147D4692D0

PID 5424 | Process: sysparvadl.exe | Filename: C:\Users\admin\AppData\Local\Temp\260959749.exe | Type: binary
MD5: 82F3FF5835E2B77E42664E4E74FF32B3
SHA256: F0FE0585B5F0F62DC16E010E3E6A7831DBB144CA1FB0BD567B00AA8637C14645

PID 5424 | Process: sysparvadl.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\3[1] | Type: binary
MD5: 82F3FF5835E2B77E42664E4E74FF32B3
SHA256: F0FE0585B5F0F62DC16E010E3E6A7831DBB144CA1FB0BD567B00AA8637C14645

PID 5424 | Process: sysparvadl.exe | Filename: C:\Users\admin\AppData\Local\Temp\1805723035.exe | Type: binary
MD5: 97575AB0211376DE58C2E309BF46CA5F
SHA256: D83A00E0A92C5999C906A3F3DCB6727B6243A52C6BFA710B45DF99A903DE2FAA

PID 4576 | Process: 5E2D.exe | Filename: C:\Users\admin\AppData\Local\Temp\1861723657.exe | Type: executable
MD5: 03045E36ACEECF393EE8E1B73B995484
SHA256: 1507D9D4F99AF6A4601DA2B7C4B2C346411ED328919EFB103DA874D22A25E0A5

PID 4192 | Process: 2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe | Filename: C:\Users\admin\AppData\Local\Temp\WINGDNG3.TTF | Type: binary
MD5: 9E2EE65661BEE40438D514FE592BFCF8
SHA256: AC9EE085920A3D8B076D5E0C61DC9DF42C4BAC28D1FC968344F9CEDDB3972F69

PID 4576 | Process: 5E2D.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\newtpp[1].exe | Type: executable
MD5: 03045E36ACEECF393EE8E1B73B995484
SHA256: 1507D9D4F99AF6A4601DA2B7C4B2C346411ED328919EFB103DA874D22A25E0A5
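Ten dropped files in the table above collapse to far fewer payloads once grouped by hash: the same SHA256 appears as 1861723657.exe in Temp, as sysparvadl.exe in the user profile, and as newtpp[1].exe in the WinINet cache, and the two Temp binaries that later execute are byte-identical to cache entries 1[1] and 3[1]. Note also that the submitted file name mentions ransomware and DarkGate, while every signature on this page (tags, YARA, Suricata) names Phorpiex; the file name is submitter metadata, not a verdict. The Python below is an added example, not part of the ANY.RUN report: it groups the rows by hash, lists the aliases each payload was written under, recovers the URL file name from the WinINet cache name (cache entries take the last URL path segment plus a [n] suffix), and lists what was written outside Temp and the cache as persistence candidates. The rows are transcribed from this page.

```python
"""Correlate the sandbox's dropped-file table by content hash.

Added example, not part of the ANY.RUN report. DROPPED is transcribed from the
"Dropped files" table on this page: (PID, writing process, path, sandbox type, SHA256).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe"
CACHE = r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE"
TEMP = r"C:\Users\admin\AppData\Local\Temp"

DROPPED = [
    (4192, SAMPLE, TEMP + r"\5E2D.exe", "executable",
     "748F26CD2090EBE98470E1D1EE6B5019EF6B49BDF44D3A9012EA92EB9D625AE0"),
    (5424, "sysparvadl.exe", CACHE + r"\RR3E01RZ\1[1]", "binary",
     "D83A00E0A92C5999C906A3F3DCB6727B6243A52C6BFA710B45DF99A903DE2FAA"),
    (4020, "1861723657.exe", r"C:\Users\admin\sysparvadl.exe", "executable",
     "1507D9D4F99AF6A4601DA2B7C4B2C346411ED328919EFB103DA874D22A25E0A5"),
    (5424, "sysparvadl.exe", r"C:\Users\admin\tbtnds.dat", "binary",
     "0DE22BBC54F967A3F48176D840E526ABA1986DA60C1B83C4C4D324147D4692D0"),
    (5424, "sysparvadl.exe", TEMP + r"\260959749.exe", "binary",
     "F0FE0585B5F0F62DC16E010E3E6A7831DBB144CA1FB0BD567B00AA8637C14645"),
    (5424, "sysparvadl.exe", CACHE + r"\RR3E01RZ\3[1]", "binary",
     "F0FE0585B5F0F62DC16E010E3E6A7831DBB144CA1FB0BD567B00AA8637C14645"),
    (5424, "sysparvadl.exe", TEMP + r"\1805723035.exe", "binary",
     "D83A00E0A92C5999C906A3F3DCB6727B6243A52C6BFA710B45DF99A903DE2FAA"),
    (4576, "5E2D.exe", TEMP + r"\1861723657.exe", "executable",
     "1507D9D4F99AF6A4601DA2B7C4B2C346411ED328919EFB103DA874D22A25E0A5"),
    (4192, SAMPLE, TEMP + r"\WINGDNG3.TTF", "binary",
     "AC9EE085920A3D8B076D5E0C61DC9DF42C4BAC28D1FC968344F9CEDDB3972F69"),
    (4576, "5E2D.exe", CACHE + r"\KCV3KQBA\newtpp[1].exe", "executable",
     "1507D9D4F99AF6A4601DA2B7C4B2C346411ED328919EFB103DA874D22A25E0A5"),
]

# WinINet names cache entries "<url basename>[<n>]<ext>"; strip the [n] to get the URL name back
CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.\\]*$|$)")


def basename(path):
    return PureWindowsPath(path).name


def group_by_hash(rows):
    groups = defaultdict(list)
    for row in rows:
        groups[row[4]].append(row)
    return dict(groups)


def unique_hashes(rows):
    """Distinct payloads, the list worth blocking rather than the ten file names."""
    return sorted(group_by_hash(rows))


def payload_aliases(rows):
    """SHA256 -> sorted file names, only for hashes that were written under more than one name."""
    out = {}
    for sha, grp in group_by_hash(rows).items():
        names = sorted({basename(r[2]) for r in grp})
        if len(names) > 1:
            out[sha] = names
    return out


def wininet_origin_name(path):
    """For a WinINet cache entry, the file name as it appeared in the fetched URL; else None."""
    if "INetCache" not in PureWindowsPath(path).parts:
        return None
    return CACHE_SUFFIX.sub("", basename(path))


def download_origins(rows):
    """SHA256 -> URL file name, for every payload that arrived through the WinINet cache."""
    return {r[4]: wininet_origin_name(r[2]) for r in rows if wininet_origin_name(r[2]) is not None}


def written_outside_temp(rows):
    """Paths written anywhere other than %TEMP% or the cache: the persistence candidates."""
    return [r[2] for r in rows
            if "Temp" not in PureWindowsPath(r[2]).parts
            and "INetCache" not in PureWindowsPath(r[2]).parts]


if __name__ == "__main__":
    for sha, names in payload_aliases(DROPPED).items():
        print(sha[:12], "->", ", ".join(names))
    print("persistence candidates:", written_outside_temp(DROPPED))
```

The cache name tells you the URL file name even when the HTTP table is truncated: newtpp[1].exe was fetched as newtpp.exe, and 1[1] and 3[1] as bare /1 and /3 paths, which matches the extension-less /2 requests the HTTP section does list.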
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
47
DNS requests
8
Threats
42

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4084
RUXIMICS.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4192
2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
GET
200
45.141.233.6:80
http://45.141.233.6/32.exe
unknown
malicious
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5424
sysparvadl.exe
GET
404
176.46.157.47:80
http://176.46.157.47/2
unknown
5424
sysparvadl.exe
GET
200
45.141.233.6:80
http://45.141.233.6/2
unknown
malicious
5424
sysparvadl.exe
GET
45.141.233.6:80
http://45.141.233.6/2
unknown
malicious
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4576
5E2D.exe
GET
200
45.141.233.6:80
http://45.141.233.6/peinstall.php
unknown
malicious
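The HTTP rows above carry the two signals the Suricata alerts in the Threats section are built on: executables fetched from a bare IP (45.141.233.6/32.exe) and PE content served from paths with no executable extension (/2, /peinstall.php). They also show a fallback between hosts, the same /2 path tried at 176.46.157.47 (404) and then at 45.141.233.6 (200), so blocking only the first IP seen is not enough. The Python below is an added example, not part of the ANY.RUN report: it flags requests to dotted-quad hosts, checks response bodies for an MZ header, and extracts the non-whitelisted IPs, URLs and requesting processes as IOCs. REQUESTS is transcribed from the table above; SAMPLE_BODIES is constructed to illustrate the MZ check, since the page shows no response bodies.

```python
"""Triage sandbox HTTP rows: dotted-quad hosts, MZ responses, IOC extraction.

Added example, not part of the ANY.RUN report. REQUESTS is transcribed from the
"HTTP requests" table on this page (PID, process, method, status, ip:port, URL,
reputation; None where the page shows no value). SAMPLE_BODIES is constructed.
"""
import ipaddress
from urllib.parse import urlsplit

SAMPLE = "2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe"

REQUESTS = [
    (4084, "RUXIMICS.exe", "GET", 200, "23.53.40.178:80",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", "whitelisted"),
    (4192, SAMPLE, "GET", 200, "45.141.233.6:80", "http://45.141.233.6/32.exe", "malicious"),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "184.30.21.171:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl", "whitelisted"),
    (5424, "sysparvadl.exe", "GET", 404, "176.46.157.47:80", "http://176.46.157.47/2", None),
    (5424, "sysparvadl.exe", "GET", 200, "45.141.233.6:80", "http://45.141.233.6/2", "malicious"),
    (5424, "sysparvadl.exe", "GET", None, "45.141.233.6:80", "http://45.141.233.6/2", "malicious"),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "23.53.40.178:80",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", "whitelisted"),
    (1268, "svchost.exe", "GET", 200, "23.53.40.178:80",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", "whitelisted"),
    (1268, "svchost.exe", "GET", 200, "184.30.21.171:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl", "whitelisted"),
    (4576, "5E2D.exe", "GET", 200, "45.141.233.6:80", "http://45.141.233.6/peinstall.php", "malicious"),
]

# Constructed stand-ins for response bodies (the page shows none): a 64-byte DOS-header stub
# for the three payload fetches, an HTML page for the 404.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_BODIES = {
    "http://45.141.233.6/32.exe": PE_STUB,
    "http://45.141.233.6/2": PE_STUB,
    "http://45.141.233.6/peinstall.php": PE_STUB,
    "http://176.46.157.47/2": b"<html>404 Not Found</html>",
}


def is_dotted_quad_host(url):
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(urlsplit(url).hostname)
        return True
    except (ValueError, TypeError):
        return False


def is_pe(body):
    """MZ magic plus a full DOS header is the cheapest 'this is a Windows executable' check."""
    return len(body) >= 0x40 and body[:2] == b"MZ"


def flag_downloads(rows, bodies):
    """(pid, url, reasons) for every successful non-whitelisted fetch that looks like a payload."""
    out = []
    for pid, _proc, _method, status, _ipport, url, rep in rows:
        if rep == "whitelisted" or status != 200:
            continue
        reasons = []
        if is_dotted_quad_host(url):
            reasons.append("dotted-quad host")
        if is_pe(bodies.get(url, b"")):
            reasons.append("MZ response")
            if not urlsplit(url).path.lower().endswith((".exe", ".dll")):
                reasons.append("PE without executable extension")
        if reasons:
            out.append((pid, url, reasons))
    return out


def extract_iocs(rows):
    """IPs, URLs and requesting processes from every row the sandbox did not whitelist."""
    ips, urls, procs = set(), set(), set()
    for _pid, proc, _method, _status, ipport, url, rep in rows:
        if rep == "whitelisted":
            continue
        ips.add(ipport.rsplit(":", 1)[0])
        urls.add(url)
        procs.add(proc)
    return {"ips": sorted(ips, key=ipaddress.IPv4Address), "urls": sorted(urls), "processes": sorted(procs)}


if __name__ == "__main__":
    for pid, url, reasons in flag_downloads(REQUESTS, SAMPLE_BODIES):
        print(pid, url, ";".join(reasons))
    print(extract_iocs(REQUESTS))
```

The 404 row is deliberately not whitelisted by the sandbox and still lands in the IOC set: the host that refused to serve /2 is part of the same distribution infrastructure as the one that did.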

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4084
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4192
2025-07-06_0214b0a1455eb6210a15256e6e3df7cd_bkransomware_darkgate_elex.exe
45.141.233.6:80
Euro Crypt EOOD
DE
malicious
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4084
RUXIMICS.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4084
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
www.update.microsoft.com
  • 132.196.74.18
whitelisted
self.events.data.microsoft.com
  • 51.11.192.49
whitelisted

Threats

PID
Process
Class
Message
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
A Network Trojan was detected
ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
A Network Trojan was detected
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Phorpiex CnC Communication
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
No debug info