File name:

2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn

Full analysis: https://app.any.run/tasks/3370fb53-dea1-468c-8aa7-9cfa92fe67c9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 16, 2025, 16:38:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: C8AF67DBBD81689CAD45A0F6F9640D7C
SHA1: 1379F2C3CB9F9D93519753D3F89D20734BD7C7D2
SHA256: 1DED3A261A6378B04233612E68F509FF34CA1D6B12C94B546E80331983A84180
SSDEEP: 98304:1cos0dvfCSyAnybAYMi/9CGS0TYYp/r2xfd1IVgQ3DBf14ryA3cKpEke75SffRbD:xoCZwN7E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
      • explorer.exe (PID: 6388)
      • svchost.exe (PID: 1132)
      • icsys.icn.exe (PID: 5960)
    • Actions look like stealing of personal data

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 6388)
      • svchost.exe (PID: 1132)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
    • Executable content was dropped or overwritten

      • icsys.icn.exe (PID: 5960)
      • explorer.exe (PID: 6388)
      • spoolsv.exe (PID: 5544)
      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
    • The process creates files with names similar to system file names

      • icsys.icn.exe (PID: 5960)
      • spoolsv.exe (PID: 5544)
    • Starts itself from another location

      • icsys.icn.exe (PID: 5960)
      • explorer.exe (PID: 6388)
      • svchost.exe (PID: 1132)
      • spoolsv.exe (PID: 5544)
      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
    • Reads Microsoft Outlook installation path

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
    • Reads Internet Explorer settings

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
    • Creates or modifies Windows services

      • svchost.exe (PID: 1132)
    • Reads security settings of Internet Explorer

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
  • INFO

    • Reads the computer name

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
      • svchost.exe (PID: 1132)
    • Creates files in a temporary directory

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
      • explorer.exe (PID: 6388)
      • spoolsv.exe (PID: 5544)
      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
      • svchost.exe (PID: 1132)
      • spoolsv.exe (PID: 5344)
      • icsys.icn.exe (PID: 5960)
    • Checks supported languages

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
      • icsys.icn.exe (PID: 5960)
      • spoolsv.exe (PID: 5544)
      • explorer.exe (PID: 6388)
      • svchost.exe (PID: 1132)
      • spoolsv.exe (PID: 5344)
    • The sample was compiled with English language support

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (PID: 1280)
    • Checks proxy server information

      • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  (PID: 1760)
      • slui.exe (PID: 3300)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 6388)
      • svchost.exe (PID: 1132)
    • Reads the software policy settings

      • slui.exe (PID: 3300)
    • Manual execution by a user

      • explorer.exe (PID: 4696)
      • svchost.exe (PID: 6028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 11
Malicious processes: 6
Suspicious processes: 0

Behavior graph

The interactive graph is available in the full report. Processes shown, in the order the graph lists them (#JEEFO marks the nodes carrying that detection tag; "no specs" is the graph's own label):
  • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (#JEEFO)
  • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe 
  • icsys.icn.exe (#JEEFO)
  • explorer.exe (#JEEFO)
  • spoolsv.exe
  • svchost.exe (#JEEFO)
  • spoolsv.exe (no specs)
  • explorer.exe (no specs)
  • svchost.exe (no specs)
  • slui.exe
  • 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1132 | CMD: c:\windows\resources\svchost.exe | Path: C:\Windows\Resources\svchost.exe | Parent process: spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 1280 | CMD: "C:\Users\admin\Desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe" | Path: C:\Users\admin\Desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 1760 | CMD: c:\users\admin\desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  | Path: C:\Users\admin\Desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  | Parent process: 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0
Modules
Images
c:\users\admin\desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 3300 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4696 | CMD: "C:\Users\admin\Desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe" | Path: C:\Users\admin\Desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4696 | CMD: c:\windows\resources\themes\explorer.exe RO | Path: C:\Windows\Resources\Themes\explorer.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5344 | CMD: c:\windows\resources\spoolsv.exe PR | Path: C:\Windows\Resources\spoolsv.exe | Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5544 | CMD: c:\windows\resources\spoolsv.exe SE | Path: C:\Windows\Resources\spoolsv.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5960 | CMD: C:\Windows\Resources\Themes\icsys.icn.exe | Path: C:\Windows\Resources\Themes\icsys.icn.exe | Parent process: 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6028 | CMD: c:\windows\resources\svchost.exe RO | Path: C:\Windows\Resources\svchost.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 4 434
Read events: 4 409
Write events: 21
Delete events: 4

Modification events

Process: (1280) 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write | Name: LO | Value: 1

Process: (5960) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write | Name: LO | Value: 1

Process: (1132) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write | Name: Explorer | Value: c:\windows\resources\themes\explorer.exe RO

Process: (1132) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write | Name: Svchost | Value: c:\windows\resources\svchost.exe RO

Process: (1132) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value | Name: Explorer | Value: (none)

Process: (1132) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value | Name: Svchost | Value: (none)

Process: (1760) 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\Media Get LLC\MediaGet2-systemScope\mediaget_info
Operation: write | Name: hasDownloadedUpdate | Value: false

Process: (1760) 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value: (empty)

Process: (1760) 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

Process: (1760) 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:
Executable files: 5
Suspicious files: 6
Text files: 4
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

1280 | 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
  MD5: AACEE4189FA88E13945DEB40DBDED0DE
  SHA256: C45574FF7AB03EA6AAE94C174993448209E248B0D40599F163D7F19D9A89C301
1280 | 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\Desktop\2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  | executable
  MD5: 4F8924342C66D328CE9D1ED7D5F4DE76
  SHA256: C57AD9E1B2051B3AA65348D14DD7A06175CC023A5E7B864C4BB299A0FC7C7AD5
5344 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DFD7240BDF953A4B2E.TMP | binary
  MD5: BC77453F341CAC48C41F34741F306DC5
  SHA256: F92F20CF344E3C812F42BEFCC288257B60E50E7C00B1B9B26E34D22205DE8CAF
6388 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable
  MD5: 888D483C85D671E91CB5244BC3766154
  SHA256: 7F18752F6B15D36F9EB85000405AFF78CCA10A16909AA502177D89940972E89D
1760 | 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  | C:\Users\admin\AppData\Local\Temp\mediaget-installer-tmp\Montserrat-Regular.eot | binary
  MD5: 2DD0A1DE870AF34D48D43B7CAD82B8D9
  SHA256: 057BC6C47C47AACCDF31ADC48A6B401F6090A02C28E354099EFF80907DC2AF32
5960 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable
  MD5: D5BB03873AF12082660BF39394264EB3
  SHA256: A442048B3032AA907CEF593E79FC3B9BDE8042009E61A8A554721E1F24690F82
1760 | 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  | C:\Users\admin\AppData\Local\Temp\mediaget-installer-tmp\translations.json | binary
  MD5: 6BA33F952140685737F59B236B151615
  SHA256: A0B16ED98035F40086ACC8D8FE5684D9F0A82C8B875D967078FA59072C36FABB
1280 | 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\AppData\Local\Temp\~DF26675C1CA6F7BC85.TMP | binary
  MD5: 7CE437C2D468EAF208F1E16E4D7638A8
  SHA256: 9302489F6A0D5EEC909E0B93FE46A3AA666C7DA6703261C4F3C945CF643D8BB7
5960 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DF7FB01DED2931C54B.TMP | binary
  MD5: A36F9B4BDA88AC1236054E39E7395803
  SHA256: 5ECA8AE9A2D533A91785DA48DCE84DE8080808FC402FAA7312F76544BBF7E48C
5544 | spoolsv.exe | C:\Windows\Resources\svchost.exe | executable
  MD5: EF85E4655425AD47FE6F4035C666B6A3
  SHA256: 00B88228365EC0A0F0DC7E6DDD7205E3422764B085FD7EEA93F395E9837F8E66
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 43
DNS requests: 18
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (each exported row carries eight of the ten fields, in the order shown)

4996 | RUXIMICS.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
4996 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
4996 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID and process not given in the export) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4996 | RUXIMICS.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
4996 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
1760 | 2025-05-16_c8af67dbbd81689cad45a0f6f9640d7c_amadey_black-basta_coinminer_elex_luca-stealer_smoke-loader_swisyn.exe  | 51.158.227.48:443 | mediaget.com | Online S.a.s. | FR | suspicious
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
900 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 2.18.121.147, 2.18.121.139, 23.48.23.156, 23.48.23.145, 23.48.23.158, 23.48.23.147, 23.48.23.160, 23.48.23.155, 23.48.23.168, 23.48.23.149, 23.48.23.157 | whitelisted
www.microsoft.com | 2.23.246.101, 23.35.229.160 | whitelisted
mediaget.com | 51.158.227.48, 51.158.129.110 | unknown
client.wns.windows.com | 172.211.123.248, 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.43 | whitelisted

Threats

No threats detected
No debug info