File name:

2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe

Full analysis: https://app.any.run/tasks/1e2e7b53-ae5c-4ea1-a199-019d967f297c
Verdict: Malicious activity
Analysis date: July 15, 2025, 04:38:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

A0FAD5AA33AF175D3A2DF5D971A495B4

SHA1:

A46D7773620C84649BC4DD488B57EA69572472BC

SHA256:

2ABECB9C076C4DFBC186D6B287ED24B86B825ED28CC20221E232B28E67B09AE2

SSDEEP:

196608:jBq3bsG/qhW7QyreqdxhUcNKpGV7CGD/vNsdG:jObFqwJreqjh4pGVGGDnmdG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • icsys.icn.exe (PID: 6400)
      • svchost.exe (PID: 1336)
      • explorer.exe (PID: 5116)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 5116)
      • svchost.exe (PID: 1336)
  • SUSPICIOUS

    • Starts itself from another location

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • icsys.icn.exe (PID: 6400)
      • explorer.exe (PID: 5116)
      • spoolsv.exe (PID: 5564)
      • svchost.exe (PID: 1336)
    • Starts application with an unusual extension

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Executable content was dropped or overwritten

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • icsys.icn.exe (PID: 6400)
      • explorer.exe (PID: 5116)
      • spoolsv.exe (PID: 5564)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 6400)
      • spoolsv.exe (PID: 5564)
    • Process drops python dynamic module

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Process drops legitimate windows executable

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Application launched itself

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Reads the BIOS version

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 4528)
    • Loads Python modules

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 4528)
    • Creates or modifies Windows services

      • svchost.exe (PID: 1336)
    • The process drops C-runtime libraries

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
  • INFO

    • The sample compiled with english language support

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • icsys.icn.exe (PID: 6400)
      • explorer.exe (PID: 5116)
      • spoolsv.exe (PID: 5564)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Create files in a temporary directory

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • icsys.icn.exe (PID: 6400)
      • explorer.exe (PID: 5116)
      • spoolsv.exe (PID: 5564)
      • svchost.exe (PID: 1336)
      • spoolsv.exe (PID: 2632)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Checks supported languages

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (PID: 424)
      • icsys.icn.exe (PID: 6400)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
      • explorer.exe (PID: 5116)
      • spoolsv.exe (PID: 5564)
      • spoolsv.exe (PID: 2632)
      • svchost.exe (PID: 1336)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 4528)
    • Process checks whether UAC notifications are on

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 4528)
    • Reads the computer name

      • svchost.exe (PID: 1336)
      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Creates files in the program directory

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5720)
    • Manual execution by a user

      • svchost.exe (PID: 1036)
      • explorer.exe (PID: 952)
      • explorer.exe (PID: 684)
    • Launching a file from a Registry key

      • explorer.exe (PID: 5116)
      • svchost.exe (PID: 1336)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (PID: 4528)
    • Checks proxy server information

      • slui.exe (PID: 1612)
    • Reads the software policy settings

      • slui.exe (PID: 1612)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
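The EXIF block above is ExifTool's rendering of the COFF file header and the PE32 optional header. As an added example (not part of the ANY.RUN report and not the sample's own bytes), the following Python builds a header-only PE32 image carrying the reported values and parses it back with struct. Offsets and flag bits come from the PE/COFF format; fields the report does not show (alignments, image base, stack and heap sizes) are filler, and the "Sections" count of 3 is taken from the "File info" line. Passing a real file's bytes to parse_pe_header gives the same fields for your own sample.

```python
"""Parse the PE header fields that ExifTool reports (added example, constructed header)."""
import calendar
import datetime
import struct

# IMAGE_FILE_HEADER.Characteristics bits, labelled the way ExifTool prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}

COFF_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes
# PE32 optional header without the data directories, 96 bytes.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6


def build_min_pe(timestamp, characteristics=0x010F, linker=(6, 0), code_size=106496,
                 init_data=12288, entry=0x290C, subsystem=2, sections=3):
    """Header-only PE32 image: DOS header, PE signature, COFF header, optional header.
    Values the report does not show are filler and not meaningful."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_FMT, 0x014C, sections, timestamp, 0, 0,
                       struct.calcsize(OPT_FMT), characteristics)
    opt = struct.pack(OPT_FMT,
                      0x10B, linker[0], linker[1],                      # magic, linker major/minor
                      code_size, init_data, 0, entry, 0x1000, 0x1B000,  # sizes, entry, code/data base
                      0x400000, 0x1000, 0x200,                          # image base, alignments
                      4, 0, 1, 0, 4, 0,                                 # OS, image, subsystem versions
                      0, 0x20000, 0x400, 0,                             # win32 ver, image/headers size, checksum
                      subsystem, 0,                                     # subsystem, DLL characteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)        # stack/heap, loader flags, RVA count
    return bytes(dos) + b"PE\0\0" + coff + opt


def parse_pe_header(data):
    """Return the header fields ExifTool shows, keyed by ExifTool's field names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT_FMT, data, e_lfanew + 4 + struct.calcsize(COFF_FMT))
    if opt[0] != 0x10B:
        raise ValueError("not PE32; PE32+ (0x20b) lays out the optional header differently")
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStamp": when.strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(label for bit, label in CHARACTERISTICS if chars & bit),
        "PEType": "PE32",
        "LinkerVersion": f"{opt[1]}.{opt[2]}",
        "CodeSize": opt[3],
        "InitializedDataSize": opt[4],
        "UninitializedDataSize": opt[5],
        "EntryPoint": hex(opt[6]),
        "OSVersion": f"{opt[12]}.{opt[13]}",
        "ImageVersion": f"{opt[14]}.{opt[15]}",
        "SubsystemVersion": f"{opt[16]}.{opt[17]}",
        "Subsystem": SUBSYSTEMS.get(opt[22], opt[22]),
    }


# Header carrying the values from the EXIF block (constructed here, not the sample's bytes).
REPORTED_HEADER = build_min_pe(calendar.timegm((2013, 4, 1, 7, 8, 22)))

if __name__ == "__main__":
    for key, value in parse_pe_header(REPORTED_HEADER).items():
        print(f"{key}: {value}")
```

parse_pe_header rejects PE32+ on purpose: its optional header carries 64-bit ImageBase and stack/heap fields, so the offsets used here would read the wrong words. The TimeStamp is the linker's TimeDateStamp and is trivially forgeable; a 2013 stamp on a file first seen in 2025 is a triage prompt, not evidence of anything by itself.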
Total processes: 135
Monitored processes: 14
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process nodes in the order the graph lists them ("#JEEFO" marks nodes matched by the Jeefo signature; "no specs" marks nodes without specific indicators):

  #JEEFO 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe
  2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (copy whose file name ends with a space)
  #JEEFO icsys.icn.exe
  conhost.exe (no specs)
  #JEEFO explorer.exe
  spoolsv.exe
  #JEEFO svchost.exe
  spoolsv.exe (no specs)
  2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (trailing-space copy; no specs)
  explorer.exe (no specs)
  svchost.exe (no specs)
  explorer.exe (no specs)
  slui.exe
  2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe (no specs)

Process information

The table as captured covers 10 of the 14 monitored processes; PIDs 5116, 5564, 5720 and 6400 appear only in the signature and dropped-file lists. The original sample and its explorer.exe, svchost.exe and spoolsv.exe copies are 32-bit images running under WOW64 that load msvbvm60.dll, the Visual Basic 6 runtime; the copy whose name ends with a space (PID 4528) is a native 64-bit process and loads no VB runtime. The four instances started at MEDIUM integrity (684, 952, 1036, 4320) load nothing beyond ntdll.dll and exit with 3221226540 = 0xC000042C, STATUS_ELEVATION_REQUIRED; only the HIGH-integrity instances ran further.

PID 424
  CMD: "C:\Users\admin\Desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe"
  Path: C:\Users\admin\Desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Version: 1.00
  Modules:
    c:\users\admin\desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvbvm60.dll

PID 684
  CMD: c:\windows\resources\themes\explorer.exe RO
  Path: C:\Windows\Resources\Themes\explorer.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.00
  Modules:
    c:\windows\resources\themes\explorer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 952
  CMD: c:\windows\resources\themes\explorer.exe RO
  Path: C:\Windows\Resources\Themes\explorer.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.00
  Modules:
    c:\windows\resources\themes\explorer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 1036
  CMD: c:\windows\resources\svchost.exe RO
  Path: C:\Windows\Resources\svchost.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.00
  Modules:
    c:\windows\resources\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 1336
  CMD: c:\windows\resources\svchost.exe
  Path: C:\Windows\Resources\svchost.exe
  Parent process: spoolsv.exe
  User: admin
  Integrity level: HIGH
  Exit code: (still running at the end of the analysis)
  Version: 1.00
  Modules:
    c:\windows\resources\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvbvm60.dll

PID 1612
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows Activation Client
  Integrity level: MEDIUM
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 2632
  CMD: c:\windows\resources\spoolsv.exe PR
  Path: C:\Windows\Resources\spoolsv.exe
  Parent process: svchost.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Version: 1.00
  Modules:
    c:\windows\resources\spoolsv.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvbvm60.dll

PID 4320
  CMD: "C:\Users\admin\Desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe"
  Path: C:\Users\admin\Desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.00
  Modules:
    c:\users\admin\desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 4528
  CMD: c:\users\admin\desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (file name ends with a trailing space; this is the copy dropped by PID 424, not the original sample)
  Path: C:\Users\admin\Desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (trailing space)
  Parent process: 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (the trailing-space copy)
  User: admin
  Integrity level: HIGH
  Exit code: 1
  Modules:
    c:\users\admin\desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (trailing space)
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll

PID 5060
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: 2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  (the trailing-space copy)
  User: admin
  Company: Microsoft Corporation
  Description: Console Window Host
  Integrity level: HIGH
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
Total events: 4 142
Read events: 4 123
Write events: 15
Delete events: 4

Modification events

PID 424 (2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
  Operation: write   Name: LO   Value: 1

PID 6400 (icsys.icn.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
  Operation: write   Name: LO   Value: 1

PID 5116 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write   Name: Explorer   Value: c:\windows\resources\themes\explorer.exe RO

PID 5116 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write   Name: Svchost   Value: c:\windows\resources\svchost.exe RO

PID 5116 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value   Name: Explorer

PID 5116 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value   Name: Svchost

PID 1336 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write   Name: Explorer   Value: c:\windows\resources\themes\explorer.exe RO

PID 1336 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write   Name: Svchost   Value: c:\windows\resources\svchost.exe RO

PID 1336 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value   Name: Explorer

PID 1336 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value   Name: Svchost

The "VB and VBA Program Settings" key is where the VB6 runtime's SaveSetting call stores values, so Explorer\Process\LO = 1 is a state flag kept by the sample itself. Both infected copies delete the Explorer and Svchost values from Run and write the same commands under RunOnce; a RunOnce value is removed when it is processed, so this persistence is re-armed on every execution rather than set once.
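The rows above show a re-arming pattern rather than a one-off autorun write. As an added example (not part of the ANY.RUN report), the following Python triages such registry events: it flags autorun writes whose image lives outside an assumed set of trusted directories, and pairs each deletion from Run with a RunOnce write of the same value name by the same process. The event tuples are constructed from the rows above; their layout and the TRUSTED_DIRS baseline are assumptions for this example, not an ANY.RUN export format.

```python
"""Triage registry events for autorun persistence (added example; event layout is assumed)."""
import ntpath

SAMPLE = "2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe"
VB_SETTINGS = r"HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = RUN + "Once"

# Autorun key suffixes, matched case-insensitively so both the native and the WOW6432Node views count.
AUTORUN_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")
# Directories from which an autorun image is tolerated (assumed baseline; tune per environment).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

# (pid, process, key, operation, value name, data): constructed from the modification events above.
EVENTS = [
    (424, SAMPLE, VB_SETTINGS, "write", "LO", "1"),
    (6400, "icsys.icn.exe", VB_SETTINGS, "write", "LO", "1"),
    (5116, "explorer.exe", RUNONCE, "write", "Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    (5116, "explorer.exe", RUNONCE, "write", "Svchost", r"c:\windows\resources\svchost.exe RO"),
    (5116, "explorer.exe", RUN, "delete value", "Explorer", ""),
    (5116, "explorer.exe", RUN, "delete value", "Svchost", ""),
    (1336, "svchost.exe", RUNONCE, "write", "Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    (1336, "svchost.exe", RUNONCE, "write", "Svchost", r"c:\windows\resources\svchost.exe RO"),
    (1336, "svchost.exe", RUN, "delete value", "Explorer", ""),
    (1336, "svchost.exe", RUN, "delete value", "Svchost", ""),
]


def autorun_kind(key):
    """'run', 'runonce', or None for keys that are not autorun keys."""
    k = key.lower()
    for suffix in AUTORUN_SUFFIXES:
        if k.endswith(suffix):
            return suffix.rsplit("\\", 1)[1]
    return None


def split_command(data):
    """Split an autorun command line into (image, arguments).
    Quoted images are handled. An unquoted path containing spaces is ambiguous (CreateProcess
    tries each space-delimited prefix in turn); this example just takes the first token."""
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        end = len(s) if end == -1 else end
        return s[1:end], s[end + 1:].strip()
    image, _, args = s.partition(" ")
    return image, args.strip()


def in_trusted_dir(image):
    d = ntpath.dirname(image.lower())
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def triage(events):
    findings = []
    deleted_from_run = set()   # (pid, value name)
    written_to_runonce = {}    # (pid, value name) -> image path
    for pid, proc, key, op, name, data in events:
        kind = autorun_kind(key)
        if kind is None:
            continue
        if op == "write":
            image, args = split_command(data)
            if not in_trusted_dir(image):
                findings.append({"kind": "autorun_untrusted_path", "pid": pid, "process": proc,
                                 "key": kind, "value": name, "image": image, "args": args})
            if kind == "runonce":
                written_to_runonce[(pid, name)] = image
        elif op == "delete value" and kind == "run":
            deleted_from_run.add((pid, name))
    # The same process deletes a value from Run and re-creates it under RunOnce. RunOnce values
    # are removed as they are processed, so the persistence is re-armed on every execution.
    for pid, name in sorted(deleted_from_run & set(written_to_runonce)):
        findings.append({"kind": "run_to_runonce_rearm", "pid": pid, "value": name,
                         "image": written_to_runonce[(pid, name)]})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The WOW6432Node view matters here: a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected to it, and Windows processes both views at logon, so a monitor that matches only the native key path would miss every write this sample makes.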
Executable files: 68
Suspicious files: 11
Text files: 1
Unknown types: 0

Dropped files

PID 6400 (icsys.icn.exe)
  C:\Windows\Resources\Themes\explorer.exe  [executable]
  MD5: 4676A38F750EF888A5F122134EFE90E1
  SHA256: 80A47CDBC9FB168F17BB271E82CD873BEAC7D5112B000576151D4D887739BA83

PID 5564 (spoolsv.exe)
  C:\Windows\Resources\svchost.exe  [executable]
  MD5: F8C90073C66708EE5928F5C85CAC402F
  SHA256: 88120C00E857CADE6DE5408B218BA7058827FE27AF3DAF098947A187C4C54E09

PID 424 (2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe)
  C:\Windows\Resources\Themes\icsys.icn.exe  [executable]
  MD5: 6B0F617735A16B2950D01C3B2D862529
  SHA256: 175920B3115BE6079F7897FD8D89FCFB886F0B1AC54FB01B2D1D626D3CE9D271

PID 5720 (2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe  , the trailing-space copy)
  C:\ProgramData\mntemp  [binary]
  MD5: 78C1F5C6378FC104058AEACDEC192ACD
  SHA256: 22E4B97415FEE1AA2BB7BEF2B44527F28AB4355F574F29E91A19610337255D7E

PID 2632 (spoolsv.exe)
  C:\Users\admin\AppData\Local\Temp\~DF79A5983EC866DFDD.TMP  [binary]
  MD5: 120FD4C9BCDB3CB34AC61F621DC2076F
  SHA256: 19C1BF536ED75CA96A258F5DACC060B7DD97234217D0D9398B0C3C0BE9741A7C

PID 424 (2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe)
  C:\Users\admin\Desktop\2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe   [executable]  (file name ends with a trailing space; different hash from the original sample)
  MD5: 8D729B942ECE6A70E2918FF694195EBA
  SHA256: 4D3994F552DEAA0577CF21FD08FAEE0EF304F9FDC63CE890192AB0516C9C3EEE

PID 5564 (spoolsv.exe)
  C:\Users\admin\AppData\Local\Temp\~DF8D19626707DDB416.TMP  [binary]
  MD5: 963A8A6893A263E49C56E3EC97C54B57
  SHA256: EA058C980A22571E8F9BE7F4F994BB8174E798F735F1FC72131A0848658EA022

PID 5720 (trailing-space copy)
  C:\Users\admin\AppData\Local\Temp\_MEI57202\_decimal.pyd  [executable]
  MD5: F930B7550574446A015BC602D59B0948
  SHA256: 3B9AD1D2BC9EC03D37DA86135853DAC73B3FE851B164FE52265564A81EB8C544

PID 5720 (trailing-space copy)
  C:\Users\admin\AppData\Local\Temp\_MEI57202\_bz2.pyd  [executable]
  MD5: 59D60A559C23202BEB622021AF29E8A9
  SHA256: 706D4A0C26DD454538926CBB2FF6C64257C3D9BD48C956F7CABD6DEF36FFD13E

PID 5720 (trailing-space copy)
  C:\Users\admin\AppData\Local\Temp\_MEI57202\_hashlib.pyd  [executable]
  MD5: B0262BD89A59A3699BFA75C4DCC3EE06
  SHA256: 4ADFBBD6366D9B55D902FC54D2B42E7C8C989A83016ED707BD7A302FC3FC7B67
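Three things in the dropped-file and process tables are worth checking mechanically: system-binary names (explorer.exe, svchost.exe, spoolsv.exe) created under C:\Windows\Resources rather than where those binaries live, a copy of the sample whose file name ends in a space, and a PyInstaller extraction directory (_MEI57202) whose name begins with the PID of the process that populated it (5720). The script below is an added example, not ANY.RUN's or the sample's code; it runs those checks over rows constructed from the tables above. The CANONICAL_DIRS baseline and the _MEI naming heuristic are assumptions stated in the comments.

```python
"""Masquerade, odd-file-name and PyInstaller checks over sandbox file/process rows (added example)."""
import ntpath
import re
from collections import defaultdict

SAMPLE = "2025-07-15_a0fad5aa33af175d3a2df5d971a495b4_black-basta_elex_luca-stealer_swisyn.exe"
DESKTOP = r"C:\Users\admin\Desktop"

# Where each reused system binary legitimately lives (assumed baseline; extend for your estate).
CANONICAL_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "slui.exe": {r"c:\windows\system32"},
}
# PyInstaller extraction directory: "_MEI" followed by digits. Heuristic used below: the digits
# start with the PID of the bootloader that created it (the report shows _MEI57202 for PID 5720).
MEI_DIR = re.compile(r"^(.*\\_MEI(\d+))\\", re.IGNORECASE)

# (pid, path, source) rows constructed from the "Dropped files" and "Process information" tables.
OBSERVED = [
    (6400, r"C:\Windows\Resources\Themes\explorer.exe", "drop"),
    (5564, r"C:\Windows\Resources\svchost.exe", "drop"),
    (424, r"C:\Windows\Resources\Themes\icsys.icn.exe", "drop"),
    (5720, r"C:\ProgramData\mntemp", "drop"),
    (2632, r"C:\Users\admin\AppData\Local\Temp\~DF79A5983EC866DFDD.TMP", "drop"),
    (424, ntpath.join(DESKTOP, SAMPLE + " "), "drop"),            # file name ends with a space
    (5564, r"C:\Users\admin\AppData\Local\Temp\~DF8D19626707DDB416.TMP", "drop"),
    (5720, r"C:\Users\admin\AppData\Local\Temp\_MEI57202\_decimal.pyd", "drop"),
    (5720, r"C:\Users\admin\AppData\Local\Temp\_MEI57202\_bz2.pyd", "drop"),
    (5720, r"C:\Users\admin\AppData\Local\Temp\_MEI57202\_hashlib.pyd", "drop"),
    (684, r"C:\Windows\Resources\Themes\explorer.exe", "process"),
    (952, r"C:\Windows\Resources\Themes\explorer.exe", "process"),
    (1036, r"C:\Windows\Resources\svchost.exe", "process"),
    (1336, r"C:\Windows\Resources\svchost.exe", "process"),
    (1612, r"C:\Windows\System32\slui.exe", "process"),
    (2632, r"C:\Windows\Resources\spoolsv.exe", "process"),
    (4528, ntpath.join(DESKTOP, SAMPLE + " "), "process"),
    (5060, r"C:\Windows\System32\conhost.exe", "process"),
]


def is_masquerade(path):
    """A well-known system binary name sitting in a directory where that binary does not live."""
    name = ntpath.basename(path).lower()
    return name in CANONICAL_DIRS and ntpath.dirname(path).lower() not in CANONICAL_DIRS[name]


def has_odd_name(path):
    """File name ending in spaces or dots. Win32 path normalisation strips these, so such a
    file was created through a \\?\ path or a native API call, and ordinary tools struggle
    to open or delete it by its displayed name."""
    name = ntpath.basename(path)
    return name != name.rstrip(" .")


def triage(rows):
    findings = []
    mei_dirs = defaultdict(set)   # (extraction dir, digits) -> PIDs that wrote into it
    for pid, path, source in rows:
        if is_masquerade(path):
            findings.append({"kind": "masquerade", "pid": pid, "path": path, "source": source})
        if has_odd_name(path):
            findings.append({"kind": "odd_name", "pid": pid, "path": path, "source": source})
        m = MEI_DIR.match(path)
        if m:
            mei_dirs[(m.group(1), m.group(2))].add(pid)
    for (directory, digits), pids in sorted(mei_dirs.items()):
        owner = next((p for p in pids if digits.startswith(str(p))), None)
        findings.append({"kind": "pyinstaller_extract", "pid": owner, "path": directory,
                         "writers": sorted(pids)})
    return findings


if __name__ == "__main__":
    for finding in triage(OBSERVED):
        print(finding)
```

The masquerade check is by directory, not by hash, on purpose: the copies under C:\Windows\Resources have hashes unrelated to the real binaries, and a name-plus-location rule catches the next variant as well as this one. The odd-name check is the one worth keeping in an EDR rule: a process image whose basename ends in a space is never legitimate.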
HTTP(S) requests: 21
TCP/UDP connections: 27
DNS requests: 12
Threats: 0

HTTP requests

None of the monitored sample processes appears in the HTTP or connection tables; the recorded traffic is the guest's own Windows Update (MoUsoCoreWorker.exe), certificate-revocation-list and activation (slui.exe) traffic, and the report lists no threats. The PID and process columns are empty where the report does not show them, and the CN column is "unknown" for every row.

  -                         GET  200  20.109.210.53:443   https://slscr.update.microsoft.com/sls/ping
  -                         GET  200  20.109.210.53:443   https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
  -                         GET  304  20.109.210.53:443   https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
  5944 MoUsoCoreWorker.exe  GET  200  23.216.77.28:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  (whitelisted)
  -                         GET  200  23.216.77.28:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  (whitelisted)
  -                         GET  304  20.109.210.53:443   https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
  -                         GET  200  95.101.149.131:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  (whitelisted)
  5944 MoUsoCoreWorker.exe  GET  200  95.101.149.131:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  (whitelisted)
  -                         GET  200  40.69.42.241:443    https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
  -                         GET  200  20.109.210.53:443   https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

Connections (PID and process where the report shows them; IP:port, domain, ASN, country, reputation)

  4 System                  192.168.100.255:137  -                                 -                             -   whitelisted
  -                         51.124.78.146:443    -                                 MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
  4 System                  192.168.100.255:138  -                                 -                             -   whitelisted
  5944 MoUsoCoreWorker.exe  23.216.77.28:80      crl.microsoft.com                 Akamai International B.V.     DE  whitelisted
  -                         23.216.77.28:80      crl.microsoft.com                 Akamai International B.V.     DE  whitelisted
  5944 MoUsoCoreWorker.exe  95.101.149.131:80    www.microsoft.com                 Akamai International B.V.     NL  whitelisted
  -                         95.101.149.131:80    www.microsoft.com                 Akamai International B.V.     NL  whitelisted
  -                         51.104.136.2:443     settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   IE  whitelisted
  6176 slui.exe             40.91.76.224:443     activation-v2.sls.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   US  whitelisted
  1612 slui.exe             40.91.76.224:443     activation-v2.sls.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK   US  whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 104.208.16.89
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info