File name:

2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/5d2bdac9-8c39-4ec4-b65c-b4d3c4cec1c6
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:43:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

EA58C094981A3CA8D3113CBA65168472

SHA1:

A24D2BB39B349542C9DDB1E88AC60B397F94E2E3

SHA256:

5C5BD5476018FD1F40476EB9864F715A6C420465F202D107862EC96888A30ED9

SSDEEP:

98304:5cfLbkHLWqniKHqv1Y+YvHeLuwTTPiNmKUOfzbELtGyUZ1ahcqwpiVOmEGs59Anc:uq44

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • icsys.icn.exe (PID: 7848)
      • explorer.exe (PID: 7868)
      • svchost.exe (PID: 7908)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 7868)
      • svchost.exe (PID: 7908)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7556)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • explorer.exe (PID: 7868)
      • icsys.icn.exe (PID: 7848)
      • spoolsv.exe (PID: 7888)
      • EAappInstaller.exe (PID: 4424)
      • EAappInstaller.exe (PID: 5408)

    • Starts application with an unusual extension

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7556)

    • Starts itself from another location

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7556)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • icsys.icn.exe (PID: 7848)
      • explorer.exe (PID: 7868)
      • svchost.exe (PID: 7908)
      • spoolsv.exe (PID: 7888)
      • EAappInstaller.exe (PID: 4424)

    • Searches for installed software

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 5408)

    • Reads Internet Explorer settings

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 5408)

    • Reads security settings of Internet Explorer

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 5408)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7848)
      • spoolsv.exe (PID: 7888)

    • Reads Microsoft Outlook installation path

      • EAappInstaller.exe (PID: 5408)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)

    • Creates or modifies Windows services

      • svchost.exe (PID: 7908)

  • INFO

    • The sample compiled with english language support

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7556)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 4424)

    • Create files in a temporary directory

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • icsys.icn.exe (PID: 7848)
      • explorer.exe (PID: 7868)
      • spoolsv.exe (PID: 7888)
      • spoolsv.exe (PID: 7928)
      • svchost.exe (PID: 7908)
      • EAappInstaller.exe (PID: 5408)

    • Checks supported languages

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7556)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe (PID: 7532)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • icsys.icn.exe (PID: 7848)
      • explorer.exe (PID: 7868)
      • svchost.exe (PID: 7908)
      • spoolsv.exe (PID: 7928)
      • EAappInstaller.exe (PID: 4424)
      • spoolsv.exe (PID: 7888)
      • EAappInstaller.exe (PID: 5408)

    • Reads the computer name

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • svchost.exe (PID: 7908)
      • EAappInstaller.exe (PID: 5408)

    • Checks proxy server information

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 5408)
      • slui.exe (PID: 496)

    • Process checks whether UAC notifications are on

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 5408)

    • Reads the machine GUID from the registry

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
      • EAappInstaller.exe (PID: 5408)

    • Creates files or folders in the user directory

      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)

    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7868)
      • svchost.exe (PID: 7908)

    • Reads the software policy settings

      • EAappInstaller.exe (PID: 5408)
      • slui.exe (PID: 496)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)

    • Manual execution by a user

      • svchost.exe (PID: 5728)
      • explorer.exe (PID: 5380)

    • Process checks computer location settings

      • EAappInstaller.exe (PID: 5408)
      • 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 7580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
14
Malicious processes
7
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #JEEFO 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  #JEEFO icsys.icn.exe #JEEFO explorer.exe spoolsv.exe #JEEFO svchost.exe spoolsv.exe no specs eaappinstaller.exe eaappinstaller.exe svchost.exe no specs explorer.exe no specs slui.exe 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4424"C:\Users\admin\AppData\Local\Package Cache\{113f7eda-36fb-4606-ace7-5218c5a42829}\EAappInstaller.exe" -burn.related.update -burn.filehandle.self=2812 -burn.embedded BurnPipe.{09A423D2-B491-48C3-BEA2-19EF44FAF882} {13678C26-B006-49B4-AC2D-F948371B3571} 7580C:\Users\admin\AppData\Local\Package Cache\{113f7eda-36fb-4606-ace7-5218c5a42829}\EAappInstaller.exe
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
User:
admin
Company:
Electronic Arts
Integrity Level:
HIGH
Description:
EA app
Version:
13.464.0.5977
Modules
Images
c:\users\admin\appdata\local\package cache\{113f7eda-36fb-4606-ace7-5218c5a42829}\eaappinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5380c:\windows\resources\themes\explorer.exe ROC:\Windows\Resources\Themes\explorer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5408"C:\WINDOWS\Temp\{0656529C-57F4-4FD7-B013-49D655F937C8}\.cr\EAappInstaller.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Package Cache\{113f7eda-36fb-4606-ace7-5218c5a42829}\EAappInstaller.exe" -burn.filehandle.attached=684 -burn.filehandle.self=712 -burn.related.update -burn.filehandle.self=2812 -burn.embedded BurnPipe.{09A423D2-B491-48C3-BEA2-19EF44FAF882} {13678C26-B006-49B4-AC2D-F948371B3571} 7580C:\Windows\Temp\{0656529C-57F4-4FD7-B013-49D655F937C8}\.cr\EAappInstaller.exe
EAappInstaller.exe
User:
admin
Company:
Electronic Arts
Integrity Level:
HIGH
Description:
EA app
Version:
13.464.0.5977
Modules
Images
c:\windows\temp\{0656529c-57f4-4fd7-b013-49d655f937c8}\.cr\eaappinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5728c:\windows\resources\svchost.exe ROC:\Windows\Resources\svchost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7420"C:\Users\admin\Desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe" C:\Users\admin\Desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7532"C:\Users\admin\Desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe" C:\Users\admin\Desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
7556c:\users\admin\desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe  C:\Users\admin\Desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe
User:
admin
Company:
Electronic Arts
Integrity Level:
HIGH
Description:
EA app
Version:
12.158.0.5415
Modules
Images
c:\users\admin\desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7580"C:\WINDOWS\Temp\{F3811F79-B56C-4CF4-AD3A-815598B333B5}\.cr\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe " -burn.clean.room="c:\users\admin\desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe " -burn.filehandle.attached=236 -burn.filehandle.self=568 C:\Windows\Temp\{F3811F79-B56C-4CF4-AD3A-815598B333B5}\.cr\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
User:
admin
Company:
Electronic Arts
Integrity Level:
HIGH
Description:
EA app
Version:
12.158.0.5415
Modules
Images
c:\windows\temp\{f3811f79-b56c-4cf4-ad3a-815598b333b5}\.cr\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7848C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
10 931
Read events
10 906
Write events
21
Delete events
4

Modification events

(PID) Process:(7532) 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(7580) 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7580) 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7580) 2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7848) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(7908) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(7908) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(7908) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(7908) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(7868) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
Executable files
15
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
75322025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exeC:\Users\admin\Desktop\2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe executable
MD5:F70792D9452DF1FC6AFAA2568DC04BD1
SHA256:26989E9DAA143988D1F189A3B5555B74B0A2764CF5C3EA8264B0E179FE4A989D
75322025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:C8A73A7970DC46061D3223B0576C9297
SHA256:B0EB334A7318482275296CBACA0856CDE3C4ED5DD3C1F876AEFC844BF7B94DFA
75802025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe C:\Windows\Temp\{82862602-643F-478E-804A-A3A7203505B1}\.ba\BootstrapperApplicationData.xmlxml
MD5:10F32B21F8B92E111DC3E0F781305D84
SHA256:05397717AD549FE5DA5CF4EF679C660513ABE45B30D59CD6E65354DBD7ADCA23
7848icsys.icn.exeC:\Windows\Resources\Themes\explorer.exeexecutable
MD5:B92A0CE153C06EF6911F102F4CB727C4
SHA256:F3D510D1913B504B0EA522FEC67374BCD0913F67C821EC324859A8DA6A92EE6C
75802025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe C:\Windows\Temp\{82862602-643F-478E-804A-A3A7203505B1}\.ba\juno-bootstrapper-application.dllexecutable
MD5:0A0E157A6832DE4CCBD8C5DCDD16EB85
SHA256:435DB1B6C9589D873A8211D93C1A87798DFEF386F447EFCC75FF6F5292B11419
75802025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\globalConfig[1].jsonbinary
MD5:773569FDB7C18A8E5B80405408780CF4
SHA256:3C6AC7198437D8BCE9239742F040AB197C3EF6631AAF805D3E0134F642E693C5
75802025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\13.464.0[1].jsonbinary
MD5:1FEAA3074CC32423F17C3C1C303B08F3
SHA256:D82C1A8CF6C6CE6FE47D77BE49B614832DDDC62072E4CE3E4F09204A249F4283
75802025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe C:\Windows\Temp\{82862602-643F-478E-804A-A3A7203505B1}\.ba\version.dllexecutable
MD5:B0A366CD7B3AA13F872A2B9E15C79384
SHA256:6D375A08A56C5DAB08EB37587F108826F52401DACBC746689BDA236C59BAA076
75802025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe C:\Windows\Temp\{82862602-643F-478E-804A-A3A7203505B1}\.be\EAappInstaller.exeexecutable
MD5:F70792D9452DF1FC6AFAA2568DC04BD1
SHA256:26989E9DAA143988D1F189A3B5555B74B0A2764CF5C3EA8264B0E179FE4A989D
7888spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF20E6EE77D95B3188.TMPbinary
MD5:8A276FB316C17670773A4B4406AF7614
SHA256:F3A6068FC1D7A5D33A0C408822A4356D516117D37D75AF22F332A0C2D3544AB7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
46
DNS requests
19
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1912
RUXIMICS.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1912
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
23.216.77.30:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6388
SIHClient.exe
GET
200
23.216.77.30:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1912
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7580
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
104.102.62.251:443
desktop-config.juno.ea.com
AKAMAI-AS
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1912
RUXIMICS.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1912
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7580
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
44.196.168.104:443
pin-river.data.ea.com
AMAZON-AES
US
whitelisted
7580
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn.exe 
2.16.164.33:443
origin-a.akamaihd.net
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
desktop-config.juno.ea.com
  • 104.102.62.251
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
autopatch.juno.ea.com
  • 104.102.62.251
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 23.216.77.30
  • 23.216.77.22
  • 23.216.77.15
  • 23.216.77.29
  • 23.216.77.25
  • 23.216.77.18
  • 23.216.77.28
  • 23.216.77.4
  • 23.216.77.33
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 184.30.21.171
whitelisted
ratt.juno.ea.com
  • 104.102.62.251
whitelisted
pin-river.data.ea.com
  • 44.196.168.104
  • 3.229.196.45
  • 3.228.63.243
  • 44.223.204.5
  • 54.165.6.101
  • 44.217.223.236
  • 18.235.228.13
  • 34.198.78.231
whitelisted
origin-a.akamaihd.net
  • 2.16.164.33
  • 2.16.164.16
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
Misc activity
ET INFO Packed Executable Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_ea58c094981a3ca8d3113cba65168472_black-basta_coinminer_elex_hijackloader_luca-stealer_swisyn