File name:

2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta

Full analysis: https://app.any.run/tasks/fac55cca-3f6b-4dcb-b018-8c8ee7dade7c
Verdict: Malicious activity
Analysis date: May 16, 2025, 00:48:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

2BF135645CD8AD19994B0EAA3C3F2312

SHA1:

86100B6ED586989DD1580EBD2AFD1FC4B47CDC52

SHA256:

6D931D03FCF298E4E8AB9A9124FAAF84D6F426475425E6C750258976D4A1718B

SSDEEP:

98304:xYOKaSw75lDp9sNu+mxQZTKhx2Qd0IbDOSmfRTuI8Cz1LrNNwk5nTEFdwGkHEZA3:qRbL9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 4428)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 1280)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 4428)

    • Reads the date of Windows installation

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)

    • Reads security settings of Internet Explorer

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 4428)

    • Mutex name with non-standard characters

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 4428)

    • Starts CMD.EXE for commands execution

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7492)

    • Executes as Windows Service

      • vds.exe (PID: 7804)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 8036)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 4428)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 1280)

    • Uses WMIC.EXE

      • cmd.exe (PID: 8164)

    • Get information on the list of running processes

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7492)
      • cmd.exe (PID: 8164)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2656)

  • INFO

    • Create files in a temporary directory

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 1280)

    • Process checks computer location settings

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 4428)

    • Checks supported languages

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7492)
      • FileCoAuth.exe (PID: 1280)

    • Reads the computer name

      • 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7448)
      • FileCoAuth.exe (PID: 1280)

    • The sample compiled with english language support

      • FileCoAuth.exe (PID: 4428)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8052)
      • WMIC.exe (PID: 8180)
      • WMIC.exe (PID: 4220)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 1280)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 1280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (85.5)
.exe | Win32 Executable Delphi generic (4.6)
.scr | Windows screen saver (4.2)
.dll | Win32 Dynamic Link Library (generic) (2.1)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
19
Malicious processes
1
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #NESHTA 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe no specs conhost.exe no specs cmd.exe no specs diskpart.exe no specs diskpart.exe no specs diskpart.exe conhost.exe no specs vdsldr.exe no specs vds.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs filecoauth.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1072C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1280"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
2656C:\WINDOWS\system32\cmd.exe /c wmic PATH Win32_ComputerSystem GET HypervisorPresent /VALUEC:\Windows\System32\cmd.exe2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4220wmic PATH Win32_ComputerSystem GET HypervisorPresent /VALUEC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
4428C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7448"C:\Users\admin\Desktop\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe" C:\Users\admin\Desktop\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7492"C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
7500\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7560C:\WINDOWS\system32\cmd.exe /c diskpart /?C:\Windows\System32\cmd.exe2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
999999999
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
7576diskpart /?C:\Windows\System32\diskpart.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DiskPart
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\diskpart.exe
c:\windows\system32\ntdll.dll
Total events
8 044
Read events
8 036
Write events
8
Delete events
0

Modification events

(PID) Process:(7448) 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(7448) 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(7448) 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(7448) 2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
9
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4428FileCoAuth.exeC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeexecutable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeexecutable
MD5:FB2942BE0DC7C311FA1B8666A6675DF8
SHA256:2765AC777BE53D5C428018F2FCDDBE51CB8B101382810A7FC75D4B69DE2886E3
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256:3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
1280FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-16.0049.1280.1.odlbinary
MD5:18B2985EEB22557746E95B6887129B88
SHA256:016884CBDAA5A71B6964813CF002E9CDD769580C221051D2E99ED764EC24E337
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmpbinary
MD5:072319658A71177ADE537A9B87226C45
SHA256:54BCD6D4C0DFDDAC22472806325D0ECB4702253A4893A5C3A606F314BDB9ACAF
1280FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-16.0049.1280.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
74482025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
52
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4172
RUXIMICS.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1180
SIHClient.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4172
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1180
SIHClient.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4172
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4172
RUXIMICS.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4172
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.22
  • 20.190.160.17
  • 20.190.160.132
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.66
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-16_2bf135645cd8ad19994b0eaa3c3f2312_black-basta_elex_gcleaner_hijackloader_neshta