File name:

2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/c6db97c2-5f11-4736-8564-cd54e157f735
Verdict: Malicious activity
Analysis date: April 29, 2025, 16:17:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

EA55707D1AD08D6084E6437699077A3F

SHA1:

2FBAFC00992028C2C8F97FB5BF85F1302F08067F

SHA256:

729B6F6339CDB86ECC15D62023824DEA23782CCAB487A2E81D168BA34C98E9A1

SSDEEP:

98304:5c9Aulxsa4e2B+KLPmZbbnTpwyfy8QAq38pOPdzMGqoXlF0cgl95rQXcA3RGFOi1:2S8+enNsqQ3pCTdaMWkhUHdzUT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • explorer.exe (PID: 5640)
      • icsys.icn.exe (PID: 960)
      • svchost.exe (PID: 6876)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 5640)
      • svchost.exe (PID: 6876)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5728)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)
      • icsys.icn.exe (PID: 960)
      • explorer.exe (PID: 5640)
      • spoolsv.exe (PID: 2040)

    • Process drops legitimate windows executable

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5728)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)

    • Starts application with an unusual extension

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5728)

    • Starts a Microsoft application from unusual location

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5728)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)

    • Searches for installed software

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)

    • Starts itself from another location

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • icsys.icn.exe (PID: 960)
      • explorer.exe (PID: 5640)
      • spoolsv.exe (PID: 2040)
      • svchost.exe (PID: 6876)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 960)
      • spoolsv.exe (PID: 2040)

    • Creates or modifies Windows services

      • svchost.exe (PID: 6876)

  • INFO

    • The sample compiled with english language support

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5728)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)

    • Checks supported languages

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 5728)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)
      • icsys.icn.exe (PID: 960)
      • explorer.exe (PID: 5640)
      • spoolsv.exe (PID: 2040)
      • spoolsv.exe (PID: 1240)
      • svchost.exe (PID: 6876)

    • Create files in a temporary directory

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)
      • icsys.icn.exe (PID: 960)
      • explorer.exe (PID: 5640)
      • spoolsv.exe (PID: 2040)
      • svchost.exe (PID: 6876)
      • spoolsv.exe (PID: 1240)

    • Reads the computer name

      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  (PID: 2320)
      • svchost.exe (PID: 6876)
      • 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe (PID: 6416)

    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 5640)
      • svchost.exe (PID: 6876)

    • Manual execution by a user

      • explorer.exe (PID: 976)
      • svchost.exe (PID: 5376)
      • explorer.exe (PID: 4220)

    • Checks proxy server information

      • slui.exe (PID: 1676)

    • Reads the software policy settings

      • slui.exe (PID: 1676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
13
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #JEEFO 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe  #JEEFO icsys.icn.exe #JEEFO explorer.exe spoolsv.exe #JEEFO svchost.exe spoolsv.exe no specs explorer.exe no specs svchost.exe no specs explorer.exe no specs slui.exe 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300"C:\Users\admin\Desktop\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe" C:\Users\admin\Desktop\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
960C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
976c:\windows\resources\themes\explorer.exe ROC:\Windows\Resources\Themes\explorer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1240c:\windows\resources\spoolsv.exe PRC:\Windows\Resources\spoolsv.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
1676C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2040c:\windows\resources\spoolsv.exe SEC:\Windows\Resources\spoolsv.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
2320"C:\WINDOWS\Temp\{57AD276F-EF58-42D1-8F72-DD68B1DA15A4}\.cr\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe " -burn.clean.room="c:\users\admin\desktop\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe " -burn.filehandle.attached=556 -burn.filehandle.self=552 C:\Windows\Temp\{57AD276F-EF58-42D1-8F72-DD68B1DA15A4}\.cr\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe 
2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe 
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.26.28720
Exit code:
1638
Version:
14.26.28720.3
Modules
Images
c:\windows\temp\{57ad276f-ef58-42d1-8f72-dd68b1da15a4}\.cr\2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4220c:\windows\resources\themes\explorer.exe ROC:\Windows\Resources\Themes\explorer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5376c:\windows\resources\svchost.exe ROC:\Windows\Resources\svchost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5640c:\windows\resources\themes\explorer.exeC:\Windows\Resources\Themes\explorer.exe
icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
3 829
Read events
3 810
Write events
15
Delete events
4

Modification events

(PID) Process:(6416) 2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(960) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(5640) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(5640) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(5640) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(5640) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(6876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(6876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(6876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(6876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
Executable files
7
Suspicious files
4
Text files
32
Unknown types
0

Dropped files

PID
Process
Filename
Type
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\wixstdba.dllexecutable
MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1041\thm.wxlxml
MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1031\thm.wxlxml
MD5:561F3F32DB2453647D1992D4D932E872
SHA256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1031\license.rtftext
MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\license.rtftext
MD5:2EABBB391ACB89942396DF5C1CA2BAD8
SHA256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1040\license.rtftext
MD5:9D98044BAC59684489C4CF66C3B34C85
SHA256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1036\license.rtftext
MD5:F0FF747B85B1088A317399B0E11D2101
SHA256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1041\license.rtftext
MD5:8C49936EC4CF0F64CA2398191C462698
SHA256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\1036\thm.wxlxml
MD5:7B46AE8698459830A0F9116BC27DE7DF
SHA256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
23202025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn.exe C:\Windows\Temp\{CDFF1736-17E5-4F03-8D5D-05802DF70A6F}\.ba\thm.wxlxml
MD5:FBFCBC4DACC566A3C426F43CE10907B6
SHA256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
46
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
1040
SIHClient.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
40.69.42.241:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
1040
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1040
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1040
SIHClient.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1040
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1040
SIHClient.exe
40.69.42.241:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2920
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5392
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.14
  • 20.190.160.128
  • 20.190.160.5
  • 20.190.160.130
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_ea55707d1ad08d6084e6437699077a3f_black-basta_elex_luca-stealer_swisyn