File name: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/9910e2f4-d5c3-46c1-8051-7ce14e6f592e
Verdict: Malicious activity
Analysis date: June 21, 2025, 16:58:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adobeinstaller
installer
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: BF2BEF68B30287D180661BF5C83769D1
SHA1: BE3D69BDF92B391E8731374683C00AAC3083ECC0
SHA256: 93CA97954A8CA4E21B9D93B6F42AE215DA64F2707E0B9D65F5220DE6ABB09435
SSDEEP: 98304:5cdHhuirZRjTIEgz5zov+8Cp3Ix4vGnCcds63hIVKicC8yfzgTyLv2KzufVjTIhI:Xg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
      • icsys.icn.exe (PID: 7008)
      • explorer.exe (PID: 2632)
      • svchost.exe (PID: 7100)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 2632)
      • svchost.exe (PID: 7100)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
    • Executable content was dropped or overwritten

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
      • icsys.icn.exe (PID: 7008)
      • explorer.exe (PID: 2632)
      • spoolsv.exe (PID: 5496)
    • Reads security settings of Internet Explorer

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
    • Starts itself from another location

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
      • icsys.icn.exe (PID: 7008)
      • explorer.exe (PID: 2632)
      • spoolsv.exe (PID: 5496)
      • svchost.exe (PID: 7100)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7008)
      • spoolsv.exe (PID: 5496)
    • Creates or modifies Windows services

      • svchost.exe (PID: 7100)
  • INFO

    • Checks supported languages

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
      • icsys.icn.exe (PID: 7008)
      • explorer.exe (PID: 2632)
      • spoolsv.exe (PID: 5496)
      • svchost.exe (PID: 7100)
      • spoolsv.exe (PID: 4748)
    • Create files in a temporary directory

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
      • icsys.icn.exe (PID: 7008)
      • explorer.exe (PID: 2632)
      • spoolsv.exe (PID: 5496)
      • svchost.exe (PID: 7100)
      • spoolsv.exe (PID: 4748)
    • The sample compiled with english language support

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (PID: 5444)
      • icsys.icn.exe (PID: 7008)
      • explorer.exe (PID: 2632)
      • spoolsv.exe (PID: 5496)
    • ADOBEINSTALLER mutex has been found

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
    • Reads the machine GUID from the registry

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
    • Reads the computer name

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
      • svchost.exe (PID: 7100)
    • Reads the software policy settings

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
      • slui.exe (PID: 3676)
    • Checks proxy server information

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
      • slui.exe (PID: 3676)
    • Creates files or folders in the user directory

      • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (PID: 6960)
    • Launching a file from a Registry key

      • explorer.exe (PID: 2632)
      • svchost.exe (PID: 7100)
    • Manual execution by a user

      • svchost.exe (PID: 4552)
      • explorer.exe (PID: 1100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 11
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes in graph order (tags as shown in the graph; "no specs" is the report's own label for nodes without a specification):
  • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (#JEEFO)
  • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (second instance, name ends with a trailing space)
  • icsys.icn.exe (#JEEFO)
  • explorer.exe (#JEEFO)
  • spoolsv.exe
  • svchost.exe (#JEEFO)
  • spoolsv.exe (no specs)
  • explorer.exe (no specs)
  • svchost.exe (no specs)
  • slui.exe
  • 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe (no specs)

Process information

PID: 1100
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2044
CMD: "C:\Users\admin\Desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
c:\users\admin\desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2632
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 3676
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4552
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4748
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5444
CMD: "C:\Users\admin\Desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5496
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6960
CMD: c:\users\admin\desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (file name ends with a trailing space)
Path: C:\Users\admin\Desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe 
Parent process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
User: admin
Company: Adobe Inc.
Integrity Level: HIGH
Description: Adobe Installer
Exit code: 1
Version: 5.3.1.470
Modules (images):
c:\users\admin\desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 7008
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events: 7 204
Read events: 7 185
Write events: 15
Delete events: 4

Modification events

PID: 5444
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

PID: 7008
Process: icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

PID: 2632
Process: explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

PID: 2632
Process: explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

PID: 2632
Process: explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer

PID: 2632
Process: explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost

PID: 7100
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

PID: 7100
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

PID: 7100
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer

PID: 7100
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Executable files: 5
Suspicious files: 8
Text files: 1
Unknown types: 0

Dropped files

PID: 6960
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe 
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Type: binary
MD5: 0AA62A4C251E86FD83E71561E35FEF9A
SHA256: D04BC1EA91955F6BDD9D8E04667BD0DFCD10639847509F8FA68F684682EAFE3F

PID: 5444
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
Filename: C:\Users\admin\Desktop\2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  (file name ends with a trailing space)
Type: executable
MD5: 41F159509017D234E08EB4F820BAB935
SHA256: 4460DD8114B5609EA4E9644A659DE0F5B188696D27DC8846D633628B3ADE7C31

PID: 5496
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF731A9D28F80528BE.TMP
Type: binary
MD5: 212B3539B8175E014B6995138A7A3B1F
SHA256: 6109FB61B9507156B1EBF6B401EE1DB50F7372D7A80ECE6C8FB2E367A68F165E

PID: 6960
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe 
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_EA01B8AC2C0BE6E5850A0487D704D929
Type: binary
MD5: B6AA43920C39A43F14839BF0BEC2412B
SHA256: F1629C827275F0E80B30DD2496F2999E29C823A8E329D0EB68CB3CD9E9B0B520

PID: 6960
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe 
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Type: binary
MD5: 90A5B8154D661FA0F4E8BC29B79FF77F
SHA256: 673D96FC221EB313C354C39E47647356EB22B8B8A76D51C62C2B6D4DA2466174

PID: 6960
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe 
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_EA01B8AC2C0BE6E5850A0487D704D929
Type: binary
MD5: D2BE0A0EA43A260B2E0BCDC8249824DA
SHA256: 80736829E1B49F390E2F6FF0144586D691C662A5464E5F85F2C89C73D5308E51

PID: 7008
Process: icsys.icn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF38D988CA9B0FEA39.TMP
Type: binary
MD5: CFDFC70CBD26F2D165BD525F759109C3
SHA256: 52A8A4D3F05F04C293552EB60EB05C12A6D0A93A9DB8351896D8C18912B6C9B3

PID: 4748
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF0FA33320D3343A72.TMP
Type: binary
MD5: 212B3539B8175E014B6995138A7A3B1F
SHA256: 6109FB61B9507156B1EBF6B401EE1DB50F7372D7A80ECE6C8FB2E367A68F165E

PID: 5444
Process: 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF0D0FA319BAD5C481.TMP
Type: binary
MD5: 27B77B26CCC526361090F454C12C8BB3
SHA256: B8A6EAA535F942E766BA18EA1CEC95733B5C76568AF5F9EB20C81B0DB1B6C940

PID: 5496
Process: spoolsv.exe
Filename: C:\Windows\Resources\svchost.exe
Type: executable
MD5: 51B74D8822FB4497D4429AB938937AA2
SHA256: 99F99EC9916B8F4DE7EB4F1323887BECDCC98DB41375AF2EF6581BE3D196C0F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 43
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.25.50.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.25.50.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4844 | RUXIMICS.exe | GET | 200 | 184.25.50.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6960 | 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4844 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6960 | 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAbyTZ9NsHvX7K0Gf17ibCk%3D | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4844 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 184.25.50.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.25.50.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4844 | RUXIMICS.exe | 184.25.50.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6960 | 2025-06-21_bf2bef68b30287d180661bf5c83769d1_amadey_black-basta_darkgate_elex_luca-stealer_swisyn.exe  | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain (reputation), resolved IPs:

settings-win.data.microsoft.com (whitelisted)
  • 4.231.128.59
  • 51.104.136.2
google.com (whitelisted)
  • 216.58.206.78
crl.microsoft.com (whitelisted)
  • 184.25.50.10
  • 184.25.50.8
  • 23.55.104.172
  • 23.55.104.190
ocsp.digicert.com (whitelisted)
  • 2.23.77.188
www.microsoft.com (whitelisted)
  • 95.101.149.131
client.wns.windows.com (whitelisted)
  • 172.211.123.250
login.live.com (whitelisted)
  • 40.126.31.67
  • 40.126.31.71
  • 40.126.31.130
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.128
  • 40.126.31.2
  • 20.190.159.4
nexusrules.officeapps.live.com (whitelisted)
  • 52.111.243.29
slscr.update.microsoft.com (whitelisted)
  • 4.245.163.56
fe3cr.delivery.mp.microsoft.com (whitelisted)
  • 20.3.187.198

Threats

No threats detected
No debug info