File name:

2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn

Full analysis: https://app.any.run/tasks/aae54d2e-ba5f-411b-a6e3-ed2af0d45817
Verdict: Malicious activity
Analysis date: May 15, 2025, 11:29:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

1EF8F91A0FC0D1E4169E823661B296E2

SHA1:

60BB4F106ED302F4B7B95DD585A7F91A92BFA03B

SHA256:

C76A190910CDA7D0AD6E0C346E40BBD1FCD391CCE4A2FFCB7E63FFBE93F9DE70

SSDEEP:

12288:5cPNvtVVVEuW/CO+/04j6iZGSAqV48ZshGj84ZKk6Qr/pLZMZVVVVVVVVVAtVVVD:5cPNEuhM0wq9ZKk6k/p1MlvP45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • icsys.icn.exe (PID: 7740)
      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
      • explorer.exe (PID: 7764)
      • svchost.exe (PID: 7828)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 7764)
      • svchost.exe (PID: 7828)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
    • Executable content was dropped or overwritten

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
      • explorer.exe (PID: 7764)
      • icsys.icn.exe (PID: 7740)
      • spoolsv.exe (PID: 7800)
    • Starts itself from another location

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
      • explorer.exe (PID: 7764)
      • icsys.icn.exe (PID: 7740)
      • svchost.exe (PID: 7828)
      • spoolsv.exe (PID: 7800)
    • Reads the date of Windows installation

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
    • The process creates files with name similar to system file names

      • spoolsv.exe (PID: 7800)
      • icsys.icn.exe (PID: 7740)
    • Reads security settings of Internet Explorer

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
    • Creates or modifies Windows services

      • svchost.exe (PID: 7828)
  • INFO

    • The sample compiled with english language support

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
    • Checks supported languages

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
      • spoolsv.exe (PID: 7800)
      • explorer.exe (PID: 7764)
      • icsys.icn.exe (PID: 7740)
      • svchost.exe (PID: 7828)
      • spoolsv.exe (PID: 7860)
    • Create files in a temporary directory

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (PID: 7692)
      • spoolsv.exe (PID: 7800)
      • icsys.icn.exe (PID: 7740)
      • explorer.exe (PID: 7764)
      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
      • svchost.exe (PID: 7828)
      • spoolsv.exe (PID: 7860)
    • Reads the computer name

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
      • svchost.exe (PID: 7828)
    • Process checks computer location settings

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
    • Reads Microsoft Office registry keys

      • 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe  (PID: 7716)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7764)
      • svchost.exe (PID: 7828)
    • Manual execution by a user

      • explorer.exe (PID: 7188)
      • svchost.exe (PID: 7192)
    • Checks proxy server information

      • slui.exe (PID: 4692)
    • Reads the software policy settings

      • slui.exe (PID: 4692)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
Total processes
143
Monitored processes
12
Malicious processes
5
Suspicious processes
0

Behavior graph

Graph nodes, in order: start; 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (#JEEFO); 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (no specs); icsys.icn.exe (#JEEFO); explorer.exe (#JEEFO); spoolsv.exe; mspaint.exe (no specs); svchost.exe (#JEEFO); spoolsv.exe (no specs); slui.exe; explorer.exe (no specs); svchost.exe (no specs); 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4692
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7188
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7192
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7608
CMD: "C:\Users\admin\Desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7692
CMD: "C:\Users\admin\Desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7716
CMD: c:\users\admin\desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
Path: C:\Users\admin\Desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
Parent process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7740
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7764
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7800
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7820
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\bitcoin.png"
Path: C:\Windows\System32\mspaint.exe
Parent process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
5 232
Read events
5 212
Write events
16
Delete events
4

Modification events

(PID) Process: (7692) 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (7764) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (7764) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (7764) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

(PID) Process: (7764) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:

(PID) Process: (7716) 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
Operation: write
Name: pngfile
Value:

(PID) Process: (7740) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (7828) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (7828) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (7828) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

Executable files
5
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7740
Process: icsys.icn.exe
Filename: C:\Windows\Resources\Themes\explorer.exe
Type: executable
MD5:B10EE16F3E448776BC420356B034BC00
SHA256:42480A739972E093967F437676B8C26592C8D98B657BFA21C3453FEF8FBE62B2
PID: 7692
Process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
Filename: C:\Users\admin\Desktop\2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
Type: executable
MD5:4F75637EDD327A60AD7F9DAFF4461466
SHA256:1DC2E628975B2997156EF986DFB5E40B75B4D66EF1682898A42275B63DD8A6F3
PID: 7800
Process: spoolsv.exe
Filename: C:\Windows\Resources\svchost.exe
Type: executable
MD5:B27CB35CCACC00658EBF18F8F644AD53
SHA256:85A919111C4848878ACE07BF403D6305AED0413E4426FD2A8627E4DD734E66C5
PID: 7716
Process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe 
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\bitcoin.png
Type: image
MD5:7F74F97107667279D7C77D688699699A
SHA256:B6031CD8233648276BA0E53A1F30735BAB1BE4FE300F8D8BA3680DEF6B9B9CA8
PID: 7692
Process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFE1B22779DD5D01DE.TMP
Type: binary
MD5:75DD32A511584DEA7099BE831BD59977
SHA256:409DF7C2FEFA24F0C36B71F95E184CEC7C8AC8AA25DEFDEC5CFDC77850D3150E
PID: 7692
Process: 2025-05-15_1ef8f91a0fc0d1e4169e823661b296e2_black-basta_cobalt-strike_elex_swisyn.exe
Filename: C:\Windows\Resources\Themes\icsys.icn.exe
Type: executable
MD5:979CF9366D81FE8F2D08E4D40573C421
SHA256:3FB3F62B96F3F977AB01A9DF349B2F47E0F7C9049370142D22D449A69F0246DB
PID: 7740
Process: icsys.icn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF7D5A6F4C6CECFA72.TMP
Type: binary
MD5:617FE4F7E2742F91890DD8AD8E52F9B4
SHA256:553A3AFAB243B74499AD59529FD88C1B5DF3DDB946E7039EE7EC52AF6F9E5229
PID: 7860
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFCCD6D93393FE56D2.TMP
Type: binary
MD5:D7D9AB2B378BF9A5FD9915A80B5F2DB6
SHA256:0FB5E249CC92211567B771AFDFF1116E6E76F9A4B5BEF7C01725C079872F4E21
PID: 7800
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFCE114ABBB66199DA.TMP
Type: binary
MD5:9B74750D9EADD592AF5C241FFE9EA6A1
SHA256:0A7CBFB93B936559B25F9C04FE78C0D1BCAFC75ED11CC5D7618694E75B301F64
PID: 7764
Process: explorer.exe
Filename: C:\Windows\Resources\spoolsv.exe
Type: executable
MD5:A5F0EEE115524907334C3A13428DD531
SHA256:E721CCB129D40AF4F7DAE62B98EB5BDDC53277A35013FBB5B96CD661346575AC
HTTP(S) requests
10
TCP/UDP connections
51
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5112
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5112
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5112
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted

Threats

No threats detected