File name:

2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/d795e911-6daf-47b5-934d-e3f06c3a567e
Verdict: Malicious activity
Analysis date: May 15, 2025, 18:44:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
neshta
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

82072ED4BE37E00173450EF2C82C2408

SHA1:

CE00BB9C23E7B899D0996E1B525FB9D4CE3040CC

SHA256:

C83998E848ED7131C11F2B7B80C1A3920DC8B7568AB56C13734D0692261381A7

SSDEEP:

24576:95FxcPN8PKz+q4ebGVdcNqF0uOt/0l+rm:9TxcKSz+q4ebGVdcNqF0uOt/0l+rm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • JEEFO has been detected

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • explorer.exe (PID: 7792)
      • svchost.exe (PID: 7836)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 7792)
      • svchost.exe (PID: 7836)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Mutex name with non-standard characters

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Starts itself from another location

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • explorer.exe (PID: 7792)
      • spoolsv.exe (PID: 7816)
      • svchost.exe (PID: 7836)
    • Executable content was dropped or overwritten

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • explorer.exe (PID: 7792)
      • spoolsv.exe (PID: 7816)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Starts application with an unusual extension

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7660)
      • spoolsv.exe (PID: 7816)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
  • INFO

    • Create files in a temporary directory

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • explorer.exe (PID: 7792)
      • spoolsv.exe (PID: 7860)
      • spoolsv.exe (PID: 7816)
      • svchost.exe (PID: 7836)
    • Checks supported languages

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (PID: 7652) (this copy's file name ends with a space, which is why it is listed separately from the copy without the space)
      • explorer.exe (PID: 7792)
      • spoolsv.exe (PID: 7816)
      • svchost.exe (PID: 7836)
      • spoolsv.exe (PID: 7860)
    • Reads the computer name

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • icsys.icn.exe (PID: 7660)
      • svchost.exe (PID: 7836)
    • Process checks computer location settings

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7792)
      • svchost.exe (PID: 7836)
    • Manual execution by a user

      • svchost.exe (PID: 1012)
      • explorer.exe (PID: 856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
138
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Process nodes in the order the graph shows them (#NESHTA and #JEEFO mark the signature that fired on that node; "no specs" is the report's own marker):
  • start
  • #NESHTA 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
  • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (no specs)
  • #JEEFO 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
  • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (file name ends with a space; no specs)
  • #JEEFO icsys.icn.exe
  • conhost.exe (no specs)
  • #JEEFO explorer.exe
  • spoolsv.exe
  • #JEEFO svchost.exe
  • spoolsv.exe (no specs)
  • svchost.exe (no specs)
  • explorer.exe (no specs)
  • slui.exe

Process information

Columns: PID, CMD, Path, Parent process
PID: 856
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image demands elevation and was started without it)
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1012
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5380
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7484
CMD: "C:\Users\admin\Desktop\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe"
Path: C:\Users\admin\Desktop\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7528
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7624
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7652
CMD: c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (the file name ends with a space)
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe 
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
4.1.0.1
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll
PID: 7660
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (the copy whose file name ends with a space)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7792
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
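The process records above give each launch's integrity level and a raw decimal exit code, which is how the sandbox renders an NTSTATUS. The Python below is an added example, not ANY.RUN code and not part of the sample, that converts those exit codes to NTSTATUS form, lists the launches that failed for lack of elevation, and walks parent/child pairs to find where integrity rose from MEDIUM to HIGH. The records are constructed from this report's process information; parent PIDs are an assumption taken from the parent-process names printed above (the user's explorer.exe and the svchost.exe that hosted slui.exe are not in the report, so those parents are None), and the processes without a detailed record (7816, 7836, 7860) are left out.

```python
"""Process-record triage for a sandbox report: NTSTATUS decoding and integrity jumps.

Added example.  PROCESSES is constructed from this report's "Process information"
section; parent PIDs are an assumption derived from the parent-process names the
report prints, not a field the report provides.
"""

# NTSTATUS values seen in this report (names as in ntstatus.h).
STATUS_SUCCESS = 0x00000000
STATUS_ELEVATION_REQUIRED = 0xC000042C
STATUS_NAMES = {
    STATUS_SUCCESS: "STATUS_SUCCESS",
    STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED",
}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

SAMPLE = ("2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_"
          "cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe")
TEMP_DIR = "C:\\Users\\admin\\AppData\\Local\\Temp\\3582-490\\"

# (pid, assumed parent pid, image path, integrity level, exit code or None if still running)
PROCESSES = [
    (7484, None, "C:\\Users\\admin\\Desktop\\" + SAMPLE, "MEDIUM", 0),
    (7528, 7484, TEMP_DIR + SAMPLE, "MEDIUM", 3221226540),
    (7624, 7484, TEMP_DIR + SAMPLE, "HIGH", 0),
    (7652, 7624, TEMP_DIR + SAMPLE + " ", "HIGH", 0),   # file name ends with a space
    (7660, 7624, "C:\\Windows\\Resources\\Themes\\icsys.icn.exe", "HIGH", 0),
    (7668, 7652, "C:\\Windows\\System32\\conhost.exe", "HIGH", 0),
    (7792, 7660, "C:\\Windows\\Resources\\Themes\\explorer.exe", "HIGH", None),
    (856, None, "C:\\Windows\\Resources\\Themes\\explorer.exe", "MEDIUM", 3221226540),
    (1012, None, "C:\\Windows\\Resources\\svchost.exe", "MEDIUM", 3221226540),
]


def decode_exit_code(code):
    """Render a decimal sandbox exit code as NTSTATUS hex with its name when known."""
    if code is None:
        return "still running"
    value = code & 0xFFFFFFFF
    return f"0x{value:08X} ({STATUS_NAMES.get(value, 'unknown NTSTATUS')})"


def elevation_failures(procs):
    """PIDs whose launch failed because the image demanded elevation."""
    return sorted(pid for pid, _, _, _, code in procs
                  if code is not None and code & 0xFFFFFFFF == STATUS_ELEVATION_REQUIRED)


def integrity_escalations(procs):
    """(parent pid, child pid) pairs where the child runs at a higher integrity level."""
    by_pid = {p[0]: p for p in procs}
    pairs = []
    for pid, ppid, _, level, _ in procs:
        parent = by_pid.get(ppid)
        if parent and INTEGRITY_RANK[level] > INTEGRITY_RANK[parent[3]]:
            pairs.append((ppid, pid))
    return pairs


def render_tree(procs):
    """Indented lines (pid, image, integrity, exit status); roots are processes whose parent is not listed."""
    by_pid = {p[0]: p for p in procs}
    children = {}
    for p in procs:
        parent = p[1] if p[1] in by_pid else None
        children.setdefault(parent, []).append(p)
    lines = []

    def walk(parent, depth):
        for pid, _, image, level, code in children.get(parent, []):
            # repr() keeps a trailing space in the image name visible
            lines.append(f"{'  ' * depth}{pid} {image!r} [{level}] {decode_exit_code(code)}")
            walk(pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print("elevation failures:", elevation_failures(PROCESSES))
    print("integrity escalations:", integrity_escalations(PROCESSES))
```

The one escalation the tree shows is the MEDIUM desktop copy (7484) spawning the HIGH copy from %TEMP%\3582-490 (7624); the three STATUS_ELEVATION_REQUIRED failures are the same images started without elevation (7528, and the two RunOnce launches 856 and 1012).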
Total events
4 047
Read events
4 028
Write events
15
Delete events
4

Modification events

Process: (7660) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Process: (7624) 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:

Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:
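The four RunOnce writes and four Run deletions above are the persistence that the "Changes the autorun value in the registry" signature fired on: both the renamed explorer.exe and the renamed svchost.exe delete the Explorer/Svchost values under Run and write them again under RunOnce, pointing at copies in C:\Windows\Resources with the argument RO. The Python below is an added example, not ANY.RUN code and not part of the sample, that triages such an event list: it normalizes WOW6432Node keys, splits each value into image path and arguments, flags images outside the usual trusted directories, and pairs a deletion under Run with a write of the same value name under RunOnce by the same process. The event records are constructed from this report's table; the trusted-directory list is an assumption.

```python
"""Autorun (Run/RunOnce) triage over a sandbox's registry modification events.

Added example.  EVENTS is constructed from this report; TRUSTED_PREFIXES is an
assumed allow-list, not something the report states.
"""
import re
from collections import defaultdict

SAMPLE = ("2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_"
          "cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe")
HKCU_VB = r"HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUNONCE = HKLM_RUN + "Once"

# (pid, process, key, operation, value name, value data), in the report's order
EVENTS = [
    (7660, "icsys.icn.exe", HKCU_VB, "write", "LO", "1"),
    (7624, SAMPLE, HKCU_VB, "write", "LO", "1"),
]
for _pid, _proc in ((7836, "svchost.exe"), (7792, "explorer.exe")):
    EVENTS += [
        (_pid, _proc, HKLM_RUNONCE, "write", "Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
        (_pid, _proc, HKLM_RUNONCE, "write", "Svchost", r"c:\windows\resources\svchost.exe RO"),
        (_pid, _proc, HKLM_RUN, "delete value", "Explorer", ""),
        (_pid, _proc, HKLM_RUN, "delete value", "Svchost", ""),
    ]

AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$",
    re.IGNORECASE)
# Directories an autorun image is normally expected to live in (assumed allow-list).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_key(key):
    """Drop the WOW6432Node redirection so the 32- and 64-bit views compare equal."""
    nkey = re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.IGNORECASE)
    return nkey, nkey != key


def split_command(cmd):
    """Split a Run value into (image path, arguments); handles quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(" ")
    for i in range(len(parts)):          # grow the path token by token until it names an executable
        head = " ".join(parts[: i + 1])
        if head.lower().endswith((".exe", ".com", ".scr", ".bat", ".cmd", ".dll")):
            return head, " ".join(parts[i + 1:]).strip()
    return parts[0], " ".join(parts[1:]).strip()


def triage_autoruns(events):
    """One finding per autorun write, with the heuristics that fired on it."""
    deleted = defaultdict(set)           # pid -> {(location, value name)} removed by that process
    for pid, _, key, op, name, _ in events:
        m = AUTORUN_KEY.search(normalize_key(key)[0])
        if m and op.startswith("delete"):
            deleted[pid].add((m.group(1).lower(), name.lower()))

    findings = []
    for pid, proc, key, op, name, data in events:
        nkey, wow64 = normalize_key(key)
        m = AUTORUN_KEY.search(nkey)
        if not m or op != "write":
            continue
        image, args = split_command(data)
        location = m.group(1)
        findings.append({
            "pid": pid, "process": proc, "location": location, "wow64": wow64,
            "value_name": name, "image": image, "args": args,
            "untrusted_dir": not image.lower().startswith(TRUSTED_PREFIXES),
            # same process removed this name from Run and re-added it under RunOnce
            "rearmed_from_run": location.lower() == "runonce"
                                and ("run", name.lower()) in deleted[pid],
        })
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(EVENTS):
        print(f)
```

Run against this report's events, every one of the four writes lands under the 32-bit (WOW6432Node) view, points at an image under C:\Windows\Resources, carries the argument RO, and replaces a Run value of the same name that the same process had just deleted.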
Executable files
12
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type, followed by the MD5 and SHA256 of the dropped file

PID: 7624 | Process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Filename: C:\Windows\Resources\Themes\icsys.icn.exe | Type: executable
MD5: 0A3FB16ACCD1E7439BC939276947B1CD
SHA256: C6D66B60CACE2473598EDDDEAA6F79EEAD1CA98A05779F8CE8FFF1A48F3ED344

PID: 7484 | Process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Filename: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Type: executable
MD5: D9C8B62BF33463A1D9B8147EF9D71D0A
SHA256: 513A196FA38BF7D2D60D9797EECA63F21767FEE4845A89771E6F19EE6AEB3208

PID: 7660 | Process: icsys.icn.exe | Filename: C:\Windows\Resources\Themes\explorer.exe | Type: executable
MD5: 7A7936BE703BFC8E1D870C58EC4436C1
SHA256: C292B3AB14E76B1E327490738195FF2F84BA12B246B2B3FBDFB056CD818DD324

PID: 7816 | Process: spoolsv.exe | Filename: C:\Windows\Resources\svchost.exe | Type: executable
MD5: 2C4747AFE097FCD7F8FD765A909C8011
SHA256: C89725B9E6951E5FEA7B71AADB6630A21ABD982BC5043654A700BE66D365BD9E

PID: 7860 | Process: spoolsv.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DF44C19B57DC0F8BAF.TMP | Type: binary
MD5: 56953BD0965141862B307FFB21AF7D97
SHA256: B5DA6C7321044DC3CD4F4A780C1689428567EFF1E28DC3C3DEB95D8AD37009FF

PID: 7624 | Process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Filename: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (file name ends with a space) | Type: executable
MD5: 473D99E2258F1B49EADFA74ED9D98C9E
SHA256: AAD9314318668B26FC29B637521894BF3AF1634D64B83DD6D022FD3079C17F02

PID: 7792 | Process: explorer.exe | Filename: C:\Windows\Resources\spoolsv.exe | Type: executable
MD5: 1B3AD756601A7A1136FC87E7FBA95420
SHA256: 0379F93C804973EC00D91CA49A0D8E5A5D857476AC5ED06A09F959B22BC4D36C

PID: 7484 | Process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exe | Type: executable
MD5: 1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256: 3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9

PID: 7484 | Process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exe | Type: executable
MD5: E73AC057B2CFEF016B8199389F0DF590
SHA256: 20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C

PID: 7484 | Process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | Filename: C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe | Type: executable
MD5: 85A67D34298E33D2D5A9EC789B6AB594
SHA256: 1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
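The dropped-files list above carries three of the indicators the signatures flagged: copies that reuse system binary names (explorer.exe, svchost.exe, spoolsv.exe) under C:\Windows\Resources, a staging copy under %TEMP%\3582-490 whose twin has a file name ending in a space, and third-party executables (OneDrive helpers, AdobeARMHelper.exe) that the first process overwrote. The Python below is an added example, not ANY.RUN code and not part of the sample, that tags each path with those indicators and compares executable hashes against a known-good baseline to find files modified in place. The path list and the observed hashes are taken from this report; the baseline hashes are placeholders (the pre-infection hashes are not on the page), and the table of legitimate locations is an assumption for Windows 10.

```python
"""Filesystem indicator tagging and in-place modification check for dropped files.

Added example.  DROPPED and OBSERVED come from this report's dropped-files table;
BASELINE hashes are placeholders and EXPECTED_DIRS is an assumption.
"""
import re

SAMPLE = ("2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_"
          "cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe")
TEMP_DIR = "C:\\Users\\admin\\AppData\\Local\\Temp\\3582-490\\"
ONEDRIVE = r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013"

# Directories in which these binary names legitimately live on Windows 10 (assumed).
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "conhost.exe": {"c:\\windows\\system32"},
}
STAGING_DIR = re.compile(r"\\temp\\3582-490\\", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".dll")

# (path, sha256) as listed in the report
DROPPED = [
    (r"C:\Windows\Resources\Themes\icsys.icn.exe", "C6D66B60CACE2473598EDDDEAA6F79EEAD1CA98A05779F8CE8FFF1A48F3ED344"),
    (TEMP_DIR + SAMPLE, "513A196FA38BF7D2D60D9797EECA63F21767FEE4845A89771E6F19EE6AEB3208"),
    (r"C:\Windows\Resources\Themes\explorer.exe", "C292B3AB14E76B1E327490738195FF2F84BA12B246B2B3FBDFB056CD818DD324"),
    (r"C:\Windows\Resources\svchost.exe", "C89725B9E6951E5FEA7B71AADB6630A21ABD982BC5043654A700BE66D365BD9E"),
    (r"C:\Users\admin\AppData\Local\Temp\~DF44C19B57DC0F8BAF.TMP", "B5DA6C7321044DC3CD4F4A780C1689428567EFF1E28DC3C3DEB95D8AD37009FF"),
    (TEMP_DIR + SAMPLE + " ", "AAD9314318668B26FC29B637521894BF3AF1634D64B83DD6D022FD3079C17F02"),  # trailing space
    (r"C:\Windows\Resources\spoolsv.exe", "0379F93C804973EC00D91CA49A0D8E5A5D857476AC5ED06A09F959B22BC4D36C"),
]
OBSERVED = {  # hashes the report shows after PID 7484 overwrote these files
    ONEDRIVE + r"\FileSyncHelper.exe": "3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9",
    ONEDRIVE + r"\OneDriveUpdaterService.exe": "20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C",
    r"C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe": "1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4",
}
BASELINE = {  # placeholder pre-infection hashes (constructed, not from the report)
    ONEDRIVE + r"\FileSyncHelper.exe": "0" * 64,
    ONEDRIVE + r"\OneDriveUpdaterService.exe": "1" * 64,
    r"C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe": "2" * 64,
    r"C:\Windows\System32\notepad.exe": "3" * 64,   # untouched file, absent from OBSERVED
}


def indicators(path):
    """Set of indicator tags that apply to one file path."""
    directory, _, name = path.rpartition("\\")
    ldir, lname = directory.lower(), name.lower()
    stripped = lname.rstrip()
    tags = set()
    if name != name.rstrip():                       # "x.exe " is not "x.exe"
        tags.add("trailing_whitespace_name")
    if stripped in EXPECTED_DIRS and ldir not in EXPECTED_DIRS[stripped]:
        tags.add("system_name_outside_expected_dir")
    under_resources = ldir == "c:\\windows\\resources" or ldir.startswith("c:\\windows\\resources\\")
    if under_resources and stripped.endswith(EXECUTABLE_EXT):
        tags.add("executable_under_windows_resources")
    if STAGING_DIR.search(path):
        tags.add("neshta_temp_staging_dir")
    return tags


def tag_dropped(dropped):
    """Map each dropped path to its indicator tags."""
    return {path: indicators(path) for path, _ in dropped}


def modified_executables(baseline, observed):
    """Paths present in the baseline whose observed hash differs (paths and hashes compared case-insensitively)."""
    base = {p.lower(): h.lower() for p, h in baseline.items()}
    return sorted(p for p, h in observed.items()
                  if p.lower() in base and base[p.lower()] != h.lower())


if __name__ == "__main__":
    for path, tags in tag_dropped(DROPPED).items():
        print(f"{path!r}: {sorted(tags) or '-'}")
    print("modified in place:", modified_executables(BASELINE, OBSERVED))
```

The baseline comparison is the check that actually catches the overwrite of FileSyncHelper.exe, OneDriveUpdaterService.exe and AdobeARMHelper.exe: those paths carry none of the name or location indicators, so only a hash diff against a pre-infection inventory (or a signature check, since the originals were signed vendor binaries) reveals them.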
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
64
DNS requests
20
Threats
0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (cells the report leaves empty are omitted in the rows below)
5496 | MoUsoCoreWorker.exe | GET | 200 | 88.221.110.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (rows the report prints without a PID/Process or without domain data are shown with "-")
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
- | - | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 88.221.110.114:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.67
  • 40.126.32.74
  • 20.190.160.64
  • 20.190.160.66
  • 20.190.160.22
  • 20.190.160.4
  • 20.190.160.132
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 88.221.110.114
  • 88.221.110.122
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info