File name: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/d795e911-6daf-47b5-934d-e3f06c3a567e
Verdict: Malicious activity
Analysis date: May 15, 2025, 18:44:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo, neshta, auto-reg

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 82072ED4BE37E00173450EF2C82C2408
SHA1: CE00BB9C23E7B899D0996E1B525FB9D4CE3040CC
SHA256: C83998E848ED7131C11F2B7B80C1A3920DC8B7568AB56C13734D0692261381A7
SSDEEP: 24576:95FxcPN8PKz+q4ebGVdcNqF0uOt/0l+rm:9TxcKSz+q4ebGVdcNqF0uOt/0l+rm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • JEEFO has been detected

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • svchost.exe (PID: 7836)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • explorer.exe (PID: 7792)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 7792)
      • svchost.exe (PID: 7836)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Mutex name with non-standard characters

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Executable content was dropped or overwritten

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • spoolsv.exe (PID: 7816)
      • explorer.exe (PID: 7792)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Starts application with an unusual extension

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
    • Starts itself from another location

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • explorer.exe (PID: 7792)
      • svchost.exe (PID: 7836)
      • spoolsv.exe (PID: 7816)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7660)
      • spoolsv.exe (PID: 7816)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
  • INFO

    • Create files in a temporary directory

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • explorer.exe (PID: 7792)
      • spoolsv.exe (PID: 7816)
      • svchost.exe (PID: 7836)
      • spoolsv.exe (PID: 7860)
    • Reads the computer name

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • icsys.icn.exe (PID: 7660)
      • svchost.exe (PID: 7836)
    • Checks supported languages

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7624)
      • icsys.icn.exe (PID: 7660)
      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (PID: 7652)
      • explorer.exe (PID: 7792)
      • spoolsv.exe (PID: 7816)
      • svchost.exe (PID: 7836)
      • spoolsv.exe (PID: 7860)
    • Process checks computer location settings

      • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7484)
    • Manual execution by a user

      • svchost.exe (PID: 1012)
      • explorer.exe (PID: 856)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7792)
      • svchost.exe (PID: 7836)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 138
Monitored processes: 13
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order given (sandbox family tags in #CAPS; "no specs" marks a process without indicators):
  • start
  • #NESHTA 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
  • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (no specs)
  • #JEEFO 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
  • 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (no specs)
  • #JEEFO icsys.icn.exe
  • conhost.exe (no specs)
  • #JEEFO explorer.exe
  • spoolsv.exe
  • #JEEFO svchost.exe
  • spoolsv.exe (no specs)
  • svchost.exe (no specs)
  • explorer.exe (no specs)
  • slui.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process, followed by the loaded modules (images).
PID: 856
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1012
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5380
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7484
CMD: "C:\Users\admin\Desktop\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe"
Path: C:\Users\admin\Desktop\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7528
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7624
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (Images):
c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7652
CMD: c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (file name ends in a trailing space, as dropped by PID 7624)
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe 
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 4.1.0.1
Modules (Images):
c:\users\admin\appdata\local\temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll
PID: 7660
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (Images):
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe 
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7792
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (Images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events: 4 047
Read events: 4 028
Write events: 15
Delete events: 4

Modification events

(PID) Process: (7660) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (7624) 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: (empty)

(PID) Process: (7836) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: (empty)

(PID) Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: (empty)

(PID) Process: (7792) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: (empty)
Executable files: 12
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

Each entry: PID | Process | Filename | Type, followed by the file's MD5 and SHA256.
7484 | 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | executable
MD5:D9C8B62BF33463A1D9B8147EF9D71D0A
SHA256:513A196FA38BF7D2D60D9797EECA63F21767FEE4845A89771E6F19EE6AEB3208
7816 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF9081BB2AC1C373D8.TMP | binary
MD5:AC466F264A6A3AC799093E8D62595D86
SHA256:7869BEAB056E4900FAB7A8D18B4D8AAC92524024623C3A7F728E28B3D5EEAB66
7484 | 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe | executable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
7624 | 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
MD5:0A3FB16ACCD1E7439BC939276947B1CD
SHA256:C6D66B60CACE2473598EDDDEAA6F79EEAD1CA98A05779F8CE8FFF1A48F3ED344
7624 | 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe  (file name ends in a trailing space) | executable
MD5:473D99E2258F1B49EADFA74ED9D98C9E
SHA256:AAD9314318668B26FC29B637521894BF3AF1634D64B83DD6D022FD3079C17F02
7660 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DF5DE39D8510E9A79E.TMP | binary
MD5:5EE651F3A2D57187D148AA6E312863D2
SHA256:354EAA8A3A6E6890945FECB29B7E448FD46BB735F0C1249B274DB958B27C0CF0
7484 | 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exe | executable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
7792 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable
MD5:1B3AD756601A7A1136FC87E7FBA95420
SHA256:0379F93C804973EC00D91CA49A0D8E5A5D857476AC5ED06A09F959B22BC4D36C
7624 | 2025-05-15_82072ed4be37e00173450ef2c82c2408_amadey_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\~DF1A419A4F833E3BA4.TMP | binary
MD5:6002F031CF7829F34C0AF26B647A7F27
SHA256:97780CA4878818EAC8E0AF1382AB29F56FA1EC8384EE6690C5F6F9555C6BC9AF
7660 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable
MD5:7A7936BE703BFC8E1D870C58EC4436C1
SHA256:C292B3AB14E76B1E327490738195FF2F84BA12B246B2B3FBDFB056CD818DD324
HTTP(S) requests: 9
TCP/UDP connections: 64
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 88.221.110.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
8104 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (empty cells are not reported on the page)
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
- | - | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 88.221.110.114:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests


Threats

No threats detected
No debug info