File name: 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/0a8676f2-f0e9-4240-a9b5-e00ec59596a2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 29, 2025, 15:57:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 57B417CF99F871B53209476C2E249433
SHA1: AB47A7D68F1F36C389B4CD8918D1BEB887E21D8D
SHA256: D55D6A447E10D0B71CB2AEBDD040AAD3F8C6BC98AAD9C4CAE8C849CA0EDC08EE
SSDEEP: 49152:5cp0C/tggalp5PkXiiqeNtEFYqdYmz9uNMTGtOw0yxe5CiB5xj/lFv4AzAdjDuAQ:5c6WtgVFPEiiZNmCMzz9ugWe5C65xDHz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • explorer.exe (PID: 5344)
      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
      • icsys.icn.exe (PID: 4224)
      • svchost.exe (PID: 5512)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 5344)
      • svchost.exe (PID: 5512)
      • setup.exe (PID: 6136)
  • SUSPICIOUS

    • Starts itself from another location

      • icsys.icn.exe (PID: 4224)
      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
      • explorer.exe (PID: 5344)
      • spoolsv.exe (PID: 6388)
      • svchost.exe (PID: 5512)
    • Executable content was dropped or overwritten

      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
      • icsys.icn.exe (PID: 4224)
      • spoolsv.exe (PID: 6388)
      • explorer.exe (PID: 5344)
      • setup.exe (PID: 6136)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 4776)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 4224)
      • spoolsv.exe (PID: 6388)
    • Starts application with an unusual extension

      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 4776)
    • Creates or modifies Windows services

      • svchost.exe (PID: 5512)
    • Application launched itself

      • setup.exe (PID: 4740)
      • setup.exe (PID: 6136)
    • Searches for installed software

      • setup.exe (PID: 6136)
    • Creates a software uninstall entry

      • setup.exe (PID: 6136)
    • There is functionality for taking screenshot (YARA)

      • GoogleUpdate.exe (PID: 1660)
  • INFO

    • The sample compiled with english language support

      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
      • svchost.exe (PID: 4776)
      • setup.exe (PID: 6136)
    • Create files in a temporary directory

      • svchost.exe (PID: 4776)
      • icsys.icn.exe (PID: 4224)
      • explorer.exe (PID: 5344)
      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
      • spoolsv.exe (PID: 1276)
      • spoolsv.exe (PID: 6388)
      • svchost.exe (PID: 5512)
    • Checks supported languages

      • icsys.icn.exe (PID: 4224)
      • explorer.exe (PID: 5344)
      • 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 3156)
      • svchost.exe (PID: 5512)
      • spoolsv.exe (PID: 1276)
      • spoolsv.exe (PID: 6388)
      • setup.exe (PID: 4728)
      • setup.exe (PID: 4740)
      • setup.exe (PID: 1388)
      • setup.exe (PID: 6136)
      • GoogleUpdateOnDemand.exe (PID: 680)
      • GoogleUpdate.exe (PID: 5596)
      • elevation_service.exe (PID: 4228)
    • Reads the computer name

      • svchost.exe (PID: 5512)
      • setup.exe (PID: 6136)
      • setup.exe (PID: 4740)
      • GoogleUpdate.exe (PID: 5596)
      • elevation_service.exe (PID: 4228)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 5344)
      • svchost.exe (PID: 5512)
      • setup.exe (PID: 6136)
    • Creates files in the program directory

      • setup.exe (PID: 6136)
      • setup.exe (PID: 4740)
    • Manual execution by a user

      • svchost.exe (PID: 1388)
      • explorer.exe (PID: 1096)
      • chrmstp.exe (PID: 5232)
    • Executes as Windows Service

      • elevation_service.exe (PID: 4228)
    • Application launched itself

      • chrmstp.exe (PID: 2392)
      • chrmstp.exe (PID: 5232)
      • chrome.exe (PID: 5988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 189
Monitored processes: 57
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Interactive process tree available in the full report. Nodes tagged #JEEFO: the sample executable, icsys.icn.exe, explorer.exe and svchost.exe. The remaining nodes (googleupdate.exe, spoolsv.exe, slui.exe, setup.exe, googleupdateondemand.exe, chrome.exe, chrmstp.exe, elevation_service.exe and a second instance of the sample) carry no specs.

Process information

PID | CMD | Path | Indicators | Parent process
PID: 232
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1928,i,8235830084687865106,16374499849612974208,262144 --variations-seed-version --mojo-platform-channel-handle=3300 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
135.0.7049.115
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 680
CMD: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe" -Embedding
Path: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe
Parent process: svchost.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Update
Exit code:
0
Version:
1.3.36.371
Modules
Images
c:\program files (x86)\google\update\1.3.36.372\googleupdateondemand.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 780
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1928,i,8235830084687865106,16374499849612974208,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.115
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 896
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=1928,i,8235830084687865106,16374499849612974208,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.115
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1040
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=1928,i,8235830084687865106,16374499849612974208,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.115
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1096
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1276
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 1280
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1928,i,8235830084687865106,16374499849612974208,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.115
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1388
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1388
CMD: "C:\Program Files (x86)\Google\Update\Install\{00C78092-C941-47FA-AA26-8968DCF02D0A}\CR_7FF27.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=135.0.7049.115 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff70a1c95f8,0x7ff70a1c9604,0x7ff70a1c9610
Path: C:\Program Files (x86)\Google\Update\Install\{00C78092-C941-47FA-AA26-8968DCF02D0A}\CR_7FF27.tmp\setup.exe
Parent process: setup.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome Installer
Exit code:
0
Version:
135.0.7049.115
Modules
Images
c:\program files (x86)\google\update\install\{00c78092-c941-47fa-aa26-8968dcf02d0a}\cr_7ff27.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 18 750
Read events: 18 598
Write events: 142
Delete events: 10

Modification events

(PID) Process: (3156) 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (4224) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (5344) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (5344) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (5344) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: -

(PID) Process: (5344) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: -

(PID) Process: (5512) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (5512) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (5512) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: -

(PID) Process: (5512) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: -
Executable files: 10
Suspicious files: 116
Text files: 63
Unknown types: 3

Dropped files

PID | Process | Filename | Type
4776 | svchost.exe | C:\Users\admin\AppData\Local\Temp\BITD7B4.tmp | -
MD5:
SHA256:
4776 | svchost.exe | C:\Users\admin\AppData\Local\Temp\{A3E49241-A1C4-4209-93BE-A10784A58B74}-135.0.7049.115_chrome_installer.exe | -
MD5:
SHA256:
6136 | setup.exe | - | -
MD5:
SHA256:
6136 | setup.exe | C:\Program Files\Google\Chrome\Application\135.0.7049.115\Installer\chrome.7z | -
MD5:
SHA256:
5344 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable
MD5:D74C2D8754CD45586DF215B281A8E02A
SHA256:3D35ADA7C2E850FA3767618B8D0AB77F1FE62733BD82B516C511E7AEC71ACA34
4776 | svchost.exe | C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | binary
MD5:5CED121086E8C43175CD7FB1333CE41A
SHA256:691859F0CF3D8BEDF8B88304C7F9C451E26D925E1C1E95B81C1AA51D2A54EA91
3156 | 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
MD5:8C0A205A22A81EBBDD1F7C682F9AD548
SHA256:A1CCA96B246641DA5FAD7D3D28096D2C762EC367CD4CD3EA76D74840DBD68E4F
3156 | 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe | C:\Users\admin\Desktop\2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe | executable
MD5:B85C99E8B6121E7D1CE9A78A2C7F8F6D
SHA256:053C8FD7A2E5622E248BD0C7A42CACFF577D139E8F6FEA9545921E0967388691
4224 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable
MD5:2CA2B06DFCFCEC1150FBBD3F0D34C6AD
SHA256:27109C0DFA0E9B025FF9A5FDF81A36E3D4875477A07A4652B552ECFC3CF8C11E
3156 | 2025-04-29_57b417cf99f871b53209476c2e249433_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe | C:\Users\admin\AppData\Local\Temp\~DFED3D88A45DB9B392.TMP | binary
MD5:35A0BCD845404A73B7E2BEE1CE94E13E
SHA256:6ED26DFE63220EF906F547E704AAECF3923F9330CD9D51BFE313B1B1CB2F5B41
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 71
TCP/UDP connections: 83
DNS requests: 46
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells that are empty in the extracted report are omitted from the rows below)

GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4776 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome/ackxpvrm3yhql4zsr7kcxuakkwkq_135.0.7049.115/135.0.7049.115_chrome_installer.exe | unknown | whitelisted
4776 | svchost.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome/ackxpvrm3yhql4zsr7kcxuakkwkq_135.0.7049.115/135.0.7049.115_chrome_installer.exe | unknown | whitelisted
GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
5756 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 23.216.77.4:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 23.216.77.4:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5756 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (cells that are empty in the extracted report are omitted from the rows below)

4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
51.124.78.146:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
142.250.185.67:443 | update.googleapis.com | GOOGLE | US | whitelisted
142.250.185.238:443 | dl.google.com | GOOGLE | US | whitelisted
40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
239.255.255.250:1900 | whitelisted

DNS requests

Domain | IP | Reputation
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 23.216.77.4
  • 23.216.77.8
  • 23.216.77.39
  • 23.216.77.30
  • 23.216.77.10
  • 23.216.77.11
  • 23.216.77.36
  • 23.216.77.6
  • 23.216.77.25
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
update.googleapis.com
  • 142.250.185.67
  • 142.250.186.99
whitelisted
dl.google.com
  • 142.250.185.238
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.134
  • 20.190.160.130
  • 40.126.32.68
  • 20.190.160.65
  • 20.190.160.20
  • 20.190.160.5
  • 20.190.160.66
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

PID | Process | Class | Message

4776 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
4776 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
4776 | svchost.exe | Misc activity | ET INFO Packed Executable Download
No debug info