File name:

2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn

Full analysis: https://app.any.run/tasks/392b0ccb-dfbe-499d-9a27-357306fbeedd
Verdict: Malicious activity
Analysis date: May 12, 2025, 03:30:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

1BDBCC06FCFCA0B2E1450DD7806E8636

SHA1:

F3211C046902368AAD21A8A6C88E6A97963A8BEA

SHA256:

FDBD5EC0B1E92DFB693DB9B4B2E6C8EC751A9450D53379F6C413A67A6125EE25

SSDEEP:

98304:5cC2d240HRy5S6g/LzM1DXbTRe0hBSLyoovRWf6Sz1i0hAVUlGisxod1lifQ+keV:nWUuQmcJ2J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)
      • icsys.icn.exe (PID: 5988)
      • svchost.exe (PID: 1324)
      • explorer.exe (PID: 4040)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 4040)
      • svchost.exe (PID: 1324)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)

    • Starts itself from another location

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)
      • icsys.icn.exe (PID: 5988)
      • explorer.exe (PID: 4040)
      • spoolsv.exe (PID: 1228)
      • svchost.exe (PID: 1324)

    • Executable content was dropped or overwritten

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)
      • icsys.icn.exe (PID: 5988)
      • spoolsv.exe (PID: 1228)
      • explorer.exe (PID: 4040)
      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 5988)
      • spoolsv.exe (PID: 1228)

    • Reads Internet Explorer settings

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)

    • Reads Microsoft Outlook installation path

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)

    • Reads security settings of Internet Explorer

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • Uninstall.exe (PID: 2616)

    • Reads the date of Windows installation

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • Uninstall.exe (PID: 2616)

    • Drops 7-zip archiver for unpacking

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)

    • Creates a software uninstall entry

      • Uninstall.exe (PID: 2616)

    • Creates/Modifies COM task schedule object

      • Uninstall.exe (PID: 2616)

    • Searches for installed software

      • Uninstall.exe (PID: 2616)

    • Start notepad (likely ransomware note)

      • Uninstall.exe (PID: 2616)

    • There is functionality for taking screenshot (YARA)

      • Uninstall.exe (PID: 2616)

    • Creates or modifies Windows services

      • svchost.exe (PID: 1324)

  • INFO

    • Checks supported languages

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)
      • icsys.icn.exe (PID: 5988)
      • explorer.exe (PID: 4040)
      • spoolsv.exe (PID: 1228)
      • svchost.exe (PID: 1324)
      • spoolsv.exe (PID: 6272)
      • Uninstall.exe (PID: 2616)

    • The sample compiled with english language support

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)
      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)

    • Create files in a temporary directory

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe (PID: 5680)
      • icsys.icn.exe (PID: 5988)
      • explorer.exe (PID: 4040)
      • spoolsv.exe (PID: 1228)
      • svchost.exe (PID: 1324)
      • spoolsv.exe (PID: 6272)

    • Reads the computer name

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • svchost.exe (PID: 1324)
      • Uninstall.exe (PID: 2616)

    • Checks proxy server information

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • slui.exe (PID: 6148)

    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 4040)
      • svchost.exe (PID: 1324)

    • The sample compiled with russian language support

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)

    • Creates files in the program directory

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • Uninstall.exe (PID: 2616)

    • Process checks computer location settings

      • 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  (PID: 5156)
      • Uninstall.exe (PID: 2616)

    • Manual execution by a user

      • explorer.exe (PID: 6032)
      • svchost.exe (PID: 1532)

    • Creates files or folders in the user directory

      • Uninstall.exe (PID: 2616)

    • Reads Microsoft Office registry keys

      • Uninstall.exe (PID: 2616)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5720)

    • Reads the software policy settings

      • slui.exe (PID: 6148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
13
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #JEEFO 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  #JEEFO icsys.icn.exe #JEEFO explorer.exe spoolsv.exe #JEEFO svchost.exe spoolsv.exe no specs uninstall.exe no specs svchost.exe no specs explorer.exe no specs notepad.exe no specs slui.exe 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1228c:\windows\resources\spoolsv.exe SEC:\Windows\Resources\spoolsv.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
1324c:\windows\resources\svchost.exeC:\Windows\Resources\svchost.exe
spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
1532c:\windows\resources\svchost.exe ROC:\Windows\Resources\svchost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2616"C:\Program Files\WinRAR\uninstall.exe" /setupC:\Program Files\WinRAR\Uninstall.exe2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe 
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
Uninstall WinRAR
Version:
7.11.0
Modules
Images
c:\program files\winrar\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4040c:\windows\resources\themes\explorer.exeC:\Windows\Resources\Themes\explorer.exe
icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
5156c:\users\admin\desktop\2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe  C:\Users\admin\Desktop\2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe 
2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR
Exit code:
0
Version:
7.11.0
Modules
Images
c:\users\admin\desktop\2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5680"C:\Users\admin\Desktop\2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe" C:\Users\admin\Desktop\2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
5720"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\License.txtC:\Windows\System32\notepad.exeUninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5988C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
6032c:\windows\resources\themes\explorer.exe ROC:\Windows\Resources\Themes\explorer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
5 435
Read events
5 329
Write events
98
Delete events
8

Modification events

(PID) Process:(5680) 2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(5988) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(4040) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(4040) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(4040) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(4040) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(1324) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(1324) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(1324) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(1324) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
Executable files
18
Suspicious files
15
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
56802025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:ACFC95999E39D3FA63FC63B48FA2B8FE
SHA256:B01AC43B391E267AEC85E1695C24DF982C10AA36B4998803FB9D9B41B80B9066
51562025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe 
MD5:
SHA256:
5988icsys.icn.exeC:\Windows\Resources\Themes\explorer.exeexecutable
MD5:7761B3993DFFE8ED3B1640EAB5E0CC58
SHA256:D994A2BD26857F052B5DAAF61032234EBE3A11AB0643F0E3895CFCFFF7AD2C6E
51562025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe C:\Program Files\WinRAR\RarFiles.lsttext
MD5:6CC00DFAE2BE18311BB961F4E07BB18E
SHA256:9CC712F36C3B6DBF8970DE9522ED9A44A2C018BAC291193A89AECF9567A3C7C9
51562025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe C:\Program Files\WinRAR\Descript.iontext
MD5:56D8D7ECD474F6385AE105D9C4E7CB52
SHA256:EDA37E8880F577F714E8BF35ABB82DFD41C6D294E6A5134030DC9228C06CEFC4
1228spoolsv.exeC:\Windows\Resources\svchost.exeexecutable
MD5:D7CD8FD1B43D7B05737458EA5B9726AC
SHA256:F034E0547BC8B60AF820E00790035B85893CCF6821B3EA530E736DC4367B38F9
6272spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF95D43A276F1DEC21.TMPbinary
MD5:327FC278B47DFE2AA3EEDF51479B534D
SHA256:BEA0186364AE6CB0FA5BA17F885F3BEC4800435CC4CA32FA828700330687C0F9
1228spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DFFEB14E23580088BB.TMPbinary
MD5:327FC278B47DFE2AA3EEDF51479B534D
SHA256:BEA0186364AE6CB0FA5BA17F885F3BEC4800435CC4CA32FA828700330687C0F9
51562025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exe C:\Program Files\WinRAR\ReadMe.txttext
MD5:00D0A57A6D64EE3DE8F4D5529D6C6447
SHA256:FCD13E1B97AF47B8B923BA97AE15E9731C66093609667C3171D5DD24A6F7F2E6
56802025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn.exeC:\Users\admin\AppData\Local\Temp\~DF420F32D94E713DB4.TMPbinary
MD5:D9ABB75698C62E336EF55C0F2DE68100
SHA256:241841C2387DD369404CBE989647583777D2F12D7D725EC27EB05BAC30783978
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4172
RUXIMICS.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4172
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4172
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4172
RUXIMICS.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
4172
RUXIMICS.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
896
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-12_1bdbcc06fcfca0b2e1450dd7806e8636_black-basta_elex_hijackloader_swisyn