File name:

2025-08-04_94ad3864c2046c21b56b476004646bd2_amadey_black-basta_coinminer_darkgate_darpapox_elex_hijackloader_icedid_luca.exe

Full analysis: https://app.any.run/tasks/b8505406-c6d1-4d3e-aedf-3f56d2532159
Verdict: Malicious activity
Analysis date: August 04, 2025, 22:35:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

94AD3864C2046C21B56B476004646BD2

SHA1:

89D3B9775F622576FA9299394D2A96211FC4AE92

SHA256:

00B276D62DA5779E984DF81FE808856460A0524ACC359BF1FFE2B8295D2BD692

SSDEEP:

98304:LFs0VxGAat6Ky0DxYEa2d7id1BmZKgfM6zYQG7J8tr1fR9UFotGKaG8BZLiM4nZx:KCUDj3J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • mscaps.exe (PID: 3624)
      • mscaps.exe (PID: 6264)
      • launch.exe (PID: 6304)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 2732)
      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
      • wtmps.exe (PID: 6648)
      • mscaps.exe (PID: 3624)
      • mscaps.exe (PID: 6264)
    • Process drops legitimate windows executable

      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
    • Executing commands from a ".bat" file

      • @AEE951.tmp.exe (PID: 6756)
      • launch.exe (PID: 6304)
      • WdExt.exe (PID: 1612)
    • Reads security settings of Internet Explorer

      • @AEE951.tmp.exe (PID: 6756)
      • launch.exe (PID: 6304)
      • WdExt.exe (PID: 1612)
    • Starts CMD.EXE for commands execution

      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
      • launch.exe (PID: 6304)
    • The executable file from the user directory is run by the CMD process

      • launch.exe (PID: 6304)
      • wtmps.exe (PID: 6648)
    • Detected use of alternative data streams (AltDS)

      • mscaps.exe (PID: 6264)
  • INFO

    • The sample compiled with english language support

      • b8505406-c6d1-4d3e-aedf-3f56d2532159.exe (PID: 5968)
      • explorer.exe (PID: 2732)
      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
    • Checks supported languages

      • b8505406-c6d1-4d3e-aedf-3f56d2532159.exe (PID: 5968)
      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
      • wtmps.exe (PID: 6648)
      • launch.exe (PID: 6304)
      • mscaps.exe (PID: 3624)
      • mscaps.exe (PID: 6264)
      • launch.exe (PID: 6732)
    • Create files in a temporary directory

      • explorer.exe (PID: 2732)
      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
      • mscaps.exe (PID: 3624)
      • mscaps.exe (PID: 6264)
    • Creates files or folders in the user directory

      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
      • wtmps.exe (PID: 6648)
      • mscaps.exe (PID: 3624)
      • mscaps.exe (PID: 6264)
      • launch.exe (PID: 6304)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 2732)
    • Checks proxy server information

      • @AEE951.tmp.exe (PID: 6756)
      • slui.exe (PID: 4688)
    • Process checks computer location settings

      • @AEE951.tmp.exe (PID: 6756)
      • WdExt.exe (PID: 1612)
      • launch.exe (PID: 6304)
    • Reads the computer name

      • @AEE951.tmp.exe (PID: 6756)
      • launch.exe (PID: 6304)
    • Launching a file from a Registry key

      • launch.exe (PID: 6304)
      • mscaps.exe (PID: 3624)
      • mscaps.exe (PID: 6264)
    • Manual execution by a user

      • mscaps.exe (PID: 6264)
      • launch.exe (PID: 6732)
    • Reads the software policy settings

      • slui.exe (PID: 4688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:03:05 08:37:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 2560
InitializedDataSize: 3526144
UninitializedDataSize: -
EntryPoint: 0x167f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 111.0.3.308
ProductVersionNumber: 111.0.3.308
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Zoho Corporation
FileDescription: Zoho Assist
FileVersion: 111.0.3.308
InternalName: ZohoAssist
LegalCopyright: Copyright (C) 2025 Zoho Corporation
OriginalFileName: ZohoAssist.exe
ProductName: Zoho Assist
ProductVersion: 111.0.3.308
No data.
All screenshots are available in the full report
Total processes
150
Monitored processes
15
Malicious processes
3
Suspicious processes
5

Behavior graph

start b8505406-c6d1-4d3e-aedf-3f56d2532159.exe no specs explorer.exe @aee951.tmp.exe b8505406-c6d1-4d3e-aedf-3f56d2532159.exe no specs cmd.exe no specs conhost.exe no specs wdext.exe no specs launch.exe no specs cmd.exe no specs conhost.exe no specs wtmps.exe mscaps.exe mscaps.exe launch.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
892
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin0.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
@AEE951.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
PID:
1612
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
Path:
C:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Defender Extension
Exit code:
1
Version:
6.1.7600.16385
Modules
Images
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\wldp.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\uxtheme.dll
PID:
1740
CMD:
"C:\Users\admin\Desktop\b8505406-c6d1-4d3e-aedf-3f56d2532159.exe"
Path:
C:\Users\admin\Desktop\b8505406-c6d1-4d3e-aedf-3f56d2532159.exe
Parent process:
explorer.exe
User:
admin
Company:
Zoho Corporation
Integrity Level:
MEDIUM
Description:
Zoho Assist
Exit code:
3222601730
Version:
111.0.3.308
Modules
Images
c:\users\admin\desktop\b8505406-c6d1-4d3e-aedf-3f56d2532159.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
2732
CMD:
explorer.exe
Path:
C:\Windows\SysWOW64\explorer.exe
Parent process:
b8505406-c6d1-4d3e-aedf-3f56d2532159.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
PID:
3624
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /C:\Users\admin\AppData\Local\Temp\wtmps.exe
Path:
C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe
Parent process:
wtmps.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\protect\setup\mscaps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
4032
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
4688
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4768
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5436
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin0.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
launch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
5968
CMD:
"C:\Users\admin\Desktop\b8505406-c6d1-4d3e-aedf-3f56d2532159.exe"
Path:
C:\Users\admin\Desktop\b8505406-c6d1-4d3e-aedf-3f56d2532159.exe
Parent process:
explorer.exe
User:
admin
Company:
Zoho Corporation
Integrity Level:
MEDIUM
Description:
Zoho Assist
Exit code:
1
Version:
111.0.3.308
Modules
Images
c:\users\admin\desktop\b8505406-c6d1-4d3e-aedf-3f56d2532159.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
5 290
Read events
5 287
Write events
3
Delete events
0

Modification events

(PID) Process:
(6304) launch.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
Windows Defender Extension
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"
(PID) Process:
(3624) mscaps.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
JREUpdate
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
(PID) Process:
(6264) mscaps.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
JREUpdate
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
Executable files
16
Suspicious files
11
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
6756
Process:
@AEE951.tmp.exe
Filename:
C:\Users\admin\AppData\Roaming\Temp\mydll.dll
Type:
executable
MD5:FC4A6145DDD1B64983E8700601C71FC6
SHA256:5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6
PID:
2732
Process:
explorer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\@AEE951.tmp.exe
Type:
executable
MD5:A1C65DCEF74A974B09F5E7EF0D4E4E9C
SHA256:3778CE7C3839BE6DBD41FFDDCAE2B1E68380EB21D33DE3504BAC23B0F7EEC718
PID:
1612
Process:
WdExt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\tmpEF20.tmp
Type:
executable
MD5:1FCC5B3ED6BC76D70CFA49D051E0DFF6
SHA256:B0C0C49EED934E6D2ED990913D4C71108F6104352D23F72D3EF0A3EF4074D92E
PID:
1612
Process:
WdExt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\tmpEEF0.tmp
Type:
executable
MD5:FFFA05401511AD2A89283C52D0C86472
SHA256:41A712FD2111C5DDEC6FE58A29C80F19923CC72E88B4508D5A3DAEB236DDF1B8
PID:
1612
Process:
WdExt.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Shared\Modules\fil.dll
Type:
binary
MD5:F37924DCFCD6103F858EE56843B04196
SHA256:C6D2401C2DBD928DB2DAA7508F5E8CDEE4C1F958E8C7F8DBA383FB48AEE5204C
PID:
6756
Process:
@AEE951.tmp.exe
Filename:
C:\Users\admin\AppData\Roaming\Temp\admin1.bat
Type:
text
MD5:954B5EC73B94B71FD2D3077CECA38C3F
SHA256:DB33737539BAB6D9B9C41C2882D4979A3180191DA228C8AC8405F67EDDC6D1E7
PID:
1612
Process:
WdExt.exe
Filename:
C:\Users\admin\AppData\Roaming\Temp\mydll.dll
Type:
executable
MD5:FC4A6145DDD1B64983E8700601C71FC6
SHA256:5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6
PID:
1612
Process:
WdExt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\tmpEEB0.tmp
Type:
executable
MD5:2D9DF706D1857434FCAA014DF70D1C66
SHA256:126593B3672E6985FE4E4903D656040E16A69264FAF91B1A416EF00565E17E7C
PID:
6756
Process:
@AEE951.tmp.exe
Filename:
C:\Users\admin\AppData\Local\Temp\SeECBE.tmp
Type:
binary
MD5:2FB5693CE81387830FBB381D5682D29E
SHA256:3103D361BF677AE1C588F24A3CA0F5CD899B6E05F467DDDBBFE02068C8807865
PID:
1612
Process:
WdExt.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Identities\admin\arc.dll
Type:
binary
MD5:8501E1FAEFA7B184FD627F822F53697C
SHA256:70E0437A0E6E9E00F1100EA438F95BA871EC51C55FBF2355B693F368596F605F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
52
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
193.108.153.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
472
RUXIMICS.exe
GET
200
193.108.153.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
193.108.153.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
472
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.132:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.160.14:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.138:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.74:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
472
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
193.108.153.169:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
472
RUXIMICS.exe
193.108.153.169:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
193.108.153.169:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
472
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 193.108.153.169
  • 193.108.153.153
  • 193.108.153.155
  • 193.108.153.170
  • 193.108.153.168
  • 193.108.153.163
  • 193.108.153.159
  • 193.108.153.171
  • 193.108.153.165
  • 23.55.110.211
  • 23.55.110.193
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.138
whitelisted
windowsupdate.microsoft.com
  • 128.85.102.70
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 20.42.65.85
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info