File name:

2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer

Full analysis: https://app.any.run/tasks/cdf74c27-b29f-4adc-b413-880e5ee8e3d6
Verdict: Malicious activity
Analysis date: May 17, 2025, 03:57:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

E1C24E86E2F51F261E2B7AB99F19B9DF

SHA1:

B96B812DF20F3DA93B341519583BC38BF812ED9B

SHA256:

32061368948EC108D9A33CB9577CADA47D26AB6B3E55588EA27BE3915FE692D0

SSDEEP:

98304:0Qs0JiJlvUkvGuPBxbhSlDCvygHwxa1VracIfDtpy6zqd/KR9sPfKWuv1sBnS9fH:X0RZRDRmJ4Ve

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • FileCoAuth.exe (PID: 7936)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 7980)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)
      • FileCoAuth.exe (PID: 7936)

    • Mutex name with non-standard characters

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • FileCoAuth.exe (PID: 7936)

    • Application launched itself

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)

    • Executable content was dropped or overwritten

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • FileCoAuth.exe (PID: 7936)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 7936)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 7980)

  • INFO

    • Create files in a temporary directory

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)
      • FileCoAuth.exe (PID: 7980)

    • Checks supported languages

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)
      • FileCoAuth.exe (PID: 7980)

    • Reads the computer name

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)
      • FileCoAuth.exe (PID: 7980)

    • Process checks computer location settings

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • FileCoAuth.exe (PID: 7936)

    • The sample compiled with english language support

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7356)
      • FileCoAuth.exe (PID: 7936)

    • Reads the machine GUID from the registry

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)
      • FileCoAuth.exe (PID: 7980)

    • Checks proxy server information

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)

    • Reads the software policy settings

      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7580)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 7980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (85.5)
.exe | Win32 Executable Delphi generic (4.6)
.scr | Windows screen saver (4.2)
.dll | Win32 Dynamic Link Library (generic) (2.1)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x8178
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe filecoauth.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7204C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7356"C:\Users\admin\Desktop\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe" C:\Users\admin\Desktop\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7400"C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
User:
admin
Company:
Roblox Corporation
Integrity Level:
MEDIUM
Description:
Roblox
Exit code:
4294967295
Version:
1, 6, 0, 6620538
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
7580C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe --crashpad --no-rate-limit --database=C:\Users\admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=db56083435e9c81681642a4a769f6fffb411b52d --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=0 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x8b0,0x8b4,0x8b8,0x88c,0x8c0,0x100daf8,0x100db08,0x100db18C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
User:
admin
Company:
Roblox Corporation
Integrity Level:
MEDIUM
Description:
Roblox
Exit code:
0
Version:
1, 6, 0, 6620538
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
7936C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7980"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
11 229
Read events
11 223
Write events
6
Delete events
0

Modification events

(PID) Process:(7400) 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7400) 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7400) 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7580) 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7580) 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7580) 2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
9
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
74002025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\crashpad_roblox\settings.datbinary
MD5:1BD85B02D7B91EA595B73A92F1DF1919
SHA256:A095D16F626BC2A77A65FB80D61D1BE5048CEE80A3113C1A3A07956A6E7976D8
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeexecutable
MD5:DA74008663BDB327DD7E4138FD585388
SHA256:211B69A3C0CEF556EAE5218846C5BB44810ACB140B41BC18807529D30046FFF9
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:5AD18D4DCE1261D22EEE787EF3ACA521
SHA256:6675AC4E0DC6A36D3F684EE9B2FB17D597989E2CB7C28955A5530E7800D2C505
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:62B17C396323A05211FCB806947C9A73
SHA256:ADD9754D24558AD5692521CFE97E9F1E71144F41E4E99D984BEE71F697D25F55
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:12A15C2EAF14CAE8B2B42AA74ADCE267
SHA256:091E59D43AF2C3784BC7F1F853DC5262888ECF340C15A81864E10A506281F65B
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:21DA59CE25A2391BD3B0032B2CACDA60
SHA256:25A12C3598CFE9705928B3110FA40E36E885BEDEEB51F405B063E806D3A4FA4B
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:DA208322FA12146ECCAFB2CBED567F21
SHA256:09BB93A4C010AF9F607006EFA76D5D3A7435864A513BEF9AF0FFA665A3B18440
7936FileCoAuth.exeC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeexecutable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
73562025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:94E1E168BEE17E7F56089D3092646594
SHA256:1916FB8FD06CAF423A4B9EE94AAC6E54A9A7C23051C8052DA958024A4235AEBC
7980FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-17.0357.7980.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
60
DNS requests
32
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1852
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7400
2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
23.60.195.90:443
clientsettingscdn.roblox.com
AKAMAI-AS
DE
whitelisted
7400
2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
128.116.44.3:443
ephemeralcounters.api.roblox.com
ROBLOX-PRODUCTION
US
whitelisted
7580
2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
23.60.195.90:443
clientsettingscdn.roblox.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.130
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.75
  • 20.190.159.128
  • 40.126.31.71
whitelisted
clientsettingscdn.roblox.com
  • 23.60.195.90
whitelisted
ephemeralcounters.api.roblox.com
  • 128.116.44.3
whitelisted
setup.rbxcdn.qq.com
  • 0.0.0.1
whitelisted
clientsettingscdn.roblox.qq.com
  • 0.0.0.1
whitelisted
setup.rbxcdn.com
  • 2.19.11.100
  • 2.19.11.108
whitelisted
setup-ak.rbxcdn.com
  • 2.19.11.100
  • 2.19.11.108
whitelisted
setup-ll.rbxcdn.com
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_e1c24e86e2f51f261e2b7ab99f19b9df_amadey_black-basta_coinminer_darkgate_elex_gcleaner_hijackloader_luca-stealer