File name: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/6ab01f2b-e338-4386-b683-b37ae85daf56
Verdict: Malicious activity
Analysis date: June 13, 2025, 13:11:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: E3FF2ABCAD9098323366B63BDC5C3FA7
SHA1: B5BFE37607577963DA0A05152AEB9E0557F41389
SHA256: 3F44DBF558914CD2F11099D2EC03088825CA0634A43052223402E84CEB95077C
SSDEEP: 98304:J6JR4dhdAXOHfYFRQ8zPky6o5mLVVlsmmsAjYKdfufAhN+ZiBQwH6F/HCPElCAVA:0YwiQWU9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 7048)
    • Changes the autorun value in the registry

      • setup.exe (PID: 6200)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • awqliaruhh.exe (PID: 2512)
      • zkohafgbfv.exe (PID: 1880)
      • awqliaruhh.exe (PID: 6748)
      • updater.exe (PID: 3624)
      • updater.exe (PID: 2716)
      • 137.0.7151.104_chrome_installer.exe (PID: 7060)
      • setup.exe (PID: 6200)
      • updater.exe (PID: 8604)
      • updater.exe (PID: 1508)
    • Reads security settings of Internet Explorer

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • awqliaruhh.exe (PID: 2512)
      • zkohafgbfv.exe (PID: 1880)
      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 2212)
      • updater.exe (PID: 3624)
    • Process drops legitimate windows executable

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • awqliaruhh.exe (PID: 6748)
    • Starts a Microsoft application from unusual location

      • awqliaruhh.exe (PID: 2512)
      • awqliaruhh.exe (PID: 6748)
    • Application launched itself

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 2212)
      • updater.exe (PID: 3624)
      • updater.exe (PID: 2716)
      • updater.exe (PID: 6688)
      • setup.exe (PID: 6200)
      • setup.exe (PID: 7744)
      • updater.exe (PID: 1508)
      • updater.exe (PID: 8604)
    • Executes as Windows Service

      • updater.exe (PID: 6688)
      • updater.exe (PID: 2716)
      • updater.exe (PID: 1508)
    • Executing commands from a ".bat" file

      • awqliaruhh.exe (PID: 6748)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 4168)
    • Starts CMD.EXE for commands execution

      • awqliaruhh.exe (PID: 6748)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7092)
    • Uses pipe srvsvc via SMB (transferring data)

      • bindsvc.exe (PID: 7000)
    • Searches for installed software

      • setup.exe (PID: 6200)
    • Creates a software uninstall entry

      • setup.exe (PID: 6200)
  • INFO

    • Process checks computer location settings

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • awqliaruhh.exe (PID: 2512)
      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 2212)
      • zkohafgbfv.exe (PID: 1880)
    • Checks supported languages

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • zkohafgbfv.exe (PID: 1880)
      • awqliaruhh.exe (PID: 2512)
      • NCiQp4XD.exe (PID: 620)
      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 2212)
      • awqliaruhh.exe (PID: 6748)
      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 4460)
      • updater.exe (PID: 5628)
      • updater.exe (PID: 3624)
      • updater.exe (PID: 2716)
      • updater.exe (PID: 1296)
      • updater.exe (PID: 4120)
      • updater.exe (PID: 6688)
      • bindsvc.exe (PID: 7000)
      • 137.0.7151.104_chrome_installer.exe (PID: 7060)
      • setup.exe (PID: 7184)
      • setup.exe (PID: 6200)
      • setup.exe (PID: 7744)
      • setup.exe (PID: 7764)
      • elevation_service.exe (PID: 8076)
    • Create files in a temporary directory

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • updater.exe (PID: 3624)
      • awqliaruhh.exe (PID: 6748)
    • Reads the computer name

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • awqliaruhh.exe (PID: 2512)
      • NCiQp4XD.exe (PID: 620)
      • zkohafgbfv.exe (PID: 1880)
      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 2212)
      • awqliaruhh.exe (PID: 6748)
      • updater.exe (PID: 2716)
      • updater.exe (PID: 6688)
      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 4460)
      • updater.exe (PID: 3624)
      • 137.0.7151.104_chrome_installer.exe (PID: 7060)
      • setup.exe (PID: 6200)
      • bindsvc.exe (PID: 7000)
      • setup.exe (PID: 7744)
      • elevation_service.exe (PID: 8076)
    • The sample compiled with english language support

      • 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe (PID: 3748)
      • zkohafgbfv.exe (PID: 1880)
      • awqliaruhh.exe (PID: 6748)
      • updater.exe (PID: 3624)
      • updater.exe (PID: 2716)
      • 137.0.7151.104_chrome_installer.exe (PID: 7060)
      • setup.exe (PID: 6200)
    • Creates files in the program directory

      • awqliaruhh.exe (PID: 2512)
      • SearchIndexer.exe (PID: 4688)
      • updater.exe (PID: 2716)
      • updater.exe (PID: 3624)
      • updater.exe (PID: 6688)
      • setup.exe (PID: 6200)
      • setup.exe (PID: 7744)
    • Reads the machine GUID from the registry

      • NCiQp4XD.exe (PID: 620)
      • updater.exe (PID: 3624)
      • updater.exe (PID: 6688)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 7048)
    • Executes as Windows Service

      • SearchIndexer.exe (PID: 4688)
      • elevation_service.exe (PID: 8076)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3624)
      • updater.exe (PID: 2716)
      • updater.exe (PID: 6688)
    • Creates files or folders in the user directory

      • updater.exe (PID: 3624)
      • bindsvc.exe (PID: 7000)
    • Reads the software policy settings

      • updater.exe (PID: 3624)
      • updater.exe (PID: 6688)
    • UPX packer has been detected

      • awqliaruhh.exe (PID: 6748)
      • bindsvc.exe (PID: 7000)
    • Checks proxy server information

      • updater.exe (PID: 3624)
    • Launching a file from a Registry key

      • setup.exe (PID: 6200)
    • Manual execution by a user

      • chrome.exe (PID: 7848)
      • chrmstp.exe (PID: 9024)
    • Application launched itself

      • chrome.exe (PID: 7848)
      • chrmstp.exe (PID: 9192)
      • chrmstp.exe (PID: 9024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

Extension | Description | Probability
.exe | Win32 EXE PECompact compressed (generic) | 29.1
.exe | Win32 Executable MS Visual C++ (generic) | 21.8
.exe | Win64 Executable (generic) | 19.3
.exe | UPX compressed Win32 Executable | 18.9
.dll | Win32 Dynamic Link Library (generic) | 4.6

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:04 08:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 50688
InitializedDataSize: 35328
UninitializedDataSize: -
EntryPoint: 0x7b1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 215
Monitored processes: 78
Malicious processes: 3
Suspicious processes: 4


Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 536
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --force-high-res-timeticks=disabled --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=2004,i,12493995204079547281,10160196144416024349,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
137.0.7151.104
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\137.0.7151.104\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 620
CMD: "C:\ProgramData\Temp\NCiQp4XD.exe" C:\Users\admin\AppData\Local\Temp\awqliaruhh.exe gQ9VOe5m8zP6
Path: C:\ProgramData\Temp\NCiQp4XD.exe
Parent process: awqliaruhh.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\programdata\temp\nciqp4xd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1296
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2ac,0x2b0,0x2b4,0x22c,0x2b8,0x101c460,0x101c46c,0x101c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1508
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --system --windows-service --service=update
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: services.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1880
CMD: "C:\Users\admin\AppData\Local\Temp\zkohafgbfv.exe" "C:\Users\admin\AppData\Local\Temp\vuumoxinbh.exe" "C:\Users\admin\Desktop\2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\AppData\Local\Temp\zkohafgbfv.exe
Parent process: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\zkohafgbfv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 2212
CMD: "C:\Users\admin\Desktop\2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe
Parent process: zkohafgbfv.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Installer
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\users\admin\desktop\2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2296
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\6FtSZVi6.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: awqliaruhh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 2512
CMD: C:\Users\admin\AppData\Local\Temp\awqliaruhh.exe
Path: C:\Users\admin\AppData\Local\Temp\awqliaruhh.exe
Parent process: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Digitizer to Monitor Mapping Tool
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\awqliaruhh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2716
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --system --windows-service --service=update-internal
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: services.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 39 065
Read events: 38 807
Write events: 215
Delete events: 43

Modification events

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex
Operation: write
Name: {2F5C5E72-85A9-11EB-90A8-9A9B76358421}
Value: 2395186608

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0
Operation: write
Name: LastOnlineTime
Value: 0000000000000000

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1
Operation: write
Name: LastOnlineTime
Value: 0000000000000000

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\C:
Operation: write
Name: DriveType
Value: 3

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\C:
Operation: write
Name: VolumeLabel
Value:

Process: (7048) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003eb
Value:

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Operation: delete value
Name: 000003eb
Value:

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003f5
Value:

Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Operation: delete value
Name: 000003f5
Value:
Executable files: 26
Suspicious files: 164
Text files: 72
Unknown types: 9

Dropped files

Columns: PID, Process, Filename, Type

PID: 4688 | Process: SearchIndexer.exe | Filename: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb | Type:
MD5:
SHA256:

PID: 4460 | Process: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe | Filename: C:\Windows\SystemTemp\Google4460_1950873009\UPDATER.PACKED.7Z | Type:
MD5:
SHA256:

PID: 6748 | Process: awqliaruhh.exe | Filename: C:\Windows\SysWOW64\bindsvc.exe | Type: executable
MD5: 7C5B397FB54D5AA06BD2A6FB99C62FEE
SHA256: D032BDC64C9451BBB653B346C5BD6AC9F83A91EDEB0155497F098C8D6182DDEE

PID: 6748 | Process: awqliaruhh.exe | Filename: C:\Windows\SysWOW64\wideshut.exe | Type: executable
MD5: 2C2029588AD8B86759C17B7AE885EE03
SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290

PID: 3748 | Process: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe | Filename: C:\Users\admin\AppData\Local\Temp\zkohafgbfv.exe | Type: executable
MD5: E48B89715BF5E4C55EB5A1FED67865D9
SHA256: C25D90168FC2026D8ED2A69C066BD5A7E11004C3899928A7DB24CB7636FC4D9E

PID: 2512 | Process: awqliaruhh.exe | Filename: C:\ProgramData\Temp\NCiQp4XD.exe | Type: executable
MD5: B2B51A85BDAD70FF19534CD013C07F24
SHA256: 885540B5A42FE845FFADA109B4EF7EB1E07C158255AC315910DFB333EC85D513

PID: 3748 | Process: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe | Filename: C:\Users\admin\AppData\Local\Temp\vuumoxinbh.exe | Type: executable
MD5: CD9E2A0AF25FB1C1C65AC8FE607F0318
SHA256: E0F2C7420C6C052FE9BD1D362FBEEFDF0832A65AA1ED7ED52E3C76CE57D2FD04

PID: 3748 | Process: 2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe | Filename: C:\Users\admin\AppData\Local\Temp\awqliaruhh.exe | Type: executable
MD5: 2C2029588AD8B86759C17B7AE885EE03
SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290

PID: 1880 | Process: zkohafgbfv.exe | Filename: C:\Users\admin\Desktop\2025-06-13_e3ff2abcad9098323366b63bdc5c3fa7_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_lynx_rhadamanthys_smoke-loader.exe | Type: executable
MD5: CD9E2A0AF25FB1C1C65AC8FE607F0318
SHA256: E0F2C7420C6C052FE9BD1D362FBEEFDF0832A65AA1ED7ED52E3C76CE57D2FD04

PID: 6748 | Process: awqliaruhh.exe | Filename: C:\Windows\SysWOW64\wimsvc.exe | Type: executable
MD5: 2C2029588AD8B86759C17B7AE885EE03
SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 99
TCP/UDP connections: 111
DNS requests: 65
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.1:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 40.126.31.1:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | POST | 200 | 172.217.23.99:443 | https://update.googleapis.com/service/update2/json?cup2key=14:zrWrIeQf6XsxxGocmYjW_XHyIjTmmwYDZaD2qsnH1G4&cup2hreq=3760a35858f4ee82256d8315487a7228f4d2ef09e4693d93c20ce4d19c315d26 | unknown | text | 728 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4156 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4156 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 2.23.246.101, 23.35.229.160 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.2, 40.126.32.136, 40.126.32.76, 20.190.160.131, 40.126.32.134, 40.126.32.74, 20.190.160.64 | whitelisted
update.googleapis.com | 142.250.185.99 | whitelisted
dl.google.com | 172.217.16.206 | whitelisted
edgedl.me.gvt1.com | 34.104.35.123 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.11 | whitelisted

Threats

PID | Process | Class | Message
8068 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8068 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Debug output

Process | Message
NCiQp4XD.exe | lpszParam = gQ9VOe5m8zP6
NCiQp4XD.exe | We will start with normal mode!
NCiQp4XD.exe | lpszPath = C:\Users\admin\AppData\Local\Temp\awqliaruhh.exe
chrome.exe | I0000 00:00:1749820339.013104 7964 voice_transcription.cc:58] Registering VoiceTranscriptionCapability