File name: 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe

Full analysis: https://app.any.run/tasks/245071ff-b535-4339-9473-320184d389b4
Verdict: Malicious activity
Analysis date: August 01, 2025, 02:38:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: m0yv
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5: 7492CCCD9B720A877D372EC235308E13
SHA1: E4F9EF6097F440F32D1EAD6179D3BD7C41256AFE
SHA256: 5D9D5A1744F4A05ADBA578A0EDA00B20E966812C027A5D2962428F3FD1174A0E
SSDEEP: 98304:jlwPW+3s+N2+SqaqaxozN7J7eRVPmI18RzGU1386JPpd50U4tfDLdh227XlYMWS+:o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe (PID: 1592)
  • SUSPICIOUS

    • Executes application which crashes

      • 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe (PID: 1592)
  • INFO

    • The sample was compiled with English language support

      • 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe (PID: 1592)
    • Checks proxy server information

      • slui.exe (PID: 2384)
    • Checks supported languages

      • 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe (PID: 1592)
    • Reads the computer name

      • 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe (PID: 1592)
    • Creates files or folders in the user directory

      • 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe (PID: 1592)
    • Reads the software policy settings

      • slui.exe (PID: 2384)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:03:27 05:00:00+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 1613312
InitializedDataSize: 1517568
UninitializedDataSize: -
EntryPoint: 0x15f390
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 1.70.3879.400
ProductVersionNumber: 1.70.3879.400
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Tencent
FileDescription: QQBrowser
FileVersion: 1.70.3879.400
InternalName: nacl64_exe
LegalCopyright: Copyright 2018 Tencent. All rights reserved.
OriginalFileName: nacl64.exe
ProductName: QQBrowser
ProductVersion: 1.70.3879.400
CompanyShortName: Tencent
ProductShortName: QQBrowser
LastChange: b4ce371876a3dcbfef2affeee4ea9c9163d4628c-refs/branch-heads/3538@{#516}
OfficialBuild: 1
SpecialBuild: 1023
PrivateBuild: 10016
KernelBuild: 129
ExpressBuild: 1
KernelVersion: 70.0.3538.25
All screenshots are available in the full report
Total processes: 135
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #M0YV 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe werfault.exe no specs slui.exe

Process information

PID: 1592
CMD: "C:\Users\admin\Desktop\2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe"
Path: C:\Users\admin\Desktop\2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: MEDIUM
Description: QQBrowser
Exit code: 2147483651
Version: 1.70.3879.400
Modules
Images
c:\users\admin\desktop\2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2384
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: -
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6332
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 1592 -s 716
Path: C:\Windows\System32\WerFault.exe
Indicators: -
Parent process: 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
Total events: 5 981
Read events: 5 981
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 1
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type
6332 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-08-01_7492c_e0ae4c22168ed10a651fa90a28f49db867648f_f866e299_8301c91f-56fd-4e36-9faa-a55da4d4a185\Report.wer | -
MD5: -
SHA256: -
6332 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE27B.tmp.dmp | dmp
MD5: 571739423326F171FE905BB0A7871EEB
SHA256: 186FB7EA6737DCB4CDB109100331F42C584C43AAE16D541F48B0E1341920AC26
6332 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe.1592.dmp | dmp
MD5: B5E07D63D83FFFA4EC87E78E2CB32115
SHA256: 3103EB1C533D68EB1B8A1B43D6FB431EE1B8B238F4CF358A56771350E0EFEFE4
6332 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE31A.tmp.xml | xml
MD5: B18301456A08AEDE89B7DFE6F0B733F4
SHA256: 55E03582B8B1BCAC30CC4E27F8CBF9B06561E8B168140417684A8C8C304B0522
1592 | 2025-08-01_7492cccd9b720a877d372ec235308e13_black-basta_ryuk_vidar.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 38E6496547D8A883FD2A879B5A2C133E
SHA256: E2013F60B65937E783ACC8623D289B673C5ADA37440239A2C692C01644B726E1
6332 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2EA.tmp.WERInternalMetadata.xml | xml
MD5: 61A57BEBC4443C0468980677EE9A059C
SHA256: 8EE146768EDF07A5D00DAE17179EA37725C23518A64FB6D361408F6582BF24CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 19
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2992 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2940 | svchost.exe | GET | 200 | 72.246.169.163:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2992 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2992 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
watson.events.data.microsoft.com | 135.233.45.223 | whitelisted
pywolwnvd.biz | 44.244.22.128 | malicious
self.events.data.microsoft.com | 20.42.73.25 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
x1.c.lencr.org | 72.246.169.163 | whitelisted

Threats

No threats detected
No debug info