File name:

2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer

Full analysis: https://app.any.run/tasks/eb2aa845-d20f-42b1-bd65-5af807260d78
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: May 26, 2025, 17:39:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
webdav
python
arch-exec
arch-doc
auto-startup
xworm
asyncrat
netreactor
purehvnc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

88931B509928B4A90937387D8A52B46C

SHA1:

D4EC0A3B6EE63F9040EB691E0CB0646CB4EAF87A

SHA256:

67CC5C7C166AA2B7A2F27E6518DB1E231FFB5BBC5186CBA17693A12EF6CD7947

SSDEEP:

24576:5PPkzemDuoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtIkM:5PPkzemqoSut3Jh4+QQ/btosJwIA4hHR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 1272)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 7800)
    • XWORM has been detected (YARA)

      • iexpress.exe (PID: 7316)
    • PUREHVNC has been detected (YARA)

      • notepad.exe (PID: 7380)
    • Create files in the Startup directory

      • powershell.exe (PID: 7884)
    • ASYNCRAT has been detected (YARA)

      • notepad.exe (PID: 2560)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
    • Executing commands from a ".bat" file

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • cmd.exe (PID: 7488)
      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 1272)
    • Starts CMD.EXE for commands execution

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • cmd.exe (PID: 7488)
      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 1272)
    • Application launched itself

      • cmd.exe (PID: 7488)
    • Starts process via Powershell

      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 1272)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7568)
      • cmd.exe (PID: 7800)
      • cmd.exe (PID: 5008)
    • Remote file execution via WebDAV

      • net.exe (PID: 7864)
    • Starts NET.EXE to map network drives

      • cmd.exe (PID: 7800)
    • Abuses WebDav for code execution

      • svchost.exe (PID: 7900)
    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 7900)
    • The process drops C-runtime libraries

      • cmd.exe (PID: 7800)
      • svchost.exe (PID: 7900)
      • powershell.exe (PID: 516)
      • powershell.exe (PID: 4696)
    • Process drops legitimate windows executable

      • cmd.exe (PID: 7800)
      • powershell.exe (PID: 516)
      • powershell.exe (PID: 4696)
    • The process hides Powershell's copyright startup banner

      • cmd.exe (PID: 7800)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7800)
    • Process drops python dynamic module

      • powershell.exe (PID: 516)
      • powershell.exe (PID: 4696)
    • The executable file from the user directory is run by the CMD process

      • python.exe (PID: 4300)
      • python.exe (PID: 7284)
      • python.exe (PID: 5776)
      • python.exe (PID: 6132)
      • python.exe (PID: 7528)
      • python.exe (PID: 7692)
      • python.exe (PID: 2420)
      • python.exe (PID: 2552)
    • Loads Python modules

      • python.exe (PID: 4300)
      • python.exe (PID: 7284)
      • python.exe (PID: 5776)
      • python.exe (PID: 6132)
      • python.exe (PID: 7528)
      • python.exe (PID: 7692)
      • python.exe (PID: 2552)
      • python.exe (PID: 2420)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 516)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 516)
      • powershell.exe (PID: 4696)
    • Connects to unusual port

      • iexpress.exe (PID: 7316)
      • notepad.exe (PID: 7764)
      • notepad.exe (PID: 5260)
      • RuntimeBroker.exe (PID: 8000)
      • notepad.exe (PID: 7548)
      • notepad.exe (PID: 2560)
    • There is functionality for taking screenshot (YARA)

      • iexpress.exe (PID: 7316)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7884)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7800)
  • INFO

    • Checks supported languages

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • python.exe (PID: 7284)
      • python.exe (PID: 4300)
      • python.exe (PID: 5776)
      • python.exe (PID: 6132)
      • python.exe (PID: 7692)
      • python.exe (PID: 7528)
      • python.exe (PID: 2552)
      • python.exe (PID: 2420)
    • Reads mouse settings

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
    • The sample compiled with english language support

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • cmd.exe (PID: 7800)
      • svchost.exe (PID: 7900)
      • powershell.exe (PID: 516)
      • powershell.exe (PID: 4696)
    • Checks proxy server information

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • net.exe (PID: 7864)
      • powershell.exe (PID: 7884)
    • Reads the machine GUID from the registry

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
    • Reads the computer name

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
    • Reads the software policy settings

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • net.exe (PID: 7864)
    • Creates files or folders in the user directory

      • 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe (PID: 7412)
      • python.exe (PID: 4300)
    • Reads security settings of Internet Explorer

      • net.exe (PID: 7864)
      • notepad.exe (PID: 7380)
      • notepad.exe (PID: 7816)
      • notepad.exe (PID: 7704)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 516)
    • Python executable

      • python.exe (PID: 7240)
      • python.exe (PID: 4300)
      • python.exe (PID: 7284)
      • python.exe (PID: 6132)
      • pythonw.exe (PID: 7432)
      • python.exe (PID: 5776)
      • python.exe (PID: 7692)
      • python.exe (PID: 2420)
      • python.exe (PID: 7528)
      • python.exe (PID: 2552)
      • python.exe (PID: 6944)
    • Manual execution by a user

      • python.exe (PID: 7240)
      • iexpress.exe (PID: 7316)
      • notepad.exe (PID: 2560)
      • pythonw.exe (PID: 7432)
      • notepad.exe (PID: 7548)
      • cmd.exe (PID: 7492)
      • notepad.exe (PID: 7380)
      • notepad.exe (PID: 7704)
      • notepad.exe (PID: 7816)
      • WinRAR.exe (PID: 7852)
      • iexpress.exe (PID: 7788)
      • notepad.exe (PID: 7764)
      • RuntimeBroker.exe (PID: 8000)
      • notepad.exe (PID: 5260)
      • python.exe (PID: 6944)
      • OpenWith.exe (PID: 5048)
      • cmd.exe (PID: 5008)
      • rundll32.exe (PID: 2980)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 516)
    • .NET Reactor protector has been detected

      • notepad.exe (PID: 7380)
    • Disables trace logs

      • powershell.exe (PID: 7884)
    • Auto-launch of the file from Startup directory

      • powershell.exe (PID: 7884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process: (7316) iexpress.exe
C2: Welcome to the Adventure Game!:You are in a dark forest. Do you:
Keys
AES: 1. Go left
Options
Splitter: 2. Go right
USB drop name: 1
Mutex: You walk left and find a treasure chest. Do you:

AsyncRat

(PID) Process: (2560) notepad.exe
C2 (3): collegefordlincoln-gmbh.xyz
aserja.twilightparadox.com
laserjan.duckdns.org
Ports (1): 2011
Version
Options
AutoRun: false
Mutex: uQq6nfZ斯B5Δ6K德GqשΖy7aty
InstallFolder: %AppData%
Certificates
Cert1: MIICKTCCAZKgAwIBAgIVALuTRehVEwwhbWBlTN2tjQJuaebxMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMwOTE1MTA0ODM0WhcNMzQwNjI0MTA0ODM0WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA...
Server_Signature: QOu7GUl12Y8SVS+BP7TYAnD+JXHGp/uy0uqm8QcIe9Rl0gZBPxheDu8NZ07OkBEwsu7HiU4fwe9k8uR5RTts0dJbVH8NHMl2biHdu6hBCKT4SFLZPiWbphrnsc9wySHfhxJO0cLu7iXIVTeWv4dG1osBDPG3mpdTgpWY0uetX9E=
Keys
AES: f0ef87dd49da3a47d56fc8025bca56af45b0be75b2a26be4e67c66be5ecbc568
Salt: DcRatByqwqdanchun
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:26 11:13:59+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 633856
InitializedDataSize: 282112
UninitializedDataSize: -
EntryPoint: 0x20577
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
All screenshots are available in the full report
Total processes: 179
Monitored processes: 52
Malicious processes: 9
Suspicious processes: 5

Behavior graph

start 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs net.exe svchost.exe powershell.exe python.exe no specs #XWORM iexpress.exe python.exe no specs conhost.exe no specs python.exe no specs #ASYNCRAT notepad.exe python.exe no specs #PUREHVNC notepad.exe no specs python.exe no specs pythonw.exe no specs notepad.exe cmd.exe no specs conhost.exe no specs python.exe no specs notepad.exe notepad.exe no specs notepad.exe no specs python.exe no specs iexpress.exe no specs winrar.exe no specs python.exe no specs notepad.exe python.exe no specs rundll32.exe no specs runtimebroker.exe slui.exe powershell.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe openwith.exe no specs python.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs net.exe no specs rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 516
CMD: powershell -nologo -noprofile -command "Expand-Archive -Path 'C:\Users\admin\AppData\Roaming\pyembed\ThunderB.zip' -DestinationPath 'C:\Users\admin\AppData\Roaming\pyembed' -Force"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1272
CMD: powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NFC.bat' -ArgumentList 'hidden' -WindowStyle Hidden"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2420
CMD: "C:\Users\admin\AppData\Roaming\pyembed\Python312\python.exe" "C:\Users\admin\AppData\Roaming\pyembed\Python312\dCybx.py" ::7
Path: C:\Users\admin\AppData\Roaming\pyembed\python312\python.exe
Parent process: cmd.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.12.10
Modules
Images
c:\users\admin\appdata\roaming\pyembed\python312\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\pyembed\python312\python312.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
PID: 2552
CMD: "C:\Users\admin\AppData\Roaming\pyembed\Python312\python.exe" "C:\Users\admin\AppData\Roaming\pyembed\Python312\aV35pCybx.py" ::8
Path: C:\Users\admin\AppData\Roaming\pyembed\python312\python.exe
Parent process: cmd.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.12.10
Modules
Images
c:\users\admin\appdata\roaming\pyembed\python312\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\pyembed\python312\python312.dll
c:\windows\system32\ws2_32.dll
c:\users\admin\appdata\roaming\pyembed\python312\vcruntime140.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2560
CMD: C:\Windows\System32\notepad.exe
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2980
CMD: "C:\WINDOWS\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Users\admin\Desktop\python.cat
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4300
CMD: "C:\Users\admin\AppData\Roaming\pyembed\Python312\python.exe" "C:\Users\admin\AppData\Roaming\pyembed\Python312\vv.py" ::1
Path: C:\Users\admin\AppData\Roaming\pyembed\python312\python.exe
Parent process: cmd.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.12.10
Modules
Images
c:\users\admin\appdata\roaming\pyembed\python312\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\pyembed\python312\vcruntime140.dll
c:\users\admin\appdata\roaming\pyembed\python312\python312.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll
PID: 4696
CMD: powershell -nologo -noprofile -command "Expand-Archive -Path 'C:\Users\admin\Contacts\wab\Startup.zip' -DestinationPath 'C:\Users\admin\Contacts\wab' -Force"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 4988
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NFC.bat" hidden "
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
9009
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events: 46 780
Read events: 46 736
Write events: 37
Delete events: 7

Modification events

(PID) Process: (7412) 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7412) 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7412) 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: RemotePath
Value: \\upgrades-huntington-shared-mil.trycloudflare.com@SSL\DavWWWRoot

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: UserName
Value: anonymous

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: ProviderName
Value: Web Client Network

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: ProviderType
Value: 3014656

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: ConnectionType
Value: 1

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: ConnectFlags
Value: 0

(PID) Process: (7864) net.exe
Key: HKEY_CURRENT_USER\Network\R
Operation: write
Name: DeferFlags
Value: 1
Executable files: 64
Suspicious files: 19
Text files: 36
Unknown types: 0

Dropped files

PID: 7412 | Process: 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\cso[1].bat | Type: text
MD5: E370F0BE8A9805D0FFE3444B62B6A681
SHA256: 263BE77B71FE1943F195FCD1C40FA4DA2D3BBA4A1B2860A50FA7F88D40DBDDE4

PID: 7412 | Process: 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe | Filename: C:\Users\admin\Contacts\chess\onScreen_file.bat | Type: text
MD5: E370F0BE8A9805D0FFE3444B62B6A681
SHA256: 263BE77B71FE1943F195FCD1C40FA4DA2D3BBA4A1B2860A50FA7F88D40DBDDE4

PID: 516 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_43sslsxu.wwt.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7900 | Process: svchost.exe | Filename: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{48E5B4F0-2CE6-423B-8968-DFDA3EDB54A7}.zip | Type: compressed
MD5: B38E36CA6B76879D335ABFBD0C22B11C
SHA256: 25A9FD99F59495B5976F74F5190E6055E5EDAE0DA0AB6F124C31E78644540E33

PID: 7644 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 1D101683348CD4AF9CE486ACB5D8E498
SHA256: EA36FA9699D811825A5AB65F278FE5BFAAB3EED7950E520987585D44C31DAC4D

PID: 516 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\pyembed\python312\_bz2.pyd | Type: executable
MD5: 2BE172C3086EFE56C7E1D3279142295A
SHA256: 7F20792D8600203F7AC0C229E1387E8D40328F9DA22D2ACBA95B3761B5E49950

PID: 516 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_an4rssyo.ul3.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 516 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0kwr31n3.2lf.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7644 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fnujpdvu.vfy.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 516 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_113ssg5i.1u3.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 90
DNS requests: 44
Threats: 67

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 104.16.230.132:443 | https://towers-railroad-tion-opportunity.trycloudflare.com/cso.bat | unknown | text | 600 Kb | whitelisted
2104 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1196 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.0:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | OPTIONS | 200 | 104.16.231.132:443 | https://upgrades-huntington-shared-mil.trycloudflare.com/ | unknown | - | - | -
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1196 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7412 | 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe | 104.16.230.132:443 | towers-railroad-tion-opportunity.trycloudflare.com | CLOUDFLARENET | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1196 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
towers-railroad-tion-opportunity.trycloudflare.com
  • 104.16.230.132
  • 104.16.231.132
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.2
  • 20.190.159.131
  • 20.190.159.23
  • 20.190.159.0
  • 40.126.31.129
  • 40.126.31.2
  • 20.190.159.64
whitelisted
upgrades-huntington-shared-mil.trycloudflare.com
  • 104.16.231.132
  • 104.16.230.132
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
7412 | 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe | Misc activity | ET HUNTING TryCloudFlare Domain in TLS SNI
7412 | 2025-05-26_88931b509928b4a90937387d8a52b46c_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_hijackloader_luca-stealer.exe | Misc activity | ET INFO Observed trycloudflare .com Domain in TLS SNI
2196 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
- | - | Potential Corporate Privacy Violation | ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2196 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
2196 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
7864 | net.exe | Misc activity | ET HUNTING TryCloudFlare Domain in TLS SNI
7864 | net.exe | Misc activity | ET INFO Observed trycloudflare .com Domain in TLS SNI
- | - | Potential Corporate Privacy Violation | POLICY [ANY.RUN] WebDav activity has been detected
No debug info