File name:

2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer

Full analysis: https://app.any.run/tasks/c18150ad-a2f7-41af-b064-33f29b874c0e
Verdict: Malicious activity
Analysis date: July 06, 2025, 03:23:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

FA06D2E9D0FD19E8065212DACBEBFF71

SHA1:

495CBF299FB38A8A4D790BF7D8665FBA9CE7438B

SHA256:

87367F86250E221FA26EDC31037D0C4D9965FDAC18F1C2D7C75D99A27D634C3A

SSDEEP:

49152:e5pvabCxZQYomEbgMBOGti6iUS3GhPK66BK/tqzwzSxZQYomEbgMBOGti6iUS3GN:e5pCcWYomEbgMBOG06ivGaK/tGWYomEl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • Executing commands from a ".bat" file

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • Executable content was dropped or overwritten

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • Starts CMD.EXE for commands execution

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • There is functionality for taking screenshot (YARA)

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • Application launched itself

      • updater.exe (PID: 2648)
    • The process executes via Task Scheduler

      • updater.exe (PID: 2648)
  • INFO

    • Reads the computer name

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
      • updater.exe (PID: 2648)
    • Checks supported languages

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
      • mode.com (PID: 6572)
      • updater.exe (PID: 2648)
      • updater.exe (PID: 6336)
    • Create files in a temporary directory

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • Process checks computer location settings

      • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe (PID: 5712)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6572)
    • Checks proxy server information

      • slui.exe (PID: 632)
    • Reads the software policy settings

      • slui.exe (PID: 632)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:04:07 14:39:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201728
InitializedDataSize: 1058304
UninitializedDataSize: -
EntryPoint: 0x1ed60
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
139
Monitored processes
7
Malicious processes
0
Suspicious processes
1

Behavior graph

Process nodes in the graph ("no specs" means the process carried no indicators):
  • 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • mode.com (no specs)
  • slui.exe
  • updater.exe (no specs)
  • updater.exe (no specs)

Process information

PID:
632
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2532
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2648
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
5712
CMD:
"C:\Users\admin\Desktop\2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe"
Path:
C:\Users\admin\Desktop\2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
PID:
6336
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
6572
CMD:
Mode 30, 11
Path:
C:\Windows\SysWOW64\mode.com
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mode.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
6720
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 879
Read events
3 879
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID | Process | Filename | Type
5712 | 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Light X1.nip | xml
MD5: 95470DD956DC8D99AB7E55ADC0B3A1CB
SHA256: 887A0D843DB13C247E56DA85D28570961DE81F458B711765BCE6C8FC399C7F6B
5712 | 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Light X3.nip | xml
MD5: 4AE32DDFB7B3C033C819B416BD5A0D91
SHA256: 1015DA2EEA40838186D6716523B76702DF97569DCE8062B6D701FBA6AB4A245F
5712 | 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.bat | text
MD5: B91BEA60990C3F62BC75897851AF9D6F
SHA256: AA69838CEC246C593D3A53C1CA6561A770916108F65F1E8547305B2D51729EC6
5712 | 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Light X2.nip | xml
MD5: 2DC425E0CFD35B94FA2059F7B43B35F6
SHA256: B949B7643D20AC2ACB5780FA80A44C4BE0443E7B1AB494E7A77ADC443A175E3A
5712 | 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\nvidiaProfileInspector.exe | executable
MD5: FF5F39370B67A274CB58BA7E2039D2E2
SHA256: 1233487EA4DB928EE062F12B00A6EDA01445D001AB55566107234DEA4DC65872
5712 | 2025-07-06_fa06d2e9d0fd19e8065212dacbebff71_black-basta_cryptbot_darkgate_elex_hawkeye_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Light Res.nip | xml
MD5: 21637CEB85C7223729694FB2C68A1D0B
SHA256: C3AFF9AB2D8D9646937030AC53DAF86864453828D13AF8A3DC1E994825ACE83B
6336 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
MD5: D64141B37A4D60FA1F2A477592F1861A
SHA256: B0006DA7C0EA398B8A379E94186462D7F7788224BC7752450824B3B98DB41567
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
41
DNS requests
16
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4832 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4832 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.32.134:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4832 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4832 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.4
  • 20.190.160.128
  • 20.190.160.66
  • 40.126.32.76
  • 20.190.160.132
  • 40.126.32.140
  • 40.126.32.134
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted

Threats

No threats detected
No debug info