File name:

2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_

Full analysis: https://app.any.run/tasks/9242f858-041f-4323-81b4-c533a2eaf65e
Verdict: Malicious activity
Analysis date: July 06, 2025, 03:54:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

A2D25533434F0A55703A7BADD0C0687A

SHA1:

1AA72D12D7A5E8B02135DC9A8AD4994FD73FD0BD

SHA256:

8A37D05A6E994135D1810C6FA1424B5602AE1D3F539E4FBD8B287E2896E21662

SSDEEP:

24576:wBHpAxCEbgKO90c5bI2tYW0uBiDoeb6kX0aTKVZ:9CEbgKO90c5bI2tYW0uBiUiDX0aTKVZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

    • Process drops legitimate windows executable

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

    • Executable content was dropped or overwritten

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

  • INFO

    • Checks supported languages

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa (PID: 2044)
      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

    • Reads the computer name

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa (PID: 2044)

    • Creates files or folders in the user directory

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

    • The sample compiled with english language support

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

    • Reads the software policy settings

      • slui.exe (PID: 4528)

    • Creates files in the program directory

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)

    • Checks proxy server information

      • slui.exe (PID: 4528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:02:20 04:42:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 32768
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x3d57
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2044C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usaC:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4528C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5884"C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe" C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 514
Read events
3 514
Write events
0
Delete events
0

Modification events

No data
Executable files
24
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usaexecutable
MD5:C9F853DE1E78FC0DEDFED88E35F127F8
SHA256:2AD0DEDCDA48A899960F06B90B0FB9D08C83FEF416F616CE359340FCE4886EB4
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.usaexecutable
MD5:CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256:1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\UsaShohdi.asuexecutable
MD5:A2D25533434F0A55703A7BADD0C0687A
SHA256:8A37D05A6E994135D1810C6FA1424B5602AE1D3F539E4FBD8B287E2896E21662
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.usaexecutable
MD5:6280AC1831E499B972405890FFF0B5AF
SHA256:1650105226B7E52E26E98A467BA83F58333F9BB72EA2274B2ABABE598AEF8D65
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:7A1E4E12276D318D2BA7C7F90ABA24AA
SHA256:FFC756CE691AC0155C8737F7B2DC75C59E4DF85F4676DEF363036A7B0B0EB127
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.usaexecutable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:0E86580F3131B7112A4177B4A054D1E6
SHA256:350DDEA6EAB1DE8A1A2107742C39C586BE87CE93F4E7BB9C077BFDE77014384A
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.usaexecutable
MD5:20EA602903CFBE6A29F3DE5195DD968D
SHA256:3C1FA2C7CC8B895612265CFD3CC19CD44FFD0F26CDBB6AB6CD14EC34B0B5C736
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:8C1360772E010C47D33F2A5D7CA3A387
SHA256:89F57FA57F2D00CEEF3765688316EE2948692FF08DDDFC5704B6FE0066C28218
58842025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.usaexecutable
MD5:F3D599FCE8EDED3BDFD228836270813C
SHA256:24E76FE67435E9C7C1AA9EC22D736DE3873FBD2E880D8AE716DFFEC0E146FC53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
592
RUXIMICS.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
592
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
592
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
1268
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
592
RUXIMICS.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_