File name: 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_

Full analysis: https://app.any.run/tasks/9242f858-041f-4323-81b4-c533a2eaf65e
Verdict: Malicious activity
Analysis date: July 06, 2025, 03:54:12
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: A2D25533434F0A55703A7BADD0C0687A
SHA1: 1AA72D12D7A5E8B02135DC9A8AD4994FD73FD0BD
SHA256: 8A37D05A6E994135D1810C6FA1424B5602AE1D3F539E4FBD8B287E2896E21662
SSDEEP: 24576:wBHpAxCEbgKO90c5bI2tYW0uBiDoeb6kX0aTKVZ:9CEbgKO90c5bI2tYW0uBiUiDX0aTKVZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
    • Executable content was dropped or overwritten

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
    • Process drops legitimate windows executable

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
  • INFO

    • Reads the computer name

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa (PID: 2044)
    • Checks supported languages

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa (PID: 2044)
    • Creates files or folders in the user directory

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
    • The sample was compiled with English language support

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
    • Creates files in the program directory

      • 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe (PID: 5884)
    • Checks proxy server information

      • slui.exe (PID: 4528)
    • Reads the software policy settings

      • slui.exe (PID: 4528)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:02:20 04:42:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 32768
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x3d57
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe -> 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa (no specs)
slui.exe

Process information

PID: 2044
CMD: C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa
Path: C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa
Parent process: 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.usa
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 4528
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5884
CMD: "C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe"
Path: C:\Users\admin\Desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 514
Read events: 3 514
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 24
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\UsaShohdi.asu | executable
MD5:A2D25533434F0A55703A7BADD0C0687A
SHA256:8A37D05A6E994135D1810C6FA1424B5602AE1D3F539E4FBD8B287E2896E21662
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.usa | executable
MD5:BDFF068C4C23E586A2013708D6A75C9A
SHA256:7C965138CD0AAC6920C9C7E2E68F2432A0F32F6B6CC0210E44E4CE7CA4B2C59B
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | executable
MD5:8C1360772E010C47D33F2A5D7CA3A387
SHA256:89F57FA57F2D00CEEF3765688316EE2948692FF08DDDFC5704B6FE0066C28218
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.usa | executable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exe | executable
MD5:945EBD42817BAFDDB023CD0BAE12D09C
SHA256:40026409546B818C0E955D67872268D7F5AB56B065FCE7147AC29AC38007775A
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.usa | executable
MD5:CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256:1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.usa | executable
MD5:F3D599FCE8EDED3BDFD228836270813C
SHA256:24E76FE67435E9C7C1AA9EC22D736DE3873FBD2E880D8AE716DFFEC0E146FC53
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | executable
MD5:0E86580F3131B7112A4177B4A054D1E6
SHA256:350DDEA6EAB1DE8A1A2107742C39C586BE87CE93F4E7BB9C077BFDE77014384A
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exe | executable
MD5:741E67971FA8E56F7E64BB5F3078D226
SHA256:9707E82E7BE18DFAD850A0CA9DFA3680B3A5EA32FBC8CC8FB74ACAA9C220F8FA
5884 | 2025-07-06_a2d25533434f0a55703a7badd0c0687a_amadey_black-basta_cloudeye_cobalt-strike_darkgate_elex_luca-stealer_nymaim_.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.usa | executable
MD5:6039A40224EDB54E2FBAB1849AA5D46B
SHA256:52AC5B3521FA67D44A28EE889091641CC2E86F17F27A7AFED44230FA98CD62D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
592 | RUXIMICS.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
592 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
592 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
1268 | svchost.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
592 | RUXIMICS.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.189.173.26 | whitelisted

Threats

No threats detected
No debug info