File name: 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys

Full analysis: https://app.any.run/tasks/80390468-0ac7-4519-85f1-8a9a89ad1da3
Verdict: Malicious activity
Analysis date: June 14, 2025, 12:42:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 322FA8180D20B58AA16BE2BF69E2ACEA
SHA1: 1C8E31455DB6E743A981191B755BA14CCFAC5267
SHA256: 9CC1A3D66CC4297C1EC29ABE703787EBF8357B7BAA07B02A76986D00D81697F8
SSDEEP: 98304:2Rty55Ccn7Q21t1p2JTjI1oBz9ou1/PdISdbc+kI14sepRPmcW3FQPQVEdK6p7M+:RDx3l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 5616)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 6360)
    • Loads dropped or rewritten executable

      • @AE692A.tmp.exe (PID: 1604)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 5616)
      • explorer.exe (PID: 3976)
      • WdExt.exe (PID: 4172)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 6360)
    • Changes the autorun value in the registry

      • launch.exe (PID: 4836)
      • mscaps.exe (PID: 4224)
      • mscaps.exe (PID: 6516)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 3976)
      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • wtmps.exe (PID: 6892)
      • mscaps.exe (PID: 4224)
      • mscaps.exe (PID: 6516)
    • Process drops legitimate windows executable

      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
    • Starts CMD.EXE for commands execution

      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • launch.exe (PID: 4836)
    • Executing commands from a ".bat" file

      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • launch.exe (PID: 4836)
    • The executable file from the user directory is run by the CMD process

      • WdExt.exe (PID: 4172)
      • launch.exe (PID: 4836)
      • wtmps.exe (PID: 6892)
    • Application launched itself

      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 5616)
    • Reads security settings of Internet Explorer

      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • launch.exe (PID: 4836)
    • Detected use of alternative data streams (AltDS)

      • mscaps.exe (PID: 6516)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 3976)
    • Create files in a temporary directory

      • explorer.exe (PID: 3976)
      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • mscaps.exe (PID: 4224)
      • mscaps.exe (PID: 6516)
    • Checks supported languages

      • @AE692A.tmp.exe (PID: 1604)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 3780)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 5616)
      • WdExt.exe (PID: 4172)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 6360)
      • wtmps.exe (PID: 6892)
      • launch.exe (PID: 4836)
      • mscaps.exe (PID: 4224)
      • mscaps.exe (PID: 6516)
      • launch.exe (PID: 3148)
    • The sample compiled with english language support

      • explorer.exe (PID: 3976)
      • @AE692A.tmp.exe (PID: 1604)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 3780)
      • WdExt.exe (PID: 4172)
      • chrome.exe (PID: 2144)
    • Reads the computer name

      • WdExt.exe (PID: 4172)
      • 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (PID: 5616)
      • @AE692A.tmp.exe (PID: 1604)
      • launch.exe (PID: 4836)
    • Checks proxy server information

      • @AE692A.tmp.exe (PID: 1604)
      • slui.exe (PID: 6508)
    • Creates files or folders in the user directory

      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • launch.exe (PID: 4836)
      • mscaps.exe (PID: 4224)
      • wtmps.exe (PID: 6892)
      • mscaps.exe (PID: 6516)
    • Process checks computer location settings

      • @AE692A.tmp.exe (PID: 1604)
      • WdExt.exe (PID: 4172)
      • launch.exe (PID: 4836)
    • Launching a file from a Registry key

      • launch.exe (PID: 4836)
      • mscaps.exe (PID: 4224)
      • mscaps.exe (PID: 6516)
    • Application launched itself

      • chrome.exe (PID: 1496)
      • chrmstp.exe (PID: 5012)
      • chrmstp.exe (PID: 2160)
    • Manual execution by a user

      • mscaps.exe (PID: 6516)
      • launch.exe (PID: 3148)
    • Reads the software policy settings

      • slui.exe (PID: 6508)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2144)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:03:05 08:37:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 2560
InitializedDataSize: 443392
UninitializedDataSize: -
EntryPoint: 0x167f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 109.0.5414.120
ProductVersionNumber: 109.0.5414.120
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Google LLC
FileDescription: Google Chrome Installer
FileVersion: 109.0.5414.120
InternalName: setup
LegalCopyright: Copyright 2023 Google LLC. All rights reserved.
ProductName: Google Chrome Installer
ProductVersion: 109.0.5414.120
CompanyShortName: Google
ProductShortName: Chrome Installer
LastChange: 772095164c7d5d4e73160f858efed3b5e87eca83-refs/branch-heads/5414@{#1458}
OfficialBuild: 1
Total processes: 196
Monitored processes: 62
Malicious processes: 7
Suspicious processes: 5

Behavior graph (process launch order as drawn in the report; 62 monitored processes in total)

2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe (the sample), explorer.exe, @ae692a.tmp.exe, the sample ×2 (relaunches), chrome.exe ×2, cmd.exe, conhost.exe, cmd.exe, conhost.exe, wdext.exe, cmd.exe, conhost.exe, launch.exe, cmd.exe, conhost.exe, wtmps.exe, mscaps.exe, chrome.exe ×6, mscaps.exe, launch.exe, chrome.exe ×2, chrmstp.exe, chrome.exe, chrmstp.exe ×2, chrome.exe, chrmstp.exe, chrome.exe ×21, slui.exe, chrome.exe ×5

Process information

Each entry lists PID, command line (CMD), image path, indicators and parent process.

PID: 32
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5100,i,3429963104971743440,16218919325435356763,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5524 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 316
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin0.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: @AE692A.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 420
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=5784,i,3429963104971743440,16218919325435356763,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=6036 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1028
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=4556,i,3429963104971743440,16218919325435356763,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4564 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1356
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6068,i,3429963104971743440,16218919325435356763,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5564 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1496
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1520
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5424,i,3429963104971743440,16218919325435356763,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=6124 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1604
CMD: "C:\Users\admin\AppData\Local\Temp\@AE692A.tmp.exe"
Path: C:\Users\admin\AppData\Local\Temp\@AE692A.tmp.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\@ae692a.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1700
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin0.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: launch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1712
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=4940,i,3429963104971743440,16218919325435356763,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4968 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 19 650
Read events: 19 606
Write events: 36
Delete events: 8

Modification events

PID 1496 chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: failed_count | Value: 0
PID 1496 chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 2
PID 1496 chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 1
PID 4836 launch.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: Windows Defender Extension | Value: "C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"
PID 1496 chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics | Operation: write | Name: user_experience_metrics.stability.exited_cleanly | Value: 0
PID 4224 mscaps.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: JREUpdate | Value: "C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
PID 1496 chrome.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | Operation: write | Name: usagestats | Value: 0
PID 1496 chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: GlobalAssocChangedCounter | Value: 121
PID 6516 mscaps.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: JREUpdate | Value: "C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
PID 1496 chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings | Operation: delete key | Name: (default) | Value: (none)
Executable files: 22
Suspicious files: 487
Text files: 54
Unknown types: 0

Dropped files (PID, process, filename, type, hashes)

PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe (executable)
MD5: AF92FBD81B0050F2BE1FFF0506974E4A
SHA256: F1AF5B6A608C979B8AD0DF0F338D92C496676C2985D1CAC76D7BE3412AF7CACB
PID 3976 explorer.exe: C:\Users\admin\AppData\Local\Temp\@AE692A.tmp.exe (executable)
MD5: AF92FBD81B0050F2BE1FFF0506974E4A
SHA256: F1AF5B6A608C979B8AD0DF0F338D92C496676C2985D1CAC76D7BE3412AF7CACB
PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Roaming\Temp\admin1.bat (text)
MD5: 767BD5DC7A36839A0FD6EA3A431C3859
SHA256: 2F443947E20CE3B22550B24994B928587123DF2B1168FD4FC8C55ED5527889BE
PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Roaming\Temp\admin0.bat (text)
MD5: F2D4F8A8491F3A5151B05D92F283EBEF
SHA256: CCC42E2A79C7DFE395EB6BD21CAD4D44D526C5A361953175573DB7B59BE57EBC
PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Roaming\Temp\mydll.dll (executable)
MD5: FC4A6145DDD1B64983E8700601C71FC6
SHA256: 5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6
PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Local\Temp\Sp6BDA.tmp (binary)
MD5: D4DB698147DB342E9D577C30B8491A42
SHA256: 09E2F844B9D58ACA3C969F6FD5BDB5E9E6E62F370082052D949ADB0E55DBB564
PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Local\Temp\tmp6B1E.tmp (executable)
MD5: 25B585D6D671DE30C9AFB6EF86AE7CAA
SHA256: 0F98A0A2F55AF3CE7D967E95ACCB1EF322EE75FBC6E61EC78DC6CBD528EFB0FA
PID 5616 2025-06-14_322fa8180d20b58aa16be2bf69e2acea_amadey_black-basta_darkgate_darpapox_elex_hijackloader_luca-stealer_nymaim_rhadamanthys.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (binary)
MD5: FC81892AC822DCBB09441D3B58B47125
SHA256: FB077C966296D02D50CCBF7F761D2A3311A206A784A7496F331C2B0D6AD205C8
PID 1604 @AE692A.tmp.exe: C:\Users\admin\AppData\Local\Temp\tmp6BDC.tmp (binary)
MD5: D879FDCDC245D8059F41359438036564
SHA256: 58ECEF4AE1D424661D93E4D1B4E1DEC30D0D7275ADDE1319BF6FEBA0C8848C7E
PID 4172 WdExt.exe: C:\Users\admin\AppData\Roaming\Temp\mydll.dll (executable)
MD5: FC4A6145DDD1B64983E8700601C71FC6
SHA256: 5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6
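The modification events and the dropped-file table carry the signals a triage script keys on in this report: both autorun values point into user-writable AppData paths and borrow vendor names (a "Windows Defender Extension" that runs launch.exe from Roaming\Microsoft\Defender, a "JREUpdate" that runs mscaps.exe with the /s /n /i:U shell32.dll switch string that only regsvr32.exe interprets), cmd.exe is spawned to run admin0.bat out of Roaming\Temp, and the same SHA256 is written to both Local\Temp\@AE692A.tmp.exe and Roaming\Microsoft\Messenger\Extension\WdExt.exe, that is, the dropper copies itself to a persistent location. The Python below is an added example, not part of the ANY.RUN report or its export: it encodes those checks over records transcribed from this page into a constructed, simplified layout of my own. The field names, the shortened parent name "sample.exe", and the keyword lists behind the heuristics are assumptions, not ANY.RUN's schema.

```python
"""Triage of sandbox-style events for persistence and staging signals.

Added example. The records below are a constructed, simplified
transcription of values from this report (Run-key writes, process
launches, dropped files); the record layout is the author's own and
is not ANY.RUN's export format.
"""
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to; a Run-key image here is the
# classic user-land persistence pattern and deserves a second look.
USER_WRITABLE = ("appdata\\roaming", "appdata\\local", "\\temp\\", "\\users\\public")
# Substrings that borrow a Microsoft/Java component's identity (assumed list).
IMPERSONATION_HINTS = ("defender", "windows", "microsoft", "jre", "java", "update")
# regsvr32 install/uninstall switches; only meaningful on regsvr32.exe itself.
REGSVR_ARGS = re.compile(r"/s\b.*/n\b.*/i(?::\w+)?", re.IGNORECASE)

RUN_KEY_WRITES = [  # constructed from the report's modification events
    {"pid": 4836, "process": "launch.exe", "name": "Windows Defender Extension",
     "value": r'"C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"'},
    {"pid": 4224, "process": "mscaps.exe", "name": "JREUpdate",
     "value": r'"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll'},
]
PROCESS_LAUNCHES = [  # constructed from the process list ("sample.exe" shortens the long sample name)
    {"pid": 316, "parent": "@AE692A.tmp.exe",
     "cmd": r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\admin0.bat" "'},
    {"pid": 1496, "parent": "sample.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run'},
]
DROPPED_FILES = [  # constructed from the dropped-files table
    {"pid": 3976, "process": "explorer.exe", "path": r"C:\Users\admin\AppData\Local\Temp\@AE692A.tmp.exe",
     "sha256": "F1AF5B6A608C979B8AD0DF0F338D92C496676C2985D1CAC76D7BE3412AF7CACB"},
    {"pid": 1604, "process": "@AE692A.tmp.exe",
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe",
     "sha256": "F1AF5B6A608C979B8AD0DF0F338D92C496676C2985D1CAC76D7BE3412AF7CACB"},
    {"pid": 1604, "process": "@AE692A.tmp.exe", "path": r"C:\Users\admin\AppData\Roaming\Temp\mydll.dll",
     "sha256": "5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6"},
]


def split_command(cmd):
    """Return (image_path, argument_string) for a Windows command line.
    Handles the quoted-image form used in Run values and the bare form."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_run_key(entry):
    """Findings for one HKCU\\...\\Run value write."""
    image, args = split_command(entry["value"])
    findings = []
    writable = in_user_writable(image)
    if writable:
        findings.append("run key points into a user-writable directory")
    # Vendor-looking names are only suspicious together with a non-vendor path.
    if writable and any(h in entry["name"].lower() for h in IMPERSONATION_HINTS):
        findings.append("value name impersonates a vendor component")
    if REGSVR_ARGS.search(args) and PureWindowsPath(image).name.lower() != "regsvr32.exe":
        findings.append("regsvr32-style arguments on a non-regsvr32 image")
    return findings


def check_launch(entry):
    """Flag cmd.exe running a batch file from a user-writable directory."""
    image, args = split_command(entry["cmd"])
    findings = []
    if PureWindowsPath(image).name.lower() == "cmd.exe":
        m = re.search(r'"?([^"]+\.bat)"?', args, re.IGNORECASE)
        if m and in_user_writable(m.group(1)):
            findings.append("cmd.exe runs a .bat from a user-writable directory")
    return findings


def find_self_copies(drops):
    """Group dropped files by hash; identical bytes at two paths is staging."""
    by_hash = {}
    for d in drops:
        by_hash.setdefault(d["sha256"], []).append(d["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def triage():
    report = {"run_keys": {}, "launches": {}, "self_copies": find_self_copies(DROPPED_FILES)}
    for e in RUN_KEY_WRITES:
        findings = check_run_key(e)
        if findings:
            report["run_keys"][e["name"]] = findings
    for e in PROCESS_LAUNCHES:
        findings = check_launch(e)
        if findings:
            report["launches"][e["pid"]] = findings
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Running it prints a JSON summary with both Run values, the cmd.exe launch of admin0.bat, and the shared hash of @AE692A.tmp.exe and WdExt.exe. The regsvr32-argument check is the one with the most signal per line: those switches do nothing for an arbitrary executable, so their presence on mscaps.exe is pure camouflage. The name heuristic is deliberately gated on a user-writable path so that legitimate vendor entries under Program Files are not raised.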
HTTP(S) requests: 48
TCP/UDP connections: 41
DNS requests: 34
Threats: 1

HTTP requests (PID, process, method and HTTP code, IP, URL, CN, type and size, reputation)

1268 svchost.exe | GET 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
5944 MoUsoCoreWorker.exe | GET 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
5708 RUXIMICS.exe | GET 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
5944 MoUsoCoreWorker.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
1268 svchost.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
5708 RUXIMICS.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
(PID/process not recorded) | GET 200 | 142.250.27.94:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133 | CN: unknown | compressed, 58.4 Kb | whitelisted
(PID/process not recorded) | GET 200 | 142.250.102.139:443 | https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=133.0.6943.127&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEB%26ping%3Dr%253D-1%2526e%253D1 | CN: unknown | xml, 812 b | whitelisted
(PID/process not recorded) | GET 200 | 142.250.27.95:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | CN: unknown | binary, 41 b | whitelisted
(PID/process not recorded) | POST 200 | 142.250.27.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | CN: unknown | text, 17 b | whitelisted

Connections (PID, process, IP:port, domain, ASN, CN, reputation)

4 System | 192.168.100.255:137 | whitelisted
1268 svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5708 RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 System | 192.168.100.255:138 | whitelisted
1268 svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5708 RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
windowsupdate.microsoft.com
  • 128.85.102.70
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
clients2.google.com
  • 142.250.102.139
  • 142.250.102.113
  • 142.250.102.100
  • 142.250.102.138
  • 142.250.102.102
  • 142.250.102.101
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.102.95
  • 142.250.27.95
whitelisted
clientservices.googleapis.com
  • 142.250.27.94
whitelisted
update.googleapis.com
  • 142.250.27.94
whitelisted
accounts.google.com
  • 142.250.27.84
whitelisted

Threats (PID, process, class, message)

(PID/process not recorded) | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install
No debug info