File name:

2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer

Full analysis: https://app.any.run/tasks/e378c678-38ce-4230-b781-d61378370788
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that was first introduced in 2018. It is a modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: July 06, 2025, 01:24:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
dcrat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

E077D373831C86327724DD517038034A

SHA1:

7BEF746D6EDA0CDDAF36DBDC8D6769FBD8A37DBC

SHA256:

B478A4BE858FDEAD86D3B5725C50684F6EDA7792A8C8B1A04A174B7F27FA43C0

SSDEEP:

98304:Oyi35qtz1nrAs8ROlzc9Ew7VY2w9YcAt7UfA/E3ZI4D0wbhL7XdD0i8IpFq06ZE/:vqi

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 2356)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2356)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2356)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Executable content was dropped or overwritten

      • refNetsvc.exe (PID: 4868)
      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2356)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • The process creates files with name similar to system file names

      • refNetsvc.exe (PID: 4868)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 5924)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5612)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 2664)
      • cmd.exe (PID: 5952)
    • Reads the date of Windows installation

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 5924)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 2664)
      • cmd.exe (PID: 5952)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 5612)
    • The process executes via Task Scheduler

      • updater.exe (PID: 1812)
    • Application launched itself

      • updater.exe (PID: 1812)
  • INFO

    • Checks supported languages

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • chcp.com (PID: 1132)
      • dllhost.exe (PID: 2804)
      • chcp.com (PID: 7004)
      • dllhost.exe (PID: 6732)
      • chcp.com (PID: 5928)
      • dllhost.exe (PID: 2216)
      • chcp.com (PID: 3864)
      • updater.exe (PID: 1812)
      • updater.exe (PID: 2632)
      • dllhost.exe (PID: 1180)
      • chcp.com (PID: 5352)
      • dllhost.exe (PID: 5188)
      • chcp.com (PID: 3584)
      • dllhost.exe (PID: 5168)
      • chcp.com (PID: 3108)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • chcp.com (PID: 4836)
      • chcp.com (PID: 2612)
      • dllhost.exe (PID: 3880)
      • chcp.com (PID: 2140)
      • dllhost.exe (PID: 864)
      • chcp.com (PID: 5924)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
      • chcp.com (PID: 5184)
      • chcp.com (PID: 5244)
    • Reads the computer name

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • updater.exe (PID: 1812)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Process checks computer location settings

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Reads the machine GUID from the registry

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Creates files in a temporary directory

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
    • Reads Environment values

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Failed to create an executable file in Windows directory

      • refNetsvc.exe (PID: 4868)
    • Changes the display of characters in the console

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 5924)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5612)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 2664)
      • cmd.exe (PID: 5952)
    • Disables trace logs

      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Checks proxy server information

      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • slui.exe (PID: 6528)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1812)
    • Reads the software policy settings

      • slui.exe (PID: 6528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 261632
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
205
Monitored processes
72
Malicious processes
28
Suspicious processes
0

Behavior graph

start 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs)
#DCRAT refnetsvc.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), w32tm.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs), updater.exe (no specs), updater.exe (no specs), slui.exe
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), w32tm.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 316
CMD: "C:\Users\admin\Desktop\2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe"
Path: C:\Users\admin\Desktop\2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\bridgeFontperfdll\dllhost.exe"
Path: C:\bridgeFontperfdll\dllhost.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\bridgefontperfdll\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1036
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1180
CMD: "C:\bridgeFontperfdll\dllhost.exe"
Path: C:\bridgeFontperfdll\dllhost.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\bridgefontperfdll\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1632
CMD: ping -n 10 localhost
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID: 1812
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1948
CMD: ping -n 10 localhost
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID: 1976
CMD: "C:\bridgeFontperfdll\dllhost.exe"
Path: C:\bridgeFontperfdll\dllhost.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\bridgefontperfdll\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
39 545
Read events
39 528
Write events
17
Delete events
0

Modification events

(PID) Process: (316) 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (4868) refNetsvc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\2355bf15ac53784bef35d88b37dc8dc649f063c0
Operation: write
Name: 6a3d8c714fb562a4ac0c25b850ed51e7c7bc9b71
Value:
H4sIAAAAAAAEAItWcraKiUkqykxJT3XLzyspSC1KS8nJiYkpzszILy7RS61IVdLBpSa4JLGoxDc1r9S1AiiWmZqXnOpBUFNIakWJZ15BaQlhpUACzRHhmXkp+eXFMTElRYnJmXnpQDXlufgNKUpN80stKS5LBiuLBQDg+d8T8QAAAA==

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0
Executable files
97
Suspicious files
1
Text files
34
Unknown types
0

Dropped files

PID | Process | Filename | Type
316 | 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\bridgeFontperfdll\HAHxtU7EoFLnEUfWfdHtKMv1ENU9OpbzTm3Y.vbe | binary
MD5: 2551505E94497CA66B45558DBAAB3C38
SHA256: 7B5221C7A14D9A5F584769EBC380781DA8C97ADF0E22DC9BF3C470BDA8BA566E
316 | 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\bridgeFontperfdll\refNetsvc.exe | executable
MD5: F3E7836A3396C1F2637BA1DC6093FBD0
SHA256: 1322F1F22B6DA0C854FBA86FC021C1F62F25CCD36DF42DA880998FA52646A746
316 | 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\bridgeFontperfdll\utJR7iIdo4p5Icn9RZAQpGdYFbIUGTGEdEjSHui.bat | text
MD5: 6A83D8C723CD3C8D15BF765642A8D8EA
SHA256: 6A58125892F7D094D508762CF1F5748547EBA3116CA08827980CA6AD6DCDECFD
4868 | refNetsvc.exe | C:\Users\admin\Desktop\ZxKFGtQi.log | executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
4868 | refNetsvc.exe | C:\Users\admin\Desktop\bulNctfc.log | executable
MD5: E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA256: DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
4868 | refNetsvc.exe | C:\Users\admin\Desktop\RMSxsQav.log | executable
MD5: 2D6975FD1CC3774916D8FF75C449EE7B
SHA256: 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
4868 | refNetsvc.exe | C:\Users\admin\Desktop\HdyhIoUN.log | executable
MD5: 0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256: DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
4868 | refNetsvc.exe | C:\Users\admin\Desktop\tHNTwOAr.log | executable
MD5: E9CE850DB4350471A62CC24ACB83E859
SHA256: 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
4868 | refNetsvc.exe | C:\Users\admin\Desktop\SRdYszPv.log | executable
MD5: 0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA256: 57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
4868 | refNetsvc.exe | C:\bridgeFontperfdll\4ad1e611c32875 | text
MD5: 079D67E2DD2ED6153F6E9CC2A87DE73E
SHA256: 4E5931B0D468E8A8F72D76BD912EFE414D884797B3505DD5E1345AD92D3ED6EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
38
DNS requests
28
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4400 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4400 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4400 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4400 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.4
  • 40.126.32.140
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.130
  • 20.190.160.67
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
277035cm.nyashvibe.ru
unknown
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info