File name:

2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer

Full analysis: https://app.any.run/tasks/e378c678-38ce-4230-b781-d61378370788
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: July 06, 2025, 01:24:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
dcrat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: E077D373831C86327724DD517038034A
SHA1: 7BEF746D6EDA0CDDAF36DBDC8D6769FBD8A37DBC
SHA256: B478A4BE858FDEAD86D3B5725C50684F6EDA7792A8C8B1A04A174B7F27FA43C0
SSDEEP: 98304:Oyi35qtz1nrAs8ROlzc9Ew7VY2w9YcAt7UfA/E3ZI4D0wbhL7XdD0i8IpFq06ZE/:vqi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 2356)
    • DCRAT mutex has been found

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Reads security settings of Internet Explorer

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2356)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2356)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2356)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Reads the date of Windows installation

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 5924)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5612)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 2664)
      • cmd.exe (PID: 5952)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 5924)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 5952)
      • cmd.exe (PID: 2664)
    • The process creates files with name similar to system file names

      • refNetsvc.exe (PID: 4868)
    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 5612)
    • The process executes via Task Scheduler

      • updater.exe (PID: 1812)
    • Application launched itself

      • updater.exe (PID: 1812)
  • INFO

    • Checks supported languages

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • chcp.com (PID: 1132)
      • dllhost.exe (PID: 2804)
      • chcp.com (PID: 7004)
      • dllhost.exe (PID: 6732)
      • chcp.com (PID: 5928)
      • dllhost.exe (PID: 2216)
      • chcp.com (PID: 3864)
      • updater.exe (PID: 1812)
      • updater.exe (PID: 2632)
      • dllhost.exe (PID: 1180)
      • chcp.com (PID: 5352)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • chcp.com (PID: 3584)
      • dllhost.exe (PID: 1976)
      • chcp.com (PID: 4836)
      • chcp.com (PID: 3108)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • chcp.com (PID: 2612)
      • chcp.com (PID: 2140)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • chcp.com (PID: 5184)
      • chcp.com (PID: 5924)
      • dllhost.exe (PID: 2288)
      • chcp.com (PID: 5244)
    • Reads the computer name

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • dllhost.exe (PID: 2804)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • updater.exe (PID: 1812)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
    • Process checks computer location settings

      • 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 316)
      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Reads the machine GUID from the registry

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Reads Environment values

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Changes the display of characters in the console

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 5924)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 5612)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4760)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 2664)
      • cmd.exe (PID: 5952)
    • Failed to create an executable file in Windows directory

      • refNetsvc.exe (PID: 4868)
    • Create files in a temporary directory

      • refNetsvc.exe (PID: 4868)
      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Checks proxy server information

      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • slui.exe (PID: 6528)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Disables trace logs

      • dllhost.exe (PID: 2804)
      • dllhost.exe (PID: 2216)
      • dllhost.exe (PID: 6732)
      • dllhost.exe (PID: 1180)
      • dllhost.exe (PID: 5188)
      • dllhost.exe (PID: 5168)
      • dllhost.exe (PID: 1976)
      • dllhost.exe (PID: 6264)
      • dllhost.exe (PID: 3880)
      • dllhost.exe (PID: 864)
      • dllhost.exe (PID: 5060)
      • dllhost.exe (PID: 2288)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1812)
    • Reads the software policy settings

      • slui.exe (PID: 6528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 261632
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 205
Monitored processes: 72
Malicious processes: 28
Suspicious processes: 0

Behavior graph

start, 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs)
#DCRAT refnetsvc.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), w32tm.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
updater.exe (no specs), updater.exe (no specs), slui.exe
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), w32tm.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)
#DCRAT dllhost.exe, cmd.exe (no specs), conhost.exe (no specs), chcp.com (no specs), ping.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 316
CMD: "C:\Users\admin\Desktop\2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe"
Path: C:\Users\admin\Desktop\2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\bridgeFontperfdll\dllhost.exe"
Path: C:\bridgeFontperfdll\dllhost.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\bridgefontperfdll\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1036
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1180
CMD: "C:\bridgeFontperfdll\dllhost.exe"
Path: C:\bridgeFontperfdll\dllhost.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\bridgefontperfdll\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1632
CMD: ping -n 10 localhost
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID: 1812
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1948
CMD: ping -n 10 localhost
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID: 1976
CMD: "C:\bridgeFontperfdll\dllhost.exe"
Path: C:\bridgeFontperfdll\dllhost.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\bridgefontperfdll\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 39 545
Read events: 39 528
Write events: 17
Delete events: 0

Modification events

(PID) Process: (316) 2025-07-06_e077d373831c86327724dd517038034a_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (4868) refNetsvc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\2355bf15ac53784bef35d88b37dc8dc649f063c0
Operation: write
Name: 6a3d8c714fb562a4ac0c25b850ed51e7c7bc9b71
Value:
H4sIAAAAAAAEAItWcraKiUkqykxJT3XLzyspSC1KS8nJiYkpzszILy7RS61IVdLBpSa4JLGoxDc1r9S1AiiWmZqXnOpBUFNIakWJZ15BaQlhpUACzRHhmXkp+eXFMTElRYnJmXnpQDXlufgNKUpN80stKS5LBiuLBQDg+d8T8QAAAA==

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (2804) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dllhost_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 97
Suspicious files: 1
Text files: 34
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4868 | refNetsvc.exe | C:\Users\admin\Desktop\SRdYszPv.log | executable
MD5: 0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA256: 57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
4868 | refNetsvc.exe | C:\Users\admin\Desktop\ZxKFGtQi.log | executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
4868 | refNetsvc.exe | C:\Users\admin\Desktop\bulNctfc.log | executable
MD5: E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA256: DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
4868 | refNetsvc.exe | C:\Users\admin\Desktop\jYuDMmuK.log | executable
MD5: F4B38D0F95B7E844DD288B441EBC9AAF
SHA256: AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
4868 | refNetsvc.exe | C:\Users\admin\Desktop\RMSxsQav.log | executable
MD5: 2D6975FD1CC3774916D8FF75C449EE7B
SHA256: 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
4868 | refNetsvc.exe | C:\bridgeFontperfdll\4ad1e611c32875 | text
MD5: 079D67E2DD2ED6153F6E9CC2A87DE73E
SHA256: 4E5931B0D468E8A8F72D76BD912EFE414D884797B3505DD5E1345AD92D3ED6EB
4868 | refNetsvc.exe | C:\Windows\tracing\dwm.exe | executable
MD5: F3E7836A3396C1F2637BA1DC6093FBD0
SHA256: 1322F1F22B6DA0C854FBA86FC021C1F62F25CCD36DF42DA880998FA52646A746
4868 | refNetsvc.exe | C:\Users\admin\Desktop\HdyhIoUN.log | executable
MD5: 0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256: DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
4868 | refNetsvc.exe | C:\Windows\tracing\6cb0b6c459d5d3 | text
MD5: EEE7C3569E3B84872BED237F87865224
SHA256: 882424461667D439BB9D6FDE1EECCD493D6D3FF09DE1692594154CE776984FD7
4868 | refNetsvc.exe | C:\bridgeFontperfdll\5940a34987c991 | text
MD5: 339FC1F888CF90D1A6BD3F02FAD031BB
SHA256: 041A7FA1B5B5B22B8EF90D03BA3F84B54DF11D4128D8BE60AAF2A4F56892B4C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 38
DNS requests: 28
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4400 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4400 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4400 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4400 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.4
  • 40.126.32.140
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.130
  • 20.190.160.67
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
277035cm.nyashvibe.ru
unknown
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info