File name:

2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx

Full analysis: https://app.any.run/tasks/ac0dcae5-fae4-4acb-a07f-378ddfbac050
Verdict: Malicious activity
Analysis date: May 25, 2025, 15:53:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
idm
tool
auto
generic
qrcode
arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

A597F0F910336931AA0725EC9BEF560A

SHA1:

B5228DB12F3C76996E8CD8378B115F4971C59363

SHA256:

B483201C1AF77D3E7625AC432DA96829CFBC4824E4C8E07305110C0F064522A8

SSDEEP:

98304:Q53MvTN5M0vzM8ZBhKCxwxCsuj3ZzeDESpNEzudey8MaTdwt2l4M/yrpKACT7tY/:PbQNp2YuFkgidhOlO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • IDMan.exe (PID: 8004)
      • IDMan.exe (PID: 8044)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 7752)
      • rundll32.exe (PID: 7200)
      • InfDefaultInstall.exe (PID: 7732)
      • rundll32.exe (PID: 4448)
    • GENERIC has been found (auto)

      • rundll32.exe (PID: 7752)
      • rundll32.exe (PID: 7200)
      • drvinst.exe (PID: 4688)
    • Starts NET.EXE for service management

      • Uninstall.exe (PID: 8180)
      • net.exe (PID: 896)
      • net.exe (PID: 5984)
      • Uninstall.exe (PID: 5408)
      • net.exe (PID: 7268)
      • net.exe (PID: 8248)
      • net.exe (PID: 8156)
      • net.exe (PID: 8344)
      • net.exe (PID: 7768)
    • Registers / Runs the DLL via REGSVR32.EXE

      • Uninstall.exe (PID: 8180)
      • Uninstall.exe (PID: 5408)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe (PID: 7496)
      • IDMan.exe (PID: 8004)
      • IDMan.exe (PID: 8044)
      • Uninstall.exe (PID: 8180)
      • Uninstall.exe (PID: 5408)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 7752)
      • IDMan.exe (PID: 8004)
      • rundll32.exe (PID: 7200)
      • drvinst.exe (PID: 4688)
    • Drops a system driver (possible attempt to evade defenses)

      • rundll32.exe (PID: 7752)
      • rundll32.exe (PID: 7200)
      • drvinst.exe (PID: 4688)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7772)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe (PID: 7496)
      • IDMIntegrator64.exe (PID: 8104)
    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 7752)
    • Creates a software uninstall entry

      • rundll32.exe (PID: 7752)
    • Creates/Modifies COM task schedule object

      • IDMan.exe (PID: 8004)
      • IDMIntegrator64.exe (PID: 8116)
      • regsvr32.exe (PID: 7052)
      • regsvr32.exe (PID: 8476)
    • Uses RUNDLL32.EXE to load library

      • Uninstall.exe (PID: 8180)
      • Uninstall.exe (PID: 5408)
    • Creates files in the driver directory

      • drvinst.exe (PID: 4688)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 5164)
      • Uninstall.exe (PID: 8180)
      • Uninstall.exe (PID: 5408)
      • drvinst.exe (PID: 7716)
  • INFO

    • Checks supported languages

      • 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe (PID: 7496)
      • IDMan.exe (PID: 8044)
      • IDMan.exe (PID: 8004)
      • Uninstall.exe (PID: 8180)
      • drvinst.exe (PID: 4688)
      • drvinst.exe (PID: 5164)
      • drvinst.exe (PID: 7716)
      • IDMIntegrator64.exe (PID: 8104)
      • Uninstall.exe (PID: 5408)
      • IDMIntegrator64.exe (PID: 8116)
    • Reads the computer name

      • 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe (PID: 7496)
      • IDMan.exe (PID: 8004)
      • IDMan.exe (PID: 8044)
      • IDMIntegrator64.exe (PID: 8104)
      • Uninstall.exe (PID: 8180)
      • drvinst.exe (PID: 5164)
      • drvinst.exe (PID: 4688)
      • drvinst.exe (PID: 7716)
      • Uninstall.exe (PID: 5408)
    • The sample compiled with russian language support

      • rundll32.exe (PID: 7752)
    • Creates files in the program directory

      • rundll32.exe (PID: 7752)
      • IDMan.exe (PID: 8004)
    • Create files in a temporary directory

      • 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe (PID: 7496)
      • IDMan.exe (PID: 8004)
      • IDMan.exe (PID: 8044)
      • rundll32.exe (PID: 7200)
    • Auto-launch of the file from Registry key

      • rundll32.exe (PID: 7752)
      • rundll32.exe (PID: 7200)
      • InfDefaultInstall.exe (PID: 7732)
      • rundll32.exe (PID: 4448)
    • Reads the machine GUID from the registry

      • IDMan.exe (PID: 8004)
      • IDMan.exe (PID: 8044)
      • drvinst.exe (PID: 4688)
    • The sample compiled with english language support

      • rundll32.exe (PID: 7752)
      • IDMan.exe (PID: 8004)
      • rundll32.exe (PID: 7200)
      • drvinst.exe (PID: 4688)
    • Reads the software policy settings

      • IDMan.exe (PID: 8044)
      • IDMan.exe (PID: 8004)
      • drvinst.exe (PID: 4688)
    • INTERNETDOWNLOADMANAGER mutex has been found

      • IDMan.exe (PID: 8044)
      • IDMan.exe (PID: 8004)
      • IDMIntegrator64.exe (PID: 8116)
      • IDMIntegrator64.exe (PID: 8104)
    • Manual execution by a user

      • IDMan.exe (PID: 8044)
      • grpconv.exe (PID: 7464)
      • wscript.exe (PID: 8716)
      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2092)
      • rundll32.exe (PID: 2780)
      • rundll32.exe (PID: 2552)
      • wscript.exe (PID: 3800)
    • Disables trace logs

      • IDMan.exe (PID: 8044)
      • IDMan.exe (PID: 8004)
    • Checks proxy server information

      • IDMan.exe (PID: 8004)
      • IDMan.exe (PID: 8044)
      • 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe (PID: 7496)
    • Process checks computer location settings

      • IDMan.exe (PID: 8044)
      • IDMan.exe (PID: 8004)
      • Uninstall.exe (PID: 8180)
      • Uninstall.exe (PID: 5408)
    • Creates files or folders in the user directory

      • IDMan.exe (PID: 8044)
      • IDMan.exe (PID: 8004)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 6268)
      • runonce.exe (PID: 6724)
      • runonce.exe (PID: 7696)
    • Reads the time zone

      • runonce.exe (PID: 6268)
      • runonce.exe (PID: 6724)
    • Application launched itself

      • firefox.exe (PID: 6564)
      • msedge.exe (PID: 6632)
      • firefox.exe (PID: 960)
      • firefox.exe (PID: 4724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:12 14:02:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.42
CodeSize: 248320
InitializedDataSize: 180736
UninitializedDataSize: -
EntryPoint: 0x26560
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
254
Monitored processes
122
Malicious processes
9
Suspicious processes
2

Behavior graph

start 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe no specs infdefaultinstall.exe #GENERIC rundll32.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs idman.exe idman.exe idmintegrator64.exe no specs idmintegrator64.exe no specs uninstall.exe no specs #GENERIC rundll32.exe #GENERIC drvinst.exe drvinst.exe no specs runonce.exe no specs grpconv.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs regsvr32.exe no specs regsvr32.exe no specs firefox.exe no specs firefox.exe uninstall.exe no specs uninstall.exe runonce.exe no specs firefox.exe no specs rundll32.exe firefox.exe no specs drvinst.exe no specs runonce.exe no specs grpconv.exe no specs grpconv.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs firefox.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs net.exe no specs conhost.exe no specs msedge.exe net1.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs grpconv.exe no specs msedge.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs msedge.exe msedge.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs regsvr32.exe no specs regsvr32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs slui.exe firefox.exe no specs msedge.exe no specs msedge.exe no specs 
msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wscript.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs firefox.exe no specs wscript.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
208
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
232
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6600 --field-trial-handle=2344,i,10249507281583930761,14368409378917406296,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
496
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
896
CMD:
"C:\Windows\System32\net.exe" start IDMWFP
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
Uninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
960
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
1056
CMD:
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
Uninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1116
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4864 --field-trial-handle=2344,i,10249507281583930761,14368409378917406296,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1128
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5632 --field-trial-handle=2344,i,10249507281583930761,14368409378917406296,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1168
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5532 --field-trial-handle=2344,i,10249507281583930761,14368409378917406296,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1168
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5604 --field-trial-handle=2344,i,10249507281583930761,14368409378917406296,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
48 525
Read events
47 743
Write events
727
Delete events
55

Modification events

(PID) Process:
(7496) 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inf\OpenWithProgids
Operation:
write
Name:
inffile
Value:

(PID) Process:
(7496) 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:
write
Name:
C:\WINDOWS\System32\InfDefaultInstall.exe.FriendlyAppName
Value:
INF Default Install

(PID) Process:
(7496) 2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:
write
Name:
C:\WINDOWS\System32\InfDefaultInstall.exe.ApplicationCompany
Value:
Microsoft Corporation

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Internet Download Manager
Operation:
write
Name:
AdvIntDriverEnabled2
Value:
1

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\DownloadManager
Operation:
write
Name:
bShLc2
Value:
1

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\DownloadManager
Operation:
write
Name:
NewConnType
Value:
3

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\DownloadManager\netApps
Operation:
write
Name:
00002action
Value:
turn_off

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\DownloadManager
Operation:
write
Name:
bHDIShwd
Value:
1

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\DownloadManager
Operation:
write
Name:
TrayIcon
Value:
1

(PID) Process:
(7752) rundll32.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\DownloadManager
Operation:
write
Name:
nDESC8
Value:
1
Executable files
149
Suspicious files
476
Text files
501
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID:
7496
Process:
2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe
Filename:
C:\Users\admin\AppData\Local\Temp\RarSFX0\IDM.cab
MD5:
SHA256:

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\SETD59C.tmp
Type:
image
MD5:
94812DF1B1C5EB32CDD953BFFF6FE508
SHA256:
D1E37D43E9DFA1BC8CC5B9ABBFBF8368A3D7FC9DB9B2BABCFCE2433EF7260BB7

PID:
7496
Process:
2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe
Filename:
C:\Users\admin\AppData\Local\Temp\RarSFX0\Crack.7z
Type:
compressed
MD5:
D8C108DDA129D83C26C503CF6644A75A
SHA256:
0DF3ADA5FDBF3315B3E61812E42429F923E30DF3A157B556DD8CA4FDA0CAF7A3

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\SETD508.tmp
Type:
image
MD5:
0DC0B394953344D464B60D6FA520F2AB
SHA256:
EDA9A334B8B18B02809537441BE62656445A4BFB01E19EFEDF415514CDA84476

PID:
7496
Process:
2025-05-25_a597f0f910336931aa0725ec9bef560a_amadey_black-basta_cryptbot_elex_luca-stealer_lynx.exe
Filename:
C:\Users\admin\AppData\Local\Temp\RarSFX0\CyberMania.url
Type:
url
MD5:
9994A4E0CDEF79EA6A8180AEA7CD6FEB
SHA256:
4A40F4593F87FDA18590179C240DA85A4A895D774BADA80F6CE33D82A7AF0D1B

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\SETD528.tmp
Type:
image
MD5:
F88DE65FE9E4E5E535AA756660909ADA
SHA256:
9B6DC7965ADC42116ECB2673E626DD9A6718C18EE9AF7BEC257DAE7C4349CE99

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\SETD4B7.tmp
Type:
image
MD5:
DEDDE6DA418C816B65BC4EE76302BD82
SHA256:
2C07B067A6B06C7D87D408E16F7047615B098DB2328515E92166FDD6422E7099

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3.bmp
Type:
image
MD5:
DEDDE6DA418C816B65BC4EE76302BD82
SHA256:
2C07B067A6B06C7D87D408E16F7047615B098DB2328515E92166FDD6422E7099

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3_hdpi15.bmp
Type:
image
MD5:
0DC0B394953344D464B60D6FA520F2AB
SHA256:
EDA9A334B8B18B02809537441BE62656445A4BFB01E19EFEDF415514CDA84476

PID:
7752
Process:
rundll32.exe
Filename:
C:\Program Files (x86)\Internet Download Manager\Toolbar\SETD4F7.tmp
Type:
image
MD5:
0DC0B394953344D464B60D6FA520F2AB
SHA256:
EDA9A334B8B18B02809537441BE62656445A4BFB01E19EFEDF415514CDA84476
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
585
TCP/UDP connections
226
DNS requests
246
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
151.101.3.19:443
https://spocs.getpocket.com/spocs
unknown
binary
1.15 Kb
whitelisted
GET
200
34.160.144.191:443
https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2024-03-20-10-07-03.chain
unknown
text
5.23 Kb
whitelisted
GET
204
151.101.3.19:443
https://contile.services.mozilla.com/v1/tiles
unknown
GET
101
34.107.243.93:443
https://push.services.mozilla.com/
unknown
GET
302
169.61.27.133:443
https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
unknown
html
260 b
whitelisted
960
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
960
firefox.exe
169.61.27.133:443
secure.internetdownloadmanager.com
SOFTLAYER
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
test.internetdownloadmanager.com
  • 185.80.221.18
whitelisted
secure.internetdownloadmanager.com
  • 169.61.27.133
whitelisted
www.internetdownloadmanager.com
  • 169.61.27.133
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8216
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8216
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8216
msedge.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
8216
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8216
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to sentry .io
No debug info