File name: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer

Full analysis: https://app.any.run/tasks/6007c850-e2b0-46dc-bf84-40b6302f8bea
Verdict: Malicious activity
Analysis date: April 07, 2025, 04:40:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 8D295B9BCD55FE2AEC91CB6CA5AD99E5
SHA1: 83603A22E7B986BBDE30E6EF61A627F30CCEE7C1
SHA256: CD03958AC79BDDA675AFA2B37CE895D6E28CAAAA04EFBCF68341B71BC0E3D72A
SSDEEP: 98304:byi3/tuCJcoKogj0YjbdDXayrZrRQQk1XB2EX5RfW6atOc4utMRF73J4sHRDJw+8:vgBQFxg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 5608)
      • NSudoLG.exe (PID: 7864)
    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 7864)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5608)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
    • Executable content was dropped or overwritten

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • 7z.exe (PID: 8036)
      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • Unlocker.exe (PID: 7840)
      • cmd.exe (PID: 5608)
    • Reads security settings of Internet Explorer

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • 25.exe (PID: 7868)
      • 25.exe (PID: 8048)
      • 25.exe (PID: 1760)
      • Unlocker.exe (PID: 8024)
      • Unlocker.exe (PID: 7816)
      • 25.exe (PID: 6988)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • ShellExperienceHost.exe (PID: 5964)
      • Unlocker.exe (PID: 4896)
    • Drops 7-zip archiver for unpacking

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
    • Starts CMD.EXE for commands execution

      • 25.exe (PID: 7868)
      • cmd.exe (PID: 7920)
      • 25.exe (PID: 8048)
      • cmd.exe (PID: 5552)
      • 25.exe (PID: 6988)
      • cmd.exe (PID: 5608)
      • Unlocker.exe (PID: 8024)
      • Unlocker.exe (PID: 7816)
      • 25.exe (PID: 1760)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 4896)
    • Application launched itself

      • cmd.exe (PID: 7920)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 5608)
    • Executing commands from a ".bat" file

      • 25.exe (PID: 7868)
      • 25.exe (PID: 8048)
      • 25.exe (PID: 1760)
      • 25.exe (PID: 6988)
    • The executable file from the user directory is run by the CMD process

      • 25.exe (PID: 8048)
      • 25.exe (PID: 6988)
    • Starts application with an unusual extension

      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 5608)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 5608)
    • Get information on the list of running processes

      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7020)
    • Starts POWERSHELL.EXE for commands execution

      • NSudoLG.exe (PID: 7864)
    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 7864)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 7936)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5608)
    • Reads the date of Windows installation

      • Unlocker.exe (PID: 8024)
      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • Unlocker.exe (PID: 4896)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 6964)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 7236)
      • cmd.exe (PID: 7932)
      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 8084)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 7584)
      • cmd.exe (PID: 5048)
      • cmd.exe (PID: 1324)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5552)
      • sc.exe (PID: 7192)
      • sc.exe (PID: 5008)
      • sc.exe (PID: 1676)
      • sc.exe (PID: 7592)
      • sc.exe (PID: 5164)
      • sc.exe (PID: 8016)
      • sc.exe (PID: 8136)
      • sc.exe (PID: 6800)
      • sc.exe (PID: 7644)
      • sc.exe (PID: 4400)
      • sc.exe (PID: 7684)
      • sc.exe (PID: 8168)
      • sc.exe (PID: 8152)
      • sc.exe (PID: 744)
      • sc.exe (PID: 6876)
      • sc.exe (PID: 7304)
      • sc.exe (PID: 7992)
      • sc.exe (PID: 8072)
      • sc.exe (PID: 8004)
      • sc.exe (PID: 7936)
      • sc.exe (PID: 5868)
      • sc.exe (PID: 8028)
      • sc.exe (PID: 1276)
      • sc.exe (PID: 7876)
      • sc.exe (PID: 5428)
      • sc.exe (PID: 5056)
      • sc.exe (PID: 6540)
      • sc.exe (PID: 680)
      • sc.exe (PID: 7592)
      • sc.exe (PID: 5008)
      • sc.exe (PID: 7180)
      • sc.exe (PID: 5328)
      • sc.exe (PID: 4724)
      • sc.exe (PID: 5800)
      • sc.exe (PID: 4620)
      • sc.exe (PID: 5360)
      • sc.exe (PID: 7560)
      • sc.exe (PID: 7724)
      • sc.exe (PID: 7784)
      • sc.exe (PID: 7516)
      • sc.exe (PID: 7244)
      • sc.exe (PID: 3900)
      • sc.exe (PID: 4068)
      • sc.exe (PID: 920)
      • sc.exe (PID: 5800)
      • sc.exe (PID: 7352)
      • sc.exe (PID: 5212)
      • sc.exe (PID: 660)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 6344)
      • cmd.exe (PID: 1096)
      • cmd.exe (PID: 6036)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 6040)
      • cmd.exe (PID: 3768)
    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • Unlocker.exe (PID: 8172)
    • Creates or modifies Windows services

      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • Unlocker.exe (PID: 7840)
    • Stops a currently running service

      • sc.exe (PID: 7676)
      • sc.exe (PID: 8036)
      • sc.exe (PID: 5956)
      • sc.exe (PID: 2800)
      • sc.exe (PID: 5968)
      • sc.exe (PID: 2552)
      • sc.exe (PID: 8160)
      • sc.exe (PID: 8036)
      • sc.exe (PID: 7960)
      • sc.exe (PID: 6028)
      • sc.exe (PID: 780)
      • sc.exe (PID: 8100)
      • sc.exe (PID: 5408)
      • sc.exe (PID: 6108)
      • sc.exe (PID: 5212)
      • sc.exe (PID: 4068)
      • sc.exe (PID: 7652)
      • sc.exe (PID: 7684)
      • sc.exe (PID: 7636)
      • sc.exe (PID: 7804)
      • sc.exe (PID: 5956)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5608)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 7964)
      • schtasks.exe (PID: 7904)
      • schtasks.exe (PID: 7892)
      • schtasks.exe (PID: 7944)
      • schtasks.exe (PID: 7864)
  • INFO

    • The sample compiled with english language support

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • cmd.exe (PID: 5608)
    • Reads the computer name

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • 25.exe (PID: 7868)
      • 25.exe (PID: 8048)
      • NSudoLG.exe (PID: 7228)
      • 25.exe (PID: 1760)
      • 25.exe (PID: 6988)
      • NSudoLG.exe (PID: 7864)
      • 7z.exe (PID: 8036)
      • Unlocker.exe (PID: 8024)
      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • ShellExperienceHost.exe (PID: 5964)
      • Unlocker.exe (PID: 4896)
      • IObitUnlocker.exe (PID: 5508)
    • Create files in a temporary directory

      • 25.exe (PID: 7868)
      • 25.exe (PID: 8048)
      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • 7z.exe (PID: 8036)
    • Process checks computer location settings

      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • 25.exe (PID: 7868)
      • 25.exe (PID: 8048)
    • Checks supported languages

      • 25.exe (PID: 7868)
      • 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe (PID: 7808)
      • 25.exe (PID: 8048)
      • chcp.com (PID: 8156)
      • NSudoLG.exe (PID: 7228)
      • 25.exe (PID: 1760)
      • 25.exe (PID: 6988)
      • mode.com (PID: 7052)
      • chcp.com (PID: 5204)
      • NSudoLG.exe (PID: 7864)
      • Unlocker.exe (PID: 8024)
      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 8172)
      • 7z.exe (PID: 8036)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • ShellExperienceHost.exe (PID: 5964)
      • Unlocker.exe (PID: 4896)
      • IObitUnlocker.exe (PID: 5508)
    • Changes the display of characters in the console

      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 5608)
    • Checks operating system version

      • cmd.exe (PID: 5608)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7052)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7936)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7936)
    • Reads the machine GUID from the registry

      • Unlocker.exe (PID: 8024)
      • Unlocker.exe (PID: 7816)
      • Unlocker.exe (PID: 8172)
      • Unlocker.exe (PID: 7840)
      • Unlocker.exe (PID: 5640)
      • Unlocker.exe (PID: 6640)
      • Unlocker.exe (PID: 4896)
    • Creates files in the program directory

      • IObitUnlocker.exe (PID: 5508)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 8168)
    • Manual execution by a user

      • OpenWith.exe (PID: 8168)
      • IObitUnlocker.exe (PID: 7712)
      • IObitUnlocker.exe (PID: 5508)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 8168)
    • Application launched itself

      • Acrobat.exe (PID: 7916)
      • AcroCEF.exe (PID: 2228)
    • Checks proxy server information

      • slui.exe (PID: 5400)
    • Reads the software policy settings

      • slui.exe (PID: 5400)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 77312
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 372
Monitored processes: 243
Malicious processes: 14
Suspicious processes: 11

Behavior graph

start 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe 25.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs 25.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs 25.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs 25.exe no specs cmd.exe conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs find.exe no specs sc.exe no specs sc.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs timeout.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs timeout.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs timeout.exe no specs unlocker.exe 
cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs timeout.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs shellexperiencehost.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no 
specs taskkill.exe no specs sc.exe no specs sc.exe no specs iobitunlocker.exe no specs iobitunlocker.exe openwith.exe no specs slui.exe acrobat.exe no specs acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe no specs

Process information

PID: 516 | CMD: taskkill /f /pid "4896" | Path: C:\Windows\System32\taskkill.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Terminates Processes
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 660 | CMD: reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 660 | CMD: sc delete "webthreatdefusersvc" | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 680 | CMD: sc config "webthreatdefusersvc" start= disabled | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 732 | CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1520 --field-trial-handle=1572,i,1773485491306749916,13364572437870331097,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 | Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules (images):
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 744 | CMD: sc delete "WinDefend" | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 5
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 780 | CMD: sc stop "webthreatdefsvc" | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 896 | CMD: timeout /t 2 /nobreak | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 920 | CMD: sc config "SgrmAgent" start= disabled | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1012 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 33 217
Read events: 32 956
Write events: 123
Delete events: 138

Modification events

(PID) Process: (6476) reg.exe | Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize | Operation: write | Name: AppsUseLightTheme | Value: 0
(PID) Process: (5800) reg.exe | Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize | Operation: write | Name: AppsUseLightTheme | Value: 0
(PID) Process: (8024) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\DK | Operation: write | Name: CurrentDiskSize | Value: 228901273600
(PID) Process: (7816) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: Type | Value: 1
(PID) Process: (7816) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: Start | Value: 3
(PID) Process: (7816) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: ErrorControl | Value: 1
(PID) Process: (7816) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: ImagePath | Value: C:\WINDOWS\TEMP\IObitUnlocker\IObitUnlocker.sys
(PID) Process: (7840) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: Type | Value: 1
(PID) Process: (7840) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: Start | Value: 3
(PID) Process: (7840) Unlocker.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker | Operation: write | Name: ErrorControl | Value: 1
Executable files: 25
Suspicious files: 113
Text files: 14
Unknown types: 0

Dropped files

PID: 7808 | Process: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Temp\Work\7z.exe | Type: executable
MD5: 426CCB645E50A3143811CFA0E42E2BA6
SHA256: CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567
PID: 7808 | Process: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Temp\Work\DKTolz.zip | Type: compressed
MD5: B4163C2AF1EBA60ECDD85C4DCBA6BEEE
SHA256: 8EA3DEBBC3EEE93B37B27188477BB573EAF0868BC33ECAF27DABC5D6DF39F3B1
PID: 1760 | Process: 25.exe | Filename: C:\Windows\Temp\C6DC.tmp\C6DD.tmp\C6DE.bat | Type: text
MD5: CAC46347349227726D0BA597BC162B83
SHA256: 5E5DA7514CF9B3E44AE4862CD81D7ECE47673C2026688FB9A941689A026664F3
PID: 7808 | Process: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Temp\25.exe | Type: executable
MD5: 87FA6883F60EAD8AB996B42314060FF7
SHA256: A2CCB2AD0C77FCF5F418B7A9BE2B88A657CD22019DBED44C125DA3CBF659E8E4
PID: 7808 | Process: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Temp\Work\cecho.exe | Type: executable
MD5: E783BC59D0ED6CFBD8891F94AE23D1B3
SHA256: 5C1211559DDA10592CFEDD57681F18F4A702410816D36EDA95AEE6C74E3C6A47
PID: 7868 | Process: 25.exe | Filename: C:\Users\admin\AppData\Local\Temp\C2A6.tmp\C2A7.tmp\C2A8.bat | Type: text
MD5: CAC46347349227726D0BA597BC162B83
SHA256: 5E5DA7514CF9B3E44AE4862CD81D7ECE47673C2026688FB9A941689A026664F3
PID: 8036 | Process: 7z.exe | Filename: C:\Users\admin\AppData\Local\Temp\Work\Unlocker.exe | Type: executable
MD5: 49C7A62751050E4B46822CE25AF57E6F
SHA256: 2EA997FB5896EBD2CBBCDEA7995DBB871F2358BF0BFF9470801845879506CE44
PID: 7808 | Process: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Temp\Work\NSudoLG.exe | Type: executable
MD5: 423129DDB24FB923F35B2DD5787B13DD
SHA256: 5094AD359D8CF6DC5324598605C35F68519CC5AF9C7ED5427E02A6B28121E4C7
PID: 7808 | Process: 2025-04-07_8d295b9bcd55fe2aec91cb6ca5ad99e5_black-basta_cova_luca-stealer.exe | Filename: C:\Users\admin\AppData\Local\Temp\Work\nircmd.exe | Type: executable
MD5: 4A9DA765FD91E80DECFD2C9FE221E842
SHA256: 2E81E048AB419FDC6E5F4336A951BD282ED6B740048DC38D7673678EE3490CDA
PID: 7936 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5z3hny5h.ji5.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 6
Threats: 0

HTTP requests

Method: OPTIONS | HTTP code: 204 | IP: 34.237.241.83:443 | URL: https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=TH&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64 | CN: unknown
Method: POST | HTTP code: 500 | IP: 40.91.76.224:443 | URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | Type: xml | Size: 512 b | Reputation: whitelisted
Method: GET | HTTP code: 200 | IP: 23.213.164.167:443 | URL: https://geo2.adobe.com/ | CN: unknown | Type: text | Size: 50 b | Reputation: whitelisted
Method: POST | HTTP code: 500 | IP: 40.91.76.224:443 | URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | Type: xml | Size: 512 b | Reputation: whitelisted
Method: GET | HTTP code: 200 | IP: 18.213.11.84:443 | URL: https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=TH&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64 | CN: unknown | Type: binary | Size: 187 b | Reputation: whitelisted
PID: 4108 | Process: RUXIMICS.exe | Method: GET | HTTP code: 200 | IP: 23.53.40.178:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted

Connections

PID: 4108 | Process: RUXIMICS.exe | IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4108 | Process: RUXIMICS.exe | IP: 23.53.40.178:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 7404 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 4008 | Process: AcroCEF.exe | IP: 23.213.164.167:443 | Domain: geo2.adobe.com | ASN: AKAMAI-AS | CN: DE | Reputation: whitelisted
PID: 4008 | Process: AcroCEF.exe | IP: 34.237.241.83:443 | Domain: p13n.adobe.io | ASN: AMAZON-AES | CN: US | Reputation: whitelisted
PID: 5400 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.46
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
geo2.adobe.com
  • 23.213.164.167
whitelisted
p13n.adobe.io
  • 34.237.241.83
  • 54.224.241.105
  • 50.16.47.176
  • 18.213.11.84
whitelisted

Threats

No threats detected
No debug info