File name: 2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer

Full analysis: https://app.any.run/tasks/d86d0860-52a3-4e24-9510-32e4b0363aab
Verdict: Malicious activity
Analysis date: April 29, 2025, 00:56:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 3C4C77F498A5AF06E14CB5A8C380F452
SHA1: 8DE1FD022EB29A809D415BBA8E31F7B614CC641E
SHA256: D5C3B2162B7591A57BBA1234C580A5A512C0E4D18EE964FA2BEE5A216015AE1A
SSDEEP: 49152:jn7MBLTSMfbTa66iea1KEsaT5/h+pmTW14sAsqxUUZABlbL0DZq4OG5YCB+NoRgE:zglmMfq+JPN5Ni14sAs5lPG51o56

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe (PID: 6468)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 4180)
  • INFO

    • Reads the computer name

      • ShellExperienceHost.exe (PID: 4180)
    • Process checks computer location settings

      • ShellExperienceHost.exe (PID: 4180)
    • The sample is compiled with Korean language support

      • 2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe (PID: 2108)
    • Reads the machine GUID from the registry

      • ShellExperienceHost.exe (PID: 4180)
    • Checks proxy server information

      • slui.exe (PID: 5200)
    • Reads the software policy settings

      • slui.exe (PID: 5200)
    • Checks supported languages

      • ShellExperienceHost.exe (PID: 4180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:06:27 02:34:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 1766400
InitializedDataSize: 867328
UninitializedDataSize: -
EntryPoint: 0x173fe6
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.5.1
ProductVersionNumber: 1.0.5.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Korean
CharacterSet: Windows, Korea (Shift - KSC 5601)
CompanyName: Neople
FileDescription: Neople Installer
FileVersion: 1.0.5.1
InternalName: Neople Installer
LegalCopyright: (c) Neople inc. All rights reserved.
OriginalFileName: NeopleIns.exe
ProductName: Neople Installer
ProductVersion: 1.0.5.1
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

  • start
  • 2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe
  • slui.exe
  • shellexperiencehost.exe (no specs)
  • 2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
2108 | "C:\Users\admin\Desktop\2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe" | C:\Users\admin\Desktop\2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe | - | explorer.exe
User: admin
Company: Neople
Integrity Level: HIGH
Description: Neople Installer
Exit code: 3221225477
Version: 1.0.5.1
Modules
Images
c:\users\admin\desktop\2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
4180 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
5200 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6468 | "C:\Users\admin\Desktop\2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe" | C:\Users\admin\Desktop\2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe | - | explorer.exe
User: admin
Company: Neople
Integrity Level: MEDIUM
Description: Neople Installer
Exit code: 3221226540
Version: 1.0.5.1
Modules
Images
c:\users\admin\desktop\2025-04-29_3c4c77f498a5af06e14cb5a8c380f452_amadey_black-basta_darkgate_elex_floxif_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 11 576
Read events: 11 491
Write events: 43
Delete events: 42

Modification events

(PID) Process: (4180) ShellExperienceHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\yYpHriFUdyS-r81lKl88jPGlZr-M05PzoCQ_A6O0gXA\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Voices
Operation: write
Name: DefaultTokenId
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: write
Name: 20250402
Value: 00000000234D64A4A1B8DB01

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: write
Name: 20250505
Value: 00000000001469A4A1B8DB01

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: write
Name: 20250506
Value: 00000000001469A4A1B8DB01

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: delete value
Name: 20240722

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: delete value
Name: 20240708

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: delete value
Name: 20240729

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: delete value
Name: 20240702

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: delete value
Name: 20240801

(PID) Process: (4180) ShellExperienceHost.exe
Key: \REGISTRY\A\{24e47f25-e7c7-5368-51fe-464600cfe047}\LocalState\ClockFlyoutCache
Operation: delete value
Name: 20240731
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 25
TCP/UDP connections: 46
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
2140 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
2140 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
2140 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2140 | SIHClient.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2140 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
2140 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
2140 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2140 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2140 | SIHClient.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
2140 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2140 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5216 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.185.78 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
crl.microsoft.com | 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.43 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.20, 20.190.160.3, 20.190.160.67, 20.190.160.131, 20.190.160.4, 40.126.32.133, 20.190.160.2 | whitelisted

Threats

No threats detected
No debug info