File name: 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos

Full analysis: https://app.any.run/tasks/e210aed2-4c41-42a6-a69e-f0bc4aa750fd
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: March 22, 2025, 21:30:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xred
backdoor
arch-scr
delphi
dyndns
snake
keylogger
stealer
gotoassist
rmm-tool
teamviewer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 21B9353B84944FA534F5EED831612CFF
SHA1: A7D5B1EAB1B68BBA571B69CF31B4C36D5785BCA3
SHA256: 29F2C5A6AD2A8BDF8C948DACEE3AE2B2FC0CAC1793C6F783CE20AAD838A27FAA
SSDEEP: 98304:or7ayGJ6kHOS3pwLIthBYU26wGhiZrDFA/CZg:h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XRED mutex has been found

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • Synaptics.exe (PID: 7552)
    • XRED has been detected

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
    • Changes the autorun value in the registry

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • icarus.exe (PID: 7980)
    • XRED has been detected (YARA)

      • Synaptics.exe (PID: 7552)
    • Registers / Runs the DLL via REGSVR32.EXE

      • icarus.exe (PID: 7980)
    • Actions looks like stealing of personal data

      • TuneupSvc.exe (PID: 7052)
      • su_worker.exe (PID: 6324)
    • Steals credentials from Web Browsers

      • TuneupSvc.exe (PID: 7052)
      • su_worker.exe (PID: 6324)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • Synaptics.exe (PID: 7552)
      • wa_3rd_party_host_64.exe (PID: 8568)
    • Executable content was dropped or overwritten

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • icarus.exe (PID: 7760)
      • icarus.exe (PID: 7980)
      • gf2hlp.exe (PID: 8396)
      • TuneupSvc.exe (PID: 7052)
    • Starts itself from another location

      • icarus.exe (PID: 7760)
    • There is functionality for taking screenshot (YARA)

      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • icarus.exe (PID: 7760)
    • The process creates files with name similar to system file names

      • icarus.exe (PID: 7980)
      • gf2hlp.exe (PID: 8396)
    • There is functionality for communication dyndns network (YARA)

      • Synaptics.exe (PID: 7552)
    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 7552)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 7980)
      • gf2hlp.exe (PID: 8396)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 7980)
    • Creates a software uninstall entry

      • icarus.exe (PID: 7980)
    • Creates or modifies Windows services

      • icarus.exe (PID: 7980)
    • The process verifies whether the antivirus software is installed

      • pdfix.exe (PID: 1132)
      • icarus.exe (PID: 7760)
      • icarus.exe (PID: 7980)
      • TuneupUI.exe (PID: 7288)
      • TuneupUI.exe (PID: 3008)
      • TuneupUI.exe (PID: 7992)
      • TuneupUI.exe (PID: 7700)
      • TuneupUI.exe (PID: 7268)
      • TuneupUI.exe (PID: 3620)
      • TuneupUI.exe (PID: 6404)
      • gf2hlp.exe (PID: 8152)
      • gf2hlp.exe (PID: 208)
      • gf2hlp.exe (PID: 6592)
      • gf2hlp.exe (PID: 8084)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 7984)
      • TuneupSvc.exe (PID: 7052)
      • gf2hlp.exe (PID: 7780)
      • gf2hlp.exe (PID: 1452)
      • gf2hlp.exe (PID: 8268)
      • gf2hlp.exe (PID: 8336)
      • gf2hlp.exe (PID: 8396)
      • wa_3rd_party_host_64.exe (PID: 8568)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 3240)
    • Application launched itself

      • TuneupUI.exe (PID: 7288)
    • Checks for Java to be installed

      • TuneupSvc.exe (PID: 7052)
      • su_worker.exe (PID: 6324)
    • Executes as Windows Service

      • TuneupSvc.exe (PID: 7052)
      • VSSVC.exe (PID: 744)
    • Reads Microsoft Outlook installation path

      • su_worker.exe (PID: 6324)
    • Starts CMD.EXE for commands execution

      • su_worker.exe (PID: 6324)
    • Detected use of alternative data streams (AltDS)

      • gf2hlp.exe (PID: 8396)
    • Reads the date of Windows installation

      • TuneupSvc.exe (PID: 7052)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 8872)
    • Searches for installed software

      • TuneupSvc.exe (PID: 7052)
      • su_worker.exe (PID: 6324)
  • INFO

    • Checks supported languages

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • icarus_ui.exe (PID: 7804)
      • icarus.exe (PID: 7760)
      • icarus.exe (PID: 7980)
      • pdfix.exe (PID: 1132)
      • TuneupSvc.exe (PID: 7052)
      • TuneupUI.exe (PID: 7288)
      • TuneupUI.exe (PID: 3008)
      • TuneupUI.exe (PID: 7700)
      • TuneupUI.exe (PID: 7992)
      • TuneupUI.exe (PID: 7268)
      • TuneupUI.exe (PID: 3620)
      • TuneupUI.exe (PID: 6404)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 208)
      • gf2hlp.exe (PID: 8152)
      • gf2hlp.exe (PID: 8084)
      • gf2hlp.exe (PID: 6592)
      • gf2hlp.exe (PID: 7780)
      • gf2hlp.exe (PID: 7984)
      • gf2hlp.exe (PID: 8268)
      • gf2hlp.exe (PID: 8336)
      • pwsh.exe (PID: 8368)
      • gf2hlp.exe (PID: 1452)
      • gf2hlp.exe (PID: 8396)
      • wa_3rd_party_host_64.exe (PID: 8568)
      • pwsh.exe (PID: 8696)
      • DismHost.exe (PID: 8872)
    • The sample compiled with english language support

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • icarus.exe (PID: 7760)
      • icarus.exe (PID: 7980)
      • gf2hlp.exe (PID: 8396)
      • TuneupSvc.exe (PID: 7052)
    • Reads the computer name

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • icarus.exe (PID: 7760)
      • icarus_ui.exe (PID: 7804)
      • icarus.exe (PID: 7980)
      • TuneupSvc.exe (PID: 7052)
      • TuneupUI.exe (PID: 7288)
      • TuneupUI.exe (PID: 3008)
      • TuneupUI.exe (PID: 7268)
      • TuneupUI.exe (PID: 7700)
      • TuneupUI.exe (PID: 7992)
      • TuneupUI.exe (PID: 3620)
      • TuneupUI.exe (PID: 6404)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 8152)
      • gf2hlp.exe (PID: 208)
      • gf2hlp.exe (PID: 8084)
      • gf2hlp.exe (PID: 6592)
      • gf2hlp.exe (PID: 7984)
      • gf2hlp.exe (PID: 7780)
      • gf2hlp.exe (PID: 8268)
      • gf2hlp.exe (PID: 8336)
      • gf2hlp.exe (PID: 1452)
      • gf2hlp.exe (PID: 8396)
      • wa_3rd_party_host_64.exe (PID: 8568)
      • pwsh.exe (PID: 8696)
      • DismHost.exe (PID: 8872)
      • pwsh.exe (PID: 8368)
    • Creates files in the program directory

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • icarus_ui.exe (PID: 7804)
      • icarus.exe (PID: 7760)
      • icarus.exe (PID: 7980)
      • regsvr32.exe (PID: 3240)
      • TuneupSvc.exe (PID: 7052)
      • TuneupUI.exe (PID: 7288)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 8152)
      • gf2hlp.exe (PID: 8084)
      • gf2hlp.exe (PID: 7984)
      • gf2hlp.exe (PID: 1452)
      • gf2hlp.exe (PID: 8268)
    • Reads the machine GUID from the registry

      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • icarus.exe (PID: 7760)
      • icarus_ui.exe (PID: 7804)
      • icarus.exe (PID: 7980)
      • Synaptics.exe (PID: 7552)
      • TuneupUI.exe (PID: 7288)
      • TuneupSvc.exe (PID: 7052)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 8152)
      • gf2hlp.exe (PID: 7780)
      • wa_3rd_party_host_64.exe (PID: 8568)
    • Process checks computer location settings

      • 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7292)
      • TuneupUI.exe (PID: 7268)
      • TuneupUI.exe (PID: 7288)
      • TuneupUI.exe (PID: 6404)
      • TuneupUI.exe (PID: 3620)
    • Checks proxy server information

      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • TuneupUI.exe (PID: 7288)
      • slui.exe (PID: 7960)
      • TuneupUI.exe (PID: 3008)
      • TuneupUI.exe (PID: 7268)
      • TuneupUI.exe (PID: 7700)
      • TuneupUI.exe (PID: 7992)
      • TuneupUI.exe (PID: 6404)
      • TuneupUI.exe (PID: 3620)
      • gf2hlp.exe (PID: 7780)
      • wa_3rd_party_host_64.exe (PID: 8568)
    • Reads the software policy settings

      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • slui.exe (PID: 7960)
      • TuneupSvc.exe (PID: 7052)
      • TuneupUI.exe (PID: 7288)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 7780)
      • wa_3rd_party_host_64.exe (PID: 8568)
    • Reads CPU info

      • icarus_ui.exe (PID: 7804)
      • icarus.exe (PID: 7760)
      • icarus.exe (PID: 7980)
      • TuneupSvc.exe (PID: 7052)
      • TuneupUI.exe (PID: 7288)
      • TuneupUI.exe (PID: 3008)
      • TuneupUI.exe (PID: 7268)
      • TuneupUI.exe (PID: 7700)
      • TuneupUI.exe (PID: 7992)
      • TuneupUI.exe (PID: 6404)
      • TuneupUI.exe (PID: 3620)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 8152)
      • gf2hlp.exe (PID: 8084)
      • gf2hlp.exe (PID: 6592)
      • gf2hlp.exe (PID: 208)
      • gf2hlp.exe (PID: 7984)
      • gf2hlp.exe (PID: 7780)
      • gf2hlp.exe (PID: 8268)
      • gf2hlp.exe (PID: 8336)
      • gf2hlp.exe (PID: 1452)
      • gf2hlp.exe (PID: 8396)
    • Compiled with Borland Delphi (YARA)

      • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (PID: 7448)
      • Synaptics.exe (PID: 7552)
      • icarus.exe (PID: 7760)
      • icarus_ui.exe (PID: 7804)
    • Create files in a temporary directory

      • icarus.exe (PID: 7760)
      • Synaptics.exe (PID: 7552)
      • TuneupUI.exe (PID: 7288)
      • wa_3rd_party_host_64.exe (PID: 8568)
      • gf2hlp.exe (PID: 8396)
    • Manual execution by a user

      • wscript.exe (PID: 4200)
      • wscript.exe (PID: 3180)
      • wscript.exe (PID: 6040)
      • wscript.exe (PID: 2152)
      • wscript.exe (PID: 4180)
      • wscript.exe (PID: 7344)
      • wscript.exe (PID: 7308)
      • wscript.exe (PID: 7312)
      • wscript.exe (PID: 7620)
      • wscript.exe (PID: 7632)
      • wscript.exe (PID: 6512)
      • wscript.exe (PID: 1532)
      • TuneupUI.exe (PID: 7288)
      • wscript.exe (PID: 7908)
      • wscript.exe (PID: 8172)
    • Reads Environment values

      • TuneupSvc.exe (PID: 7052)
      • su_worker.exe (PID: 6324)
      • gf2hlp.exe (PID: 7780)
      • DismHost.exe (PID: 8872)
      • wa_3rd_party_host_64.exe (PID: 8568)
    • Creates files or folders in the user directory

      • TuneupUI.exe (PID: 7288)
      • TuneupSvc.exe (PID: 7052)
      • TuneupUI.exe (PID: 7992)
    • GOTOASSIST has been detected

      • TuneupSvc.exe (PID: 7052)
    • Reads Microsoft Office registry keys

      • su_worker.exe (PID: 6324)
    • TEAMVIEWER has been detected

      • TuneupSvc.exe (PID: 7052)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (83.1)
.exe | Inno Setup installer (13.7)
.exe | Win32 Executable Delphi generic (1.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 1379328
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 187
Monitored processes: 57
Malicious processes: 26
Suspicious processes: 0

Behavior graph

start
  • #XRED 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe
  • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe (no specs)
  • ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe
  • #XRED synaptics.exe
  • svchost.exe
  • icarus.exe
  • icarus_ui.exe (no specs)
  • icarus.exe
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • slui.exe
  • pdfix.exe (no specs)
  • regsvr32.exe (no specs)
  • tuneupsvc.exe
  • tuneupui.exe
  • tuneupui.exe (no specs)
  • tuneupui.exe (no specs)
  • tuneupui.exe
  • tuneupui.exe (no specs)
  • tuneupui.exe (no specs)
  • tuneupui.exe (no specs)
  • wscript.exe (no specs)
  • su_worker.exe
  • wscript.exe (no specs)
  • unsecapp.exe (no specs)
  • gf2hlp.exe (no specs)
  • gf2hlp.exe (no specs)
  • SPPSurrogate (no specs)
  • unsecapp.exe (no specs)
  • vssvc.exe (no specs)
  • gf2hlp.exe (no specs)
  • gf2hlp.exe (no specs)
  • gf2hlp.exe (no specs)
  • gf2hlp.exe
  • gf2hlp.exe (no specs)
  • gf2hlp.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • gf2hlp.exe (no specs)
  • pwsh.exe (no specs)
  • gf2hlp.exe
  • wa_3rd_party_host_64.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • pwsh.exe (no specs)
  • dismhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: "C:\Program Files\Avast Software\Cleanup\gf2hlp.exe" /analyze /cleanupHandlers:eyJhYm9ydCI6ODQ5MiwiYnVmZmVyIjo4NTcyLCJoYW5kbGVyIjoiZXNkSW5zdGFsbGF0aW9uIiwicHJvZ3Jlc3MiOjg3MzJ9 /out:"C:\ProgramData\Avast Software\Cleanup"
Path: C:\Program Files\Avast Software\Cleanup\gf2hlp.exe
Parent process: TuneupSvc.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Cleanup Helper Application
Exit code:
0
Version:
24.4.17452.0
Modules
Images
c:\program files\avast software\cleanup\gf2hlp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 744
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: "C:\Program Files\Avast Software\Cleanup\pdfix.exe" /fixifeo
Path: C:\Program Files\Avast Software\Cleanup\pdfix.exe
Parent process: icarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast PD Fix
Exit code:
0
Version:
24.4.17452.0
Modules
Images
c:\program files\avast software\cleanup\pdfix.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1452
CMD: "C:\Program Files\Avast Software\Cleanup\gf2hlp.exe" /analyze /cleanupHandlers:eyJhYm9ydCI6ODU5MiwiYnVmZmVyIjo4ODkyLCJoYW5kbGVyIjoiZGVsT3B0RmlsZXMiLCJwcm9ncmVzcyI6ODc2OH0= /out:"C:\ProgramData\Avast Software\Cleanup"
Path: C:\Program Files\Avast Software\Cleanup\gf2hlp.exe
Parent process: TuneupSvc.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Cleanup Helper Application
Exit code:
1
Version:
24.4.17452.0
Modules
Images
c:\program files\avast software\cleanup\gf2hlp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1532
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\measure.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2152
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-button.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2644
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3008
CMD: "C:\Program Files\Avast Software\Cleanup\TuneupUI.exe" --type=gpu-process --field-trial-handle=2708,338644539015970765,10452977593164425082,131072 --disable-features=CalculateNativeWinOcclusion,CookiesWithoutSameSiteMustBeSecure,ForcedColors,SameSiteByDefaultCookies,SameSiteDefaultChecksMethodRigorously --no-sandbox --disable-gpu-driver-bug-workarounds --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Cleanup\log\cef_log.txt" --log-severity=error --user-agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Avastium" --lang=en-US --disable-webaudio --force-wave-audio --disable-software-rasterizer --no-sandbox --blacklist-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-compositing --disable-accelerated-layers --disable-accelerated-video-decode --blacklist-webgl --disable-bundled-ppapi-flash --disable-flash-3d --enable-aggressive-domstorage-flushing --enable-media-stream --disable-gpu --disable-webgl --disable-gpu-compositing --allow-file-access-from-files=1 --pack_loading_disabled=1 --gpu-preferences=SAAAAAAAAADgAABwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Cleanup\log\cef_log.txt" --mojo-platform-channel-handle=2720 /prefetch:2
Path: C:\Program Files\Avast Software\Cleanup\TuneupUI.exe
Parent process: TuneupUI.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
MEDIUM
Description:
Avast Cleanup UI
Exit code:
0
Version:
24.4.17452.0
Modules
Images
c:\program files\avast software\cleanup\tuneupui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 3180
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\s-visually-hidden.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 136 950
Read events: 136 841
Write events: 101
Delete events: 8

Modification events

(PID) Process: (7292) 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7292) 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Synaptics Pointing Device Driver
Value:
C:\ProgramData\Synaptics\Synaptics.exe

(PID) Process: (7760) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 144807F0-DE37-4C62-9C05-EB4CC64A7A2F
Value:
b43f5bf4-0564-4e50-acd3-410e84bf3d74

(PID) Process: (7760) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 56C7A9DA-4B11-406A-8B1A-EFF157C294D6
Value:
b43f5bf4-0564-4e50-acd3-410e84bf3d74

(PID) Process: (7760) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 5FD38555-4B16-40AE-9A09-E2C969CB74AF
Value:
F6D4F52220BB5A3D7246A004278BB23F

(PID) Process: (7760) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 7CCD586D-2ABC-42FF-A23B-3731F4F183D9
Value:
F6D4F52220BB5A3D7246A004278BB23F

(PID) Process: (7760) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3
Value:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAeKfAaBoHr0i/SwNMjC+fIQQAAAACAAAAAAAQZgAAAAEAACAAAABTOzVUtbIMuL2KyFKzBWnFzkjUTkzOS2l8QXLaU9cyrwAAAAAOgAAAAAIAACAAAACZGNzJ3RRGmEfSXGncy7SsCfFzdFh1pfY2jteJpRY7h2AAAAAWMUQDxexbgWWfiysiSZtBiMWWGMfd1EB0gAT4Tp+x9/FzJjX2NZZeMXx7DEEJWLmbB+A2czKxXBgGH3BEQrwXPnLhn65abO7bHPgd7oYxxRy4WCiPYvTFIfj/e45hHFJAAAAA6FJPprsLhgtCZG1C5c7fR99Y+hKj1whO+jnd9SDulf+wXqHZcvk7y5USLzqtp+NopmKNs4CqXpsphM83SbyEOA==

(PID) Process: (7760) icarus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 5E1D6A55-0134-486E-A166-38C2E4919BB1
Value:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAeKfAaBoHr0i/SwNMjC+fIQQAAAACAAAAAAAQZgAAAAEAACAAAABTOzVUtbIMuL2KyFKzBWnFzkjUTkzOS2l8QXLaU9cyrwAAAAAOgAAAAAIAACAAAACZGNzJ3RRGmEfSXGncy7SsCfFzdFh1pfY2jteJpRY7h2AAAAAWMUQDxexbgWWfiysiSZtBiMWWGMfd1EB0gAT4Tp+x9/FzJjX2NZZeMXx7DEEJWLmbB+A2czKxXBgGH3BEQrwXPnLhn65abO7bHPgd7oYxxRy4WCiPYvTFIfj/e45hHFJAAAAA6FJPprsLhgtCZG1C5c7fR99Y+hKj1whO+jnd9SDulf+wXqHZcvk7y5USLzqtp+NopmKNs4CqXpsphM83SbyEOA==

(PID) Process: (7980) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Software\Avast Software\Icarus
Operation: write
Name: DataFolder
Value:
C:\ProgramData\Avast Software\Icarus

(PID) Process: (7980) icarus.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Software\Avast Software\Icarus
Operation: delete value
Name: UninstallToken
Value:
Executable files: 277
Suspicious files: 596
Text files: 160
Unknown types: 1

Dropped files

PID | Process | Filename | Type
7292 | 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\Desktop\._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | executable
MD5: 11D64E764D320DAFE8F6513F61662DB6
SHA256: F5514E16A7CFD91674F4CEA0CED8B360AB4947519CA72F98EB794A7F43396889
7292 | 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\ProgramData\Synaptics\RCXD35F.tmp | executable
MD5: 255F7EF1EF6A2637281D87E02EA054F1
SHA256: 625B0EEF79EC4259359D1F93BE5D5E8D5352E1B5855B45A16BBBBC11A55DABA5
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\Windows\Temp\asw-d1a7e14c-04a4-4468-ad95-2a191c8f6217\common\38cfe453-8cb4-4056-a6dd-bd0e2227d8ef | compressed
MD5: 0838E9E802A8929CA5F594ABBF3F23A6
SHA256: 489BEF47EFF9A4770078820D59A6D9A2B97C98CA88F17F055EC998FFCCA95F67
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\Windows\Temp\asw-d1a7e14c-04a4-4468-ad95-2a191c8f6217\common\0ceb6ed5-932a-4de8-b35d-78c2845e43a1 | compressed
MD5: C366C512E679CA41FFE9E0A61FCBE4DD
SHA256: 748D6B6C39775798411114D905476C4FB2077C02E1418AF91EC8499795D90AAC
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\Windows\Temp\asw-d1a7e14c-04a4-4468-ad95-2a191c8f6217\common\43a02ea1-418f-4bbe-a429-425101814d86 | compressed
MD5: DA6C53C9DAB4A796C46AE4FD021B462E
SHA256: 05EEF64D730CFD4D720D58398480506197C909907FFF2A2470CFE5061707A4A5
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\ProgramData\Avast Software\Icarus\Logs\sfx.log | text
MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\Windows\Temp\asw-d1a7e14c-04a4-4468-ad95-2a191c8f6217\common\icarus_ui.exe | executable
MD5: 665EA9F9AB600BC84CF2C3B96EA1EA84
SHA256: 898E902FEDA5BDCBF1E941D7D07E901EA1D8E30F91297663D92F463E71EF2A03
7760 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log | -
MD5: -
SHA256: -
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\Windows\Temp\asw-d1a7e14c-04a4-4468-ad95-2a191c8f6217\common\4e1b11b3-24a2-4792-b2c7-151e6bc77771 | compressed
MD5: FBEE341DBBB6C3F3EBE44C04C33DA1F4
SHA256: 8C6C95DE328E08B23D63176344C78CA6F425CBA7D258C7FD801DCDAD7133A7F6
7292 | 2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | C:\ProgramData\Synaptics\Synaptics.exe | executable
MD5: 21B9353B84944FA534F5EED831612CFF
SHA256: 29F2C5A6AD2A8BDF8C948DACEE3AE2B2FC0CAC1793C6F783CE20AAD838A27FAA
HTTP(S) requests: 381
TCP/UDP connections: 168
DNS requests: 72
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | GET | 404 | 23.32.97.64:80 | http://honzik.avcdn.net/dll/avast-tu/x86/icarus_mod.dll.lzma | unknown | - | - | whitelisted
7552 | Synaptics.exe | GET | 200 | 69.42.215.252:80 | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | unknown | - | - | whitelisted
- | - | GET | 200 | 23.32.97.64:443 | https://honzik.avcdn.net/universe/dce3/54f2/3e84/dce354f23e841a0a92242b0dca5d692b00071698a891d7228049c76c6824357e.lzma | unknown | compressed | 26.5 Kb | whitelisted
- | - | GET | 200 | 34.160.176.28:443 | https://shepherd.ff.avast.com/?p_age=0&p_cpua=x64&p_icar=1&p_lng=en&p_midex=97B7721C4994E2556FF6A439510F665D6ACD3D78DD342964D27D61A55DE88B78&p_olpeid=b43f5bf4-0564-4e50-acd3-410e84bf3d74&p_olpfp=F6D4F52220BB5A3D7246A004278BB23F&p_ost=0&p_osv=10.0&p_pro=111&p_prod=avast-tu&p_ram=4090&p_vbd=17452&p_vep=24&p_ves=4&p_vre=19934&repoid=release& | unknown | text | 621 b | whitelisted
- | - | GET | 200 | 23.32.97.64:443 | https://honzik.avcdn.net/universe/40c0/d020/2e2b/40c0d0202e2b2ace2e5364221d4e42dafd9d18091cf55a3f834bc55fedaf8a59.lzma | unknown | compressed | 467 Kb | whitelisted
- | - | GET | 404 | 23.32.97.64:443 | https://honzik.avcdn.net/dll/avast-tu/x86/icarus_mod.dll.lzma | unknown | html | 234 b | whitelisted
- | - | POST | 200 | 34.117.223.223:443 | https://analytics.avcdn.net/v4/receive/json/25 | unknown | binary | 19 b | whitelisted
- | - | GET | 200 | 23.32.97.64:443 | https://honzik.avcdn.net/universe/b17a/d1a8/2821/b17ad1a82821487b3b5d5cde36b495041844a51f6c33b771ca5f64aa0237f0ed.lzma | unknown | compressed | 2.38 Mb | whitelisted
- | - | GET | 200 | 23.32.97.64:443 | https://honzik.avcdn.net/universe/898e/902f/eda5/898e902feda5bdcbf1e941d7d07e901ea1d8e30f91297663d92f463e71ef2a03.lzma | unknown | compressed | 3.81 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | 23.32.97.64:443 | honzik.avcdn.net | AKAMAI-AS | SE | whitelisted
7448 | ._cache_2025-03-22_21b9353b84944fa534f5eed831612cff_akira_darkgate_hijackloader_luca-stealer_remcos.exe | 23.32.97.64:80 | honzik.avcdn.net | AKAMAI-AS | SE | whitelisted
7552 | Synaptics.exe | 69.42.215.252:80 | freedns.afraid.org | AWKNET | US | whitelisted
2196 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2196 | svchost.exe | 224.0.0.251:5353 | - | - | - | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
honzik.avcdn.net
  • 23.32.97.64
  • 2a02:26f0:3500:f92::240d
  • 2a02:26f0:3500:f9c::240d
whitelisted
xred.mooo.com
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
analytics.avcdn.net
  • 34.117.223.223
whitelisted
shepherd.ff.avast.com
  • 34.160.176.28
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
docs.google.com
  • 142.250.186.174
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
- | - | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
- | - | A Network Trojan was detected | ET MALWARE Snake Keylogger Payload Request (GET)
- | - | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
- | - | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
- | - | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
- | - | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
- | - | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
No debug info