File name:

2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos

Full analysis: https://app.any.run/tasks/228a6b73-a189-4bb9-a014-64e7df3861aa
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: May 29, 2025, 02:57:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xred
backdoor
auto-reg
delphi
dyndns
snake
keylogger
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

E6614465DA44493DB589656A542B279F

SHA1:

EAEA6CD895FF35643C26B1B2728FDA947E49E1FA

SHA256:

5C5DBBA7EF207FD839C7D11E21FB76F75726B44A455D03713DEEDFE4DF5D7838

SSDEEP:

98304:Er7ayGJ6kHOSwPY8K7LiKx/bTfx3dpTMYgNDeecpM4pbc/dvo7MElqCTMfnIL7Mf:k9akL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XRED mutex has been found

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • Synaptics.exe (PID: 7832)
      • Synaptics.exe (PID: 8140)

    • XRED has been detected

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)

    • Changes the autorun value in the registry

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)

    • Scans artifacts that could help determine the target

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • XRED has been detected (YARA)

      • Synaptics.exe (PID: 7832)

    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 6132)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • Executable content was dropped or overwritten

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)

    • Reads security settings of Internet Explorer

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • Synaptics.exe (PID: 7832)

    • Process drops legitimate windows executable

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)

    • Application launched itself

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)

    • There is functionality for taking screenshot (YARA)

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • Synaptics.exe (PID: 7832)

    • Searches for installed software

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • The process bypasses the loading of PowerShell profile settings

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • Starts POWERSHELL.EXE for commands execution

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 7832)

    • There is functionality for communication dyndns network (YARA)

      • Synaptics.exe (PID: 7832)

    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6132)

  • INFO

    • Reads the computer name

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • Synaptics.exe (PID: 7832)
      • Synaptics.exe (PID: 8140)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)
      • OfficeClickToRun.exe (PID: 2656)

    • Checks supported languages

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • Synaptics.exe (PID: 7832)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • Synaptics.exe (PID: 8140)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)
      • OfficeClickToRun.exe (PID: 2656)

    • Creates files in the program directory

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • Synaptics.exe (PID: 7832)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)

    • Process checks whether UAC notifications are on

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)

    • Launch of the file from Registry key

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)

    • Checks proxy server information

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • Synaptics.exe (PID: 7832)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)
      • OfficeClickToRun.exe (PID: 2656)
      • slui.exe (PID: 4464)

    • Process checks computer location settings

      • 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7536)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • Reads the machine GUID from the registry

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • Synaptics.exe (PID: 7832)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)

    • Reads the software policy settings

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • Synaptics.exe (PID: 7832)
      • OfficeClickToRun.exe (PID: 6132)
      • slui.exe (PID: 4464)

    • Reads Microsoft Office registry keys

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 7952)
      • OfficeClickToRun.exe (PID: 2656)

    • Creates files or folders in the user directory

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • OfficeClickToRun.exe (PID: 6132)
      • OfficeClickToRun.exe (PID: 2656)

    • Create files in a temporary directory

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • OfficeClickToRun.exe (PID: 6132)
      • Synaptics.exe (PID: 7832)
      • OfficeClickToRun.exe (PID: 2656)

    • Manual execution by a user

      • Synaptics.exe (PID: 8140)

    • Reads Environment values

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)

    • Reads CPU info

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)

    • Compiled with Borland Delphi (YARA)

      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7820)
      • ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7588)
      • OfficeClickToRun.exe (PID: 6132)
      • Synaptics.exe (PID: 7832)
      • slui.exe (PID: 4464)

    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 6132)

    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 6132)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7952)

    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 6132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (90.7)
.exe | InstallShield setup (5.8)
.exe | Win32 Executable Delphi generic (1.9)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 6608896
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
149
Monitored processes
17
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XRED 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe #XRED synaptics.exe powershell.exe no specs conhost.exe no specs svchost.exe #XRED synaptics.exe no specs Delivery Optimization User no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs #GENERIC officeclicktorun.exe slui.exe officeclicktorun.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2656 deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 productreleaseid=O365ProPlusRetail platform=x64 luca-stealer=remcos scenario=unknown culture=en-us lcid=1033 b= prereleasebuild=4419 tx= cache=2025-05-29 e6614465da44493db589656a542b279f=amadey black-basta=darkgate elex=gcleaner defaultplatform=False forcecentcheck= storeid= productstoadd=O365ProPlusRetail.16_en-us_x-none O365ProPlusRetail.excludedapps=groove,groove updatesenabled=False cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18827.20128 mediatype=CDN baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 sourcetype=CDN flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18827.20128
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4464C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4988C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
5528"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6032\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6132OfficeClickToRun.exe deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 productreleaseid=O365ProPlusRetail platform=x64 luca-stealer=remcos scenario=CLIENTUPDATE culture=en-us lcid=1033 b= prereleasebuild=4419 tx= cache=2025-05-29 e6614465da44493db589656a542b279f=amadey black-basta=darkgate elex=gcleaner defaultplatform=False forcecentcheck= storeid= productstoadd=O365ProPlusRetail.16_en-us_x-none O365ProPlusRetail.excludedapps=groove,groove updatesenabled=False cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18827.20128 mediatype=CDN baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7144"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7536"C:\Users\admin\Desktop\2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe" C:\Users\admin\Desktop\2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
42 534
Read events
42 162
Write events
166
Delete events
206

Modification events

(PID) Process:(7536) 2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(7588) ._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
Executable files
413
Suspicious files
21
Text files
69
Unknown types
0

Dropped files

PID
Process
Filename
Type
75362025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\ProgramData\Synaptics\Synaptics.exeexecutable
MD5:E6614465DA44493DB589656A542B279F
SHA256:5C5DBBA7EF207FD839C7D11E21FB76F75726B44A455D03713DEEDFE4DF5D7838
75362025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\Desktop\._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeexecutable
MD5:A81E3D5D29F8C19AA91AEC4DCB987C75
SHA256:0ACE8CE60F6E7C52FBF84947788D08998A955CC56D85C00D56C734428DAB887C
7588._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe_Rules.xmlxml
MD5:C95D5C92D917BC7D4ED950E94A63297D
SHA256:52C02C9F1EB43FB5C56557653F9C9EBDC72780CEB3462A9755F8C72137ECFD33
7940powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fmsa0n2k.wzv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7940powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3u1nisz2.wlt.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7820._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FEbinary
MD5:1F7FF83C7BF54319DBD144496C6858D2
SHA256:9D62C4C88CCF6175328782B09A3AD115FF172A394DEBFDA1F3B796DE21A96D11
7940powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_orowhmso.gal.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7940powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:A19034DE84D5E402731C9498BAE55E14
SHA256:29CF1320F7D84901629CF642D1867E736A7676BC1DC712A879A5621DC27E2822
7820._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:86BEC7A51419CF6F8277608E79B2B807
SHA256:1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5
7820._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9Ebinary
MD5:544AB9B3B9FCC1F38AA4C73F14BCA274
SHA256:E7DF581A69CCE963576AD8DA91AD22D9326139DD1910BF53E78883DDD2C4AF6F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
198
TCP/UDP connections
94
DNS requests
45
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6572
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
13.107.6.156:443
https://nexusrules.officeapps.live.com/nexus/rules?Application=C2R.exe&Version=16.0.13127.20616&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.13127.20616&
unknown
xml
131 Kb
whitelisted
GET
200
52.123.129.14:443
https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.13127.20616/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.13127.20616&MsoVersion=16.0.13127.20616&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bBBB01DA1-3748-47EE-A232-E8AD8E8AC6B6%7d&LabMachine=false
unknown
binary
65.1 Kb
whitelisted
7832
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
POST
200
20.190.160.4:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.160.22:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.136:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.130:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6572
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6572
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7588
._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
52.123.128.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7588
._cache_2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
52.111.227.14:443
nexusrules.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
xred.mooo.com
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.136
  • 20.190.160.130
  • 40.126.32.68
  • 20.190.160.2
  • 40.126.32.133
  • 20.190.160.65
  • 20.190.160.4
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET MALWARE Snake Keylogger Payload Request (GET)
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-29_e6614465da44493db589656a542b279f_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos