File name:

2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer

Full analysis: https://app.any.run/tasks/beb5d3a4-211a-4a6c-97e4-342fa87c4a36
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: May 15, 2025, 23:40:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xred
backdoor
auto-reg
delphi
dyndns
snake
keylogger
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

F58987E9CF5020D8D3EBB444E2C264A2

SHA1:

05DE00666C403B93A799ABA99188559F1FA319EB

SHA256:

6C186091C22691A69C1DB9AA403B8F5C005A2E60000FAFD86CF6409972366A35

SSDEEP:

98304:5r7ayGJ6kHOS2ok4Zm0NIBj2y67qwjMCUMJKYF6jPJN7WMmfRlGLYBfLJeSTp3Io:8A+h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • setup.exe (PID: 2108)
    • XRED mutex has been found

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • Synaptics.exe (PID: 7508)
      • Synaptics.exe (PID: 8080)
    • XRED has been detected (YARA)

      • Synaptics.exe (PID: 7508)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • updater.exe (PID: 7608)
      • updater.exe (PID: 7728)
      • setup.exe (PID: 2108)
      • 136.0.7103.114_chrome_installer.exe (PID: 5164)
    • Reads security settings of Internet Explorer

      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • Synaptics.exe (PID: 7508)
      • updater.exe (PID: 7608)
    • Application launched itself

      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
      • updater.exe (PID: 7608)
      • updater.exe (PID: 7728)
      • updater.exe (PID: 7828)
      • setup.exe (PID: 2108)
      • setup.exe (PID: 960)
      • updater.exe (PID: 7664)
    • Executes as Windows Service

      • updater.exe (PID: 7728)
      • updater.exe (PID: 7828)
      • updater.exe (PID: 7664)
    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 7508)
    • There is functionality for taking screenshot (YARA)

      • Synaptics.exe (PID: 7508)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
    • There is functionality for communication dyndns network (YARA)

      • Synaptics.exe (PID: 7508)
    • Creates a software uninstall entry

      • setup.exe (PID: 2108)
      • chrome.exe (PID: 3900)
    • Searches for installed software

      • setup.exe (PID: 2108)
  • INFO

    • The sample compiled with english language support

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • updater.exe (PID: 7608)
      • updater.exe (PID: 7728)
      • setup.exe (PID: 2108)
      • 136.0.7103.114_chrome_installer.exe (PID: 5164)
    • The sample compiled with chinese language support

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
    • Creates files in the program directory

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7540)
      • updater.exe (PID: 7608)
      • Synaptics.exe (PID: 7508)
      • updater.exe (PID: 7628)
      • updater.exe (PID: 7728)
      • updater.exe (PID: 7828)
      • setup.exe (PID: 960)
      • setup.exe (PID: 2108)
      • updater.exe (PID: 7664)
    • Reads the computer name

      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • Synaptics.exe (PID: 7508)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7540)
      • updater.exe (PID: 7608)
      • updater.exe (PID: 7728)
      • updater.exe (PID: 7828)
      • Synaptics.exe (PID: 8080)
      • 136.0.7103.114_chrome_installer.exe (PID: 5164)
      • setup.exe (PID: 960)
      • setup.exe (PID: 2108)
      • elevation_service.exe (PID: 8004)
      • updater.exe (PID: 7664)
    • Process checks computer location settings

      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
    • Auto-launch of the file from Registry key

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • setup.exe (PID: 2108)
    • Checks supported languages

      • 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7292)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
      • Synaptics.exe (PID: 7508)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7540)
      • updater.exe (PID: 7608)
      • updater.exe (PID: 7628)
      • updater.exe (PID: 7748)
      • updater.exe (PID: 7728)
      • updater.exe (PID: 7828)
      • updater.exe (PID: 7848)
      • 136.0.7103.114_chrome_installer.exe (PID: 5164)
      • Synaptics.exe (PID: 8080)
      • setup.exe (PID: 2108)
      • setup.exe (PID: 7036)
      • setup.exe (PID: 960)
      • setup.exe (PID: 4620)
      • elevation_service.exe (PID: 8004)
      • updater.exe (PID: 7652)
      • updater.exe (PID: 7664)
    • Checks proxy server information

      • Synaptics.exe (PID: 7508)
      • updater.exe (PID: 7608)
      • slui.exe (PID: 5544)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 7608)
      • updater.exe (PID: 7728)
      • updater.exe (PID: 7828)
      • updater.exe (PID: 7664)
    • Reads the software policy settings

      • updater.exe (PID: 7828)
      • updater.exe (PID: 7608)
      • Synaptics.exe (PID: 7508)
      • slui.exe (PID: 5544)
      • updater.exe (PID: 7664)
    • Create files in a temporary directory

      • updater.exe (PID: 7608)
      • Synaptics.exe (PID: 7508)
    • Reads the machine GUID from the registry

      • updater.exe (PID: 7828)
      • updater.exe (PID: 7608)
      • Synaptics.exe (PID: 7508)
      • updater.exe (PID: 7664)
    • Creates files or folders in the user directory

      • updater.exe (PID: 7608)
    • Manual execution by a user

      • Synaptics.exe (PID: 8080)
      • chrmstp.exe (PID: 1852)
      • chrome.exe (PID: 3900)
      • msedge.exe (PID: 5512)
    • Compiled with Borland Delphi (YARA)

      • updater.exe (PID: 7608)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7540)
      • Synaptics.exe (PID: 7508)
      • updater.exe (PID: 7628)
      • slui.exe (PID: 5544)
      • ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe (PID: 7340)
    • Application launched itself

      • chrome.exe (PID: 3900)
      • chrmstp.exe (PID: 1852)
      • chrmstp.exe (PID: 7336)
      • msedge.exe (PID: 5512)
    • Executes as Windows Service

      • elevation_service.exe (PID: 8004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (79)
.exe | Inno Setup installer (13)
.exe | Win32 EXE PECompact compressed (generic) (4.9)
.exe | Win32 Executable Delphi generic (1.6)
.exe | Win32 Executable (generic) (0.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 10828800
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 易语言程序
ProductName: 易语言程序
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
No data.
All screenshots are available in the full report
Total processes
208
Monitored processes
80
Malicious processes
7
Suspicious processes
1

Behavior graph

start #XRED 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe no specs #XRED synaptics.exe ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe updater.exe updater.exe no specs updater.exe updater.exe no specs svchost.exe updater.exe updater.exe no specs #XRED synaptics.exe no specs slui.exe 136.0.7103.114_chrome_installer.exe setup.exe setup.exe no specs setup.exe no specs setup.exe no specs chrome.exe chrome.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrome.exe no specs chrmstp.exe no specs chrome.exe elevation_service.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs updater.exe updater.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
632
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
668
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
812
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
904
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
920
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5756 --field-trial-handle=2328,i,7546829528776352546,10387056964998942986,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
PID:
960
CMD:
"C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping7828_1851706254\CR_DF4F7.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
Path:
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7828_1851706254\CR_DF4F7.tmp\setup.exe
Parent process:
setup.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Chrome Installer
Exit code:
73
Version:
136.0.7103.114
Modules
Images
c:\windows\systemtemp\chrome_unpacker_beginunzipping7828_1851706254\cr_df4f7.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1004
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1116
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
1164
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2740 --field-trial-handle=2328,i,7546829528776352546,10387056964998942986,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1196
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1996,i,10289610842826525416,99300959646489241,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
136.0.7103.114
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
37 088
Read events
36 807
Write events
251
Delete events
30

Modification events

(PID) Process: (7292) 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process: (7292) 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ?????
Value:
C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process: (7340) ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000
(PID) Process: (7292) 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000
(PID) Process: (7828) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value:
135.0.7023.0
(PID) Process: (7608) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value:
135.0.7023.0
(PID) Process: (7608) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value:
GoogleUpdater
(PID) Process: (7608) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value:
135.0.7023.0
(PID) Process: (7608) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value:
GoogleUpdater
(PID) Process: (7608) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908117A-ED9A-5D13-906D-DF921375C50B}
Operation: write
Name: AppID
Value:
{5908117A-ED9A-5D13-906D-DF921375C50B}
Executable files
20
Suspicious files
183
Text files
120
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7540
Process: ._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Filename: C:\Windows\SystemTemp\Google7540_792793732\UPDATER.PACKED.7Z
Type:
MD5:
SHA256:
PID: 7292
Process: 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\Desktop\._cache_2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Type: executable
MD5: 07BD99DBFC8AD569DEDBC690B894DBFC
SHA256: 2E828620D447C6044A3C6D3F1796512B6FDEF7AD63B929B1FCA3CB5008670816
PID: 7292
Process: 2025-05-15_f58987e9cf5020d8d3ebb444e2c264a2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer.exe
Filename: C:\ProgramData\Synaptics\Synaptics.exe
Type: executable
MD5: F58987E9CF5020D8D3EBB444E2C264A2
SHA256: 6C186091C22691A69C1DB9AA403B8F5C005A2E60000FAFD86CF6409972366A35
PID: 7608
Process: updater.exe
Filename: C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Type: text
MD5: 42A002C5DC214A2DB2A68E41C4721E6D
SHA256: 68DD66893980B0410191ED2079C61EBFD9B773A2FFDC3470293413BBDB670F06
PID: 7828
Process: updater.exe
Filename: C:\Windows\SystemTemp\chrome_url_fetcher_7828_222140561\-8a69d345-d564-463c-aff1-a69d9e530f96-_136.0.7103.114_all_ad7dwyzixriyihpq34zcr5sbgv5a.crx3
Type:
MD5:
SHA256:
PID: 7828
Process: updater.exe
Filename: C:\Program Files (x86)\Google\GoogleUpdater\crx_cache\{8a69d345-d564-463c-aff1-a69d9e530f96}_1.3c44958b04fc5472723195695245b0c97501b3f727c7d76a2beea42321b274f4
Type:
MD5:
SHA256:
PID: 7828
Process: updater.exe
Filename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7828_1851706254\136.0.7103.114_chrome_installer.exe
Type:
MD5:
SHA256:
PID: 7728
Process: updater.exe
Filename: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Type: executable
MD5: 962CC41D4BA39FFCFE4E5B513A8179B2
SHA256: E3EB70A25DA3CF0563EBAA3B95622CAD7423E447273BC7C779C7466F39EAC7A2
PID: 7728
Process: updater.exe
Filename: C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RF10d61e.TMP
Type: binary
MD5: 060CB6F325012294952E187047D8DA3B
SHA256: 254526B169016A334C1C044B6CD8671C138E4155984D9AE9CF0FAF692DC5DA3B
PID: 7728
Process: updater.exe
Filename: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\prefs.json
Type: binary
MD5: AA2D0C0C72BB528CF4168EA91C1C9A56
SHA256: E03E9D262CA3B7D19E37C3A69C7D8B46BD3F5542AA555A17D864071C28257B2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
106
DNS requests
88
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7828
updater.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome/acmzzukkl3jb73m2a5uyibbxyj5a_136.0.7103.114/-8a69d345-d564-463c-aff1-a69d9e530f96-_136.0.7103.114_all_ad7dwyzixriyihpq34zcr5sbgv5a.crx3
unknown
whitelisted
8012
chrome.exe
GET
200
142.250.185.238:80
http://clients2.google.com/time/1/current?cup2key=9:535Ilgen9lsdirRZEAG2pH8Br4LyP9V07GbH5QHsxoE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
7664
updater.exe
GET
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/update2/addwxmli27pyat4wbk4uxwzupcsq_138.0.7156.0/-44fc7fe2-65ce-487c-93f4-edee46eeaaab-_138.0.7156.0_all_adncm5p7vf6po3sq4wsvphupsi4a.crx3
unknown
whitelisted
7508
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
8044
SIHClient.exe
GET
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8044
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8044
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8044
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
7508
Synaptics.exe
69.42.215.252:80
freedns.afraid.org
AWKNET
US
whitelisted
7828
updater.exe
142.250.186.99:443
update.googleapis.com
GOOGLE
US
whitelisted
2196
svchost.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
xred.mooo.com
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
update.googleapis.com
  • 142.250.186.99
  • 142.250.185.99
whitelisted
dl.google.com
  • 142.250.186.174
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET MALWARE Snake Keylogger Payload Request (GET)
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
8012
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8012
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
No debug info