File name: 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos
Full analysis: https://app.any.run/tasks/cef5eb5f-9828-41ef-ab6c-3e1d14ee6781
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 26, 2025, 12:03:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: advancedinstaller, auto-sch, auto-startup, adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 7E0D90C3669DFDBA3C46A2B0CE748CA8
SHA1: 9EFBCFE432F4C80A90D6EA564FD0372E9D59571D
SHA256: 6C401A89DDC59F6ADAB0C08FD30E0FE9B2E3CE3D24B8E6099187A17EF3B3D98A
SSDEEP: 786432:R2qcj1Z9pUJ3+crDue3sjJquUqbecszAIMrO9:Q1ZXUF+6DueGJhUqbecszAIMK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • msiexec.exe (PID: 5284)
    • Uses Task Scheduler to run other applications

      • msiexec.exe (PID: 304)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
    • Reads security settings of Internet Explorer

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • fxdevcon64.exe (PID: 1612)
      • updater.exe (PID: 6672)
    • Executable content was dropped or overwritten

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • fxdevcon64.exe (PID: 1612)
      • drvinst.exe (PID: 6284)
    • Reads the Windows owner or organization settings

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 5284)
    • Process drops legitimate windows executable

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4196)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 5284)
      • fxdevcon64.exe (PID: 1612)
      • drvinst.exe (PID: 6284)
    • Creates files in the driver directory

      • drvinst.exe (PID: 6284)
    • Detects AdvancedInstaller (YARA)

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 5284)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 2432)
    • Uses powercfg.exe to modify the power settings

      • msiexec.exe (PID: 304)
  • INFO

    • Reads the computer name

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 5284)
      • msiexec.exe (PID: 6292)
      • msiexec.exe (PID: 304)
      • DfxSetupDrv.exe (PID: 1036)
      • fxdevcon64.exe (PID: 1612)
      • DfxSetupDrv.exe (PID: 2404)
      • drvinst.exe (PID: 6284)
      • drvinst.exe (PID: 2432)
      • DfxSetupDrv.exe (PID: 2320)
      • DfxSetupDrv.exe (PID: 4984)
      • updater.exe (PID: 6672)
      • FxSound.exe (PID: 5416)
    • Checks supported languages

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 5284)
      • msiexec.exe (PID: 6292)
      • msiexec.exe (PID: 304)
      • DfxSetupDrv.exe (PID: 1036)
      • fxdevcon64.exe (PID: 1612)
      • fxdevcon64.exe (PID: 3704)
      • drvinst.exe (PID: 6284)
      • drvinst.exe (PID: 2432)
      • DfxSetupDrv.exe (PID: 2320)
      • DfxSetupDrv.exe (PID: 2404)
      • DfxSetupDrv.exe (PID: 4984)
      • FxSound.exe (PID: 5416)
      • updater.exe (PID: 6672)
    • Reads Environment values

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 6292)
      • msiexec.exe (PID: 304)
    • The sample compiled with english language support

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 5284)
      • fxdevcon64.exe (PID: 1612)
      • drvinst.exe (PID: 6284)
    • Creates files or folders in the user directory

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • FxSound.exe (PID: 5416)
    • Reads the machine GUID from the registry

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 5284)
      • fxdevcon64.exe (PID: 1612)
      • drvinst.exe (PID: 6284)
      • updater.exe (PID: 6672)
    • Checks proxy server information

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 4824)
      • updater.exe (PID: 6672)
      • slui.exe (PID: 2952)
    • Reads the software policy settings

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 4824)
      • msiexec.exe (PID: 5284)
      • fxdevcon64.exe (PID: 1612)
      • drvinst.exe (PID: 6284)
      • updater.exe (PID: 6672)
      • slui.exe (PID: 2952)
    • Create files in a temporary directory

      • 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (PID: 4916)
      • msiexec.exe (PID: 4824)
      • fxdevcon64.exe (PID: 1612)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4824)
    • Manages system restore points

      • SrTasks.exe (PID: 7136)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5284)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5284)
    • Launching a file from the Startup directory

      • msiexec.exe (PID: 5284)
    • Launching a file from Task Scheduler

      • msiexec.exe (PID: 304)
    • Creates files in the program directory

      • updater.exe (PID: 6672)
    • Manual execution by a user

      • updater.exe (PID: 6672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:03 13:51:40+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.43
CodeSize: 2920960
InitializedDataSize: 1171456
UninitializedDataSize: -
EntryPoint: 0x2351b0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1.33.0
ProductVersionNumber: 1.1.33.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: FxSound LLC
FileDescription: FxSound Installer
FileVersion: 1.1.33.0
InternalName: fxsound_setup
LegalCopyright: Copyright (C) 2025 FxSound LLC
OriginalFileName: fxsound_setup.exe
ProductName: FxSound
ProductVersion: 1.1.33.0
All screenshots are available in the full report
Total processes: 157
Monitored processes: 30
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process nodes in graph order ("no specs" marks a process that triggered no signatures):
2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe, msiexec.exe, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe (no specs), fxdevcon64.exe (no specs), conhost.exe (no specs), dfxsetupdrv.exe (no specs), conhost.exe (no specs), fxdevcon64.exe, conhost.exe (no specs), drvinst.exe, drvinst.exe (no specs), dfxsetupdrv.exe (no specs), conhost.exe (no specs), dfxsetupdrv.exe (no specs), conhost.exe (no specs), dfxsetupdrv.exe (no specs), conhost.exe (no specs), powercfg.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), fxsound.exe (no specs), updater.exe, slui.exe, 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID 304 | CMD: C:\Windows\syswow64\MsiExec.exe -Embedding E9377AD4040DC57C7A4D7EE197372D65 | Path: C:\Windows\SysWOW64\msiexec.exe | Parent: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 1036 | CMD: "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check | Path: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe | Parent: msiexec.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\fxsound llc\fxsound\apps\dfxsetupdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 1352 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: DfxSetupDrv.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1612 | CMD: "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf" | Path: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe | Parent: msiexec.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\fxsound llc\fxsound\drivers\win10\x64\fxdevcon64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 2072 | CMD: schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f | Path: C:\Windows\SysWOW64\schtasks.exe | Parent: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID 2216 | CMD: "C:\Users\admin\Desktop\2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe" | Path: C:\Users\admin\Desktop\2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | Parent: explorer.exe
User: admin
Company: FxSound LLC
Integrity Level: MEDIUM
Description: FxSound Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.1.33.0
Modules (images):
c:\users\admin\desktop\2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 2276 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2320 | CMD: "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" getguid | Path: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe | Parent: msiexec.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\fxsound llc\fxsound\apps\dfxsetupdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 2404 | CMD: "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" setname | Path: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe | Parent: msiexec.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\fxsound llc\fxsound\apps\dfxsetupdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 2432 | CMD: DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:ed86ca115cc2c934:DFX_Device:14.1.0.0:root\fxvad," "4143399a7" "00000000000001F4" | Path: C:\Windows\System32\drvinst.exe | Parent: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
Total events: 30 803
Read events: 29 810
Write events: 933
Delete events: 60

Modification events

(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave)
Value:
4800000000000000939C0A7692E6DB01A4140000A4150000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
Value:
48000000000000006FE2E67592E6DB01A4140000A4150000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter)
Value:
48000000000000006FE2E67592E6DB01A4140000A4150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave)
Value:
4800000000000000C938087692E6DB01A4140000A4150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter)
Value:
4800000000000000C938087692E6DB01A4140000A4150000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter)
Value:
48000000000000003B604D7692E6DB01A4140000A4150000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5284) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter)
Value:
48000000000000003B28527692E6DB01A4140000580C0000E8030000010000000000000000000000C65E49049CB1F54AABB66968109C35CB00000000000000000000000000000000
(PID) Process: (4196) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | Operation: write | Name: IDENTIFY (Leave)
Value:
48000000000000000FCC627692E6DB0164100000D40B0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (4196) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | Operation: write | Name: IDENTIFY (Leave)
Value:
48000000000000006430657692E6DB0164100000280E0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (4196) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | Operation: write | Name: IDENTIFY (Leave)
Value:
48000000000000006430657692E6DB016410000084040000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 36
Suspicious files: 20
Text files: 30
Unknown types: 27

Dropped files

Columns: PID | Process | Filename | Type ("-" where the report gives no type; MD5 and SHA256 follow each row where available)
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Roaming\FxSound LLC\FxSound 1.1.33.0\install\holder0.aiph | -
MD5:
SHA256:
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Local\Temp\MSI73C8.LOG | -
MD5:
SHA256:
5284 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | -
MD5:
SHA256:
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Roaming\FxSound LLC\FxSound 1.1.33.0\install\fxsound.x64.msi | executable
MD5:7D597A26AFD3B73F322ACA969D840725
SHA256:A6CA7B944E29F491834E7E83ADC36A5BCA36F27DF25C0D87617E6F9F26158F28
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Roaming\FxSound LLC\FxSound 1.1.33.0\install\fxsound1.cab | -
MD5:
SHA256:
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Local\Temp\MSI7B8C.tmp | executable
MD5:2330EBBE491C6026AF5E8853F3692798
SHA256:3ADA2257732FAE73114BB6A5E082CEF4BD72C3D6842924BE6F22728C7D7CACC4
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Local\Temp\MSI7B0E.tmp | executable
MD5:2330EBBE491C6026AF5E8853F3692798
SHA256:3ADA2257732FAE73114BB6A5E082CEF4BD72C3D6842924BE6F22728C7D7CACC4
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Local\Temp\MSI7BBC.tmp | executable
MD5:2330EBBE491C6026AF5E8853F3692798
SHA256:3ADA2257732FAE73114BB6A5E082CEF4BD72C3D6842924BE6F22728C7D7CACC4
5284 | msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | text
MD5:AEB793061D2DB20C5905B15893BAAEA0
SHA256:53666F437BA08086D423B1B3090B9A416EDBCD5148A72374A0F7C08BB138130E
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | C:\Users\admin\AppData\Local\Temp\MSI7BCC.tmp | executable
MD5:AFA8190A561A082DCC094E9FF8ABDB4A
SHA256:289359FCC5A40E6627040ACC92E88851056B31203A3833F1FC09C6B36AD2D84B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 42
TCP/UDP connections: 56
DNS requests: 29
Threats: 2

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation ("-" where the report gives no value)
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl | unknown | - | - | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://crl3.digicert.com/DigiCertTrustedRootG4.crl | unknown | - | - | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAUbnQsIXskxy5P7XpyBqSg%3D | unknown | - | - | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl | unknown | - | - | whitelisted
4824 | msiexec.exe | GET | - | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
4824 | msiexec.exe | GET | - | 2.17.190.73:80 | http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl | unknown | - | - | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | GET | - | 2.17.190.73:80 | http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl | unknown | - | - | whitelisted
4824 | msiexec.exe | GET | - | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report gives no value)
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4916 | 2025-06-26_7e0d90c3669dfdba3c46a2b0ce748ca8_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_remcos.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4824 | msiexec.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5284 | msiexec.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
6672 | updater.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted
5444 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.184.206 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
crl3.digicert.com | 2.17.190.73 | whitelisted
crl4.digicert.com | 2.17.190.73 | whitelisted
github.com | 140.82.121.3 | whitelisted
login.live.com | 40.126.32.74, 20.190.160.132, 40.126.32.133, 20.190.160.4, 20.190.160.20, 20.190.160.66, 20.190.160.14, 40.126.32.68 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted

Threats

Columns: PID | Process | Class | Message ("-" where the report gives no value)
- | - | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent
- | - | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent

Columns: Process | Message
updater.exe | Logger::SetLogFile( C:\ProgramData\FxSound LLC\FxSound\updates\updater.log ) while OLD path is: