Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:30

Static task: static1

Behavioral task: behavioral1
Sample: 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Resource: win11-20250502-en
General
Target: 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Size: 4.4MB
MD5: a5d9278cbbe4fe8f36e20f42ffaaef33
SHA1: fd1e19aaed6d9e08d164f987592618133b5728ff
SHA256: 33c98b343bfb4807546e83f8cd1ce5adc868b8e5712d1598ea6b6e8bffbff777
SHA512: a8e4683fe16138da711172205c1206265950cc407bbb7bdba8c9ff079e904b9e7669929e72626cb3e138c09abc6582738f135f27763ebd62fd6d75b7cee1c3ed
SSDEEP: 98304:ZWE4hFqotKGJnWLI2MXCT9b4vHwPOwAf8jTlwFTQ2C0u2gaR:ZGqotJ0MGb4fdwLnG21GgG
Malware Config

Signatures

Detects Mofksys worm (5 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000024240-113.dat | family_mofksys
behavioral1/files/0x000800000002429a-129.dat | family_mofksys
behavioral1/files/0x000800000002429b-138.dat | family_mofksys
behavioral1/files/0x000d00000002408e-148.dat | family_mofksys
behavioral1/files/0x000900000002429c-202.dat | family_mofksys

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Mofksys family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe

Executes dropped EXE (9 IoCs)
pid | Process
4056 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
4572 | icsys.icn.exe
1884 | explorer.exe
4736 | vs_setup_bootstrapper.exe
4892 | spoolsv.exe
2496 | svchost.exe
5280 | spoolsv.exe
4076 | svchost.exe
6072 | explorer.exe

Loads dropped DLL (21 IoCs)
pid | Process
4736 | vs_setup_bootstrapper.exe (all 21 entries are this process)

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | getmac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vs_setup_bootstrapper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | vs_setup_bootstrapper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | vs_setup_bootstrapper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vs_setup_bootstrapper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | vs_setup_bootstrapper.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4572 | icsys.icn.exe
1884 | explorer.exe
2496 | svchost.exe
(64 entries in total, all repeats of these three processes)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1884 | explorer.exe
2496 | svchost.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4736 | vs_setup_bootstrapper.exe

Suspicious use of SetWindowsHookEx (18 IoCs)
pid | Process (each entry appears twice in the report)
4940 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
4572 | icsys.icn.exe
1884 | explorer.exe
4892 | spoolsv.exe
2496 | svchost.exe
5280 | spoolsv.exe
1884 | explorer.exe
4076 | svchost.exe
6072 | explorer.exe

Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target (each entry appears three times in the report)
PID 4940 wrote to memory of 4056 | 4940 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 88
PID 4940 wrote to memory of 4572 | 4940 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 90
PID 4572 wrote to memory of 1884 | 4572 | icsys.icn.exe | 91
PID 4056 wrote to memory of 4736 | 4056 | 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe | 92
PID 1884 wrote to memory of 4892 | 1884 | explorer.exe | 93
PID 4892 wrote to memory of 2496 | 4892 | spoolsv.exe | 94
PID 2496 wrote to memory of 5280 | 2496 | svchost.exe | 95
PID 4736 wrote to memory of 3584 | 4736 | vs_setup_bootstrapper.exe | 101
PID 4052 wrote to memory of 4076 | 4052 | cmd.exe | 100
PID 2496 wrote to memory of 312 | 2496 | svchost.exe | 103
PID 316 wrote to memory of 6072 | 316 | cmd.exe | 105
PID 2496 wrote to memory of 1744 | 2496 | svchost.exe | 128
PID 2496 wrote to memory of 3916 | 2496 | svchost.exe | 131
Processes

1. C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"
   PID: 4940
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
      Command line: c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
      PID: 4056
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
         PID: 4736
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\getmac.exe
            Command line: "getmac"
            PID: 3584
            - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\icsys.icn.exe
      Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      PID: 4572
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\system\explorer.exe
         Command line: c:\windows\system\explorer.exe
         PID: 1884
         - Modifies WinLogon for persistence
         - Modifies visibility of hidden/system files in Explorer
         - Boot or Logon Autostart Execution: Active Setup
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 4892
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\system\svchost.exe
               Command line: c:\windows\system\svchost.exe
               PID: 2496
               - Modifies WinLogon for persistence
               - Modifies visibility of hidden/system files in Explorer
               - Boot or Logon Autostart Execution: Active Setup
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in Windows directory
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

               6. \??\c:\windows\system\spoolsv.exe
                  Command line: c:\windows\system\spoolsv.exe PR
                  PID: 5280
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx

               6. C:\Windows\SysWOW64\at.exe
                  Command line: at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  PID: 312
                  - System Location Discovery: System Language Discovery

               6. C:\Windows\SysWOW64\at.exe
                  Command line: at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  PID: 1744
                  - System Location Discovery: System Language Discovery

               6. C:\Windows\SysWOW64\at.exe
                  Command line: at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  PID: 3916
                  - System Location Discovery: System Language Discovery

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
   PID: 316
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe RO
      PID: 6072
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
   PID: 4052
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\system\svchost.exe
      Command line: c:\windows\system\svchost.exe RO
      PID: 4076
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads