Malware Analysis Report

2025-06-16 05:40

Sample ID 250520-keafyswqz9
Target 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer
SHA256 33c98b343bfb4807546e83f8cd1ce5adc868b8e5712d1598ea6b6e8bffbff777
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33c98b343bfb4807546e83f8cd1ce5adc868b8e5712d1598ea6b6e8bffbff777

Threat Level: Known bad

The file 2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Mofksys

Mofksys family

Detects Mofksys worm

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:30

Reported

2025-05-20 08:32

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\getmac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4940 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 
PID 4940 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4572 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4056 wrote to memory of 4736 N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
PID 1884 wrote to memory of 4892 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4892 wrote to memory of 2496 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2496 wrote to memory of 5280 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4736 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe
PID 4052 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 2496 wrote to memory of 312 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 316 wrote to memory of 6072 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 2496 wrote to memory of 1744 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2496 wrote to memory of 3916 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\getmac.exe

"getmac"

C:\Windows\SysWOW64\at.exe

at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

C:\Windows\SysWOW64\at.exe

at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka.ms udp
GB 23.37.198.9:443 aka.ms tcp
US 8.8.8.8:53 telemetry.visualstudio.microsoft.com udp
US 8.8.8.8:53 settings.visualstudio.microsoft.com udp
DE 2.16.164.33:443 settings.visualstudio.microsoft.com tcp
DE 2.16.164.16:443 telemetry.visualstudio.microsoft.com tcp
US 8.8.8.8:53 targetednotifications-tm.trafficmanager.net udp
US 40.70.147.9:443 targetednotifications-tm.trafficmanager.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 mobile.events.data.microsoft.com udp
US 20.44.10.123:443 mobile.events.data.microsoft.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

MD5 f31be30464259e66a1caa8a3196b2d91
SHA1 74b4eeb5e7517707b04a01d4e0d9143b41495a49
SHA256 db062cd6a3fe35d0f04873ca387c748417468439b80a11b5a1379b25b0465194
SHA512 01923fd49e73c4bb56f806bc93cfbb11da14469a5a8f847d290b45faef0cd9f221b2af0b118196e99ffae30a8ff8749f8be372a9523ca5a885dcf7e13e89595c

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 536290c5f5bcbe6b1a21e1579898d525
SHA1 f3e7e9ac466a33ad5b739af20d726a83457b3667
SHA256 b4d15ba1e4d0bf6487110161d9cfd0376f38dc1f6d19cd4f18e39ffaffa0e871
SHA512 b8a7ac64bcce30eac8f74abaf1b65364fc1f38c3341019e3bb4eec162588a642d53c7055d1216f9a8a42e6caaf588380b73ad88a3e69d854eb2017c77e27c5c2

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

MD5 0941bc3970a158835cfa9b769be06f47
SHA1 5bf04b54e308b75671ad4a00506cfaa207ffb9dd
SHA256 f0ef5058eca8af96cc72c0505b0f5427b08c12f196c8afd3c13d7ecf4bc1cc1d
SHA512 53a9ff67023113d27e267cda538e142b3a5b277e38229ad8969bd914093b2421756b5c704591a27102865e57fd2f2b0f22a837c2fb2ccd68efd3792960611edb

\??\c:\windows\system\explorer.exe

MD5 e36ef68cd1d06ccff64cfd03e3b9a52d
SHA1 a0dc57d6304495ee9d0a834c2427243af64fd129
SHA256 ea01a36417b2e4b4ac7ca0b06bffc6c00fe3da34f1908f8ecba1087f6997500c
SHA512 6de7e5d2ecf17fe7255e55d596b2da08379255a730be6c8c2396382d50b762b10d5ca6d6ff317109b866a09ef166360e0bd84e572561470731ade9f57be8f5eb

C:\Windows\System\spoolsv.exe

MD5 bfdf07f78cc12bd77b1c0323ceb84e55
SHA1 c949778d37bc9425018be6d97eff1b4a28f0d00f
SHA256 de6eead86515e0e865fc1a7c8b2b48919bcc6dc0890ba32d3831997fb7a4c31c
SHA512 af4d7f725814d2921dfb2cebd8e557357d5c6c682ceae58cf45604f3451ee7ce2df4f475ee421a2e72e15dd7e16571bc35679ceab6e43024ff641bbe3bb42d3f

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 aa49563d97bd34bb11ebe5ba7305adc9
SHA1 930b61f0c1400e28823ce56212c4d9e0c673c750
SHA256 405b6cfe55904b670ba0f0cfde16e14f37168192a4993a2f9d91886631145cad
SHA512 1998a3edc5b5a06e775bac58d3bfe2a4623be0f9f1c55f1063240e9b735fdcf6b676aa133a90dca96161eb4128d16c9c8822bfe064391bc7e6b04fa45d03b199

\??\c:\windows\system\svchost.exe

MD5 72be56237e45aa7652387d0718da0c00
SHA1 07d86358d5b8df7dcc6f71009f8cfc08815da89b
SHA256 74743ec65c74b151e8d655d97999f5f3b0c0549976ceb2049c7fefc94db90530
SHA512 3f2561e2c77cf593df29c0f05ffb08fb1df09ad9a3ed262a92b04c804a0cfede9fa86f40b60e5f8bd7615b9c3c65921d71ce57c63aabd9bb37c827f1ad16a208

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

MD5 e3f32bd0c7ea3408258d44dd3a6a2459
SHA1 62bebff872c0e9bd1a46524584332a51aa3d7d10
SHA256 7b409e6d96f602671f08243d0ed649e1c833271a331af2059f00add59a12140f
SHA512 60d18615f5dd55675232dd4e372e3075a6646f3601298ab28f393c33354a2006d059dc63d601d04cf72746f6f0470ff00de0e1e1e3181118f3d36e2f8ded3a07

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

MD5 f010059bc2c2d7a8f9c9e96bd88d5a95
SHA1 ddb9c2c07c0deabca0d7b7df56bfd64a7672de59
SHA256 47cebe91571377764ffbf50d7c346975d80601ffc6211de7ff6c5ebbe7258f48
SHA512 70f6001080f0754fc9e2eb39ab70a8daee743aacba7828373420219dcd6122414ad70c9d1860c653a6d932d1960e4b6495935ff13961695de2dfc051cca701e0

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

MD5 2999091dfdc507751c83112b99ccf45c
SHA1 7bd85c761a84ffa95f40eca4a0755b966aa5f396
SHA256 53b2d60f8a6904a474a12620623f8a3c8630e248f228398795c47941703b3654
SHA512 fc61a4746996ec082baa020d578ad2cadf5c1c0fe3d5901351f7e179a9d36db5d43fa38acd97c34795a3b82532db928267155a181a1f1e459d87ab75a035efcd

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

MD5 2d276aa3eedf5d56d287cfa062cbf996
SHA1 5ccb1ead82b7047618825ebf60344076fc1f82fc
SHA256 53843b1c80e18fd9581d18f9cb4f2b8d0096a8305db43784e760a6f168122155
SHA512 7f71b2b1e1834ca247fdbe64d85ade3eaa8b2171d1fe9d6ed36ca3916129ac925ab01d7de336643d8e3bc2ebaac4083bd6cc6c311901ea392686bdd6730e4c19

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

MD5 99208fd00d39640093d6db9a72d2205f
SHA1 b8b2101026d1d0cc117be3ab56d334078b481b2f
SHA256 c904d85273eed1173b229cd03593defaa3ff6afb8388ff77853e141d33788d02
SHA512 17ae8fd7b66b68f3f36ede4055d64145f8990960064e7d49e7dfcbdf3b5c689df32f41e6876efaaa34ca3c1879a5c6ad5bc1463c0a7b081490badccbc35328b3

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 00c34112da9e104a0deaebe2e71cc21a
SHA1 f0ea635ef401d75f6ea939e71d750cff7f074d53
SHA256 8e9dd1dc511093f7edd8b96e4e113e8761676210197093b6b59cb1e4bb46e277
SHA512 141c3127c2ed281cdef9630f25f0febcb69322285188a0082e653ef33d00de593991f31585d05b2dafe6d439cae87a1f7788cbbb3a925bebf04bcad6c56993bb

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

MD5 370769c79ea79463adbf0c6476225935
SHA1 2d340026691f83e069c4a87125ca096b9f26c97e
SHA256 4d1d5efd28d72c332ba87e1993cb35e46404753543c5563700b98a97aa3c42a6
SHA512 5d3af80c54fda6d4d0de06f7b22722d400857743203a745bfcd1667e5e48ea8c2ef7b0c6ffede84b2ea2bd4b74a2ddc766c17392ed07f366d1f0a9b34eb5c63c

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\System.Memory.dll

MD5 f09441a1ee47fb3e6571a3a448e05baf
SHA1 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256 bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

MD5 c610e828b54001574d86dd2ed730e392
SHA1 180a7baafbc820a838bbaca434032d9d33cceebe
SHA256 37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
SHA512 441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 2012f3a33f5ffad279aed1b033d86fc6
SHA1 4d0bb4b780ed7e365a7e12aadeed1675d3dc6bd0
SHA256 708149e78f4144f4201a44216c1bf292d696e17c0b49e3c559bdcbc1815294dd
SHA512 fe0e9a3432aad17e7869cfbeb8b5d24160362226763c48f85b9f64f62c85e3194863c5d0b2bd5c2e8ce38df8f47886007e7cb9968519cb601437c8d3c5f9cd5b

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

MD5 5b8c95a244032aabc7b043af9c4e6111
SHA1 c045eaa89b47b8cf7249cb406d34a796078e9835
SHA256 5304aadfedfc2b74e78cefa04b7e5481add6ca9d295922454afd33812c4fa929
SHA512 149df41ecc4849237d01c304ebb3b2d280db4a7a5dc7e4168d9fbfdddf31d1214c465754afc95fa2faeb8fcfffca151a3e0ae21d56784db19e31e1c8e9fc8dea

C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202505200830254533.json

MD5 ad891c3b02a02419dc60db8c273a8315
SHA1 141a08ca0e25d56bdb35fc71e1c767667079114a
SHA256 186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7
SHA512 64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.config

MD5 8024f977c83c16eed95e0358ee03b272
SHA1 2393025a5aebb33ec563cab32e6b2956b24a30d6
SHA256 b3f28c843956917cd334b50476a52d2e23afafc48b8818ba13cf75b12c90a328
SHA512 d182a5c8bc2616331b66bd41d568c868ecae70cd240b8776e2532607adf7ad20bdd44d56f0a351cb9aeae3cc583c312ff2727b900d869628c1cea0bf1f9f0236

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

MD5 355c1a112bc0f859b374a4b1c811c1e7
SHA1 b9a58bb26f334d517ab777b6226fef86a67eb4dd
SHA256 cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed
SHA512 f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

memory/4736-214-0x0000000005FF0000-0x0000000006344000-memory.dmp

memory/4736-191-0x00000000057D0000-0x00000000057F6000-memory.dmp

memory/4736-187-0x0000000005780000-0x0000000005794000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\detection.json

MD5 782f4beae90d11351db508f38271eb26
SHA1 f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256 c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA512 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

memory/4736-219-0x00000000068C0000-0x0000000006926000-memory.dmp

memory/4736-218-0x0000000006800000-0x00000000068BA000-memory.dmp

memory/4736-221-0x0000000007140000-0x00000000071D2000-memory.dmp

memory/4736-222-0x0000000007790000-0x0000000007D34000-memory.dmp

memory/4736-225-0x00000000076C0000-0x00000000076C8000-memory.dmp

memory/4736-224-0x0000000007630000-0x0000000007638000-memory.dmp

memory/4736-227-0x0000000007720000-0x000000000772E000-memory.dmp

memory/4736-226-0x000000000B400000-0x000000000B438000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20250520083057_c4095fcaba8347b88afb1f0042d28e2f.trn

MD5 c3e53fc93b3cc29a5a131c5c149f0d95
SHA1 f3ab38ded5d0fa803db6af4d2c5c811b9bcb00ec
SHA256 df86537e910ac72d0a3da1880adbf3c20d772d6baf1a11ffd2bede5219996792
SHA512 442e8428cd04dd45a0d0ff32a25af04eac8825a06fd1bb330bf6d4c01a4892224443e7d3419eaa3e73795663537cb817f6941264e76b37ca68031aa214b42411

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-20 08:30

Reported

2025-05-20 08:32

Platform

win11-20250502-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2117256398-1057710415-2142084777-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2117256398-1057710415-2142084777-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\getmac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5656 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 
PID 5656 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 
PID 5656 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 
PID 5656 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 5656 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 5656 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4900 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4900 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4900 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1840 wrote to memory of 5824 N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
PID 1840 wrote to memory of 5824 N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
PID 1840 wrote to memory of 5824 N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
PID 4336 wrote to memory of 1508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4336 wrote to memory of 1508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4336 wrote to memory of 1508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1508 wrote to memory of 2244 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1508 wrote to memory of 2244 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1508 wrote to memory of 2244 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2244 wrote to memory of 2856 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2244 wrote to memory of 2856 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2244 wrote to memory of 2856 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4420 wrote to memory of 5328 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 4420 wrote to memory of 5328 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 4420 wrote to memory of 5328 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 2244 wrote to memory of 1456 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 1456 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 1456 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3324 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3324 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3324 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 5824 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe
PID 5824 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe
PID 5824 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe C:\Windows\SysWOW64\getmac.exe
PID 2244 wrote to memory of 5468 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 5468 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 5468 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 2900 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 2900 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2244 wrote to memory of 2900 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

C:\Windows\SysWOW64\getmac.exe

"getmac"

C:\Windows\SysWOW64\at.exe

at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka.ms udp
GB 23.37.198.9:443 aka.ms tcp
GB 23.37.198.9:443 aka.ms tcp
US 8.8.8.8:53 telemetry.visualstudio.microsoft.com udp
DE 2.16.164.33:443 settings.visualstudio.microsoft.com tcp
DE 2.16.164.16:443 telemetry.visualstudio.microsoft.com tcp
US 20.42.128.98:443 targetednotifications-tm.trafficmanager.net tcp
US 20.189.173.13:443 mobile.events.data.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

MD5 f31be30464259e66a1caa8a3196b2d91
SHA1 74b4eeb5e7517707b04a01d4e0d9143b41495a49
SHA256 db062cd6a3fe35d0f04873ca387c748417468439b80a11b5a1379b25b0465194
SHA512 01923fd49e73c4bb56f806bc93cfbb11da14469a5a8f847d290b45faef0cd9f221b2af0b118196e99ffae30a8ff8749f8be372a9523ca5a885dcf7e13e89595c

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 536290c5f5bcbe6b1a21e1579898d525
SHA1 f3e7e9ac466a33ad5b739af20d726a83457b3667
SHA256 b4d15ba1e4d0bf6487110161d9cfd0376f38dc1f6d19cd4f18e39ffaffa0e871
SHA512 b8a7ac64bcce30eac8f74abaf1b65364fc1f38c3341019e3bb4eec162588a642d53c7055d1216f9a8a42e6caaf588380b73ad88a3e69d854eb2017c77e27c5c2

C:\Windows\System\explorer.exe

MD5 84bf7192a3940a58f5262bb5aaec1ed5
SHA1 7e9617cc050299230adb1211c25f4fc55d512a0d
SHA256 8a83e2fbeeff710b23e753bd14a7bec18637478b44abaf3d7b050b01c77667af
SHA512 5b163a74fedf5934cc262809266f72845555849417114a46c4871ad3c2427a8d0777b6cae0c3f892b3b9e9caa8aee30932e2c5fb640d12bb340617a7256fcb60

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

MD5 0941bc3970a158835cfa9b769be06f47
SHA1 5bf04b54e308b75671ad4a00506cfaa207ffb9dd
SHA256 f0ef5058eca8af96cc72c0505b0f5427b08c12f196c8afd3c13d7ecf4bc1cc1d
SHA512 53a9ff67023113d27e267cda538e142b3a5b277e38229ad8969bd914093b2421756b5c704591a27102865e57fd2f2b0f22a837c2fb2ccd68efd3792960611edb

C:\Windows\System\spoolsv.exe

MD5 8bb07607ed263a0275f0e564bee47eca
SHA1 365edd7f8fe444bea5b9d345a9afb057fa4f82e4
SHA256 f81c997e8fea452e334541c1048be5b4eec3031adda6a3cacb7348495971b969
SHA512 199c16f95f57480d89049ef2cf6b12bf019a638e310c2a899f6722f941c183fefe632b6e6bc7174cf3e565f2a69fc981a3bdb369dba194295ecd4deebe81a56c

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

MD5 aa49563d97bd34bb11ebe5ba7305adc9
SHA1 930b61f0c1400e28823ce56212c4d9e0c673c750
SHA256 405b6cfe55904b670ba0f0cfde16e14f37168192a4993a2f9d91886631145cad
SHA512 1998a3edc5b5a06e775bac58d3bfe2a4623be0f9f1c55f1063240e9b735fdcf6b676aa133a90dca96161eb4128d16c9c8822bfe064391bc7e6b04fa45d03b199

\??\c:\windows\system\svchost.exe

MD5 b016663811b5f0778773219253a0c615
SHA1 d6aa0a85e65d9a7fa10f4ec3e825f698584881d4
SHA256 3645fc671144bae40473d2d0f1f16cb8857dd458e1978567c476eebd176854fa
SHA512 1f51c5f19c0b50930e0461cc903f170a6d59958a9fa47c696432fad561adfc3c5ef127220d77a3075058cc6c98b732dbba15694b138d90b0a7406140ccee4d47

memory/5824-156-0x0000000000080000-0x00000000000E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

MD5 99208fd00d39640093d6db9a72d2205f
SHA1 b8b2101026d1d0cc117be3ab56d334078b481b2f
SHA256 c904d85273eed1173b229cd03593defaa3ff6afb8388ff77853e141d33788d02
SHA512 17ae8fd7b66b68f3f36ede4055d64145f8990960064e7d49e7dfcbdf3b5c689df32f41e6876efaaa34ca3c1879a5c6ad5bc1463c0a7b081490badccbc35328b3

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

MD5 2d276aa3eedf5d56d287cfa062cbf996
SHA1 5ccb1ead82b7047618825ebf60344076fc1f82fc
SHA256 53843b1c80e18fd9581d18f9cb4f2b8d0096a8305db43784e760a6f168122155
SHA512 7f71b2b1e1834ca247fdbe64d85ade3eaa8b2171d1fe9d6ed36ca3916129ac925ab01d7de336643d8e3bc2ebaac4083bd6cc6c311901ea392686bdd6730e4c19

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

MD5 e3f32bd0c7ea3408258d44dd3a6a2459
SHA1 62bebff872c0e9bd1a46524584332a51aa3d7d10
SHA256 7b409e6d96f602671f08243d0ed649e1c833271a331af2059f00add59a12140f
SHA512 60d18615f5dd55675232dd4e372e3075a6646f3601298ab28f393c33354a2006d059dc63d601d04cf72746f6f0470ff00de0e1e1e3181118f3d36e2f8ded3a07

memory/5824-179-0x00000000050A0000-0x00000000050F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

MD5 f010059bc2c2d7a8f9c9e96bd88d5a95
SHA1 ddb9c2c07c0deabca0d7b7df56bfd64a7672de59
SHA256 47cebe91571377764ffbf50d7c346975d80601ffc6211de7ff6c5ebbe7258f48
SHA512 70f6001080f0754fc9e2eb39ab70a8daee743aacba7828373420219dcd6122414ad70c9d1860c653a6d932d1960e4b6495935ff13961695de2dfc051cca701e0

memory/5824-175-0x0000000004C80000-0x0000000004C88000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 65c66fc445aec631d1f6c353bdbe6544
SHA1 13782a996fedb56552bacc65da7b4cb635b6bb13
SHA256 a2e518ebd821acee043d720a444bd4b64145be99613f759b43f27dbe45b492ae
SHA512 caca41001c0f49f65f4ea2c7618b417ec647ff983f84df69b10d23375776e8fe0af1a6847d7a753578283bd4c259da24a98cdef34682d3598b85cccd9cfc06a6

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

MD5 2999091dfdc507751c83112b99ccf45c
SHA1 7bd85c761a84ffa95f40eca4a0755b966aa5f396
SHA256 53b2d60f8a6904a474a12620623f8a3c8630e248f228398795c47941703b3654
SHA512 fc61a4746996ec082baa020d578ad2cadf5c1c0fe3d5901351f7e179a9d36db5d43fa38acd97c34795a3b82532db928267155a181a1f1e459d87ab75a035efcd

memory/5824-171-0x0000000005290000-0x0000000005390000-memory.dmp

memory/5824-188-0x0000000005710000-0x00000000057C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Newtonsoft.Json.dll

MD5 00c34112da9e104a0deaebe2e71cc21a
SHA1 f0ea635ef401d75f6ea939e71d750cff7f074d53
SHA256 8e9dd1dc511093f7edd8b96e4e113e8761676210197093b6b59cb1e4bb46e277
SHA512 141c3127c2ed281cdef9630f25f0febcb69322285188a0082e653ef33d00de593991f31585d05b2dafe6d439cae87a1f7788cbbb3a925bebf04bcad6c56993bb

memory/5824-167-0x00000000050F0000-0x0000000005184000-memory.dmp

memory/5824-161-0x0000000004CA0000-0x0000000004E0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

MD5 370769c79ea79463adbf0c6476225935
SHA1 2d340026691f83e069c4a87125ca096b9f26c97e
SHA256 4d1d5efd28d72c332ba87e1993cb35e46404753543c5563700b98a97aa3c42a6
SHA512 5d3af80c54fda6d4d0de06f7b22722d400857743203a745bfcd1667e5e48ea8c2ef7b0c6ffede84b2ea2bd4b74a2ddc766c17392ed07f366d1f0a9b34eb5c63c

memory/5824-196-0x0000000005510000-0x0000000005524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\System.Memory.dll

MD5 f09441a1ee47fb3e6571a3a448e05baf
SHA1 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256 bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

memory/5824-200-0x0000000005680000-0x00000000056A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.config

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\vs_setup_bootstrapper.json

C:\Users\Admin\AppData\Local\Temp\7568f46c92f461f7889ddb9d2a99\vs_bootstrapper_d15\detection.json

C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20250520083056_3f5622948bee4d9ea4518983f03b618a.trn
