Malware Analysis Report

2025-06-16 05:39

Sample ID 250520-kgjseaen4z
Target 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_smoke-loader_stealc_tofsee
SHA256 21f05af90bdee3716b1e8a7797e361c6ac31275f1a9c66f9c5f6fc7f9e1c9189
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21f05af90bdee3716b1e8a7797e361c6ac31275f1a9c66f9c5f6fc7f9e1c9189

Threat Level: Known bad

The file 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_smoke-loader_stealc_tofsee was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Mofksys family

Modifies WinLogon for persistence

Mofksys

Detects Mofksys worm

Modifies visibility of hidden/system files in Explorer

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:34

Reported

2025-05-20 08:36

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\S: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\Y: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\V: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\K: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\N: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\P: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\U: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\E: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\O: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\X: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\R: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\W: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\J: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\L: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\Z: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\T: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeAssignPrimaryTokenPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeLockMemoryPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeIncreaseQuotaPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeMachineAccountPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeTcbPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeTakeOwnershipPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeLoadDriverPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSystemProfilePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSystemtimePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeProfSingleProcessPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeIncBasePriorityPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreatePagefilePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreatePermanentPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeShutdownPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeAuditPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSystemEnvironmentPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeChangeNotifyPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeRemoteShutdownPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeUndockPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSyncAgentPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeEnableDelegationPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeManageVolumePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeImpersonatePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreateGlobalPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreateTokenPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeAssignPrimaryTokenPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeLockMemoryPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeIncreaseQuotaPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeMachineAccountPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeTcbPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeTakeOwnershipPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeLoadDriverPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSystemProfilePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSystemtimePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeProfSingleProcessPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeIncBasePriorityPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreatePagefilePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreatePermanentPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeShutdownPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeAuditPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSystemEnvironmentPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeChangeNotifyPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeRemoteShutdownPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeUndockPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeSyncAgentPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeEnableDelegationPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeManageVolumePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeImpersonatePrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreateGlobalPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeCreateTokenPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A
Token: SeAssignPrimaryTokenPrivilege N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
PID 3088 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4700 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4592 wrote to memory of 4888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4888 wrote to memory of 5928 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5928 wrote to memory of 3432 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5928 wrote to memory of 4984 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4876 wrote to memory of 5492 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 5080 wrote to memory of 4116 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 1348 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5928 wrote to memory of 3256 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5928 wrote to memory of 1108 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe 

c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 44EC0DC58A2346408020C5807359040D C

C:\Windows\SysWOW64\at.exe

at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 download.honeygain.com udp
US 104.26.13.49:443 download.honeygain.com tcp
DE 142.250.185.131:80 c.pki.goog tcp
US 8.8.8.8:53 resources.honeygain.com udp
US 104.26.12.49:443 resources.honeygain.com tcp
FR 2.21.35.200:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 142.250.185.131:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Windows\System\explorer.exe

\??\c:\windows\system\spoolsv.exe

\??\c:\windows\system\svchost.exe

C:\Users\Admin\AppData\Roaming\mrsys.exe

C:\Users\Admin\AppData\Local\Temp\upd905B.tmp

C:\Users\Admin\AppData\Roaming\Honeygain\Honeygain 1.5.0.0\install\Honeygain_install.msi

C:\Users\Admin\AppData\Local\Temp\MSI96A6.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4432\installer_logo_large.png

C:\Users\Admin\AppData\Local\Temp\MSI98DF.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4432\installer_logo_small.png
