Analysis
max time kernel: 131s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:54
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Size: 754KB
MD5: e7a1294ae66a9b255f984b45c5a1a3e6
SHA1: 4fa6fff2aa486b9ad08829b914926635bc7c5e2b
SHA256: b9bb7ad541c02f06c2549a3fe83e484d8e8ea551801e3e01f2c80996477aa043
SHA512: 38a850cc7f19283ee0eeae9bb2a37c335dc06c742ecd07e2deba974aac83a7a73de845fc10aa65653c327676572c93c7150e6b54c745235b45bf133743cb62ab
SSDEEP: 12288:amhjKOXdUlzn3DSudvsh8Awf3XFaZmBITVJPtSrE37yG2LmxiOqOF:thLalj3DSudvGM3MXTVhtSQWGtxt
Malware Config
Signatures
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | ckbmppfjrh.exe
Executes dropped EXE 4 IoCs
pid | Process
2520 | ckbmppfjrh.exe
3380 | ahqfdrwdcu.exe
4656 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
5940 | bindsvc.exe
Drops file in System32 directory 8 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\bindsvc.exe | ahqfdrwdcu.exe
File created | C:\Windows\system32\msfte.dll | ahqfdrwdcu.exe
File created | C:\Windows\system32\oci.dll | ahqfdrwdcu.exe
File created | C:\Windows\System32\bindsvc.exe | ahqfdrwdcu.exe
File created | C:\Windows\SysWOW64\wideshut.exe | ahqfdrwdcu.exe
File opened for modification | C:\Windows\SysWOW64\wideshut.exe | ahqfdrwdcu.exe
File created | C:\Windows\SysWOW64\wimsvc.exe | ahqfdrwdcu.exe
File created | C:\Windows\SysWOW64\racfg.exe | ahqfdrwdcu.exe

resource | yara_rule
behavioral1/files/0x0008000000024109-13.dat | upx
behavioral1/memory/3380-15-0x0000000000EA0000-0x000000000101A000-memory.dmp | upx
behavioral1/memory/3380-145-0x0000000000EA0000-0x000000000101A000-memory.dmp | upx
behavioral1/memory/3380-152-0x0000000000EA0000-0x000000000101A000-memory.dmp | upx
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4284 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ckbmppfjrh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ahqfdrwdcu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bindsvc.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2310cb382ebdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057e3fdb282ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2310cb382ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d10481b382ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037e8a0b282ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000541ff9b282ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030e981b282ebdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c4c84b282ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000970dc7b282ebdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4656 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
4656 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
3380 | ahqfdrwdcu.exe
3380 | ahqfdrwdcu.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: 33 | 1228 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 1228 | SearchIndexer.exe
Token: SeDebugPrivilege | 4656 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4656 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
4656 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 1520 wrote to memory of 2520 | 1520 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | 88
PID 1520 wrote to memory of 2520 | 1520 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | 88
PID 1520 wrote to memory of 2520 | 1520 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | 88
PID 1520 wrote to memory of 3380 | 1520 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | 89
PID 1520 wrote to memory of 3380 | 1520 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | 89
PID 1520 wrote to memory of 3380 | 1520 | 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | 89
PID 1228 wrote to memory of 3128 | 1228 | SearchIndexer.exe | 91
PID 1228 wrote to memory of 3128 | 1228 | SearchIndexer.exe | 91
PID 1228 wrote to memory of 4576 | 1228 | SearchIndexer.exe | 92
PID 1228 wrote to memory of 4576 | 1228 | SearchIndexer.exe | 92
PID 2520 wrote to memory of 4656 | 2520 | ckbmppfjrh.exe | 93
PID 2520 wrote to memory of 4656 | 2520 | ckbmppfjrh.exe | 93
PID 2520 wrote to memory of 4656 | 2520 | ckbmppfjrh.exe | 93
PID 3380 wrote to memory of 1700 | 3380 | ahqfdrwdcu.exe | 100
PID 3380 wrote to memory of 1700 | 3380 | ahqfdrwdcu.exe | 100
PID 1700 wrote to memory of 4284 | 1700 | cmd.exe | 102
PID 1700 wrote to memory of 4284 | 1700 | cmd.exe | 102
PID 3380 wrote to memory of 5284 | 3380 | ahqfdrwdcu.exe | 103
PID 3380 wrote to memory of 5284 | 3380 | ahqfdrwdcu.exe | 103
PID 3380 wrote to memory of 5940 | 3380 | ahqfdrwdcu.exe | 104
PID 3380 wrote to memory of 5940 | 3380 | ahqfdrwdcu.exe | 104
PID 3380 wrote to memory of 5940 | 3380 | ahqfdrwdcu.exe | 104
Processes
(process tree; each child process is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
    PID: 1520
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe" "C:\Users\Admin\AppData\Local\Temp\eyvqtgbium.exe" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
        PID: 2520
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
            PID: 4656
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe
        PID: 3380
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
            Command line: /c sc config msdtc obj= LocalSystem
            PID: 1700
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\sc.exe
                Command line: sc config msdtc obj= LocalSystem
                PID: 4284
                - Launches sc.exe

        C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TKylaJrf.bat"
            PID: 5284

        C:\Windows\System32\bindsvc.exe
            Command line: "C:\Windows\System32\bindsvc.exe"
            PID: 5940
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    PID: 1228
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        PID: 3128
        - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
        PID: 4576
        - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 196B
MD5: 2aa1c2e2b881440b7cf00772019f5b71
SHA1: 6b872e826591df25b0c4e052c3423e3a53ec045d
SHA256: 8cccbf3a938d5af45b633117d172ca05686e46858bf1849d058899bd274c292a
SHA512: 427d961386cf0de21a561cb0f6edd881b0ed10802c510a721c225c54a89b56d583a1baa49222317639dfa4eef3f98e194c2a6f50b7c729d0c33c33d5e023708e

Filesize: 580KB
MD5: 2c2029588ad8b86759c17b7ae885ee03
SHA1: 91653b5344d4c210201218e2f215dd5228d76799
SHA256: 3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
SHA512: 88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Filesize: 51KB
MD5: e48b89715bf5e4c55eb5a1fed67865d9
SHA1: 89a287da39e14b02cdc284eb287549462346d724
SHA256: c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA512: 4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Filesize: 38KB
MD5: f659ba68d92152adb1b88fece9c9bda5
SHA1: c5b10c7b66b35bcbd7e1ab6cd36bb8439d80214d
SHA256: b1955a36fee6be734dbe3fd7f68eec972cbaf9af4b694f3bf718f85689e2235a
SHA512: de4b9764291100b40d9bd6620d1ef19c9552760441d266073017f577e2f8475e4884a6ce5587bd045f7e90e2faf1f97b229965974f1fd81cf58140b6d05098f0

Filesize: 291KB
MD5: 7c5b397fb54d5aa06bd2a6fb99c62fee
SHA1: a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256: d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512: daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c