Analysis
max time kernel: 146s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/07/2025, 18:54
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Size: 754KB
MD5: e7a1294ae66a9b255f984b45c5a1a3e6
SHA1: 4fa6fff2aa486b9ad08829b914926635bc7c5e2b
SHA256: b9bb7ad541c02f06c2549a3fe83e484d8e8ea551801e3e01f2c80996477aa043
SHA512: 38a850cc7f19283ee0eeae9bb2a37c335dc06c742ecd07e2deba974aac83a7a73de845fc10aa65653c327676572c93c7150e6b54c745235b45bf133743cb62ab
SSDEEP: 12288:amhjKOXdUlzn3DSudvsh8Awf3XFaZmBITVJPtSrE37yG2LmxiOqOF:thLalj3DSudvGM3MXTVhtSQWGtxt
Malware Config
Signatures
Executes dropped EXE 4 IoCs
  pid   Process
  2500  ucedpsljke.exe
  5292  xlctnlefhk.exe
  4892  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
  6060  bindsvc.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 48 entries are "File opened (read-only)" by SearchIndexer.exe (PID 1920), which runs as its own process tree rather than under the sample (see Processes below):
  \??\A: \??\B: \??\D: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Drops file in System32 directory 8 IoCs
  description                  ioc                                   Process
  File created                 C:\Windows\System32\bindsvc.exe       xlctnlefhk.exe
  File created                 C:\Windows\SysWOW64\wideshut.exe      xlctnlefhk.exe
  File opened for modification C:\Windows\SysWOW64\wideshut.exe      xlctnlefhk.exe
  File created                 C:\Windows\SysWOW64\wimsvc.exe        xlctnlefhk.exe
  File created                 C:\Windows\SysWOW64\racfg.exe         xlctnlefhk.exe
  File created                 C:\Windows\SysWOW64\bindsvc.exe       xlctnlefhk.exe
  File created                 C:\Windows\system32\msfte.dll         xlctnlefhk.exe
  File created                 C:\Windows\system32\oci.dll           xlctnlefhk.exe
YARA rule match: upx 4 IoCs
  resource                                                                      yara_rule
  behavioral2/files/0x001900000002b094-13.dat                                   upx
  behavioral2/memory/5292-15-0x0000000000B60000-0x0000000000CDA000-memory.dmp   upx
  behavioral2/memory/5292-174-0x0000000000B60000-0x0000000000CDA000-memory.dmp  upx
  behavioral2/memory/5292-183-0x0000000000B60000-0x0000000000CDA000-memory.dmp  upx
Launches sc.exe 1 IoCs
sc.exe is the Windows utility for controlling services on the system.
  pid   Process
  4588  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xlctnlefhk.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bindsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ucedpsljke.exe
Modifies data under HKEY_USERS 64 IoCs
All entries are by SearchProtocolHost.exe or SearchFilterHost.exe (children of SearchIndexer.exe, see Processes). Paths below are relative to \REGISTRY\USER\.DEFAULT\.
  description       ioc                                                                                                             Process
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw                                                SearchProtocolHost.exe
  Key created       Software\Microsoft                                                                                              SearchFilterHost.exe
  Key created       Software\Microsoft\SystemCertificates                                                                           SearchFilterHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3                                                SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList                                   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"    SearchProtocolHost.exe
  Set value (data)  Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a158eb482ebdb01   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2                                                SearchProtocolHost.exe
  Key created       Software                                                                                                        SearchFilterHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml                                              SearchProtocolHost.exe
  Set value (data)  Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab061eb482ebdb01   SearchProtocolHost.exe
  Key created       SOFTWARE\Microsoft\MPEG2Demultiplexer                                                                           SearchFilterHost.exe
  Set value (data)  Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030df35b482ebdb01   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList                                  SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList                                  SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer                                                              SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft                                                                                              SearchFilterHost.exe
  Key created       Software                                                                                                        SearchFilterHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList                                   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT                                                SearchProtocolHost.exe
  Key created       Software                                                                                                        SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList                                 SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList                                   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif                                               SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a                                                SearchProtocolHost.exe
  Key created       Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device  SearchFilterHost.exe
  Key created       Software\Microsoft\Multimedia                                                                                   SearchFilterHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"            SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"   SearchProtocolHost.exe
  Key created       Software\Microsoft\SBE                                                                                          SearchFilterHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion                                                                       SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg                                                SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList                                   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList                                  SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV                                                SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"   SearchProtocolHost.exe
  Set value (str)   Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"   SearchProtocolHost.exe
  Key created       Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff                                               SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  4892  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
  4892  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
  5292  xlctnlefhk.exe
  5292  xlctnlefhk.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description                          pid   Process
  Token: 33                            1920  SearchIndexer.exe
  Token: SeIncBasePriorityPrivilege    1920  SearchIndexer.exe
  Token: SeTakeOwnershipPrivilege      1920  SearchIndexer.exe
  Token: SeDebugPrivilege              4892  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid   Process
  4892  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Suspicious use of SendNotifyMessage 1 IoCs
  pid   Process
  4892  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Suspicious use of WriteProcessMemory 24 IoCs
Identical entries are collapsed; the count column gives how many times each write appears in the report.
  pid   Process                                                                                              target pid  procid_target  count
  4228  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe     2500        78             3
  4228  2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe     5292        79             3
  1920  SearchIndexer.exe                                                                                    1020        81             2
  2500  ucedpsljke.exe                                                                                       4892        82             3
  1920  SearchIndexer.exe                                                                                    4888        83             2
  1920  SearchIndexer.exe                                                                                    4904        84             2
  5292  xlctnlefhk.exe                                                                                       6044        85             2
  6044  cmd.exe                                                                                              4588        87             2
  5292  xlctnlefhk.exe                                                                                       5580        88             2
  5292  xlctnlefhk.exe                                                                                       6060        90             3
Processes
Indentation shows the parent/child relationship; the sample's tree and the SearchIndexer.exe tree are separate roots.

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe  [PID 4228]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe  [PID 2500]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe" "C:\Users\Admin\AppData\Local\Temp\ubwesknsgx.exe" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe  [PID 4892]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe  [PID 5292]
      cmdline: C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe  [PID 6044]
          cmdline: /c sc config msdtc obj= LocalSystem
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\sc.exe  [PID 4588]
              cmdline: sc config msdtc obj= LocalSystem
              - Launches sc.exe

        C:\Windows\system32\cmd.exe  [PID 5580]
          cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1Ib3S27M.bat"

        C:\Windows\System32\bindsvc.exe  [PID 6060]
          cmdline: "C:\Windows\System32\bindsvc.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

C:\Windows\system32\SearchIndexer.exe  [PID 1920]
  cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\SearchProtocolHost.exe  [PID 1020]
      cmdline: "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe  [PID 4888]
      cmdline: "C:\Windows\system32\SearchFilterHost.exe" 828 2640 2204 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
      - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe  [PID 4904]
      cmdline: "C:\Windows\system32\SearchFilterHost.exe" 828 2768 2344 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
      - Modifies data under HKEY_USERS
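The process tree above, read together with the "Drops file in System32 directory" signature, is the part of this report worth turning into detection logic: a dropper running from the user's Temp directory (xlctnlefhk.exe, PID 5292) writes executables and two DLLs into System32 and SysWOW64, runs sc config msdtc obj= LocalSystem through cmd.exe, and then launches the bindsvc.exe it has just dropped. The script below is an added example, not part of the sandbox report or of the sample, that rebuilds the tree from the PIDs shown above and applies three rules to it. The process table and the file-create list are constructed from this report; PID 5292 is assumed for the file writes because the signature names only the writing image, and the list of user-writable directories is the author's choice.

```python
"""Rebuild the sandbox's process tree and correlate the events that make this
run suspicious: a Temp-resident dropper writing into System32/SysWOW64,
reconfiguring a service to run as LocalSystem via sc.exe, and executing one of
the binaries it just dropped. Added example; data constructed from the report."""
import re

# Constructed from the report's "Processes" tree: (pid, ppid, image, cmdline).
# The root 4228 has no recorded parent, so its ppid is set to 0 here.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6"
          r"_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCESSES = [
    (4228, 0,    SAMPLE, f'"{SAMPLE}"'),
    (2500, 4228, TEMP + r"\ucedpsljke.exe",
     f'"{TEMP}\\ucedpsljke.exe" "{TEMP}\\ubwesknsgx.exe" "{SAMPLE}"'),
    (4892, 2500, SAMPLE, f'"{SAMPLE}"'),
    (5292, 4228, TEMP + r"\xlctnlefhk.exe", TEMP + r"\xlctnlefhk.exe"),
    (6044, 5292, r"C:\Windows\System32\cmd.exe", "/c sc config msdtc obj= LocalSystem"),
    (4588, 6044, r"C:\Windows\system32\sc.exe", "sc config msdtc obj= LocalSystem"),
    (5580, 5292, r"C:\Windows\system32\cmd.exe",
     f'C:\\Windows\\system32\\cmd.exe /c "{TEMP}\\1Ib3S27M.bat"'),
    (6060, 5292, r"C:\Windows\System32\bindsvc.exe", r'"C:\Windows\System32\bindsvc.exe"'),
]

# Constructed from "Drops file in System32 directory": (path, writing pid).
# The report names the writer only as xlctnlefhk.exe; pid 5292 is assumed
# from the "Executes dropped EXE" table.
FILE_CREATES = [
    (r"C:\Windows\System32\bindsvc.exe", 5292),
    (r"C:\Windows\SysWOW64\wideshut.exe", 5292),
    (r"C:\Windows\SysWOW64\wimsvc.exe", 5292),
    (r"C:\Windows\SysWOW64\racfg.exe", 5292),
    (r"C:\Windows\SysWOW64\bindsvc.exe", 5292),
    (r"C:\Windows\system32\msfte.dll", 5292),
    (r"C:\Windows\system32\oci.dll", 5292),
]

# Author's choice of "user-writable" locations a service binary should never come from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SC_LOCALSYSTEM = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+obj=\s*localsystem\b", re.I)


def by_pid(procs):
    return {pid: {"pid": pid, "ppid": ppid, "image": img, "cmdline": cmd}
            for pid, ppid, img, cmd in procs}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(pid, table):
    """Image basenames from the root of the tree down to pid, inclusive."""
    chain = []
    while pid in table:
        chain.append(basename(table[pid]["image"]))
        pid = table[pid]["ppid"]
    return chain[::-1]


def from_user_writable(pid, table):
    """True if pid or any ancestor runs from a user-writable directory."""
    while pid in table:
        if any(d in table[pid]["image"].lower() for d in USER_WRITABLE):
            return True
        pid = table[pid]["ppid"]
    return False


def localsystem_service_config(procs):
    """Rule 1: sc.exe switching a service account to LocalSystem under a Temp-born tree."""
    table = by_pid(procs)
    hits = []
    for p in table.values():
        if basename(p["image"]).lower() != "sc.exe":
            continue
        m = SC_LOCALSYSTEM.search(p["cmdline"])
        if m and from_user_writable(p["pid"], table):
            hits.append({"pid": p["pid"], "service": m.group(1).lower(),
                         "chain": ancestry(p["pid"], table)})
    return hits


def system_dir_drops(procs, creates):
    """Rule 2: files written under System32/SysWOW64 by a process born in a user-writable dir."""
    table = by_pid(procs)
    return sorted(path for path, pid in creates
                  if path.lower().startswith(SYSTEM_DIRS) and from_user_writable(pid, table))


def executed_drops(procs, creates):
    """Rule 3: processes whose image is a path the Temp-born tree itself created."""
    dropped = {path.lower() for path in system_dir_drops(procs, creates)}
    return [(pid, img) for pid, _, img, _ in procs if img.lower() in dropped]


if __name__ == "__main__":
    for hit in localsystem_service_config(PROCESSES):
        print("service -> LocalSystem:", hit["service"], "via", " > ".join(hit["chain"]))
    for path in system_dir_drops(PROCESSES, FILE_CREATES):
        print("system dir drop:", path)
    for pid, img in executed_drops(PROCESSES, FILE_CREATES):
        print("dropped binary executed:", pid, img)
```

The rules key on the parent chain rather than on file names, so a renamed dropper still matches. In a live pipeline the same three functions would run over Sysmon event ID 1 (process create) and event ID 11 (file create) records instead of a sandbox report. Note that the process which reconfigures the msdtc service account also writes oci.dll and msfte.dll into system32; the report does not show what loads those DLLs, so the rule flags the writes without assuming a loader.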
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 196B
MD5: 2e89099b065a8497f21a87c063f7a2fa
SHA1: 39b8a88357941002bc1b0279466280b034bdc3e2
SHA256: d010fbd4c4ab965ce63ce21bbb64c286c5f407b3548da5adf36e055f33738108
SHA512: 4208d16d8627d310f151799299b1b59633ac7322db94cd4063b4102e652db5849e929dac723ecc3d607d706b26cdb44ed1701db77023091478d2e33c8ad23002

Filesize: 38KB
MD5: f659ba68d92152adb1b88fece9c9bda5
SHA1: c5b10c7b66b35bcbd7e1ab6cd36bb8439d80214d
SHA256: b1955a36fee6be734dbe3fd7f68eec972cbaf9af4b694f3bf718f85689e2235a
SHA512: de4b9764291100b40d9bd6620d1ef19c9552760441d266073017f577e2f8475e4884a6ce5587bd045f7e90e2faf1f97b229965974f1fd81cf58140b6d05098f0

Filesize: 51KB
MD5: e48b89715bf5e4c55eb5a1fed67865d9
SHA1: 89a287da39e14b02cdc284eb287549462346d724
SHA256: c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA512: 4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Filesize: 580KB
MD5: 2c2029588ad8b86759c17b7ae885ee03
SHA1: 91653b5344d4c210201218e2f215dd5228d76799
SHA256: 3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
SHA512: 88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Filesize: 1KB
MD5: 1bfb02f2b271e4120c8a147b7faed27d
SHA1: 7de18acfd9cfd7b2e4276c0f882a0086261e0b31
SHA256: 4ea416ebbbf8f2d35f09514cb513796694c2bc28d41e023c5a849e1c0bcd7c02
SHA512: bc89dc24cb5926bff603dee68de40b60b59551ef750b712125bdb37caff08c6ffd45ca631230a4d149a3d23f8206e96b4718d07e0cd17dc1aa453f3ccb231a29

Filesize: 291KB
MD5: 7c5b397fb54d5aa06bd2a6fb99c62fee
SHA1: a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256: d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512: daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c