Malware Analysis Report

2025-08-10 19:49

Sample ID 250702-xj7ngazvhs
Target 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader
SHA256 b9bb7ad541c02f06c2549a3fe83e484d8e8ea551801e3e01f2c80996477aa043
Tags discovery upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b9bb7ad541c02f06c2549a3fe83e484d8e8ea551801e3e01f2c80996477aa043

Threat Level: Shows suspicious behavior

The file 2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader was found to show suspicious behavior.

Malicious Activity Summary

discovery upx

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

UPX packed file

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-02 18:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 18:54

Reported

2025-07-02 18:56

Platform

win10v2004-20250619-en

Max time kernel

131s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bindsvc.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File created C:\Windows\system32\msfte.dll C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File created C:\Windows\system32\oci.dll C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File created C:\Windows\System32\bindsvc.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File created C:\Windows\SysWOW64\wideshut.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File opened for modification C:\Windows\SysWOW64\wideshut.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File created C:\Windows\SysWOW64\wimsvc.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
File created C:\Windows\SysWOW64\racfg.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\System32\bindsvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2310cb382ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057e3fdb282ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2310cb382ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d10481b382ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037e8a0b282ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000541ff9b282ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030e981b282ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c4c84b282ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000970dc7b282ebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe
PID 1520 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe
PID 1520 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe
PID 1520 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe
PID 1520 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe
PID 1520 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe
PID 1228 wrote to memory of 3128 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1228 wrote to memory of 3128 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1228 wrote to memory of 4576 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1228 wrote to memory of 4576 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2520 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
PID 2520 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
PID 2520 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
PID 3380 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\System32\cmd.exe
PID 3380 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 4284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1700 wrote to memory of 4284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3380 wrote to memory of 5284 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\system32\cmd.exe
PID 3380 wrote to memory of 5284 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\system32\cmd.exe
PID 3380 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\System32\bindsvc.exe
PID 3380 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\System32\bindsvc.exe
PID 3380 wrote to memory of 5940 N/A C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe C:\Windows\System32\bindsvc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe

"C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe" "C:\Users\Admin\AppData\Local\Temp\eyvqtgbium.exe" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe

C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

C:\Windows\System32\cmd.exe

/c sc config msdtc obj= LocalSystem

C:\Windows\system32\sc.exe

sc config msdtc obj= LocalSystem

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TKylaJrf.bat"

C:\Windows\System32\bindsvc.exe

"C:\Windows\System32\bindsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\ckbmppfjrh.exe

MD5 e48b89715bf5e4c55eb5a1fed67865d9
SHA1 89a287da39e14b02cdc284eb287549462346d724
SHA256 c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA512 4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

C:\Users\Admin\AppData\Local\Temp\eyvqtgbium.exe

MD5 f659ba68d92152adb1b88fece9c9bda5
SHA1 c5b10c7b66b35bcbd7e1ab6cd36bb8439d80214d
SHA256 b1955a36fee6be734dbe3fd7f68eec972cbaf9af4b694f3bf718f85689e2235a
SHA512 de4b9764291100b40d9bd6620d1ef19c9552760441d266073017f577e2f8475e4884a6ce5587bd045f7e90e2faf1f97b229965974f1fd81cf58140b6d05098f0

C:\Users\Admin\AppData\Local\Temp\ahqfdrwdcu.exe

MD5 2c2029588ad8b86759c17b7ae885ee03
SHA1 91653b5344d4c210201218e2f215dd5228d76799
SHA256 3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
SHA512 88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

C:\Windows\System32\bindsvc.exe

MD5 7c5b397fb54d5aa06bd2a6fb99c62fee
SHA1 a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256 d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512 daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

C:\Users\Admin\AppData\Local\Temp\TKylaJrf.bat

MD5 2aa1c2e2b881440b7cf00772019f5b71
SHA1 6b872e826591df25b0c4e052c3423e3a53ec045d
SHA256 8cccbf3a938d5af45b633117d172ca05686e46858bf1849d058899bd274c292a
SHA512 427d961386cf0de21a561cb0f6edd881b0ed10802c510a721c225c54a89b56d583a1baa49222317639dfa4eef3f98e194c2a6f50b7c729d0c33c33d5e023708e

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-02 18:54

Reported

2025-07-02 18:56

Platform

win11-20250610-en

Max time kernel

146s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\p: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\b: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\u: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\l: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\x: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\y: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\s: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\w: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\k: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\n: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\o: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\r: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\z: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\i: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\q: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\t: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\a: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\m: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\v: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\SearchIndexer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\bindsvc.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File created C:\Windows\SysWOW64\wideshut.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File opened for modification C:\Windows\SysWOW64\wideshut.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File created C:\Windows\SysWOW64\wimsvc.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File created C:\Windows\SysWOW64\racfg.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File created C:\Windows\SysWOW64\bindsvc.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File created C:\Windows\system32\msfte.dll C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
File created C:\Windows\system32\oci.dll C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\System32\bindsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3 C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a158eb482ebdb01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab061eb482ebdb01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030df35b482ebdb01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff C:\Windows\System32\SearchProtocolHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe
PID 4228 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe
PID 4228 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe
PID 4228 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
PID 4228 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
PID 4228 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe
PID 1920 wrote to memory of 1020 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\System32\SearchProtocolHost.exe
PID 1920 wrote to memory of 1020 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\System32\SearchProtocolHost.exe
PID 2500 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
PID 2500 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
PID 2500 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
PID 1920 wrote to memory of 4888 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1920 wrote to memory of 4888 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1920 wrote to memory of 4904 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1920 wrote to memory of 4904 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 5292 wrote to memory of 6044 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\System32\cmd.exe
PID 5292 wrote to memory of 6044 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\System32\cmd.exe
PID 6044 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 6044 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 5292 wrote to memory of 5580 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\system32\cmd.exe
PID 5292 wrote to memory of 5580 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\system32\cmd.exe
PID 5292 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\System32\bindsvc.exe
PID 5292 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\System32\bindsvc.exe
PID 5292 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe C:\Windows\System32\bindsvc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe

"C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe" "C:\Users\Admin\AppData\Local\Temp\ubwesknsgx.exe" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe

C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\System32\SearchProtocolHost.exe

"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e7a1294ae66a9b255f984b45c5a1a3e6_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 828 2640 2204 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 828 2768 2344 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}

C:\Windows\System32\cmd.exe

/c sc config msdtc obj= LocalSystem

C:\Windows\system32\sc.exe

sc config msdtc obj= LocalSystem

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1Ib3S27M.bat"

C:\Windows\System32\bindsvc.exe

"C:\Windows\System32\bindsvc.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\ucedpsljke.exe

MD5 e48b89715bf5e4c55eb5a1fed67865d9
SHA1 89a287da39e14b02cdc284eb287549462346d724
SHA256 c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA512 4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

C:\Users\Admin\AppData\Local\Temp\ubwesknsgx.exe

MD5 f659ba68d92152adb1b88fece9c9bda5
SHA1 c5b10c7b66b35bcbd7e1ab6cd36bb8439d80214d
SHA256 b1955a36fee6be734dbe3fd7f68eec972cbaf9af4b694f3bf718f85689e2235a
SHA512 de4b9764291100b40d9bd6620d1ef19c9552760441d266073017f577e2f8475e4884a6ce5587bd045f7e90e2faf1f97b229965974f1fd81cf58140b6d05098f0

C:\Users\Admin\AppData\Local\Temp\xlctnlefhk.exe

MD5 2c2029588ad8b86759c17b7ae885ee03
SHA1 91653b5344d4c210201218e2f215dd5228d76799
SHA256 3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
SHA512 88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

C:\Windows\System32\bindsvc.exe

MD5 7c5b397fb54d5aa06bd2a6fb99c62fee
SHA1 a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256 d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512 daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

MD5 1bfb02f2b271e4120c8a147b7faed27d
SHA1 7de18acfd9cfd7b2e4276c0f882a0086261e0b31
SHA256 4ea416ebbbf8f2d35f09514cb513796694c2bc28d41e023c5a849e1c0bcd7c02
SHA512 bc89dc24cb5926bff603dee68de40b60b59551ef750b712125bdb37caff08c6ffd45ca631230a4d149a3d23f8206e96b4718d07e0cd17dc1aa453f3ccb231a29

C:\Users\Admin\AppData\Local\Temp\1Ib3S27M.bat

MD5 2e89099b065a8497f21a87c063f7a2fa
SHA1 39b8a88357941002bc1b0279466280b034bdc3e2
SHA256 d010fbd4c4ab965ce63ce21bbb64c286c5f407b3548da5adf36e055f33738108
SHA512 4208d16d8627d310f151799299b1b59633ac7322db94cd4063b4102e652db5849e929dac723ecc3d607d706b26cdb44ed1701db77023091478d2e33c8ad23002