Analysis Overview
SHA256
06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7
Threat Level: Shows suspicious behavior
The file 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
NTFS ADS
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:13
Reported
2025-07-04 12:15
Platform
win10v2004-20250502-en
Max time kernel
77s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\nmhproxy.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1236 wrote to memory of 5216 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 1236 wrote to memory of 5216 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 1236 wrote to memory of 5216 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4100-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\905c0769f9a06c95a24ddf945\patcher.exe
| MD5 | 5253f80680a0966e9548d7cf95b5b5c4 |
| SHA1 | 20d74b053bb8dc68fcb05563f1a9c1f36ebd1232 |
| SHA256 | 06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7 |
| SHA512 | b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad |
memory/5216-8-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files\7-Zip\7z.exe
| MD5 | b0270b8614e645872c933e0865502ba0 |
| SHA1 | a5ccd773220a84b34ee9e25d853b374cfbb0ccb7 |
| SHA256 | 255f9cdf8a15d08dcb4ecbfd6d9103d71debf118c5902993864ccb3aa36412fa |
| SHA512 | 1f88569da608f18ced492df1f75b5d773b9627ffb9a7ee90992f32351add15f4c49e1dfcbb0bc84a22c1cf5d1244b104b223dff74dc7e65316d478e8a909c827 |
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe
| MD5 | 21ff3bbe993c594f1b33e41c52a6c9b4 |
| SHA1 | ee2a9a3a2cf07d025d9e5c67ddb3cebb09295001 |
| SHA256 | 1057fa462cd6a939fd3a5a062c495a4c408f6801e73f33e4948f1930b7595fce |
| SHA512 | 1dff09fed010b9fad795694e59ea365f83f2d71ebb685b83b167a133a26d7e85d2a94e41886a2779980bbfebefeab08573d37b2cf8142433e0002318b4bacdd5 |
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe$
| MD5 | c6d24019b33ace88abb086b07cb322ea |
| SHA1 | 6d754003889b0a8c7eb72c8b2e64078908d4250d |
| SHA256 | 2828320f6a29e8e8ecbace4ed060fd259f77aaf7883e43524edb3e7dc81f1161 |
| SHA512 | f2b6a2dccacbb741c44b9be34f8bb0a241eead9a4097293c831c3fadca36164f1c756a727d3990a35f4261ba62731c327869c1b9508906cb98d2b3854771d62c |
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
| MD5 | dca2781ea20ba661e9ffe74824b9a743 |
| SHA1 | 2f678da436f4538b8594824aecacafe74f41fb66 |
| SHA256 | f06285ea3b1a92ef220c9bdd5a846f9fae7babfa46cf2270dc4118cca7e7e549 |
| SHA512 | 8f4cabb4201c2d9cc5919298aa6b19ec40a25ea647e6ace94073398ef6162ec8bac1b7d900b52e1a9d60fd7ee0756af50e4c09c3e87ae1de251177e7279eb4ea |
C:\Program Files\Microsoft Office\root\Integration\Integrator.exe$
| MD5 | 6cabd9ba06b333d145c91c44b3f42557 |
| SHA1 | b483b6cb35c6d915a57963c8b6ff3514193a7428 |
| SHA256 | 9fff3278eeff628fad43fda97dec40523781d013d269f530e13ed2400a27ceff |
| SHA512 | 1be4a74f7811edf7e8434b6502b1b4070deb16f3e0b7dffdb0ece3b1b8dc601d7602aafb199591943438a182dca3064636047ae0742af3f16a305213ffa34ff3 |
C:\Program Files\Mozilla Firefox\uninstall\helper.exe$
| MD5 | abc22efad8b836f080f606004bd4ddf2 |
| SHA1 | 2146661ddc263473ec7861bc51ea11b01edfab2f |
| SHA256 | 7145edc466c893789904636f602fdeb8ecff1ef02691d58f84f7144097f867db |
| SHA512 | e48a50e352cb76d345c69e6bf9ed9f5355dcff8e31cff297f293cb03730fadd35adbaf919d88bc32d094a5c0de31c3f2eda2e33ba82f24ed0b37b73b3996d039 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
| MD5 | 2e00fb4e11dfa8d7646c100f6861ef6c |
| SHA1 | 827a34a276fcd853b752c9920ade0fedb3eaa466 |
| SHA256 | 0bba7bbaf9f7bcc5e1e47861fe4d2e67f78ba5138a6514a3ca86d05e1e2a03cf |
| SHA512 | 0dbee7a6ff9d4ca0955e3b7cae5890bf68e064940e2ffc606320767d23220864e3b8c7b85e4f49880454d4c50bb5ce4ebbdfdadcd9e594db10cfc20f57cc64ae |
memory/4100-1718-0x0000000000400000-0x000000000040D000-memory.dmp
memory/5216-1726-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe
| MD5 | b6f7d098c817059a2a968ec14d166098 |
| SHA1 | c013fbbe893eda87d5c629aea688200140a0b5e8 |
| SHA256 | e913cd28d6fc2faa18dbd4c959db093700d669f3099b4731947dd09503d83813 |
| SHA512 | 0dfeedfbe92e04ebba266396b55cb7b58e2cb6700b5b846848b877a8a10eb9f86addf0e18056b7a61e2fcd0bcf1c3b3e39ff9c9dd20faa7ae853a9abf9b7d7ec |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:13
Reported
2025-07-04 12:15
Platform
win11-20250610-en
Max time kernel
123s
Max time network
106s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ie_to_edge_stub.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdate.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Cortana.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\PilotshubApp.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevated_tracing_service.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Todo.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_173546\javaws.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ie_to_edge_stub.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3592 wrote to memory of 5356 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 3592 wrote to memory of 5356 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 3592 wrote to memory of 5356 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
Network
Files
memory/5292-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\905c0769f9a06c95a24ddf945\patcher.exe
| MD5 | 5253f80680a0966e9548d7cf95b5b5c4 |
| SHA1 | 20d74b053bb8dc68fcb05563f1a9c1f36ebd1232 |
| SHA256 | 06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7 |
| SHA512 | b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad |
memory/5356-8-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files\7-Zip\7z.exe
| MD5 | b0270b8614e645872c933e0865502ba0 |
| SHA1 | a5ccd773220a84b34ee9e25d853b374cfbb0ccb7 |
| SHA256 | 255f9cdf8a15d08dcb4ecbfd6d9103d71debf118c5902993864ccb3aa36412fa |
| SHA512 | 1f88569da608f18ced492df1f75b5d773b9627ffb9a7ee90992f32351add15f4c49e1dfcbb0bc84a22c1cf5d1244b104b223dff74dc7e65316d478e8a909c827 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe
| MD5 | abc22efad8b836f080f606004bd4ddf2 |
| SHA1 | 2146661ddc263473ec7861bc51ea11b01edfab2f |
| SHA256 | 7145edc466c893789904636f602fdeb8ecff1ef02691d58f84f7144097f867db |
| SHA512 | e48a50e352cb76d345c69e6bf9ed9f5355dcff8e31cff297f293cb03730fadd35adbaf919d88bc32d094a5c0de31c3f2eda2e33ba82f24ed0b37b73b3996d039 |
memory/5292-1565-0x0000000000400000-0x000000000040D000-memory.dmp
memory/5356-1566-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe$
| MD5 | 2e0750bfcf10cfcfbc248d783ff0aba8 |
| SHA1 | a7bc8d6b709e057000be3dd20812bcd9ba7ed8c1 |
| SHA256 | 2d47d748b55e878907a32b9a5185f54c17423ff892276aff86a33c0bef915690 |
| SHA512 | 2d2703c07182278caef813e5c42f03ce46d78f94f6aa8403efc400357897238da052a202cfdf1ea52267a3a000eb9154a57aa49fdb6cd61507e5908056dcea33 |
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe
| MD5 | b6f7d098c817059a2a968ec14d166098 |
| SHA1 | c013fbbe893eda87d5c629aea688200140a0b5e8 |
| SHA256 | e913cd28d6fc2faa18dbd4c959db093700d669f3099b4731947dd09503d83813 |
| SHA512 | 0dfeedfbe92e04ebba266396b55cb7b58e2cb6700b5b846848b877a8a10eb9f86addf0e18056b7a61e2fcd0bcf1c3b3e39ff9c9dd20faa7ae853a9abf9b7d7ec |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe$
| MD5 | 41909cd292b08ece310f3cce91275af9 |
| SHA1 | b0f0a164488261c2652d282ccb4c2b1ea8c32628 |
| SHA256 | f558db2c13e097f8f7f528f087036957fd1364c8ba16a07e33afaeff652664b1 |
| SHA512 | 59c695643094a225e58760e8988c8c1f5e5aabc1cc02e533c7d2adf826ad3d6f3e9a4a3189c75de8992d38c4d2fa866a5f2111c750877ffc3d71437d48a32c8a |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$
| MD5 | 03cce3788923b7c22d674c605ee53900 |
| SHA1 | 30f34757c96f5dc9ec95f7743905d37bd4093d33 |
| SHA256 | 9cdee110bd5384b35e9874ebe5c6253e58f3eb38bcd58b9fbfd7e6c611add3ea |
| SHA512 | a611d966db7c2b22f95ddf491ae86920626e574c7312e3c767ce653b0e38e363fc6bf801f2fd356fdce68e8f1099aac04f85c85c8884e34cf68757891a60c665 |