Analysis Overview
SHA256
cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd
Threat Level: Shows suspicious behavior
The file 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader was found to show suspicious behavior. The family names in that name come from the submitted filename, not from the analysis: none of the signatures below attributes the sample to a malware family.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:15
Reported
2025-07-04 12:17
Platform
win11-20250619-en
Max time kernel
110s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\pwahelper.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\ie_to_edge_stub.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\nmhproxy.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\TerminalAzBridge.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_proxy.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe$ | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4796 wrote to memory of 5640 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 4796 wrote to memory of 5640 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 4796 wrote to memory of 5640 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
Network
Files
memory/424-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\905c0769f9a06c95a24ddf945\patcher.exe
| MD5 | 614153dad6bc03a96eb46e72ea0d5b75 |
| SHA1 | 05b9166159f852630be9c8df63868372b7028542 |
| SHA256 | cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd |
| SHA512 | db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456 |
C:\Program Files\7-Zip\7z.exe
| MD5 | f95912fb8ca8f66f30bc751da876f1a7 |
| SHA1 | 80603c4f79c0e526ee89e2b4e5e4cc8a2100a53a |
| SHA256 | 11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17 |
| SHA512 | d2146f9600d619441fe8233e126a0cc8f0cf843dd8ad4b5e0e736fa84ca15b750317c893d292d3b97be2e38dfd37b1368f0353575f7d53bc95d4ab8f99ccb7bb |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE$
| MD5 | 57f1d04303d3a8f9f34fe4ea103d8d75 |
| SHA1 | f2e498169ee362d09f25326d605113517c135ef8 |
| SHA256 | 21ec83741ad4c21204699c357f09d729cefa27b333c738d0c4a8d5223b301831 |
| SHA512 | c3aa74dbffd5604c9fdb4d951045f3eb3f45de842c9470328442e96af69c59d78c777e6434599167b310235d0125b5b60bea8b5137e70d3e0b73a5a1088d252e |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
| MD5 | f27d0da088fcc20719fc9e49bce0b905 |
| SHA1 | 37a85f478675d4bf5af5d22223bcb29c7526bd9a |
| SHA256 | ab052ea0d1e9ed838e657dde9ad456c907310d0492a0b3ce4bab8dbe1997f808 |
| SHA512 | 1b9acc932123385b2bfecf9215c4c9f2b36afa996d898b1cf634746efd5c4be748dfa00825a5f46a9ee5ebfcfbfd68677a55ebf225827ebd37a4241e27d5fd50 |
memory/424-1553-0x0000000000400000-0x000000000040D000-memory.dmp
memory/5640-1575-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge.exe
| MD5 | 8523e7a9144ffbe02efff44c9ae4f3d8 |
| SHA1 | 6ab9098f5e687fd1af1aec6559b76bfa5f817328 |
| SHA256 | d45a3a7556e95cf5aa8c2408931221d29b1066977793551c1133362c6f8608bb |
| SHA512 | c0f8633dde607d7cd42916748458005a849c0b9c7cb052ef0ce7b7ae1102701509e9805ca960b066e712a72c64aa31c8461ac69bceb70bd482c9cc0bc26bc0e9 |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$
| MD5 | b79ce0cfde1d1feb6e229f64cf6dfb81 |
| SHA1 | 195dea101c71f29dbea9249dc3f17ba9d05e83d5 |
| SHA256 | 9ab81db48f6a2e1b07d3843ea1b530f58ce50793c6ea8ee18ae0de65c43df2c1 |
| SHA512 | 8e5860f40ea3b814652ce8a7fb5569736e9a4d2df37c48265669c435336d19cda2e7ab068cf0dd3c40d14cfeb86dc9a6f9ba3858afccd753c9eb583d703cd6c9 |
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe$
| MD5 | 3db1a78bea3ded0da508ff96aec13d7b |
| SHA1 | 4cb7147778bec80bdf784596722966c4e30d2cf3 |
| SHA256 | 4f2d6a97493c51af5e701cc1431ac34ce767c36d75520de220f86c7b4e98ac9f |
| SHA512 | 090ab9fdd0063ee12aadf290107070f09bcf64f8251e23114053cb040f8fa27fa572dcde1624f97d764f6435489ba9342bd9c7ac20df55437ac22f74a06e9b6f |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:15
Reported
2025-07-04 12:17
Platform
win10v2004-20250610-en
Max time kernel
114s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| N/A | N/A | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 440 wrote to memory of 352 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 440 wrote to memory of 352 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
| PID 440 wrote to memory of 352 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
C:\905c0769f9a06c95a24ddf945\patcher.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
c.pki.goog is the Google Trust Services CRL/OCSP distribution host. The report does not attribute this traffic to a process, so it should not be treated as command-and-control for the sample without further evidence.
Files
memory/5948-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\905c0769f9a06c95a24ddf945\patcher.exe
| MD5 | 614153dad6bc03a96eb46e72ea0d5b75 |
| SHA1 | 05b9166159f852630be9c8df63868372b7028542 |
| SHA256 | cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd |
| SHA512 | db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456 |
C:\Program Files\7-Zip\7z.exe
| MD5 | f95912fb8ca8f66f30bc751da876f1a7 |
| SHA1 | 80603c4f79c0e526ee89e2b4e5e4cc8a2100a53a |
| SHA256 | 11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17 |
| SHA512 | d2146f9600d619441fe8233e126a0cc8f0cf843dd8ad4b5e0e736fa84ca15b750317c893d292d3b97be2e38dfd37b1368f0353575f7d53bc95d4ab8f99ccb7bb |
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe$
| MD5 | bb2d3518128232223c9d47148705fb8d |
| SHA1 | f56d6da0c690749155ad366382d67d0a916e452a |
| SHA256 | db98d5b151191a0b10288a573bac3efb306182ba8b2df370881ae37979d93798 |
| SHA512 | 4a8f6b2f2f58ea595018d426c6eb383cccfbd3523e77d4a1827e522f584ceca8147c12d7a7cd91da493927ec6ab61e0ab1893a5c0cb1de6786477a458dd6cc78 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe$
| MD5 | f27d0da088fcc20719fc9e49bce0b905 |
| SHA1 | 37a85f478675d4bf5af5d22223bcb29c7526bd9a |
| SHA256 | ab052ea0d1e9ed838e657dde9ad456c907310d0492a0b3ce4bab8dbe1997f808 |
| SHA512 | 1b9acc932123385b2bfecf9215c4c9f2b36afa996d898b1cf634746efd5c4be748dfa00825a5f46a9ee5ebfcfbfd68677a55ebf225827ebd37a4241e27d5fd50 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe$
| MD5 | e8b5bd69db003d30bf6f219858012680 |
| SHA1 | 0739b15e0f76c507fd6ab714426f2a69cfd0f85a |
| SHA256 | ff89a84f8117616c198afef00e490e51f9e88d5714688e83c59b3463ddf8d412 |
| SHA512 | 91003c008d03b123548880a64e81b85e715b0c4372eaa3e423ade8995bff1782f0e4702bddab8644145a1922fcc4f8125aaa4ba4dd81a51972f4d0a00e0fe339 |
memory/5948-1593-0x0000000000400000-0x000000000040D000-memory.dmp
memory/352-1603-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe
| MD5 | 8523e7a9144ffbe02efff44c9ae4f3d8 |
| SHA1 | 6ab9098f5e687fd1af1aec6559b76bfa5f817328 |
| SHA256 | d45a3a7556e95cf5aa8c2408931221d29b1066977793551c1133362c6f8608bb |
| SHA512 | c0f8633dde607d7cd42916748458005a849c0b9c7cb052ef0ce7b7ae1102701509e9805ca960b066e712a72c64aa31c8461ac69bceb70bd482c9cc0bc26bc0e9 |
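The signature tables in both behavioral runs are the actionable part of this report. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows copied from the behavioral2 tables and pulls out the indicators a responder would hunt for, namely the Run key persistence entry, the autorun.inf alternate data streams written onto directories, the executables created or modified under Program Files, and the cross-process memory write from cmd.exe into patcher.exe; it also flags the dropped patcher.exe as a self-copy because its SHA256 matches the submitted sample. The rules for reading rows (a path ending in `\:\<stream>` denotes a stream on a directory, and `$`-suffixed names are counted as executables) are this example's own assumptions about the report format.

```python
r"""Extract host-based indicators from Triage-style signature tables.

Added example for this page; not part of the sandbox report or its tooling.
REPORT_ROWS and the hashes are copied from the report above. The rules for
reading rows (a path of the form <dir>\:\<stream> is an alternate data
stream on a directory; a name ending in .exe or .exe$ is an executable)
are this example's own assumptions.
"""
import re

# Rows copied from the behavioral2 "Signatures" tables (raw string keeps the
# backslashes exactly as the report prints them).
REPORT_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\pwahelper.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe$ | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe | N/A |
| PID 4796 wrote to memory of 5640 | N/A | C:\Windows\system32\cmd.exe | C:\905c0769f9a06c95a24ddf945\patcher.exe |
"""

# SHA256 values from the "Files" section of behavioral2.
SAMPLE_SHA256 = "cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd"
DROPPED_SHA256 = {
    r"C:\905c0769f9a06c95a24ddf945\patcher.exe":
        "cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd",
    r"C:\Program Files\7-Zip\7z.exe":
        "11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17",
}

RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\(?P<key>.+\\Run)\\(?P<name>[^\\ ]+) = "(?P<value>.*)"$')
DIR_ADS_RE = re.compile(r"^(?P<dir>[A-Za-z]:\\.*?)\\:\\(?P<stream>[^\\]+)$")
EXE_RE = re.compile(r"\.exe\$?$", re.IGNORECASE)
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")
COLUMNS = ("description", "indicator", "process", "target")


def parse_signature_rows(text):
    """Turn markdown table rows into dicts keyed by COLUMNS; header rows are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "Description":
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def extract_iocs(rows):
    """Group the rows into the indicators a responder would hunt for."""
    iocs = {"run_keys": set(), "dir_ads": set(), "created_exes": set(),
            "modified_exes": set(), "process_writes": set(), "processes": set()}
    for row in rows:
        desc, ind = row["description"], row["indicator"]
        iocs["processes"].add(row["process"])
        m = RUN_KEY_RE.match(ind)
        if desc.startswith("Set value") and m:
            # The report doubles the backslashes inside the quoted value.
            value = m["value"].replace("\\\\", "\\")
            iocs["run_keys"].add(("HKLM\\" + m["key"], m["name"], value))
            continue
        m = DIR_ADS_RE.match(ind)
        if m:
            # <dir>\:\<stream>: an alternate data stream attached to a directory.
            iocs["dir_ads"].add((m["dir"], m["stream"]))
            continue
        if desc == "File created" and EXE_RE.search(ind):
            iocs["created_exes"].add(ind)
        elif desc == "File opened for modification" and EXE_RE.search(ind):
            iocs["modified_exes"].add(ind)
        m = WRITE_RE.match(desc)
        if m:
            iocs["process_writes"].add(
                (int(m["src"]), row["process"], int(m["dst"]), row["target"]))
    return {kind: sorted(items) for kind, items in iocs.items()}


def self_copies(sample_sha256, dropped):
    """Dropped files whose SHA256 equals the submitted sample's: the payload copied itself."""
    return sorted(path for path, digest in dropped.items() if digest == sample_sha256)


if __name__ == "__main__":
    found = extract_iocs(parse_signature_rows(REPORT_ROWS))
    for kind, items in found.items():
        print(kind)
        for item in items:
            print("   ", item)
    print("self-copies:", self_copies(SAMPLE_SHA256, DROPPED_SHA256))
```

The `run_keys` entry converts the kernel-style `\REGISTRY\MACHINE` prefix to `HKLM` so it can be pasted into a registry query on a suspect host, and the `dir_ads` entries name the directory to enumerate streams on rather than a file, which is what the `\:\autorun.inf` form in the report indicates. Feeding the full tables from both runs through the same functions gives the complete list of Program Files executables the two processes touched.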