Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-pgw5yssxay
Target 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader
SHA256 518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54
Tags
discovery persistence spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:18

Reported

2025-07-04 12:21

Platform

win10v2004-20250619-en

Max time kernel

80s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Windows\SysWOW64\:\autorun.inf C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\:\autorun.inf C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 3520 N/A C:\Windows\system32\cmd.exe C:\905c0769f9a06c95a24ddf945\patcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\905c0769f9a06c95a24ddf945\patcher.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/352-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\905c0769f9a06c95a24ddf945\patcher.exe

MD5 8f09effb3c6427dae90e629653ddcd4f
SHA1 8b018f7645045712327f4993938680f6e2e99c75
SHA256 518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54
SHA512 ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:18

Reported

2025-07-04 12:21

Platform

win11-20250610-en

Max time kernel

122s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Windows\SysWOW64\:\autorun.inf C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\:\autorun.inf C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5876 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\905c0769f9a06c95a24ddf945\patcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\905c0769f9a06c95a24ddf945\patcher.exe

Network

Files

memory/1164-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$

memory/1164-1554-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2936-1555-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe$

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe$

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe$
