File name: 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/b3093cb4-31c4-467d-9888-d383dd5fff13
Verdict: Malicious activity
Analysis date: July 06, 2025, 00:10:41
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: D759E40943B57A9014FF2EEF8EFF10F3
SHA1: 71F18B2B593413B78F5531485C8E3888B07853F3
SHA256: 1508BF77EE4A524B9DB09258E85D75F4BAD9B3D3654C3B99FBDDA8C19329E2C1
SSDEEP: 98304:KC9Vw29vx1jFUaxkEf8h/SuEcn0rLQxIWKOROg7gmsCQYEqZdOt+0zPD6Rc6d+lS:FcqCdt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • svchost.exe (PID: 2200)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4824)
      • b25f6a20 (PID: 7076)
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Application launched itself
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4824)
    • Executable content was dropped or overwritten
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Executes as a Windows Service
      • b25f6a20 (PID: 7076)
    • Connects to a server without a host name
      • b25f6a20 (PID: 7076)
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Contacts a server suspected of hosting a CnC
      • svchost.exe (PID: 2200)
  • INFO
    • Reads the computer name
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4824)
    • The sample was compiled with Chinese language support
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4824)
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Process checks computer location settings
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4824)
    • Checks supported languages
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4824)
      • b25f6a20 (PID: 7076)
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Reads the software policy settings
      • b25f6a20 (PID: 7076)
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
      • slui.exe (PID: 4708)
    • Reads the machine GUID from the registry
      • b25f6a20 (PID: 7076)
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Checks proxy server information
      • 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
      • slui.exe (PID: 4708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:23 07:18:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 145408
InitializedDataSize: 236544
UninitializedDataSize: -
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1610
ProductVersionNumber: 23.9.20.1610
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1610
ProductVersion: 23, 9, 20, 1610
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

start → 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe (no specs) → 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe, b25f6a20, slui.exe, svchost.exe

Process information

PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 4708
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4824
CMD: "C:\Users\admin\Desktop\2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Version: 23, 9, 20, 1610
Modules (Images):
c:\users\admin\desktop\2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 4984
CMD: "C:\Users\admin\Desktop\2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Parent process: 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
User: admin
Integrity Level: HIGH
Version: 23, 9, 20, 1610
Modules (Images):
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\wldp.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\kernel.appcore.dll

PID: 7076
CMD: C:\Windows\Syswow64\b25f6a20
Path: C:\Windows\SysWOW64\b25f6a20
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version: 23, 9, 20, 1610
Modules (Images):
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\wldp.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\ondemandconnroutehelper.dll
c:\windows\syswow64\winhttp.dll
Total events: 10 978
Read events: 10 975
Write events: 3
Delete events: 0

Modification events

(PID) Process: (4984) 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4984) 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4984) 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 4984
Process: 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Windows\SysWOW64\b25f6a20
Type: executable
MD5: B52D1435C19AE6A22276F1A99C831B87
SHA256: 5E464FF258CA0A1F03266041870087054009C1169CB2E178FFD0D133803C510D

PID: 7076
Process: b25f6a20
Filename: C:\Windows\7924c8
Type: text
MD5: D4440F44EDC96455D48DF265B204F20A
SHA256: E7DDB8C7E5D29916E089ED15198AF28DEB2D8F87C3194ADC1834F586B1351B33

PID: 4984
Process: 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Windows\5553f0
Type: text
MD5: 1D75F2671D6E24BC2D2BF124AFDF817F
SHA256: 3BDF6F8F8FD18F0A361A94A334978EB3822E60395AA18A38892D83DD91D27C7D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 124
TCP/UDP connections: 178
DNS requests: 30
Threats: 47

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | SE | binary | 825 b | whitelisted
 | | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | SE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | SE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
 | | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
 | | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | whitelisted
 | | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | CN | binary | 253 b | whitelisted
7076 | b25f6a20 | GET | 200 | 223.5.5.5:80 | http://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | whitelisted
7076 | b25f6a20 | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
 | | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
 | | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 2.20.245.139, 2.20.245.136 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
down.nugong.asia | | unknown
dns.alidns.com | 223.5.5.5, 223.6.6.6 | whitelisted
down.xy58.top | 54.156.158.84 | unknown
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
x1.c.lencr.org | 2.23.197.184 | whitelisted
0d78fe00f48f2148.tyui54345.xyz | | unknown

Threats

PID | Process | Class | Message
7076 | b25f6a20 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (7 identical alerts)
7076 | b25f6a20 | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
4984 | 2025-07-05_d759e40943b57a9014ff2eef8eff10f3_amadey_darkgate_elex_mafia_rhadamanthys_smoke-loader_stop.exe | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
 | | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
No debug info