File name:

2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop

Full analysis: https://app.any.run/tasks/57c3997b-da30-4c95-8c97-2c8913284b3a
Verdict: Malicious activity
Analysis date: June 04, 2025, 22:48:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

1D825FE8792B3B2D8C35C1CF8E937E51

SHA1:

98C31EFAD7BFDA0449B0C1EB887BF39AF2631188

SHA256:

5CCC7CD3A7DF9C416959949A7AE0522EF7398EFA3C530BA0C36F3E1EBDE672E7

SSDEEP:

49152:L80Bq5aMuTMeQEPdlJElvd9CLRDq29veYIP/MokmIR7XjOrXBk:rBqsMuTAHgveYIMZmYXWxk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)

    • Executable content was dropped or overwritten

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)

    • The process creates files with name similar to system file names

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)

    • Executes as Windows Service

      • armsvc.exe (PID: 1072)
      • FlashPlayerUpdateService.exe (PID: 7216)
      • alg.exe (PID: 644)
      • AppVClient.exe (PID: 6880)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4268)

    • Process drops legitimate windows executable

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)

  • INFO

    • The sample compiled with english language support

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)

    • Creates files or folders in the user directory

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)

    • Reads the computer name

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)
      • FlashPlayerUpdateService.exe (PID: 7216)

    • Checks supported languages

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)
      • FlashPlayerUpdateService.exe (PID: 7216)

    • Launching a file from a Registry key

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)

    • Creates files in the program directory

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:12:17 12:13:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 240640
InitializedDataSize: 364544
UninitializedDataSize: -
EntryPoint: 0x24b9c
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 18.6.2.1
ProductVersionNumber: 2018.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Biz Secure Lab's Pvt. Ltd.
FileDescription: 1npdpro5off
FileVersion: 1.0.0.1
InternalName: 1npdpro5off.exe
LegalCopyright: Net Protector AntiVirus, All Rights Reserved
OriginalFileName: 1npdpro5off.exe
ProductName: Net Protector AntiVirus
ProductVersion: 2018.0.0.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe armsvc.exe flashplayerupdateservice.exe no specs alg.exe no specs appvclient.exe no specs diagnosticshub.standardcollector.service.exe no specs slui.exe 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
644C:\WINDOWS\System32\alg.exeC:\Windows\System32\alg.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Application Layer Gateway Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\alg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
1072"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
services.exe
User:
SYSTEM
Company:
Adobe Inc.
Integrity Level:
SYSTEM
Description:
Acrobat Update Service
Version:
1.824.460.1042
Modules
Images
c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1696"C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe" C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeexplorer.exe
User:
admin
Company:
Biz Secure Lab's Pvt. Ltd.
Integrity Level:
MEDIUM
Description:
1npdpro5off
Exit code:
3221226540
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4268C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft (R) Diagnostics Hub Standard Collector
Version:
11.00.19041.3930 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sechost.dll
5216C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5968"C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe" C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
explorer.exe
User:
admin
Company:
Biz Secure Lab's Pvt. Ltd.
Integrity Level:
HIGH
Description:
1npdpro5off
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6880C:\WINDOWS\system32\AppVClient.exeC:\Windows\System32\AppVClient.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Application Virtualization Client Service
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\appvclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp_win.dll
7216C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeservices.exe
User:
SYSTEM
Company:
Adobe
Integrity Level:
SYSTEM
Description:
Adobe® Flash® Player Update Service 32.0 r0
Exit code:
0
Version:
32,0,0,465
Modules
Images
c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
3 709
Read events
3 703
Write events
6
Delete events
0

Modification events

(PID) Process:(5968) 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation:writeName:Startup
Value:
C:\Users\admin\AppData\Local\kobprrfa
(PID) Process:(5968) 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Operation:writeName:Startup
Value:
C:\Users\admin\AppData\Local\kobprrfa
(PID) Process:(1072) armsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation:writeName:iLastSvcSuccess
Value:
1196296
(PID) Process:(1072) armsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:writeName:EnableSmartScreen
Value:
0
(PID) Process:(1072) armsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:HideSCAHealth
Value:
1
(PID) Process:(1072) armsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\S-1-5-21-1693682860-607145093-2874071422-1001
Operation:writeName:EnableNotifications
Value:
0
Executable files
122
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Users\admin\AppData\Local\kobprrfa\hihjmofb.tmpexecutable
MD5:E9BBA6F40AD1E2B35C7D7CAF8FB532DA
SHA256:61B997F2FD6BD5D43FF28568597700CD3663FE20F7917470885D2C7966C04FF3
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\1npdpro.initext
MD5:66E47F05D5C2F5B64639056B5C6CDCAF
SHA256:86483FBA3B2935F3E4CB86B8E5FBCFBD3165EF891A854CE903F0C60490B3CAB6
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\System32\alg.exeexecutable
MD5:A2BECE2987D976BA788C39515CE016EF
SHA256:F17CF37DC40AA7E2F08F3AF76FF8B7082E126EFE0DF9322C166D1C7622A32F11
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeexecutable
MD5:F5751AD50C6534F7858E0763B727FE4D
SHA256:A2E056CC46B63655AFE7370EB29E8F17FC83912385C5ED9D08A23962D60052CD
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\iafcobho.tmpexecutable
MD5:77DA953BB589ACD629371253131AD88A
SHA256:94BF6E78CDFC951B0715D74572BF5D34BD3D16793850B49EC1918C8545366024
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\SysWOW64\svchost.exeexecutable
MD5:E5C1C25C827202E2A7BDA342ABCE1456
SHA256:F71812468C14D8D106713CAF27513F5643B22C0ECBD2AF4CA86F704980620A73
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\System32\ocpcakgb.tmpexecutable
MD5:926EE9AA9FEE9A7DC3B92021E603DD4D
SHA256:5A6E821EB993B5D06164856ABA61F398D4AED9B8EB0B32BB7D3B192A704BCD20
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\SysWOW64\Macromed\Flash\meppigeo.tmpexecutable
MD5:F5751AD50C6534F7858E0763B727FE4D
SHA256:A2E056CC46B63655AFE7370EB29E8F17FC83912385C5ED9D08A23962D60052CD
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\System32\ibbmckbo.tmpexecutable
MD5:A2BECE2987D976BA788C39515CE016EF
SHA256:F17CF37DC40AA7E2F08F3AF76FF8B7082E126EFE0DF9322C166D1C7622A32F11
59682025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exeC:\Windows\System32\AppVClient.exeexecutable
MD5:926EE9AA9FEE9A7DC3B92021E603DD4D
SHA256:5A6E821EB993B5D06164856ABA61F398D4AED9B8EB0B32BB7D3B192A704BCD20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
46
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4616
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8076
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4616
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.32.133:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.32.74:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
POST
200
20.190.159.73:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
4188
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4188
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4616
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
8076
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4616
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
8076
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4616
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4616
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.4
  • 20.190.160.67
  • 20.190.160.66
  • 20.190.160.130
  • 40.126.32.140
  • 40.126.32.74
  • 20.190.160.22
  • 20.190.160.5
  • 40.126.32.72
  • 20.190.160.2
  • 20.190.160.20
  • 20.190.160.64
  • 40.126.32.136
  • 20.190.160.132
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop