File name:

2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop

Full analysis: https://app.any.run/tasks/57c3997b-da30-4c95-8c97-2c8913284b3a
Verdict: Malicious activity
Analysis date: June 04, 2025, 22:48:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

1D825FE8792B3B2D8C35C1CF8E937E51

SHA1:

98C31EFAD7BFDA0449B0C1EB887BF39AF2631188

SHA256:

5CCC7CD3A7DF9C416959949A7AE0522EF7398EFA3C530BA0C36F3E1EBDE672E7

SSDEEP:

49152:L80Bq5aMuTMeQEPdlJElvd9CLRDq29veYIP/MokmIR7XjOrXBk:rBqsMuTAHgveYIMZmYXWxk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
    • The process creates files with name similar to system file names

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
    • Executable content was dropped or overwritten

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)
    • Executes as Windows Service

      • armsvc.exe (PID: 1072)
      • FlashPlayerUpdateService.exe (PID: 7216)
      • alg.exe (PID: 644)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4268)
      • AppVClient.exe (PID: 6880)
    • Process drops legitimate windows executable

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)
  • INFO

    • The sample compiled with english language support

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)
    • Checks supported languages

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • armsvc.exe (PID: 1072)
      • FlashPlayerUpdateService.exe (PID: 7216)
    • Reads the computer name

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
      • FlashPlayerUpdateService.exe (PID: 7216)
      • armsvc.exe (PID: 1072)
    • Creates files or folders in the user directory

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
    • Launching a file from a Registry key

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
    • Creates files in the program directory

      • 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (PID: 5968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:12:17 12:13:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 240640
InitializedDataSize: 364544
UninitializedDataSize: -
EntryPoint: 0x24b9c
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 18.6.2.1
ProductVersionNumber: 2018.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Biz Secure Lab's Pvt. Ltd.
FileDescription: 1npdpro5off
FileVersion: 1.0.0.1
InternalName: 1npdpro5off.exe
LegalCopyright: Net Protector AntiVirus, All Rights Reserved
OriginalFileName: 1npdpro5off.exe
ProductName: Net Protector AntiVirus
ProductVersion: 2018.0.0.1
No data.
All screenshots are available in the full report
Total processes
133
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

start
2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
armsvc.exe
flashplayerupdateservice.exe (no specs)
alg.exe (no specs)
appvclient.exe (no specs)
diagnosticshub.standardcollector.service.exe (no specs)
slui.exe
2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
644 | C:\WINDOWS\System32\alg.exe | C:\Windows\System32\alg.exe | services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Application Layer Gateway Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\alg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
1072 | "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | services.exe
User:
SYSTEM
Company:
Adobe Inc.
Integrity Level:
SYSTEM
Description:
Acrobat Update Service
Version:
1.824.460.1042
Modules
Images
c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1696 | "C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe" | C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | explorer.exe
User:
admin
Company:
Biz Secure Lab's Pvt. Ltd.
Integrity Level:
MEDIUM
Description:
1npdpro5off
Exit code:
3221226540
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4268 | C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft (R) Diagnostics Hub Standard Collector
Version:
11.00.19041.3930 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sechost.dll
5216 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5968 | "C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe" | C:\Users\admin\Desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | explorer.exe
User:
admin
Company:
Biz Secure Lab's Pvt. Ltd.
Integrity Level:
HIGH
Description:
1npdpro5off
Version:
1.0.0.1
Modules
Images
c:\users\admin\desktop\2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6880 | C:\WINDOWS\system32\AppVClient.exe | C:\Windows\System32\AppVClient.exe | services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Application Virtualization Client Service
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\appvclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp_win.dll
7216 | C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | services.exe
User:
SYSTEM
Company:
Adobe
Integrity Level:
SYSTEM
Description:
Adobe® Flash® Player Update Service 32.0 r0
Exit code:
0
Version:
32,0,0,465
Modules
Images
c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
3 709
Read events
3 703
Write events
6
Delete events
0

Modification events

(PID) Process:
(5968) 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation:
write
Name:
Startup
Value:
C:\Users\admin\AppData\Local\kobprrfa
(PID) Process:
(5968) 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Operation:
write
Name:
Startup
Value:
C:\Users\admin\AppData\Local\kobprrfa
(PID) Process:
(1072) armsvc.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation:
write
Name:
iLastSvcSuccess
Value:
1196296
(PID) Process:
(1072) armsvc.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation:
write
Name:
EnableSmartScreen
Value:
0
(PID) Process:
(1072) armsvc.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:
write
Name:
HideSCAHealth
Value:
1
(PID) Process:
(1072) armsvc.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\S-1-5-21-1693682860-607145093-2874071422-1001
Operation:
write
Name:
EnableNotifications
Value:
0
Executable files
122
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\iafcobho.tmp | executable
MD5: 77DA953BB589ACD629371253131AD88A
SHA256: 94BF6E78CDFC951B0715D74572BF5D34BD3D16793850B49EC1918C8545366024
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\kobprrfa\hihjmofb.tmp | executable
MD5: E9BBA6F40AD1E2B35C7D7CAF8FB532DA
SHA256: 61B997F2FD6BD5D43FF28568597700CD3663FE20F7917470885D2C7966C04FF3
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\kobprrfa\cmd.exe | executable
MD5: D3348AC2130C7E754754A6E9CB053B09
SHA256: E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | executable
MD5: 25895D70663259D3F14A16EEFBDD99B7
SHA256: CF4AC6C89054E6810FB45E2D61894E61A3F3566EA37F4691792D89CED0D40D83
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Windows\SysWOW64\hemjemqi.tmp | executable
MD5: A0AF29ED2D390E608A31777050A8E9F3
SHA256: 855FE0FEF20ADEF5598835697818DA2F046912EF3F21CE854885CFE97690B930
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\pacahqie.tmp | executable
MD5: 8C30E8F0815AB487FDBB182D7A1A71AF
SHA256: 03D3D203C10DD325D53F3F2135E2C15DED3BC4EF48A4A27E4F521510874A6646
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Windows\System32\alg.exe | executable
MD5: A2BECE2987D976BA788C39515CE016EF
SHA256: F17CF37DC40AA7E2F08F3AF76FF8B7082E126EFE0DF9322C166D1C7622A32F11
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Windows\System32\DiagSvcs\njbfppqi.tmp | executable
MD5: 25895D70663259D3F14A16EEFBDD99B7
SHA256: CF4AC6C89054E6810FB45E2D61894E61A3F3566EA37F4691792D89CED0D40D83
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Windows\System32\ibbmckbo.tmp | executable
MD5: A2BECE2987D976BA788C39515CE016EF
SHA256: F17CF37DC40AA7E2F08F3AF76FF8B7082E126EFE0DF9322C166D1C7622A32F11
5968 | 2025-06-04_1d825fe8792b3b2d8c35c1cf8e937e51_amadey_darkgate_elex_smoke-loader_stop.exe | C:\Windows\SysWOW64\dllhost.exe | executable
MD5: A0AF29ED2D390E608A31777050A8E9F3
SHA256: 855FE0FEF20ADEF5598835697818DA2F046912EF3F21CE854885CFE97690B930
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
46
DNS requests
18
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4616 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
8076 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4616 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.133:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.74:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
4188 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
4188 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4616 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
8076 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4616 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
8076 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4616 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4616 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.4
  • 20.190.160.67
  • 20.190.160.66
  • 20.190.160.130
  • 40.126.32.140
  • 40.126.32.74
  • 20.190.160.22
  • 20.190.160.5
  • 40.126.32.72
  • 20.190.160.2
  • 20.190.160.20
  • 20.190.160.64
  • 40.126.32.136
  • 20.190.160.132
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted

Threats

No threats detected
No debug info