File name: 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/b8434c5d-bff2-4438-b22e-0308b5a23897
Verdict: Malicious activity
Analysis date: May 16, 2025, 13:01:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
phishing
websocket
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 93C0F6607C182129B3BCA5EF572FB33F
SHA1: 89EF341B44236508411F8E3E2A63B1BE463984F9
SHA256: 67AE3C4AAEB812423554389A6892CDED42F9A523FE258664D4C4F8DB7E3D9CE4
SSDEEP: 24576:s6hQgV2kJHO9U9hgKo5f5XAKib08tJ96vAEfYF2wt/umw8zcQKCAizXA:s6hQgV2kJgU9hgf5f5XAKig8z96vAEf/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 3768)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • bcpzblxbpt.exe (PID: 1452)
      • bcpzblxbpt.exe (PID: 5380)
      • ekmwvscnla.exe (PID: 2152)
    • Reads security settings of Internet Explorer

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • bcpzblxbpt.exe (PID: 1452)
      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 728)
      • ekmwvscnla.exe (PID: 2152)
    • Process drops legitimate windows executable

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • bcpzblxbpt.exe (PID: 5380)
    • Starts a Microsoft application from unusual location

      • bcpzblxbpt.exe (PID: 1452)
      • bcpzblxbpt.exe (PID: 5380)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 728)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7428)
    • Starts CMD.EXE for commands execution

      • bcpzblxbpt.exe (PID: 5380)
    • Uses pipe srvsvc via SMB (transferring data)

      • bindsvc.exe (PID: 7636)
    • The process executes via Task Scheduler

      • verclsid.exe (PID: 4164)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 7344)
    • Executing commands from a ".bat" file

      • bcpzblxbpt.exe (PID: 5380)
  • INFO

    • Checks supported languages

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • ekmwvscnla.exe (PID: 2152)
      • bcpzblxbpt.exe (PID: 1452)
      • GIZGZPJM.exe (PID: 7000)
      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 728)
      • bcpzblxbpt.exe (PID: 5380)
      • bindsvc.exe (PID: 7636)
      • identity_helper.exe (PID: 8512)
    • NirSoft software is detected

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 728)
    • Create files in a temporary directory

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • bcpzblxbpt.exe (PID: 5380)
    • Reads the computer name

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • bcpzblxbpt.exe (PID: 1452)
      • GIZGZPJM.exe (PID: 7000)
      • ekmwvscnla.exe (PID: 2152)
      • bcpzblxbpt.exe (PID: 5380)
      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 728)
      • bindsvc.exe (PID: 7636)
      • identity_helper.exe (PID: 8512)
    • The sample compiled with english language support

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • ekmwvscnla.exe (PID: 2152)
      • bcpzblxbpt.exe (PID: 5380)
    • Process checks computer location settings

      • 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe (PID: 1052)
      • bcpzblxbpt.exe (PID: 1452)
      • ekmwvscnla.exe (PID: 2152)
    • Creates files in the program directory

      • bcpzblxbpt.exe (PID: 1452)
      • SearchIndexer.exe (PID: 4688)
    • Reads the machine GUID from the registry

      • GIZGZPJM.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 3768)
      • SearchProtocolHost.exe (PID: 2320)
    • Executes as Windows Service

      • SearchIndexer.exe (PID: 4688)
    • Application launched itself

      • msedge.exe (PID: 1324)
    • Creates files or folders in the user directory

      • bindsvc.exe (PID: 7636)
    • Reads Environment values

      • identity_helper.exe (PID: 8512)
    • UPX packer has been detected

      • bindsvc.exe (PID: 7636)
    • Checks proxy server information

      • slui.exe (PID: 5364)
    • Reads the software policy settings

      • slui.exe (PID: 5364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
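The signatures above describe a chain that a host-based detection can reconstruct from process-creation and file-write events alone: the sample (a NirSoft BatteryInfoView build) drops executables into the user's Temp directory, the dropped bcpzblxbpt.exe carries a Microsoft description yet runs from Temp, a second, elevated copy appears alongside a dllhost.exe flagged for a known privilege-escalation attack (CMSTPLUA in the behaviour graph), it writes bindsvc.exe into SysWOW64, and cmd.exe then launches sc.exe for service management. The following is an added example, not ANY.RUN's detection code: it runs five such rules over a constructed Sysmon-style event list built from the PIDs and paths in this report. Parent PIDs are inferred from the parent-name column, the 5380-under-dllhost.exe link and the dllhost.exe command line (with the ICMLuaUtil CLSID that CMSTPLUA bypasses use) are assumptions, and the events carry no command lines the report does not show.

```python
"""Detection logic for the behaviours ANY.RUN flagged on this sample.

Added example, not ANY.RUN tooling. EVENTS is constructed from the report's
process tree; parent links the report does not state (5380 under dllhost.exe)
and the dllhost.exe command line are assumptions, marked inline."""
import re

SAMPLE = r"C:\Users\admin\Desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # ICMLuaUtil, used by CMSTPLUA UAC bypasses

# Constructed Sysmon-style events mirroring the report (PIDs and paths from the page).
EVENTS = [
    {"kind": "process", "pid": 1052, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "company": "NirSoft", "description": "BatteryInfoView"},
    {"kind": "file", "pid": 1052, "image": SAMPLE, "target": TEMP + r"\kyozggtnku.exe"},
    {"kind": "file", "pid": 1052, "image": SAMPLE, "target": TEMP + r"\bcpzblxbpt.exe"},
    {"kind": "process", "pid": 1452, "ppid": 1052, "image": TEMP + r"\bcpzblxbpt.exe", "parent_image": SAMPLE,
     "company": "Microsoft Corporation", "description": "Digitizer to Monitor Mapping Tool"},
    # ASSUMED: the report flags dllhost.exe (3768) for privilege escalation and shows CMSTPLUA in the
    # graph; the command line below and 5380's parent link are what that pattern usually looks like.
    {"kind": "process", "pid": 3768, "image": r"C:\Windows\System32\dllhost.exe", "company": "Microsoft Corporation",
     "cmdline": "C:\\Windows\\System32\\dllhost.exe /Processid:" + CMSTPLUA_CLSID},
    {"kind": "process", "pid": 5380, "ppid": 3768, "image": TEMP + r"\bcpzblxbpt.exe",
     "parent_image": r"C:\Windows\System32\dllhost.exe", "company": "Microsoft Corporation",
     "description": "Digitizer to Monitor Mapping Tool"},
    {"kind": "file", "pid": 5380, "image": TEMP + r"\bcpzblxbpt.exe", "target": r"C:\Windows\SysWOW64\bindsvc.exe"},
    {"kind": "process", "pid": 7344, "ppid": 5380, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": TEMP + r"\bcpzblxbpt.exe", "company": "Microsoft Corporation"},
    {"kind": "process", "pid": 7428, "ppid": 7344, "image": r"C:\Windows\SysWOW64\sc.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "company": "Microsoft Corporation"},
    {"kind": "process", "pid": 1324, "ppid": 1052, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": SAMPLE, "company": "Microsoft Corporation",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --single-argument https://www.nirsoft.net/'},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)           # Desktop, Downloads, Temp, ...
TRUSTED_DIRS = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|sys)$", re.I)


def ancestry(pid, procs):
    """Yield the image of pid and of every recorded ancestor (stops at an unknown PID)."""
    while pid in procs:
        yield procs[pid]["image"]
        pid = procs[pid].get("ppid")


def detect(events):
    """Return (rule, pid, detail) for every event that matches one of the rules."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if e["kind"] == "file":
            # "Executable content was dropped": a user-path process writes an executable into a user path
            if EXECUTABLE.search(e["target"]) and USER_WRITABLE.match(e["target"]) and USER_WRITABLE.match(e["image"]):
                hits.append(("exe_dropped_in_user_dir", e["pid"], e["target"]))
            # bindsvc.exe landing in SysWOW64 from a process that itself lives in Temp
            if SYSTEM_DIRS.match(e["target"]) and not TRUSTED_DIRS.match(e["image"]):
                hits.append(("system_dir_write_from_untrusted_path", e["pid"], e["target"]))
            continue
        # "Starts a Microsoft application from unusual location": version info says Microsoft, path says Temp
        if e.get("company") == "Microsoft Corporation" and not TRUSTED_DIRS.match(e["image"]):
            hits.append(("microsoft_binary_from_unusual_location", e["pid"], e["image"]))
        # sc.exe is normal; sc.exe whose parent chain starts in a user-writable directory is not
        if e["image"].lower().endswith("\\sc.exe") and any(USER_WRITABLE.match(a) for a in ancestry(e.get("ppid"), procs)):
            hits.append(("sc_exe_under_user_dir_ancestor", e["pid"], e.get("parent_image", "")))
        # an untrusted-path child of the COM surrogate is the shape of a CMSTPLUA (ICMLuaUtil) elevation
        if e.get("parent_image", "").lower().endswith("\\dllhost.exe") and not TRUSTED_DIRS.match(e["image"]):
            parent_cmd = procs.get(e.get("ppid"), {}).get("cmdline", "")
            why = "CMSTPLUA surrogate" if CMSTPLUA_CLSID in parent_cmd else "COM surrogate"
            hits.append(("untrusted_child_of_com_surrogate", e["pid"], why))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:40} PID {pid:<6} {detail}")
```

The ancestry walk is what separates this from a per-event signature: sc.exe under cmd.exe is unremarkable, and only the Temp-resident grandparent makes the service-management step suspicious. On a real host the same rules run over Sysmon event IDs 1 and 11, where the parent PID is recorded rather than inferred.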
No Malware configuration.

TRiD

.exe | InstallShield setup (29.8)
.exe | Win32 Executable MS Visual C++ (generic) (21.6)
.exe | Win64 Executable (generic) (19.1)
.exe | UPX compressed Win32 Executable (18.7)
.dll | Win32 Dynamic Link Library (generic) (4.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:04 08:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 50688
InitializedDataSize: 31232
UninitializedDataSize: -
EntryPoint: 0x7b1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
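The TRiD and EXIF values above (PE32, linker 10, entry point 0x7b1f, 5 sections, "UPX compressed" as one TRiD guess, and the UPX packer signature on the dropped bindsvc.exe) all come from the PE headers. The following is an added example, not ANY.RUN's code and not the sample itself: a small PE header parser that extracts the same fields, a UPX-layout check, and the upper-case hash form the report prints for IOC matching. Because the malware is not on this page, build_sample_pe() constructs a header-only PE32 in memory whose values are copied from the EXIF block; it contains no code and is labelled as constructed.

```python
"""Read the PE header fields shown in the TRiD/EXIF block above and test for the
UPX section layout the report flags on bindsvc.exe.

Added example: this is not ANY.RUN code and the bytes parsed here are not the
sample. build_sample_pe() constructs a header-only PE32 in memory, carrying the
EXIF values from the report, so the parser can be exercised offline."""
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTICS = [(0x0002, "Executable"), (0x0100, "32-bit"), (0x2000, "DLL")]
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Return the EXIF-style header fields plus the section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    linker_major, linker_minor = struct.unpack_from("<BB", data, opt + 2)
    code, init_data, uninit_data, entry = struct.unpack_from("<IIII", data, opt + 4)
    # version pairs (offset 40) and Subsystem (offset 68) share offsets in PE32 and PE32+
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize, "raw_pointer": rptr})
    return {
        "MachineType": MACHINE_NAMES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{linker_major}.{linker_minor}",
        "CodeSize": code, "InitializedDataSize": init_data, "UninitializedDataSize": uninit_data,
        "EntryPoint": hex(entry),
        "OSVersion": f"{os_maj}.{os_min}", "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{ss_maj}.{ss_min}",
        "Subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "Sections": sections,
    }


def looks_upx_packed(sections: list) -> bool:
    """UPX names its sections UPX0/UPX1(/UPX2) and leaves UPX0 with no raw data, since it is
    only the in-memory decompression target. Either trait is a packer hint; a renamed build
    usually still keeps that empty-raw-data first section."""
    if any(s["name"] in UPX_SECTION_NAMES for s in sections):
        return True
    return bool(sections) and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case form the report prints, for IOC comparison."""
    return {n: getattr(hashlib, n.lower())(data).hexdigest().upper() for n in ("MD5", "SHA1", "SHA256")}


def build_sample_pe(section_names, *, upx_layout=False) -> bytes:
    """CONSTRUCTED header-only PE32 (no code) carrying the EXIF values from the report."""
    stamp = int(datetime(2020, 3, 4, 8, 51, 19, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew: PE header right after DOS header
    opt_size = 224                                                # PE32 standard fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), stamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 10, 0, 50688, 31232, 0, 0x7B1F)  # magic, linker, sizes, entry
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)    # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<6H", opt, 40, 5, 1, 0, 0, 5, 1)            # OS 5.1, image 0.0, subsystem 5.1
    struct.pack_into("<H", opt, 68, 2)                             # Windows GUI
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    table = b""
    for i, name in enumerate(section_names):
        raw = 0 if (upx_layout and i == 0) else 0x200 * (i + 1)   # UPX0 has no raw data
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x10000, 0x1000 * (i + 1),
                             raw, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], upx_layout=True)
    info = parse_pe(packed)
    print({k: v for k, v in info.items() if k != "Sections"})
    print("UPX-like layout:", looks_upx_packed(info["Sections"]))
    print(file_hashes(packed))
```

Against a real file, read it with `open(path, "rb").read()` and compare `file_hashes()` to the MD5/SHA1/SHA256 listed above before spending time on the headers; the compile timestamp is attacker-controlled, so treat a 2020 value on a 2025 sample as a data point, not a fact.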
No data.
All screenshots are available in the full report
Total processes: 200
Monitored processes: 71
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe ekmwvscnla.exe bcpzblxbpt.exe gizgzpjm.exe no specs CMSTPLUA 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe no specs bcpzblxbpt.exe searchindexer.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs bindsvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs searchprotocolhost.exe no specs searchfilterhost.exe no specs slui.exe msedge.exe no specs verclsid.exe no specs searchprotocolhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 536
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8020 --field-trial-handle=2388,i,11677645318541681899,15023438118206248470,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 728
CMD: "C:\Users\admin\Desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Parent process: ekmwvscnla.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: BatteryInfoView
Version: 1.25
Modules (images):
c:\users\admin\desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 924
CMD: "C:\WINDOWS\system32\SearchFilterHost.exe" 0 908 912 920 8192 916 888
Path: C:\Windows\System32\SearchFilterHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Search Filter Host
Version: 7.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1052
CMD: "C:\Users\admin\Desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: BatteryInfoView
Exit code: 0
Version: 1.25
Modules (images):
c:\users\admin\desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1128
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2380 --field-trial-handle=2388,i,11677645318541681899,15023438118206248470,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1324
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nirsoft.net/
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1452
CMD: C:\Users\admin\AppData\Local\Temp\bcpzblxbpt.exe
Path: C:\Users\admin\AppData\Local\Temp\bcpzblxbpt.exe
Parent process: 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Digitizer to Monitor Mapping Tool
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\users\admin\appdata\local\temp\bcpzblxbpt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2152
CMD: "C:\Users\admin\AppData\Local\Temp\ekmwvscnla.exe" "C:\Users\admin\AppData\Local\Temp\kyozggtnku.exe" "C:\Users\admin\Desktop\2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\AppData\Local\Temp\ekmwvscnla.exe
Parent process: 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ekmwvscnla.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 2320
CMD: "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\tquery.dll
c:\windows\system32\combase.dll
PID: 2332
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7216 --field-trial-handle=2388,i,11677645318541681899,15023438118206248470,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 16 900
Read events: 16 762
Write events: 115
Delete events: 23

Modification events

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003eb
Value:

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Operation: delete value
Name: 000003eb
Value:

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003f5
Value:

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Operation: delete value
Name: 000003f5
Value:

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Search\Preferences
Operation: delete value
Name: DataDirectory
Value:

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search
Operation: write
Name: SchemaCacheTimestamp
Value: 30F44CD30259DA01

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager
Operation: write
Name: UseSystemTemp
Value: 0

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex
Operation: write
Name: SystemLcid
Value: 1033

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0
Operation: write
Name: CrawlControl
Value: 0

(PID) Process: (4688) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1
Operation: write
Name: CrawlControl
Value: 0
Executable files: 21
Suspicious files: 333
Text files: 51
Unknown types: 0

Dropped files

PID | Process | Filename | Type (hashes shown where the report lists them)

4688 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb |

1052 | 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\kyozggtnku.exe | executable
MD5: BE1B0C0CCE1C61495E49B063F92D9D82
SHA256: 8DFFB52B6826067ED8B56F549CBE53F4F5908E21582A54A9172ECFBAD90AFE37

1324 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10f445.TMP |

1324 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old |

1052 | 2025-05-16_93c0f6607c182129b3bca5ef572fb33f_amadey_darkgate_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\bcpzblxbpt.exe | executable
MD5: 2C2029588AD8B86759C17B7AE885EE03
SHA256: 3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290

1324 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10f455.TMP |

5380 | bcpzblxbpt.exe | C:\Windows\SysWOW64\bindsvc.exe | executable
MD5: 7C5B397FB54D5AA06BD2A6FB99C62FEE
SHA256: D032BDC64C9451BBB653B346C5BD6AC9F83A91EDEB0155497F098C8D6182DDEE

1324 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10f455.TMP |

1324 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old |

1324 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 37
TCP/UDP connections: 264
DNS requests: 213
Threats: 6

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
7360 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
5324 | svchost.exe | HEAD | 200 | 104.124.11.35:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1747698231&P2=404&P3=2&P4=DMD3djMIrwHrC%2f5RlpfciKFBuLnond2pl5p%2fTNM3Nbg%2bdvAJ2jI4A2IHLTjifSmXKpv0HGcRfy1EMDg2Bc6K9A%3d%3d | unknown | | | whitelisted
7360 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted
5324 | svchost.exe | GET | 206 | 104.124.11.35:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68591036-2289-4858-9f7f-9149e89c8a08?P1=1747698231&P2=404&P3=2&P4=DMD3djMIrwHrC%2f5RlpfciKFBuLnond2pl5p%2fTNM3Nbg%2bdvAJ2jI4A2IHLTjifSmXKpv0HGcRfy1EMDg2Bc6K9A%3d%3d | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1324 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
6676 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6676 | msedge.exe | 107.190.138.58:443 | www.nirsoft.net | DIMENOC | US | whitelisted
6676 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.46
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.69
  • 20.190.159.128
  • 40.126.31.129
  • 40.126.31.67
  • 40.126.31.2
  • 40.126.31.0
  • 40.126.31.71
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.nirsoft.net
  • 107.190.138.58
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 40.90.65.53
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
  • 2.16.241.205
  • 2.16.241.201
  • 2.16.241.216
  • 2.16.241.222
  • 2.16.241.213
  • 2.16.241.218
  • 2.16.241.206
  • 2.16.241.211
  • 2.16.241.204
whitelisted

Threats

PID | Process | Class | Message
6676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
| | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspicious message detected (saved from)
| | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
No debug info