File name:

2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/2c92f795-249c-47d8-8f0e-0dda1d6d8437
Verdict: Malicious activity
Analysis date: May 15, 2025, 11:36:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
tofsee
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

5D09F4ACBE7991A501D9618D8FC160A1

SHA1:

4443999CBED6C70A78A3A9681A9C5F8E45EA6F24

SHA256:

0D739C150B4E5FE9FE8426ADDF4B332D90A93F6B300CFAE2DBC934A3BA389505

SSDEEP:

6144:an5OmFgCYwCFkgVG3cOi8qG0EKb/8NGCR3hoImlWsKjM8+VVVVV0OkjvSqCpUwoz:nmFgCY/0w8qG+b/8sVVVVVbUYb4z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
    • TOFSEE has been detected (YARA)

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
      • gnnrscmx.exe (PID: 5740)
      • gnnrscmx.exe (PID: 1272)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
    • Executable content was dropped or overwritten

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 664)
      • svchost.exe (PID: 6640)
  • INFO

    • Create files in a temporary directory

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
    • Checks supported languages

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
      • gnnrscmx.exe (PID: 5740)
      • gnnrscmx.exe (PID: 1272)
    • Manual execution by a user

      • gnnrscmx.exe (PID: 1272)
    • Auto-launch of the file from Registry key

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
    • Reads the computer name

      • gnnrscmx.exe (PID: 5740)
      • gnnrscmx.exe (PID: 1272)
      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
    • Checks proxy server information

      • slui.exe (PID: 4200)
    • Reads the software policy settings

      • slui.exe (PID: 4200)
    • Process checks computer location settings

      • 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 6988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Tofsee

(PID) Process(6988) 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe
C2 (2):
svartalfheim.top
jotunheim.name
Encrypted Strings (59):
c:\Windows
\system32\
ImagePath
.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig
/r
.exe
cmd /C move /Y "%s" %s sc config %s binPath= "%s%s /d\"%s\"" sc start %s
svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
PromptOnSecureDesktop
MSConfig
:.repos
USERPROFILE
\Local Settings:.repos
USERPROFILE
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
USERPROFILE
\wincookie.repos
TMP
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
SYSTEM\CurrentControlSet\services
ImagePath
SYSTEM\CurrentControlSet\services
SYSTEM\CurrentControlSet\services
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
qazwsxed
%s%i%i%i%i.bat
@echo off :next_try del "%s">nul if exist "%s" ( ping 127.0.0.1 >nul goto next_try ) del %%0
svchost.exe
.exe
/u
USERPROFILE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/d
/e
/d
/e
.exe
"%s" /u"%s"
USERPROFILE
.exe
USERPROFILE
USERPROFILE
ver=%d lid=%d win=%X/%d sid=%s rep=%s
(PID) Process(5740) gnnrscmx.exe
C2 (2):
svartalfheim.top
jotunheim.name
(PID) Process(1272) gnnrscmx.exe
C2 (2):
svartalfheim.top
jotunheim.name
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:24 07:52:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 66560
InitializedDataSize: 264704
UninitializedDataSize: -
EntryPoint: 0x527e
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 100.0.0.0
ProductVersionNumber: 98.0.0.0
FileFlagsMask: 0x392a
FileFlags: (none)
FileOS: Unknown (0x60481)
ObjectFileType: Unknown
FileSubtype: -
No data.
Total processes
138
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes in graph: 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe (#TOFSEE), wusa.exe, wusa.exe, gnnrscmx.exe (#TOFSEE), svchost.exe, gnnrscmx.exe (#TOFSEE), svchost.exe, slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
664 | svchost.exe | C:\Windows\SysWOW64\svchost.exe | - | gnnrscmx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
1272 | "C:\Users\admin\gnnrscmx.exe" | C:\Users\admin\gnnrscmx.exe | - | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\gnnrscmx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
3240 | "C:\Windows\System32\wusa.exe" | C:\Windows\SysWOW64\wusa.exe | - | 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4200 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5376 | "C:\WINDOWS\SysWOW64\wusa.exe" | C:\Windows\SysWOW64\wusa.exe | - | 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5740 | "C:\Users\admin\gnnrscmx.exe" /d"C:\Users\admin\Desktop\2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe" /e610402100000007F | C:\Users\admin\gnnrscmx.exe | - | 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\gnnrscmx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6640 | svchost.exe | C:\Windows\SysWOW64\svchost.exe | - | gnnrscmx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
6988 | "C:\Users\admin\Desktop\2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe" | C:\Users\admin\Desktop\2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe | - | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 656
Read events
4 651
Write events
3
Delete events
2

Modification events

(PID) Process: (6988) 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: eymnvvub
Value:
"C:\Users\admin\gnnrscmx.exe"

(PID) Process: (6640) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value:
008DFA3F6D7F0B3D24EDB47D450DD49D084297DCE82E72BAA494BDFFE422031D2CDA5AA5D3CC945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B16DC844A7C3BE7AF644490BDBC7A26E5945A02CCF58D3C74BBC4103D29FCAC6E17D5844F703EE59D084295D9E13F4BB4C06D00FDA1F5377894D92B546AABFB5D2E9BD10F7934E3BD004C80D8B90775B3845C07DDF6BD6525C49C460734F5AE6E16E7D740273DE4AD541DC5D9A42C29ED965570CAF7BE113D92CC497B34F5A51B12D881487138E1A85115B69DF12872E0945F0CB9F2B8652CEEF2154539FDA46A1CDD844B71048BFF1C10C48DB27824ED92283DA2A7F5692DD49F310D34FEA0547B89CC40743DE7AB541DC38F8D1267B4995D04CBF1BD642ADCA42B596DF0A46D12D8844D7648DDC2065DC98DB47D24ED945F06F49BFE2420D49F4C0442FDA7652E9FD109793AE3A82269B6FBBC4464EC995D06C5FDCB645BA7A4040F39FAA36867A982447004A4AE591DC48DB47D24ED946444C9F9BD642DD49D440D34C7E63850D0834A714E90AB5D19FDCDB57024ED945D04CDF4BD5D6DD690440D34FDA46D14DDBD0D7730E4AD541DC48DB47D1DAD905003B8F1BE172CD09F7E4F61B9A96A13D88D4B06399094141CC98DB47D24ED945D04F4B4BF692DD6EE457E4289A45454DE894D764EE5DE2269C4B4F47929ED965570B886CF151794C1134E3EC794

(PID) Process: (6640) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value:

(PID) Process: (664) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value:

(PID) Process: (664) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
6640 | svchost.exe | C:\Users\admin:.repos | binary
MD5: 3D4EAA5869AC4C89E3F53F390BE4DE38
SHA256: 9600D2EAC700D0ED9190145E37ABECB550688DF9E89507466D104D3224013781
6988 | 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\olfgdlbi.exe | executable
MD5: 70832DC4977C3D80305D8F8B52DEBF8F
SHA256: B2D13D8C5DE7500638BB69B69EAFD48E87151F7F4255240B31C2264566FF09DD
6988 | 2025-05-15_5d09f4acbe7991a501d9618d8fc160a1_amadey_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\gnnrscmx.exe | executable
MD5: 19E3820D33E1530273BB59718D053317
SHA256: 787A95A77F3DA4B6168CE49FFDD2828B751C1C85DC33E1C1D49A2B274BB18C5D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
52
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4208
RUXIMICS.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5360
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5360
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5360
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5360
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5360
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4208
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4208
RUXIMICS.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.68
  • 40.126.31.2
  • 20.190.159.131
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.0
whitelisted
microsoft.com
whitelisted
yahoo.com
whitelisted
mail.ru
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info