File name:	2025-04-22_a7e9c24d588fe3cb667095288c900f81_amadey_elex_rhadamanthys_smoke-loader
Full analysis:	https://app.any.run/tasks/dd1f8aa1-f161-479f-9468-ad7bf8f292fc
Verdict:	Malicious activity
Analysis date:	April 22, 2025, 19:48:00
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg tofsee
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	A7E9C24D588FE3CB667095288C900F81
SHA1:	9E6BA599A74E56718A7FCFBE78BD0186F67951EC
SHA256:	1DB04CCBD78E2843574360742880271BFF3DD81829A06ECA0711D95764A2EED6
SSDEEP:	6144:DGkNOSSGvkYjsVOnkqutSEwcohG/9oZhe2ArO0Q5VVVVVd+uZ:z0SSVYj8Onk5/ByrvNJVVVVVT

.exe	\|	Win32 Executable MS Visual C++ (generic) (35)
.exe	\|	Win64 Executable (generic) (31)
.scr	\|	Windows screen saver (14.7)
.dll	\|	Win32 Dynamic Link Library (generic) (7.3)
.exe	\|	Win32 Executable (generic) (5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:10:15 10:50:16+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	87040
InitializedDataSize:	790016
UninitializedDataSize:	-
EntryPoint:	0x6017
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x007f
FileFlags:	(none)
FileOS:	Unknown (0x40324)
ObjectFileType:	Static library
FileSubtype:	-


(PID) Process:	(7360) 2025-04-22_a7e9c24d588fe3cb667095288c900f81_amadey_elex_rhadamanthys_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	zajiykct
Value: "C:\Users\admin\oqlrkxh.exe"
(PID) Process:	(7672) svchost.exe	Key:	HKEY_CURRENT_USER\Control Panel\Buses
Operation:	write	Name:	Config0
Value: 008DE63F011E153D24EDB47D450DD49D084297DCE82E72BAA494B9FFE422031D9413077B48CD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4854F7434E4AC644490BDBD7D26ED935A0CCBF08D3C74BBC4103D29FCAC6F15DC83457334EC9D084295D9E13F4BB4C06D07FD
(PID) Process:	(7672) svchost.exe	Key:	HKEY_CURRENT_USER\Control Panel\Buses
Operation:	delete value	Name:	Config1
Value:

PID	Process	Filename		Type
7360	2025-04-22_a7e9c24d588fe3cb667095288c900f81_amadey_elex_rhadamanthys_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\prkvckyo.exe		executable
		MD5:08CE480CFE5030166189EC2233069B17	SHA256:3BE32E478B8ADD6E9BE52DD16AB86627DA4733344F52A07BE812621D497F7706
7360	2025-04-22_a7e9c24d588fe3cb667095288c900f81_amadey_elex_rhadamanthys_smoke-loader.exe	C:\Users\admin\oqlrkxh.exe		executable
		MD5:0A85A11125EBD4B1895A7DA453A9D0A7	SHA256:37A72B8D4A795AED7C8C4E1D9329BFC9AF0714C9590198D8A170B6450AE2F986
7672	svchost.exe	C:\Users\admin:.repos		binary
		MD5:C69E0D7450F44798DABEB10A21721082	SHA256:AFAABB1EF74670C587F8709CBCB4EBB3E49D242645552E2D5DAF43662068E70B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	104.124.11.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7952	SIHClient.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7952	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7952	SIHClient.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7952	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7952	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7952	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	104.124.11.17:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
6544	svchost.exe	40.126.32.133:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7672	svchost.exe	13.107.246.59:80	microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7672	svchost.exe	52.101.9.12:25	microsoft-com.mail.protection.outlook.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.186.142	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
crl.microsoft.com	104.124.11.17 104.124.11.58 184.24.77.41 184.24.77.12 184.24.77.15 184.24.77.42 184.24.77.10 184.24.77.11 184.24.77.34 184.24.77.30 184.24.77.35	whitelisted
www.microsoft.com	2.23.246.101 23.35.229.160	whitelisted
login.live.com	40.126.32.133 40.126.32.76 20.190.160.3 20.190.160.17 40.126.32.134 20.190.160.2 20.190.160.65 20.190.160.132	whitelisted
microsoft.com	13.107.246.59	whitelisted
microsoft-com.mail.protection.outlook.com	52.101.9.12 52.101.41.6 52.101.41.22 52.101.9.26	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

General Info

2025-04-22_a7e9c24d588fe3cb667095288c900f81_amadey_elex_rhadamanthys_smoke-loader

A7E9C24D588FE3CB667095288C900F81

9E6BA599A74E56718A7FCFBE78BD0186F67951EC

1DB04CCBD78E2843574360742880271BFF3DD81829A06ECA0711D95764A2EED6

6144:DGkNOSSGvkYjsVOnkqutSEwcohG/9oZhe2ArO0Q5VVVVVd+uZ:z0SSVYj8Onk5/ByrvNJVVVVVT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

TOFSEE has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Detected use of alternative data streams (AltDS)

Connects to SMTP port

Executes application which crashes

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

Auto-launch of the file from Registry key

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings