File name: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/20013637-1c05-407e-bd01-311a06ecef36
Verdict: Malicious activity
Analysis date: April 29, 2025, 01:58:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: D4CD7BF58D52C8F7C208E1734DA11A6A
SHA1: 31E628D2FAFC2E32BA12FE4043240346C414FF3F
SHA256: 234F8D4F5D3F0BD69CDC3DFFF5EC3ED6DAFEED353F19893D05F759503123CC8F
SSDEEP: 6144:+GkNOSSGvkYjsVOnkqutSEwcohG/9oZhe2ArO0Q5VVVVVd+uZR:O0SSVYj8Onk5/ByrvNJVVVVVTb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 8024)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
    • Executable content was dropped or overwritten

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 7912)
      • svchost.exe (PID: 8024)
    • Connects to SMTP port

      • svchost.exe (PID: 7912)
      • svchost.exe (PID: 8024)
    • Executes application which crashes

      • pueztfce.exe (PID: 7720)
      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
      • pueztfce.exe (PID: 7864)
  • INFO

    • Create files in a temporary directory

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
    • Reads the computer name

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
      • pueztfce.exe (PID: 7864)
      • pueztfce.exe (PID: 7720)
    • Checks supported languages

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
      • pueztfce.exe (PID: 7720)
      • pueztfce.exe (PID: 7864)
    • Process checks computer location settings

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
    • Manual execution by a user

      • pueztfce.exe (PID: 7864)
    • Auto-launch of the file from Registry key

      • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe (PID: 7564)
    • Checks proxy server information

      • slui.exe (PID: 4424)
    • Reads the software policy settings

      • slui.exe (PID: 4424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35)
.exe | Win64 Executable (generic) (31)
.scr | Windows screen saver (14.7)
.dll | Win32 Dynamic Link Library (generic) (7.3)
.exe | Win32 Executable (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:15 10:50:16+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 87040
InitializedDataSize: 790016
UninitializedDataSize: -
EntryPoint: 0x6017
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x007f
FileFlags: (none)
FileOS: Unknown (0x40324)
ObjectFileType: Static library
FileSubtype: -
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in display order (per-process details below and in the full report; "no specs" means no indicators were attached to that process):
  • 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
  • wusa.exe (no specs)
  • wusa.exe
  • pueztfce.exe
  • werfault.exe (no specs)
  • pueztfce.exe
  • svchost.exe
  • werfault.exe (no specs)
  • svchost.exe (#TOFSEE)
  • werfault.exe (no specs)
  • slui.exe

Process information

Each entry lists PID, command line, image path and parent process, followed by user, integrity level, exit code, version and the first loaded modules.
PID: 4424
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7564
CMD: "C:\Users\admin\Desktop\2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules
Images
c:\users\admin\desktop\2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 7636
CMD: "C:\Windows\System32\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Update Standalone Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
The command line names System32, but the 32-bit caller is redirected to the SysWOW64 copy by WOW64 file system redirection; this first attempt failed because it required elevation.
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7688
CMD: "C:\WINDOWS\SysWOW64\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Standalone Installer
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
This second wusa.exe instance ran at HIGH integrity from the same MEDIUM-integrity parent whose first attempt (PID 7636) exited with STATUS_ELEVATION_REQUIRED; a child above its parent's integrity level is worth checking for a UAC consent prompt or auto-elevation in the full report.
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7720
CMD: "C:\Users\admin\pueztfce.exe" /d"C:\Users\admin\Desktop\2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe" /e550302100000007F
Path: C:\Users\admin\pueztfce.exe
Parent process: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules
Images
c:\users\admin\pueztfce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 7828
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7564 -s 1040
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting (error reporting for the crashed PID 7564)
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7864
CMD: "C:\Users\admin\pueztfce.exe"
Path: C:\Users\admin\pueztfce.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules
Images
c:\users\admin\pueztfce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 7912
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: pueztfce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
A legitimate svchost.exe is started by services.exe from System32 with a service-group command line; this 32-bit instance with a bare command line and the dropped pueztfce.exe as parent is the process that writes the ADS and the Control Panel\Buses registry value and opens the port-25 connections listed below.
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 7960
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7720 -s 584
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: pueztfce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting (error reporting for the crashed PID 7720)
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 8024
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: pueztfce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: none (still running when the analysis ended)
Version: 10.0.19041.1 (WinBuild.160101.0800)
This is the instance in which the TOFSEE YARA rule matched. Like PID 7912 it is a 32-bit svchost.exe spawned by pueztfce.exe rather than by services.exe, which is the pattern of a hollowed or injected host process; the image on disk is the genuine Microsoft binary, so file-hash checks will not flag it and the parent relationship is the useful signal.
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
Total events: 5 315
Read events: 5 312
Write events: 2
Delete events: 1

Modification events

(PID) Process: (7564) 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: stcbrdvm
Value: "C:\Users\admin\pueztfce.exe"

(PID) Process: (7912) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: 008D4C3FD5DF1E3D24EDB47D450DD49D084297DCE82E72BAA4C2638A384E001D7B24E4E34ECD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4824B7538E6AD644490BDB67A26EA955901CDF58D3C74BBC4103D3DFFA66C10D8814E710DB8F2054991CFDB2470DD976D

(PID) Process: (7912) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value: -
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 7564
Process: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\pueztfce.exe
Type: executable
MD5: 9A17A9AD272522783856EDEB6F253DFD
SHA256: 2305FEDBFC0435D3AD647EC63EB43DB5F6241B487D8F7ED9359A83E6928841C1

PID: 7564
Process: 2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a_amadey_elex_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\qmeebqpd.exe
Type: executable
MD5: 0540BD00969CE7DBB26BCDC5C51FCBDE
SHA256: D8034B8B5EA0AB1E46054080C7285A5A2BA577766246333DAEE38D3BA40C6FED

PID: 7912
Process: svchost.exe
Filename: C:\Users\admin:.repos (an alternate data stream named ".repos" attached to the C:\Users\admin directory; this is the AltDS indicator above, and the stream is invisible to a plain directory listing)
Type: binary
MD5: E9778E7A207B5B90B0DE432E7D0735CC
SHA256: 797218A285BD07BDBB8636180DC959F8EACEB91D1780B52DEF699FE832129CCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 32
DNS requests: 8
Threats: 0

HTTP requests

PID: 5404
Process: RUXIMICS.exe
Method: GET
HTTP Code: 200
IP: 23.35.229.160:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 5404
Process: RUXIMICS.exe
Method: GET
HTTP Code: 200
IP: 23.216.77.6:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: -
Process: -
Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

PID: -
Process: -
Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

All four HTTP requests are Windows background traffic: two CRL downloads by the Windows Update component RUXIMICS.exe and two product-activation POSTs that the report does not attribute to any process. None of them is attributed to the sample or its child processes; the sample's own network activity is in the Connections table.

Connections

PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 5404 | Process: RUXIMICS.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: - | Process: - | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 5404 | Process: RUXIMICS.exe | IP: 23.216.77.6:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 5404 | Process: RUXIMICS.exe | IP: 23.35.229.160:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: DE | Reputation: whitelisted
PID: 7912 | Process: svchost.exe | IP: 13.107.246.59:80 | Domain: microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 7912 | Process: svchost.exe | IP: 52.101.194.4:25 | Domain: microsoft-com.mail.protection.outlook.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 8024 | Process: svchost.exe | IP: 13.107.246.59:80 | Domain: microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 8024 | Process: svchost.exe | IP: 52.101.194.4:25 | Domain: microsoft-com.mail.protection.outlook.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

The reputation column rates the destination, not the behaviour. The two svchost.exe instances spawned by pueztfce.exe (PIDs 7912 and 8024) each open a TCP connection to port 25 on microsoft-com.mail.protection.outlook.com, the mail exchanger for microsoft.com; that is the "Connects to SMTP port" indicator above, and the destination being a whitelisted Microsoft MX does not make direct SMTP from a host process benign. Port 137/138 traffic from PID 4 to 192.168.100.255 is ordinary NetBIOS broadcast from the guest.
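The indicators in this report (a Run-key value pointing into the user profile, an alternate data stream write, svchost.exe spawned by a dropped executable, a child running above its parent's integrity level, access-violation exit codes and direct SMTP from a host process) translate into detection logic over process, registry, file and network telemetry. The following Python is an added example written for this page; it is not ANY.RUN's code nor any vendor's rule set. Its event records are constructed from the values printed in this report, and the field names, the rule names, the shortened Config0 blob and the matching of parents by image name (the report gives parent names, not parent PIDs) are assumptions made for the example.

```python
"""Triage the behaviours this report lists against constructed telemetry.

Added example for this page, not ANY.RUN's code or any vendor's rule set. The
records are constructed from values printed in the report; field names, rule
names and parent matching by image name are the author's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = (r"C:\Users\admin\Desktop\2025-04-29_d4cd7bf58d52c8f7c208e1734da11a6a"
          r"_amadey_elex_rhadamanthys_smoke-loader.exe")
DROPPER = r"C:\Users\admin\pueztfce.exe"
# Documented Windows NTSTATUS names for the decimal exit codes the report prints.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000042C: "STATUS_ELEVATION_REQUIRED"}


@dataclass
class Proc:
    pid: int
    image: str                       # full image path
    parent: str                      # parent path, or bare name where the report gives only that
    integrity: str                   # MEDIUM / HIGH
    exit_code: Optional[int] = None  # None: still running when the analysis ended


# Constructed from "Process information".
PROCS = [
    Proc(7564, SAMPLE, "explorer.exe", "MEDIUM", 3221225477),
    Proc(7636, r"C:\Windows\SysWOW64\wusa.exe", SAMPLE, "MEDIUM", 3221226540),
    Proc(7688, r"C:\Windows\SysWOW64\wusa.exe", SAMPLE, "HIGH", 0),
    Proc(7720, DROPPER, SAMPLE, "MEDIUM", 3221225477),
    Proc(7864, DROPPER, "explorer.exe", "MEDIUM", 3221225477),
    Proc(7912, r"C:\Windows\SysWOW64\svchost.exe", DROPPER, "MEDIUM", 0),
    Proc(8024, r"C:\Windows\SysWOW64\svchost.exe", DROPPER, "MEDIUM", None),
    Proc(4424, r"C:\Windows\System32\slui.exe", "svchost.exe", "MEDIUM", 0),
]
# (pid, key, value name, data) from "Modification events"; the Config0 blob is shortened here.
REG_WRITES = [
    (7564, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "stcbrdvm", '"' + DROPPER + '"'),
    (7912, r"HKEY_CURRENT_USER\Control Panel\Buses", "Config0", "008D4C3FD5DF1E3D24ED..."),
]
# (pid, path) from "Dropped files".
FILE_WRITES = [(7564, DROPPER), (7564, r"C:\Users\admin\AppData\Local\Temp\qmeebqpd.exe"),
               (7912, r"C:\Users\admin:.repos")]
# (pid, process name, remote ip, remote port) from "Connections".
CONNS = [(7912, "svchost.exe", "52.101.194.4", 25), (8024, "svchost.exe", "52.101.194.4", 25),
         (7912, "svchost.exe", "13.107.246.59", 80), (5404, "RUXIMICS.exe", "23.216.77.6", 80)]


def base(path: str) -> str:
    """Lower-case file name of a Windows path (or of a bare image name)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_ads_path(path: str) -> bool:
    """True when a colon appears after the drive letter, i.e. <file>:<stream> syntax."""
    if len(path) > 1 and path[1] == ":":
        path = path[2:]
    return ":" in path


def decode_exit_code(code: int) -> str:
    """Map the unsigned decimal exit code to an NTSTATUS name, else its hex form."""
    code &= 0xFFFFFFFF
    return NTSTATUS.get(code, f"0x{code:08X}")


def run_triage(procs=PROCS, reg=REG_WRITES, files=FILE_WRITES, conns=CONNS) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings over the four telemetry sources."""
    findings = []
    for p in procs:
        # A legitimate svchost.exe is always started by services.exe.
        if base(p.image) == "svchost.exe" and base(p.parent) != "services.exe":
            findings.append(("svchost_unexpected_parent", p.pid, base(p.parent)))
        # HIGH integrity under a MEDIUM parent means the UAC boundary was crossed.
        parents = [q for q in procs if base(q.image) == base(p.parent)]
        if p.integrity == "HIGH" and any(q.integrity == "MEDIUM" for q in parents):
            findings.append(("integrity_escalation", p.pid, base(p.image)))
        # NTSTATUS severity bits 0b11 mark an error exit (crash or failed launch).
        if p.exit_code is not None and (p.exit_code & 0xFFFFFFFF) >> 30 == 0b11:
            findings.append(("error_exit", p.pid, decode_exit_code(p.exit_code)))
    for pid, key, name, data in reg:
        # Run-key persistence whose target lives in a user-writable location.
        if key.lower().endswith("\\currentversion\\run") and data.strip('"').lower().startswith("c:\\users\\"):
            findings.append(("run_key_user_path", pid, name))
    for pid, path in files:
        if is_ads_path(path):
            findings.append(("ads_write", pid, path))
        elif path.lower().startswith("c:\\users\\") and path.lower().endswith(".exe"):
            findings.append(("exe_dropped_user_path", pid, path))
    for pid, proc, ip, port in conns:
        # Direct SMTP from anything but a mail client is a spam-bot signal.
        if port == 25 and proc.lower() not in {"outlook.exe", "thunderbird.exe"}:
            findings.append(("smtp_from_non_mail_client", pid, f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_triage():
        print(f"{rule:26s} pid={pid:<5d} {detail}")
```

Run as a script it prints one finding per line. On this report's data the parent rule fires for both svchost.exe instances, the integrity rule fires only for the second wusa.exe (PID 7688), the Run-key rule catches stcbrdvm, the ADS rule catches C:\Users\admin:.repos, and the SMTP rule fires for PIDs 7912 and 8024 but not for the port-80 CRL fetch by RUXIMICS.exe. The Control Panel\Buses write is deliberately left unmatched: a generic rule on that key would need a family-specific justification the report does not give.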

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.194.4
  • 52.101.194.19
  • 52.101.10.16
  • 52.101.10.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info