File name: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/0f969222-09a5-4334-9f75-9ff837235765
Verdict: Malicious activity
Analysis date: June 21, 2025, 17:49:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 8EAB9EB272E60B84520045B72229E7A4
SHA1: AF0F6DDFCDA59C58AD4F87ABC419C341B0496183
SHA256: 26043F787227323DA8C408C2E1DD77A3A79158C4045488FC48262C34F570FDB6
SSDEEP: 49152:Fm2I1tqo/RC8oOOWZSE5GPxX+f9m3OclL/p7X83ISuhblZaYPTE5+SYsxSfJOt0j:FBmBRC8oOOWZDgJX7plFgISuhhZaYPTJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdate.exe (PID: 7048)
      • GoogleUpdateSetup.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6268)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • GoogleUpdate.exe (PID: 7048)
      • GoogleUpdate.exe (PID: 6268)
    • Executable content was dropped or overwritten

      • GoogleUpdateSetup.exe (PID: 4816)
      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdate.exe (PID: 6400)
      • updater.exe (PID: 3756)
    • Application launched itself

      • GoogleUpdate.exe (PID: 6400)
      • GoogleUpdate.exe (PID: 5372)
      • updater.exe (PID: 3756)
    • Executes as Windows Service

      • updater.exe (PID: 3756)
    • There is functionality for taking screenshot (YARA)

      • GoogleUpdate.exe (PID: 7048)
      • GoogleUpdate.exe (PID: 6268)
  • INFO

    • Checks supported languages

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdate.exe (PID: 7048)
      • GoogleUpdateSetup.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6268)
      • GoogleUpdate.exe (PID: 6400)
      • GoogleUpdate.exe (PID: 5372)
      • GoogleUpdate.exe (PID: 760)
      • updater.exe (PID: 2076)
      • GoogleUpdate.exe (PID: 5080)
      • updater.exe (PID: 3756)
    • The sample compiled with arabic language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with bulgarian language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with german language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with english language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6400)
      • updater.exe (PID: 3756)
    • The sample compiled with czech language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with french language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with Indonesian language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with portuguese language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with polish language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with japanese language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with Italian language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with russian language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with swedish language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with turkish language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with slovak language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with korean language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • The sample compiled with chinese language support

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
      • GoogleUpdateSetup.exe (PID: 4816)
    • Reads the computer name

      • GoogleUpdate.exe (PID: 7048)
      • GoogleUpdate.exe (PID: 6268)
      • GoogleUpdate.exe (PID: 6400)
      • GoogleUpdate.exe (PID: 5372)
      • updater.exe (PID: 3756)
    • Creates files in the program directory

      • GoogleUpdateSetup.exe (PID: 4816)
      • GoogleUpdate.exe (PID: 6400)
      • updater.exe (PID: 3756)
    • Process checks computer location settings

      • GoogleUpdate.exe (PID: 7048)
      • GoogleUpdate.exe (PID: 6268)
    • Create files in a temporary directory

      • 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 1520)
    • Process checks whether UAC notifications are on

      • GoogleUpdate.exe (PID: 6400)
      • updater.exe (PID: 3756)
      • GoogleUpdate.exe (PID: 5372)
    • Reads the software policy settings

      • slui.exe (PID: 5552)
    • Checks proxy server information

      • slui.exe (PID: 5552)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:03:03 22:20:08+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 54784
InitializedDataSize: 822784
UninitializedDataSize: -
EntryPoint: 0x52d5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.23.9
ProductVersionNumber: 1.3.23.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Google Inc.
FileDescription: Google Update Setup
FileVersion: 1.3.23.9
InternalName: Google Update Setup
LegalCopyright: Copyright 2007-2010 Google Inc.
OriginalFileName: GoogleUpdateSetup.exe
ProductName: Google Update
ProductVersion: 1.3.23.9
LanguageId: en
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe googleupdate.exe googleupdatesetup.exe googleupdate.exe googleupdate.exe no specs googleupdate.exe googleupdate.exe no specs googleupdate.exe no specs updater.exe updater.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 760
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0xd6c460,0xd6c46c,0xd6c478
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Updater
Exit code: 4294967295
Version: 134.0.6985.0
Modules (Images):
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1520
CMD: "C:\Users\admin\Desktop\2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Update Setup
Exit code: 4294967295
Version: 1.3.23.9
Modules (Images):
c:\users\admin\desktop\2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 2076
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Version: 134.0.6985.0
Modules (Images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3756
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --system --windows-service --service=update-internal
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: services.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Version: 134.0.6985.0
Modules (Images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 4816
CMD: "C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\GoogleUpdateSetup.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={40C17E54-0BE1-52C4-3934-100B98D1B49D}&lang=ja&browser=2&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&installdataindex=defaultbrowser" /installelevated /nomitag
Path: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\GoogleUpdateSetup.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Update Setup
Exit code: 4294967295
Version: 1.3.23.9
Modules (Images):
c:\users\admin\appdata\local\temp\gum6c85.tmp\googleupdatesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 5080
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0xd6c460,0xd6c46c,0xd6c478
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (Images):
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5372
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjMuOSIgc2hlbGxfdmVyc2lvbj0iMS4zLjIxLjEwMyIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9InsyMkQ2QUZCMS0yNzVELTRFMTEtQkVBRi05MDkzQTkzMzI5Njd9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7RDhCMTMxNTQtNzM3NS00MERDLUI4QjItNjY5MjdFNDRGOTg5fSIgcGVyaW9kb3ZlcnJpZGVzZWM9IjAiIGRlZHVwPSJjciI-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMiIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEzNC4wLjY5ODUuMCIgbmV4dHZlcnNpb249IjEuMy4yMy45IiBsYW5nPSJqYSIgYnJhbmQ9IiIgY2xpZW50PSIiIGlpZD0iezQwQzE3RTU0LTBCRTEtNTJDNC0zOTM0LTEwMEI5OEQxQjQ5RH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTYiLz48L2FwcD48L3JlcXVlc3Q-
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Updater
Exit code: 75009
Version: 134.0.6985.0
Modules (Images):
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5552
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6268
CMD: "C:\Program Files (x86)\GUM70DA.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={40C17E54-0BE1-52C4-3934-100B98D1B49D}&lang=ja&browser=2&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&installdataindex=defaultbrowser" /installelevated
Path: C:\Program Files (x86)\GUM70DA.tmp\GoogleUpdate.exe
Parent process: GoogleUpdateSetup.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Installer
Exit code: 4294967295
Version: 1.3.21.103
Modules (Images):
c:\program files (x86)\gum70da.tmp\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6400
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={40C17E54-0BE1-52C4-3934-100B98D1B49D}&lang=ja&browser=2&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&installdataindex=defaultbrowser" /installsource taggedmi /sessionid "{22D6AFB1-275D-4E11-BEAF-9093A9332967}"
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Updater
Exit code: 4294967295
Version: 134.0.6985.0
Modules (Images):
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 4 798
Read events: 4 686
Write events: 96
Delete events: 16

Modification events

(PID) Process: (7048) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation: delete value
Name: uid
Value:

(PID) Process: (7048) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation: delete value
Name: old-uid
Value:

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value: 134.0.6985.0

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value: GoogleUpdater

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value: 134.0.6985.0

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value: GoogleUpdater

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DEF635A-C3EF-530A-8F03-E90E7C834B9F}
Operation: delete key
Name: (default)
Value:

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DEF635A-C3EF-530A-8F03-E90E7C834B9F}
Operation: write
Name: AppID
Value: {1DEF635A-C3EF-530A-8F03-E90E7C834B9F}

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1DEF635A-C3EF-530A-8F03-E90E7C834B9F}
Operation: write
Name: LocalService
Value: GoogleUpdaterInternalService134.0.6985.0

(PID) Process: (6400) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1DEF635A-C3EF-530A-8F03-E90E7C834B9F}
Operation: write
Name: ServiceParameters
Value: --com-service
Executable files: 141
Suspicious files: 6
Text files: 1
Unknown types: 0

Dropped files

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\GoogleUpdate.exe
Type: executable
MD5: 506708142BC63DABA64F2D3AD1DCD5BF
SHA256: 9C36A08D9E7932FF4DA7B5F24E6B42C92F28685B8ABE964C870E8D7670FD531A

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\goopdate.dll
Type: executable
MD5: 0928B9C3F2193EE265AA5E9B163D96EB
SHA256: E2044C1098602441657FCBE2661180A7D3E450B5D8ED42410010AC89F866CF45

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\GoogleUpdateOnDemand.exe
Type: executable
MD5: E093151047BBFFC0CD78D52F36490206
SHA256: 26F997A0757E8943BF1B83E2356E35AE6856155B50C40940057433AF621BEC10

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\psmachine_64.dll
Type: executable
MD5: 74D1953F791F4F07B1BADEBE96F81AE0
SHA256: B043ABF637E4BD3AF728677DF5D0811CF02C4BA1C90C4782F2F7388CB8E8D93C

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\psuser.dll
Type: executable
MD5: 725CCC67C2C70D3BCCB0617609DE9366
SHA256: 20D143826F108DC98DDF4E74DD46EB9FB24ABDEA421F35C23350754535886F5E

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\GoogleUpdateComRegisterShell64.exe
Type: executable
MD5: 6EFC5F64258FE0D9DA3CCFA7FF4D84BD
SHA256: EA63E79B93DF7FAD11A3C0456710BFF66ACCDEAF9FEAC3AE95C22882ACD8560A

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\goopdateres_ar.dll
Type: executable
MD5: 05E505FBA546536493625827F2584910
SHA256: E1A76534C135931153F02BAEF713BB47773F5181741D11530E85EB16A9DCAA93

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\GoogleCrashHandler64.exe
Type: executable
MD5: 0D5CE0E5AEC3ACC7930AB955334B8533
SHA256: B9A2CA18250A170D4292EFDEC1FCEEADD7A86E8F1D66B33805379BE0E8723F8D

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\goopdateres_bg.dll
Type: executable
MD5: 96F9309CC9742D6ACE7E141942A4CD10
SHA256: 213FE703E75DEE3A42A9B9FD551F51C074A96292812033838F89BBEF86998837

PID: 1520 | Process: 2025-06-21_8eab9eb272e60b84520045b72229e7a4_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUM6C85.tmp\psuser_64.dll
Type: executable
MD5: 7DA05F2CD5C1F41EFB7FFBA3DCBD8C2B
SHA256: AF7BD808C58D875DC1C03A8546730157CA3683BC7C3E022E1B57BFE772993650
HTTP(S) requests: 32
TCP/UDP connections: 46
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1564 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | POST | 200 | 40.126.31.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.160.5:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1564 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1564 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.131
  • 40.126.31.0
  • 20.190.159.0
  • 40.126.31.128
  • 20.190.159.71
  • 40.126.31.67
  • 40.126.31.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
Process | Message
GoogleUpdate.exe | LOG_SYSTEM: [GoogleUpdate:goopdate]: ERROR - Cannot create ETW log writer
GoogleUpdate.exe | LOG_SYSTEM: [GoogleUpdate:goopdate]: ERROR - Cannot create ETW log writer