File name:

2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/48c597cc-0d6b-4a89-9e00-21e5eeb5b4dd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 29, 2025, 21:55:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
upx
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 2FA49FC377DB448C767359DFE6621B14
SHA1: 0D013A6549E4F1AD24FB0B8D328B17E95DA062CA
SHA256: 2BCD21C1920C201C8FCA602E33AC9526B233F5B621A4C9EC4C0321AE5B68A61E
SSDEEP: 49152:vfi1Kal/wICLXUZgvBzHwf65oaBR9+IuvJU8tWmbf8+hQAHPAkR0CGss/eg4gYo6:S17/DyXUSzQy57QIuvN8mYFAvAkR0CGI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 5176)
    • Connects to the CnC server

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
    • Actions look like stealing of personal data

      • 360TS_Setup.exe (PID: 6724)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • Executable content was dropped or overwritten

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 3676)
      • 360TS_Setup.exe (PID: 6724)
    • Starts itself from another location

      • 360TS_Setup.exe (PID: 3676)
    • Contacting a server suspected of hosting a CnC

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
    • Potential Corporate Privacy Violation

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
    • Reads security settings of Internet Explorer

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • Process requests binary or script from the Internet

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
    • There is functionality for taking screenshot (YARA)

      • 360TS_Setup.exe (PID: 3676)
      • 360TS_Setup.exe (PID: 6724)
    • Creates a file in the system drive root

      • 360TS_Setup.exe (PID: 6724)
    • Drops 7-zip archiver for unpacking

      • 360TS_Setup.exe (PID: 6724)
    • Drops a system driver (possible attempt to evade defenses)

      • 360TS_Setup.exe (PID: 6724)
    • The process verifies whether the antivirus software is installed

      • 360TS_Setup.exe (PID: 6724)
  • INFO

    • Reads the computer name

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 3676)
      • 360TS_Setup.exe (PID: 6724)
    • The sample was compiled with English language support

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • Checks proxy server information

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
      • slui.exe (PID: 5384)
    • Creates files or folders in the user directory

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • Checks supported languages

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 3676)
      • 360TS_Setup.exe (PID: 6724)
    • Creates files in a temporary directory

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 3676)
      • 360TS_Setup.exe (PID: 6724)
    • Disables trace logs

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
    • Reads the machine GUID from the registry

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • The sample was compiled with Chinese language support

      • 360TS_Setup.exe (PID: 3676)
      • 360TS_Setup.exe (PID: 6724)
    • Creates files in the program directory

      • 360TS_Setup.exe (PID: 3676)
      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • Process checks computer location settings

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
    • UPX packer has been detected

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
    • Reads the software policy settings

      • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (PID: 4408)
      • 360TS_Setup.exe (PID: 6724)
      • slui.exe (PID: 5384)
    • The sample was compiled with Turkish language support

      • 360TS_Setup.exe (PID: 6724)
    • The sample was compiled with Russian language support

      • 360TS_Setup.exe (PID: 6724)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (56.1)
.scr | Windows screen saver (26.6)
.exe | Win32 Executable (generic) (9.1)
.exe | Generic Win/DOS Executable (4)
.exe | DOS Executable Generic (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:09 06:58:37+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 456704
InitializedDataSize: 1054720
UninitializedDataSize: -
EntryPoint: 0x53c04
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.6.0.1054
ProductVersionNumber: 6.6.0.1054
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Qihoo 360 Technology Co. Ltd.
FileDescription: 360 Total Security Online Installer
FileVersion: 6, 6, 0, 1054
InternalName: 360Installer
LegalCopyright: (C) Qihoo 360 Technology Co. Ltd., All rights reserved.
OriginalFileName: 360Installer.exe
ProductName: 360 Total Security Online Installer
ProductVersion: 6, 6, 0, 1054
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph (details in the full report):
  • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
  • 360ts_setup.exe
  • 360ts_setup.exe
  • slui.exe
  • 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe (no specs)

Process information

PID: 3676
CMD: "C:\Users\admin\Desktop\360TS_Setup.exe" /c:WW.NewDon.CPI20230201 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
Path: C:\Users\admin\Desktop\360TS_Setup.exe
Parent process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
User: admin
Integrity Level: HIGH
Description: Installer Module
Version: 11,0,0,1195
Modules (images):
  • c:\users\admin\desktop\360ts_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\imm32.dll

PID: 4408
CMD: "C:\Users\admin\Desktop\2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: Qihoo 360 Technology Co. Ltd.
Integrity Level: HIGH
Description: 360 Total Security Online Installer
Exit code: 1
Version: 6, 6, 0, 1054
Modules (images):
  • c:\users\admin\desktop\2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\program files\common files\system\symsrv.dll

PID: 5176
CMD: "C:\Users\admin\Desktop\2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: Qihoo 360 Technology Co. Ltd.
Integrity Level: MEDIUM
Description: 360 Total Security Online Installer
Exit code: 3221226540
Version: 6, 6, 0, 1054
Modules (images):
  • c:\users\admin\desktop\2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 5384
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 6724
CMD: "C:\Program Files (x86)\1745963791_0\360TS_Setup.exe" /c:WW.NewDon.CPI20230201 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
Path: C:\Program Files (x86)\1745963791_0\360TS_Setup.exe
Parent process: 360TS_Setup.exe
User: admin
Integrity Level: HIGH
Description: Installer Module
Version: 11,0,0,1195
Modules (images):
  • c:\program files (x86)\1745963791_0\360ts_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\imm32.dll
Total events: 10 604
Read events: 10 576
Write events: 24
Delete events: 4

Modification events

All modification events below were recorded for PID 4408 (2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe). Columns: Key | Operation | Name | Value ("-" = empty value).

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360 | delete value | ieproxy | -
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\Liveup | write | mid | 80342cb959da2233832ae840f019ccba8b56b331eb673be97c52113eab1cd1bc
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360 | write | proxytype | 1
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | EnableFileTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | EnableAutoFileTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | EnableConsoleTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | FileTracingMask | -
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | ConsoleTracingMask | -
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | MaxFileSize | 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | write | FileDirectory | %windir%\tracing
Executable files: 864
Suspicious files: 754
Text files: 350
Unknown types: 0

Dropped files

("-" = not reported)

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\360TS_Setup.exe.P2P
Type: -
MD5: -
SHA256: -

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\Desktop\360TS_Setup.exe
Type: -
MD5: -
SHA256: -

PID: 3676
Process: 360TS_Setup.exe
Filename: C:\Program Files (x86)\1745963791_0\360TS_Setup.exe
Type: -
MD5: -
SHA256: -

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\{BE351EC6-73FC-49fb-A57C-7E5C328C2D46}.tmp
Type: compressed
MD5: 7D883E7A121DD2A690E3A04BB196DA6F
SHA256: 9A54E77EDD072495D1A9C0BBA781F14C63F344EAAFA4F466D3DE770979691410

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\A1D26E2\DB9C10841138.tmp
Type: executable
MD5: 16CAF58D0EE0491C6A1D8434C5477AC0
SHA256: FB53F5F44E74826095605610FCBDB0FC00337AE58AF61C7F18B5E8EADAB2241A

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Program Files\Common Files\System\symsrv.dll
Type: executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID: 6724
Process: 360TS_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\360_install_20250429215634_1139078\temp.7z
Type: -
MD5: -
SHA256: -

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\{1088B23A-AD5D-4e68-9959-0D27099B0D93}.tmp
Type: image
MD5: B1DDD3B1895D9A3013B843B3702AC2BD
SHA256: 46CDA5AD256BF373F5ED0B2A20EFA5275C1FFD96864C33F3727E76A3973F4B3C

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\!@tDEE8.tmp
Type: compressed
MD5: 23F6C2D22E02CA57E5981390A31614E6
SHA256: E286B44BC86EC8C30BC4212181EEA925D1BEF1045A1BF1D0C2384140F7027A60

PID: 4408
Process: 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\{4EC56643-FE7F-4919-B2D6-21FC59FFDD24}.tmp\360P2SP.dll
Type: executable
MD5: FC1796ADD9491EE757E74E65CEDD6AE7
SHA256: BF1B96F5B56BE51E24D6314BC7EC25F1BDBA2435F4DFC5BE87DE164FE5DE9E60
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 43
TCP/UDP connections: 69
DNS requests: 17
Threats: 8

HTTP requests

All requests below were made by PID 4408 (2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe). Columns: Method | HTTP Code | IP | URL | CN | Reputation ("-" = not reported; the Type and Size columns were empty in the report).

GET | 200 | 52.29.179.141:80 | http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.NewDon.CPI20230201&os=10.0&mid=80342cb959da2233832ae840f019ccba&state=153 | unknown | whitelisted
GET | 200 | 151.236.118.173:80 | http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab | unknown | whitelisted
GET | 200 | 52.29.179.141:80 | http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=80342cb959da2233832ae840f019ccba&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=654&tdl=654&tds=643&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|654,P2PS|0,PDMode|2&tfl=654&tp=t&tst=1&ttdl=654&ttm=1016&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS | unknown | whitelisted
GET | 403 | 45.56.79.23:80 | http://www.aieov.com/logo.gif | unknown | malicious
GET | 200 | 108.138.24.16:80 | http://sd.p.360safe.com/88C6CB61B6BAE97616CD44945EDD50B8C6CA8B0C.trt | unknown | whitelisted
GET | - | 104.192.108.21:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1195.exe | unknown | whitelisted
GET | - | 104.192.108.17:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1195.exe | unknown | whitelisted
GET | - | 104.192.108.20:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1195.exe | unknown | whitelisted
GET | 206 | 104.192.108.21:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1195.exe | unknown | whitelisted
GET | - | 104.192.108.20:80 | http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1195.exe | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" = not reported). Rows with PID 4408 belong to 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe.

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 54.77.42.29:3478 | st.p.360safe.com | - | - | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 54.76.174.118:80 | tr.p.360safe.com | - | - | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 47.254.140.82:443 | orion.ts.360.com | Alibaba US Technology Co., Ltd. | DE | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 52.29.179.141:80 | s.360safe.com | AMAZON-02 | DE | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 151.236.118.173:80 | iup.360safe.com | CDNetworks LLC | RU | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 45.56.79.23:80 | www.aieov.com | Linode, LLC | US | malicious
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 108.138.24.16:80 | sd.p.360safe.com | AMAZON-02 | US | whitelisted
4408 | 2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe | 104.192.108.21:80 | int.down.360safe.com | Beijing Qihu Technology Company Limited | US | whitelisted

DNS requests

Columns: Domain | Resolved IP(s) | Reputation ("-" = no address reported).

settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.78 | whitelisted
st.p.360safe.com | 54.77.42.29 | whitelisted
orion.ts.360.com | 47.254.140.82 | whitelisted
s.360safe.com | 52.29.179.141, 18.184.178.29 | whitelisted
iup.360safe.com | 151.236.118.173 | whitelisted
tr.p.360safe.com | 54.76.174.118 | whitelisted
5isohu.com | - | whitelisted
www.aieov.com | 45.56.79.23, 198.58.118.167, 45.33.30.197, 45.79.19.196, 173.255.194.134, 45.33.2.79, 45.33.20.235, 72.14.178.174, 96.126.123.244, 45.33.18.44, 72.14.185.43, 45.33.23.183 | malicious
int.down.360safe.com | 104.192.108.21, 104.192.108.17, 104.192.108.20 | whitelisted

Threats

All alerts below were raised for PID 4408 (2025-04-29_2fa49fc377db448c767359dfe6621b14_amadey_elex_floxif_remcos_smoke-loader.exe). Columns: Class | Message.

Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Misc activity | ET INFO Packed Executable Download
Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
No debug info