File name: 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/517f69a7-b3a7-4fb6-a9bf-76965e819d9c
Verdict: Malicious activity
Threats:

A loader is malware whose job is to get a foothold on a device and then deliver further payloads. Once it has infected a machine it profiles the system and installs other threats, such as trojans or stealers. Loaders are usually delivered through phishing emails and links, relying on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to stay undetected.

Analysis date: March 24, 2025, 15:39:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: smoke, loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 44E50BE992352341E96724B070F13A16
SHA1: 8E818AA8CB6F3BB05950B96940E8FF6BE8A4F466
SHA256: 42E68BF8D713E8C1F3248974A4A7FF66888A71986D9DF655C582B074182C69D2
SSDEEP: 3072:AOn8/BFhEQ0/VIXnJ2TuQbWNKs9N0YHVVVViVCV+S:WBFhEQYaRlNKYNVVVVViVCV5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • explorer.exe (PID: 5492)
    • Runs injected code in another process

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
    • SMOKE mutex has been found

      • explorer.exe (PID: 5492)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
      • explorer.exe (PID: 5492)
    • Executes application which crashes

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
    • Process drops legitimate windows executable

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
  • INFO

    • Checks supported languages

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
    • Create files in a temporary directory

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7700)
      • explorer.exe (PID: 5492)
    • The sample compiled with english language support

      • 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID: 7548)
    • Checks proxy server information

      • explorer.exe (PID: 5492)
    • Reads the software policy settings

      • slui.exe (PID: 904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:10:15 22:13:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29184
InitializedDataSize: 83456
UninitializedDataSize: -
EntryPoint: 0x76e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 28.0.0.0
ProductVersionNumber: 28.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
Total processes: 131
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes as shown in the report (the interactive graph itself is only in the full report), laid out by parent process:

  start: 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe (PID 7548), parent explorer.exe
    -> werfault.exe (PID 7700), "no specs": crash reporting for PID 7548
    -> explorer.exe (PID 5492), #SMOKE: target of the injection, SMOKE mutex found
  slui.exe (PID 904), parent svchost.exe

Process information

PID 904 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Indicators: reads the software policy settings (INFO)
  Loaded images:
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 5492 | CMD: C:\WINDOWS\Explorer.EXE | Path: C:\Windows\explorer.exe | Parent: (not listed)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 10.0.19041.3758 (WinBuild.160101.0800)
  Indicators: injected by another process, SMOKE mutex found (MALICIOUS); executable content dropped (SUSPICIOUS)
  Loaded images:
    c:\windows\explorer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\shcore.dll

PID 7548 | CMD: "C:\Users\admin\Desktop\2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe" | Path: C:\Users\admin\Desktop\2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe | Parent: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; the crash that WerFault.exe PID 7700 handled)
  Indicators: runs injected code in another process (MALICIOUS); executable content dropped, executes application which crashes, drops legitimate Windows executable (SUSPICIOUS)
  Loaded images (32-bit process under WOW64):
    c:\users\admin\desktop\2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7700 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7548 -s 448 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent: 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 10.0.19041.3996 (WinBuild.160101.0800)
  Indicators: creates files or folders in the user directory (INFO)
  Loaded images:
    c:\windows\syswow64\werfault.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\msvcrt.dll
    c:\windows\syswow64\combase.dll
Total events: 5 802
Read events: 5 798
Write events: 4
Delete events: 0

Modification events

(PID 5492) explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write | Name: IconLayouts
  Value: (binary value, not reproduced in this report)
(PID 5492) explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write | Name: IconNameVersion
  Value: 1

Both writes are Explorer's normal desktop icon-layout (ShellBag) bookkeeping; no registry persistence (Run keys, services, scheduled tasks) is recorded in this report.
Executable files: 2
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID 7700, WerFault.exe (crash-report artefacts for PID 7548):
  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-03-24_44e50_98ca67202ea04e36707d8cc22a1e2e5718b63d6_01ddf9be_da37816a-a279-4c28-94e5-bc9cc3bd4bf2\Report.wer
    Type: (not listed) | MD5: (not listed) | SHA256: (not listed)
  C:\Users\admin\AppData\Local\CrashDumps\2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe.7548.dmp
    Type: binary | MD5: B600F0CBFC6EA8E13E7DBCD5BD676E6D | SHA256: EF415FF9038575C12FB0D502ED17182EFBBF44537DB99D07E9942587B3A02B6B
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER1886.tmp.dmp
    Type: binary | MD5: 027EEC9D0BDB9D352FB2744C4541DCC4 | SHA256: 6F63F3CA28BB79681074C6747409A15D5044AB573AACE182FBF7EC0C8C8DCD2C
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C41.tmp.xml
    Type: xml | MD5: F64995292E8A245D4C24FF180D5290D9 | SHA256: 053D40DF75037E31A4B79007E673113188783B0C2D27A37BE6D09CDB531C8DBF
  C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B75.tmp.WERInternalMetadata.xml
    Type: binary | MD5: B96DD87E84A1CE577F9A9B9A2020D08D | SHA256: 6193081A2F9B879EBF7841D1BC2CE626846910EDEBF628BFC71487074B2E77A5

PID 7548, 2025-03-24_44e50be992352341e96724b070f13a16_karagany_rhadamanthys_smoke-loader.exe:
  C:\Users\admin\AppData\Local\Temp\CC4F.tmp
    Type: executable | MD5: 9829BD4BC72E924BB60D9DC4EAA7B853 | SHA256: F8926DA814046711E9BF5206E8F972E2ED21430E7778AFA36C06542420736E5D

PID 5492, explorer.exe (running the injected code):
  C:\Users\admin\AppData\Roaming\resrfre
    Type: xml | MD5: 1DEE138C17793EF1443773EE5AF3CDEF | SHA256: 418CBD95A746CF73FDCB530A9E8092D5A87483700D496B84CE63CB6E529267AD
  C:\Users\admin\AppData\Roaming\bjcgshj
    Type: executable | MD5: 44E50BE992352341E96724B070F13A16 | SHA256: 42E68BF8D713E8C1F3248974A4A7FF66888A71986D9DF655C582B074182C69D2

Note: bjcgshj carries the same MD5 and SHA256 as the submitted sample, so the injected explorer.exe wrote a byte-identical copy of the loader to the root of %APPDATA% under a random, extension-less name. CC4F.tmp is the only executable PID 7548 itself dropped (a different binary, see its hashes) and is therefore the file behind the "Process drops legitimate windows executable" signature. When hunting on other hosts, match on the sample hashes rather than on the file names, which are random per infection.
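The drop pattern above (a PE image with no extension written straight into the %APPDATA% root, byte-identical to the loader) is easy to hunt for without knowing the random file name. The script below is an added example, not part of the ANY.RUN report: it checks every file directly under an APPDATA root for a valid DOS/PE header, flags those whose extension does not say "executable", and compares their SHA256 against a set of known-bad hashes seeded with this sample's SHA256. build_demo_appdata() fabricates a throw-away directory with constructed file contents (a minimal PE header stub, not the real sample) so it runs offline; on a live host you would pass os.environ["APPDATA"] instead.

```python
"""Hunt for an extension-less PE dropped into the %APPDATA% root (SmokeLoader-style).

Added example; not the ANY.RUN report's code. The demo directory and its file
contents are constructed here and are NOT the real sample.
"""
import hashlib
import struct
import tempfile
from pathlib import Path

# SHA256 of the submitted sample, copied from the report.
SAMPLE_SHA256 = "42e68bf8d713e8c1f3248974a4a7ff66888a71986d9df655c582b074182c69d2"

# Extensions under which a PE image is expected; anything else is suspicious.
PE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe(path) -> bool:
    """True if the file has an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    path = Path(path)
    try:
        with path.open("rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def sha256_file(path) -> str:
    """Streaming SHA256 so large drops do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_appdata_root(root, known_hashes=frozenset({SAMPLE_SHA256})):
    """Return [{name, sha256, known}] for PE files sitting directly in `root`
    whose extension does not mark them as executables. Non-recursive on purpose:
    the report shows the copy in the Roaming root, and recursing would pull in
    legitimate per-app binaries under Roaming\\<vendor>\\."""
    hits = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file() or entry.suffix.lower() in PE_SUFFIXES:
            continue
        if not is_pe(entry):
            continue
        digest = sha256_file(entry)
        hits.append({"name": entry.name, "sha256": digest,
                     "known": digest in known_hashes})
    return hits


def minimal_pe_stub() -> bytes:
    """Smallest byte string is_pe() accepts: 'MZ', e_lfanew = 0x40, 'PE\\0\\0',
    then a zeroed COFF header. Constructed for the demo; it is not a runnable PE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(20)


def build_demo_appdata() -> str:
    """Fabricate an APPDATA root mirroring the report's drop pattern (demo data)."""
    root = tempfile.mkdtemp(prefix="appdata_demo_")
    (Path(root) / "bjcgshj").write_bytes(minimal_pe_stub())          # extension-less PE: hit
    (Path(root) / "resrfre").write_text("<?xml version='1.0'?><r/>")  # extension-less, not PE
    (Path(root) / "tool.exe").write_bytes(minimal_pe_stub())          # PE with a PE extension
    (Path(root) / "notes.txt").write_text("MZ is just text here")     # 'MZ' but no PE header
    return root


if __name__ == "__main__":
    demo = build_demo_appdata()
    # Seed the known-bad set with the demo stub's hash to show the "known" flag.
    for hit in scan_appdata_root(demo, {sha256_file(Path(demo) / "bjcgshj")}):
        print(hit)
```

Design note: the extension check is what keeps the heuristic quiet on normal profiles; plenty of legitimate software keeps .exe/.dll files under %APPDATA%, but almost nothing writes an extension-less PE straight into the Roaming root. Pair a hit with the hash lookup: a hash match ties it to this sample, while an unknown hash is still worth pulling for analysis.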
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 36
TCP/UDP connections: 53
DNS requests: 20
Threats: 0

HTTP requests (10 of the 36 shown; "-" means the field is not listed in this report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
8008 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
8008 | SIHClient.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted
- | - | GET | 200 | 20.103.156.88:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T153954Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=76a343451a064b5eaf3669c7525e3506&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967659&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358189&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.95 Kb | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
8008 | SIHClient.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
8008 | SIHClient.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
8008 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

None of the listed requests is attributed to the sample (PID 7548) or to the injected explorer.exe (PID 5492); the rows that carry a PID belong to SIHClient.exe, and every destination is a Microsoft update, CRL, login or content-delivery endpoint. Rows without a PID are not attributed on this page.

Connections ("-" means the field is not listed in this report)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.198.162.78:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
- | - | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4892 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 20.198.162.78:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
8008 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
client.wns.windows.com | 20.198.162.78 | whitelisted
login.live.com | 40.126.31.71, 40.126.31.2, 40.126.31.73, 20.190.159.71, 40.126.31.69, 20.190.159.2, 20.190.159.75, 40.126.31.0 | whitelisted
google.com | 216.58.212.174 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
crl.microsoft.com | 23.48.23.183, 23.48.23.181, 23.48.23.180, 23.48.23.182, 23.48.23.186, 23.48.23.176, 23.48.23.179, 23.48.23.175, 23.48.23.184 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
vgerkisv.com | (no IP returned) | unknown

vgerkisv.com is the only queried domain that is neither a Microsoft nor a Google service, the only one with an "unknown" reputation, and it returned no address during the run. The report does not attribute the query to a process, so treat it as a candidate indicator to be confirmed against the PCAP in the full report rather than as a confirmed C2 domain.

Threats

No threats detected (no network IDS signatures fired during the run)
No debug info