File name:

2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/56f67d84-9925-4237-a9e4-91158facc001
Verdict: Malicious activity
Analysis date: April 29, 2025, 22:13:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

32C9D6B57CEBBE2A9E199CEB1AC51928

SHA1:

39E995893A061A3B128315D89F264E34136C2CA6

SHA256:

446186CADA9F8FAA7138CB56E1F25AF0F41E14482E0F4B937E522F412A8EBC1D

SSDEEP:

393216:d22222222222222222222222222222222222222222222222222222222222222n:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
    • Executable content was dropped or overwritten

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
    • Executes application which crashes

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
      • ydzrpse.exe (PID: 7948)
      • ydzrpse.exe (PID: 8180)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 8076)
      • svchost.exe (PID: 7248)
  • INFO

    • Create files in a temporary directory

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
    • Reads the computer name

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
      • ydzrpse.exe (PID: 7948)
      • ydzrpse.exe (PID: 8180)
    • Process checks computer location settings

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
    • Checks supported languages

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
      • ydzrpse.exe (PID: 7948)
      • ydzrpse.exe (PID: 8180)
    • Auto-launch of the file from Registry key

      • 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 7768)
    • Manual execution by a user

      • ydzrpse.exe (PID: 8180)
    • Checks proxy server information

      • slui.exe (PID: 5544)
    • Reads the software policy settings

      • slui.exe (PID: 5544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:10:05 04:40:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 95744
InitializedDataSize: 4523008
UninitializedDataSize: -
EntryPoint: 0x10b0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 17.0.0.0
ProductVersionNumber: 29.0.0.0
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
No data.
Screenshots
All screenshots are available in the full report
Total processes
138
Monitored processes
11
Malicious processes
3
Suspicious processes
2

Behavior graph

start
2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
wusa.exe (no specs)
wusa.exe
ydzrpse.exe
werfault.exe (no specs)
svchost.exe (no specs)
werfault.exe (no specs)
ydzrpse.exe
svchost.exe (no specs)
werfault.exe (no specs)
slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID:
5544
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6724
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 8180 -s 536
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
ydzrpse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
7248
CMD:
svchost.exe
Path:
C:\Windows\SysWOW64\svchost.exe
Parent process:
ydzrpse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
7768
CMD:
"C:\Users\admin\Desktop\2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe"
Path:
C:\Users\admin\Desktop\2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7820
CMD:
"C:\Windows\System32\wusa.exe"
Path:
C:\Windows\SysWOW64\wusa.exe
Parent process:
2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7924
CMD:
"C:\WINDOWS\SysWOW64\wusa.exe"
Path:
C:\Windows\SysWOW64\wusa.exe
Parent process:
2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7948
CMD:
"C:\Users\admin\ydzrpse.exe" /d"C:\Users\admin\Desktop\2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe" /e5E0602100000007F
Path:
C:\Users\admin\ydzrpse.exe
Parent process:
2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\ydzrpse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
8044
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7768 -s 1312
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
8076
CMD:
svchost.exe
Path:
C:\Windows\SysWOW64\svchost.exe
Parent process:
ydzrpse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
8124
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7948 -s 564
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
ydzrpse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
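The process list above is most useful when read as a tree. Three things in it can be checked mechanically: the decimal exit codes are NTSTATUS values (3221225477 is 0xC0000005 STATUS_ACCESS_VIOLATION, 3221225501 is 0xC000001D STATUS_ILLEGAL_INSTRUCTION, 3221226540 is 0xC000042C STATUS_ELEVATION_REQUIRED); the first wusa.exe (PID 7820) fails with that elevation error at MEDIUM integrity while the second (PID 7924) runs at HIGH under the same MEDIUM parent; and both svchost.exe instances are 32-bit (SysWOW64) children of ydzrpse.exe rather than of services.exe. The script below is an added example, not code from ANY.RUN or from the report. The process records are transcribed from the report; parent PIDs are filled in only where the report identifies the parent unambiguously (a single live instance of that image, or the PID WerFault names with -p), and the rule names are this example's own.

```python
"""Process-tree triage over the records in the sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NTSTATUS values behind the decimal exit codes in the report.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",     # 3221225477
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",  # 3221225501
    0xC000042C: "STATUS_ELEVATION_REQUIRED",   # 3221226540
}
INTEGRITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}
SAMPLE = ("2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_"
          "amadey_elex_karagany_rhadamanthys_smoke-loader.exe")
# An .exe sitting directly in a user profile root (C:\Users\<name>\x.exe).
USER_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent_pid: Optional[int]   # None where the report only names the parent image
    parent_name: str
    integrity: str
    exit_code: int


# Transcribed from the report's "Process information" section.
REPORT_PROCS: List[Proc] = [
    Proc(7768, r"C:\Users\admin\Desktop\%s" % SAMPLE, None, "explorer.exe", "MEDIUM", 3221225477),
    Proc(7820, r"C:\Windows\SysWOW64\wusa.exe", 7768, SAMPLE, "MEDIUM", 3221226540),
    Proc(7924, r"C:\Windows\SysWOW64\wusa.exe", 7768, SAMPLE, "HIGH", 0),
    Proc(7948, r"C:\Users\admin\ydzrpse.exe", 7768, SAMPLE, "MEDIUM", 3221225477),
    Proc(8044, r"C:\Windows\SysWOW64\WerFault.exe", 7768, SAMPLE, "MEDIUM", 0),
    Proc(7248, r"C:\Windows\SysWOW64\svchost.exe", None, "ydzrpse.exe", "MEDIUM", 3221225501),
    Proc(8076, r"C:\Windows\SysWOW64\svchost.exe", None, "ydzrpse.exe", "MEDIUM", 3221225501),
    Proc(8124, r"C:\Windows\SysWOW64\WerFault.exe", 7948, "ydzrpse.exe", "MEDIUM", 0),
    Proc(6724, r"C:\Windows\SysWOW64\WerFault.exe", 8180, "ydzrpse.exe", "MEDIUM", 0),
    Proc(5544, r"C:\Windows\System32\slui.exe", None, "svchost.exe", "MEDIUM", 0),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_exit(code: int) -> str:
    """Render an exit code the way an analyst reads it: name, or hex if unknown."""
    if code == 0:
        return "0 (success)"
    return NTSTATUS_NAMES.get(code, "0x%08X" % code)


def is_ntstatus_error(code: int) -> bool:
    # Severity bits 11 = error: an unhandled exception or loader failure,
    # not a value the program returned on purpose.
    return (code & 0xC0000000) == 0xC0000000


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    # Images that were refused elevation at least once in this run.
    elevation_denied = {image_name(p.image) for p in procs if p.exit_code == 0xC000042C}
    for p in procs:
        name = image_name(p.image)
        if is_ntstatus_error(p.exit_code):
            findings.append((p.pid, "crash:" + decode_exit(p.exit_code)))
        parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
        if parent and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            findings.append((p.pid, "integrity_jump"))       # child more privileged than parent
        if name in elevation_denied and p.integrity == "HIGH":
            findings.append((p.pid, "elevation_retry"))      # same image later ran elevated
        if name == "svchost.exe" and p.parent_name.lower() != "services.exe":
            findings.append((p.pid, "svchost_parent"))       # a real service host comes from services.exe
        if USER_ROOT_EXE.match(p.image):
            findings.append((p.pid, "user_profile_root_image"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(REPORT_PROCS):
        print(pid, rule)
```

Run as-is it prints one line per finding; the rules are deliberately narrow (integrity jump only where the parent PID is known, svchost.exe only by parent image) so that the same code applied to a clean host's process list stays quiet.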
Total events
5 250
Read events
5 245
Write events
3
Delete events
2

Modification events

(PID) Process: (8076) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: (not shown)

(PID) Process: (8076) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value: (none)

(PID) Process: (7768) 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: dlqbxcpx
Value: "C:\Users\admin\ydzrpse.exe"

(PID) Process: (7248) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: (not shown)

(PID) Process: (7248) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value: (none)
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID: 7768
Process: 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\ydzrpse.exe
Type: executable
MD5: 462C7EC8B64E49DB55CEE638D38A9091
SHA256: 3B8738C25B0CB698BF4F6F03EA4849DA417117D815EC36FE655499E4AE548860

PID: 8076
Process: svchost.exe
Filename: C:\Users\admin:.repos
Type: binary
MD5: 5ADB19EBB4DC673E579D83677EA7A843
SHA256: 99B260F3E00EDC36637A779499BE1CC289E2C8D8D057A0E1FCAEDDEF02991576

PID: 7768
Process: 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\gvieqpiu.exe
Type: executable
MD5: F53EBC45FFFCF5C150E604B3469E4D05
SHA256: 7D25F0422938DCE5A0BD74B5444048347CF8CE019E8D28637AE8CEE2433CAEB2
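The host artifacts worth hunting for are the Run-key entry dlqbxcpx pointing at C:\Users\admin\ydzrpse.exe, the HKCU\Control Panel\Buses values written by the two svchost.exe processes spawned by ydzrpse.exe, and the alternate data stream dropped on the profile directory itself (C:\Users\admin with stream name .repos, which a plain directory listing does not show; dir /R or Get-Item -Path C:\Users\admin -Stream * does). The script below is an added example, not code from ANY.RUN or from the report. It parses the Modification events table in the flattened form it appears in above, cross-references the Run-key target against the dropped-file list, and tags the ADS. The parser, the rule names, and the assumption that a genuine service host never modifies the interactive user's HKCU hive are this example's own; the Config0 value, which the report does not reproduce, is left absent.

```python
"""Registry-event and dropped-file triage for the sandbox run (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# The report's "Modification events" rows, transcribed in their flattened form.
REG_EVENTS_TEXT = r"""
(PID) Process:(8076) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
(PID) Process:(8076) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
(PID) Process:(7768) 2025-04-29_32c9d6b57cebbe2a9e199ceb1ac51928_amadey_elex_karagany_rhadamanthys_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:dlqbxcpx
Value:
"C:\Users\admin\ydzrpse.exe"
(PID) Process:(7248) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
(PID) Process:(7248) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
"""

# (pid, path, type, sha256) transcribed from the report's "Dropped files" table.
DROPPED: List[Tuple[int, str, str, str]] = [
    (7768, r"C:\Users\admin\ydzrpse.exe", "executable",
     "3B8738C25B0CB698BF4F6F03EA4849DA417117D815EC36FE655499E4AE548860"),
    (8076, r"C:\Users\admin:.repos", "binary",
     "99B260F3E00EDC36637A779499BE1CC289E2C8D8D057A0E1FCAEDDEF02991576"),
    (7768, r"C:\Users\admin\AppData\Local\Temp\gvieqpiu.exe", "executable",
     "7D25F0422938DCE5A0BD74B5444048347CF8CE019E8D28637AE8CEE2433CAEB2"),
]

REC_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP_RE = re.compile(r"^Operation:(write|delete value)Name:(.+)$")
# drive:\path:stream  (a second colon after the drive letter marks an ADS)
ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^\\:]+)$")
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")


def parse_reg_events(text: str) -> List[Dict]:
    """Turn the flattened rows into dicts; a 'Value:' with no following line is None."""
    events: List[Dict] = []
    cur: Optional[Dict] = None
    expect_value = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REC_RE.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "process": m.group(2),
                   "key": m.group(3), "op": None, "name": None, "value": None}
            events.append(cur)
            expect_value = False
            continue
        if cur is None:
            continue
        m = OP_RE.match(line)
        if m:
            cur["op"], cur["name"] = m.group(1), m.group(2)
        elif line == "Value:":
            expect_value = True
        elif expect_value:
            cur["value"] = line
            expect_value = False
    return events


def parse_ads(path: str) -> Optional[Tuple[str, str]]:
    """Split 'X:\\dir\\item:stream' into (base path, stream name); None if no ADS."""
    m = ADS_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def correlate(events: List[Dict], dropped: List[Tuple[int, str, str, str]]) -> List[Tuple]:
    findings: List[Tuple] = []
    by_path = {path.lower(): (pid, sha) for pid, path, _kind, sha in dropped}
    for e in events:
        key = e["key"].lower()
        if e["op"] == "write" and key.endswith(RUN_KEYS):
            target = (e["value"] or "").strip('"')
            findings.append(("persistence:run_key", e["name"], target))
            if target.lower() in by_path:          # autorun target is a file this run dropped
                pid, sha = by_path[target.lower()]
                findings.append(("run_target_dropped_by", pid, sha))
        if e["process"].lower() == "svchost.exe" and key.startswith("hkey_current_user\\"):
            findings.append(("svchost_hkcu_modify", e["pid"], e["key"], e["name"]))
    for pid, path, kind, _sha in dropped:
        ads = parse_ads(path)
        if ads:
            findings.append(("ads_stream", pid, ads[0], ads[1]))
        elif kind == "executable" and "\\appdata\\local\\temp\\" in path.lower():
            findings.append(("exe_dropped_in_temp", pid, path))
    return findings


if __name__ == "__main__":
    for f in correlate(parse_reg_events(REG_EVENTS_TEXT), DROPPED):
        print(*f)
```

The run_target_dropped_by finding is the one to carry into a hunt: it ties the autorun value to the SHA256 of the dropped file, so an endpoint query can match on the hash rather than on the random file name.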
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
24
DNS requests
6
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2432 | RUXIMICS.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2432 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2432 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2432 | RUXIMICS.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2432 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
7440 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5544 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info