File name: 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe

Full analysis: https://app.any.run/tasks/6e40a947-d0f0-42d2-8583-df57b6140b2e
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:39:12
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 8356D3459AFBD5A5CD0E646E959562E4
SHA1: 854F80B336D3E26A68BF4057286CC0D555172873
SHA256: 57A385A0BF97D5B4F5C1AA109C2A5A8F465FCDB4345ACE579D841EE2C1F873A6
SSDEEP: 12288:a3muOP5Gs+B3L6dXt+aM0yat3QVVVf+yLI7Y:a3mVP5G1tL6d9+aM0+LIM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
    • Executable content was dropped or overwritten

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
    • Process drops legitimate windows executable

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
  • INFO

    • The sample compiled with english language support

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
    • Creates files or folders in the user directory

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
    • Checks supported languages

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
      • RUXIMICS.exe (PID: 2228)
    • The sample compiled with bulgarian language support

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
    • Reads the computer name

      • 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe (PID: 6256)
    • Creates files in the program directory

      • RUXIMICS.exe (PID: 2228)
    • Checks proxy server information

      • slui.exe (PID: 6656)
    • Reads the software policy settings

      • slui.exe (PID: 6656)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2028:05:18 00:29:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 53248
InitializedDataSize: 245760
UninitializedDataSize: -
EntryPoint: 0x302f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.20.0.0
ProductVersionNumber: 9.20.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7-Zip File Manager
FileVersion: 9.2
InternalName: 7zFM
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFileName: 7zFM.exe
ProductName: 7-Zip
ProductVersion: 9.2
No data.
Total processes: 135
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe -> ruximics.exe (no specs) -> slui.exe

Process information

PID: 2228
CMD: %ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetwork
Path: C:\Program Files\RUXIM\RUXIMICS.exe
Parent process: PLUGScheduler.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Reusable UX Interaction Manager
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules (images):
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

PID: 6256
CMD: "C:\Users\admin\Desktop\2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip File Manager
Exit code: 0
Version: 9.20
Modules (images):
c:\users\admin\desktop\2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

PID: 6656
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 528
Read events: 3 527
Write events: 1
Delete events: 0

Modification events

(PID) Process: (6256) 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
Operation: write
Name: WallpaperSource
Value: C:\windows\WallPapers.jpg
Executable files: 186
Suspicious files: 0
Text files: 1
Unknown types: 42

Dropped files

PID | Process | Filename | Type

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.cab |
MD5:
SHA256:

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.cab |
MD5:
SHA256:

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.cab | executable
MD5: 0FE7B22CBF619CF188638A6025B81DEB
SHA256: B4DD76CDCFE1DDBD6F4F8436EEF5919D46A06EAE7FD26081E503B77DB450B7CF

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.cab |
MD5:
SHA256:

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.cab |
MD5:
SHA256:

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.cab | executable
MD5: 66C8FEDA5C8CC5126DEC3BCC6FC74089
SHA256: CC5D88D8EB4F35CF4E3A372A3C1BF2D98D0981791096B2EDFEBB2D87C4128AA4

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Eula.cab | executable
MD5: 6A20421B04FEC08576E6069D1CC4EF96
SHA256: FA6D7D4509FCD93AA0D656B1A1C3FCB9B5F39882FF79FC27A2942BBBB21222F5

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.cab | executable
MD5: 0CBAB240A946921EC4E9BA1EC71940BB
SHA256: 342E4438BFE75A7B2C27FB78FD45A2EC9EF0E1E5FDA11671A4AC1A45C3919D07

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.cab | executable
MD5: A0593C685617EB9B08BE3F8D858C5041
SHA256: F7EF6A112AFBB287C6089C22A44947FAA4B8BD25C5637401AD9B78F92704063E

6256 | 2025-08-01_8356d3459afbd5a5cd0e646e959562e4_elex_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.cab | executable
MD5: 516E45F0C5F9C2FEB897CC856798E29D
SHA256: DF0B4BD3EC5410506983C2ADFDCAF6BF18DFB1A30C2D38ED653145D8FAF700D8
HTTP(S) requests: 29
TCP/UDP connections: 40
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
5968 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
 | | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
 | | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted
 | | POST | 200 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
1236 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5968 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5968 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.241.12
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.130
  • 20.190.160.65
  • 20.190.160.66
  • 40.126.32.136
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.138
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
self.events.data.microsoft.com
  • 20.50.73.13
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info