File name: 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/91947e94-21b0-45a8-91dc-e8a90f38fc7f
Verdict: Malicious activity
Analysis date: June 21, 2025, 16:09:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: F474D84EBD544E2E6D1D19FBED8614C6
SHA1: C601AE16E50C1588CB8800D506DCEDC9C3706DD0
SHA256: 6A273125F3BC2FDFDDF861F290E48BFBF5E1E76F218F5313F9145C031455EDC2
SSDEEP: 98304:HC9Vw29vx1jFUaxkEf8h/SuEcn0rLQxIWKOROg7gmsCQYEqZdOt+g:ycqj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 1644)
    • Reads security settings of Internet Explorer

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 1644)
      • 82343c82 (PID: 5248)
      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
    • Executable content was dropped or overwritten

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
    • Connects to the server without a host name

      • 82343c82 (PID: 5248)
      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
    • Executes as Windows Service

      • 82343c82 (PID: 5248)
  • INFO

    • Reads the computer name

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 1644)
      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
      • 82343c82 (PID: 5248)
    • The sample was compiled with Chinese language support

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 1644)
      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
    • Process checks computer location settings

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 1644)
    • Checks supported languages

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
      • 82343c82 (PID: 5248)
      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 1644)
    • Checks proxy server information

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
      • slui.exe (PID: 1036)
    • Reads the machine GUID from the registry

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
      • 82343c82 (PID: 5248)
    • Reads the software policy settings

      • 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 4860)
      • slui.exe (PID: 1036)
      • 82343c82 (PID: 5248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:02:24 07:15:31+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 145408
InitializedDataSize: 236544
UninitializedDataSize: -
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1610
ProductVersionNumber: 23.9.20.1610
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1610
ProductVersion: 23, 9, 20, 1610
Screenshots
All screenshots are available in the full report
Total processes: 131
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start → 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (no specs) → 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe → 82343c82
slui.exe (parent: svchost.exe)

Process information

PID: 1036
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1644
CMD: "C:\Users\admin\Desktop\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 23, 9, 20, 1610
Modules (images):
c:\users\admin\desktop\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 4860
CMD: "C:\Users\admin\Desktop\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Parent process: 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
User: admin
Integrity Level: HIGH
Version: 23, 9, 20, 1610
Modules (images):
c:\users\admin\desktop\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 5248
CMD: C:\Windows\Syswow64\82343c82
Path: C:\Windows\SysWOW64\82343c82
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version: 23, 9, 20, 1610
Modules (images):
c:\windows\syswow64\82343c82
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 11 818
Read events: 11 815
Write events: 3
Delete events: 0

Modification events

(PID) Process: (4860) 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4860) 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4860) 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4860 | 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe | C:\Windows\SysWOW64\82343c82 | executable | FDB76DCBAAA8ACD5CE393BFC396E7874 | 97AE3466F47DEABEE920F8383DCD027EF7D6A446D9673019CF9F5114CFA7F7F0
4860 | 2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe | C:\Windows\533478 | text | C13B1118545B84163D7DE657AA8ABF10 | B43A6622E6140AD283F26AE7BD971A693CD5EA4C0BCC71EC09E1BF36CC9C3A90
5248 | 82343c82 | C:\Windows\59d900 | text | 81891FFD0F19C608A1D497F7F5266D1C | 7BC7728A5EF182B7E53F977075D1C5C2B79DD7177DAF1B157A194D359150E787
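Read together, the Process information and Dropped files sections show the chain the signatures summarise: the sample (PID 1644, MEDIUM integrity) relaunches its own image as PID 4860 at HIGH integrity ("Application launched itself"), PID 4860 writes an extensionless PE to C:\Windows\SysWOW64\82343c82, and that file is then started by services.exe as PID 5248 running as SYSTEM ("Executes as Windows Service"). The following is an added example, not part of the ANY.RUN report, that encodes those three checks over process and dropped-file records transcribed from the sections above. The parent PID 1644 for PID 4860 is taken from the behavior graph, since the report lists the parent only by name; the integrity ranking, system-directory list and PE extension list are assumptions.

```python
"""Correlate a sandbox report's process tree and dropped files into three
findings: self-relaunch at higher integrity, executables dropped into system
directories under non-PE names, and dropped files started as services.
Added example; the records below are transcribed from the report by hand."""
import ntpath  # handles Windows paths correctly on any host OS

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}   # assumption
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumption
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl"}  # assumption
SERVICE_CONTROLLER = "services.exe"

SAMPLE = ("C:\\Users\\admin\\Desktop\\2025-06-21_f474d84ebd544e2e6d1d19fbed8614c6"
          "_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe")

# Constructed from the report's "Process information" section. parent_pid for
# PID 4860 comes from the behavior graph (sample -> sample); the report itself
# names the parent but gives no PID, hence None elsewhere.
PROCESSES = [
    {"pid": 1036, "image": "C:\\Windows\\System32\\slui.exe", "parent": "svchost.exe",
     "parent_pid": None, "user": "admin", "integrity": "MEDIUM"},
    {"pid": 1644, "image": SAMPLE, "parent": "explorer.exe",
     "parent_pid": None, "user": "admin", "integrity": "MEDIUM"},
    {"pid": 4860, "image": SAMPLE, "parent": ntpath.basename(SAMPLE),
     "parent_pid": 1644, "user": "admin", "integrity": "HIGH"},
    {"pid": 5248, "image": "C:\\Windows\\SysWOW64\\82343c82", "parent": "services.exe",
     "parent_pid": None, "user": "SYSTEM", "integrity": "SYSTEM"},
]

# Constructed from the report's "Dropped files" table.
DROPPED = [
    {"pid": 4860, "path": "C:\\Windows\\SysWOW64\\82343c82", "type": "executable"},
    {"pid": 4860, "path": "C:\\Windows\\533478", "type": "text"},
    {"pid": 5248, "path": "C:\\Windows\\59d900", "type": "text"},
]


def self_relaunch_with_elevation(procs):
    """(child_pid, parent_pid) pairs where a process spawned its own image at a
    higher integrity level than itself, the usual footprint of an elevated
    relaunch (MEDIUM -> HIGH here)."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p["parent_pid"])
        if parent is None:
            continue
        same_image = p["image"].lower() == parent["image"].lower()
        if same_image and INTEGRITY_RANK[p["integrity"]] > INTEGRITY_RANK[parent["integrity"]]:
            hits.append((p["pid"], parent["pid"]))
    return hits


def masqueraded_drops(dropped):
    """Paths of executable-typed drops written under a system directory with
    no recognised PE extension (82343c82 has none at all)."""
    out = []
    for d in dropped:
        if d["type"] != "executable":
            continue
        low = d["path"].lower()
        if low.startswith(SYSTEM_DIRS) and ntpath.splitext(low)[1] not in PE_EXTENSIONS:
            out.append(d["path"])
    return out


def dropped_files_run_as_service(procs, dropped):
    """PIDs whose image is an executable the sample dropped and whose parent is
    services.exe, i.e. the drop was registered and started as a service."""
    paths = {d["path"].lower() for d in dropped if d["type"] == "executable"}
    return [p["pid"] for p in procs
            if p["image"].lower() in paths and p["parent"].lower() == SERVICE_CONTROLLER]


def triage(procs=PROCESSES, dropped=DROPPED):
    """Run all three checks and return the findings keyed by name."""
    return {
        "self_elevation": self_relaunch_with_elevation(procs),
        "masqueraded_drops": masqueraded_drops(dropped),
        "service_persistence": dropped_files_run_as_service(procs, dropped),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

On a real case the three record lists would be filled from the sandbox's JSON export or from EDR telemetry; the checks themselves do not depend on ANY.RUN's field names.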
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 166
TCP/UDP connections: 230
DNS requests: 42
Threats: 55

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 223.5.5.5:443 | https://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | unknown | binary | 257 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5248 | 82343c82 | GET | 200 | 223.5.5.5:80 | http://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | unknown | - | - | whitelisted
5248 | 82343c82 | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=down.nugong.asia&type=1 | unknown | - | - | unknown
- | - | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | unknown | binary | 253 b | whitelisted
5248 | 82343c82 | GET | 200 | 223.5.5.5:80 | http://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | unknown | - | - | whitelisted
- | - | GET | 200 | 223.5.5.5:443 | https://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16 | unknown | binary | 253 b | whitelisted
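The requests above show the dropped service 82343c82 resolving names through AliDNS's JSON resolver API (/resolve?name=...&type=1 for A records, type=16 for TXT records) rather than the system resolver, over plain HTTP on port 80 as well as HTTPS, and falling back to the bare resolver IP 223.5.5.5, which is what the "Connects to the server without a host name" signature reflects. Note that the ET INFO alert listed under Threats keys on the resolver name in the TLS SNI, so the port-80 lookups would not trigger it; an HTTP Host or URL based rule is needed for those. The following is an added example, not part of the ANY.RUN report, that classifies such requests from a (pid, process, url) log and extracts the resolved names as IOCs. The log rows are transcribed from the table above; the Google resolver entries and the browser allowlist are assumptions added for generality.

```python
"""Flag DNS-over-HTTPS JSON-API lookups in an HTTP request log and collect the
names that were resolved. Added example; the log is constructed from the report."""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Resolvers exposing a /resolve JSON API. dns.alidns.com, 223.5.5.5 and 223.6.6.6
# (AliDNS) appear in the report; dns.google, 8.8.8.8 and 8.8.4.4 are assumptions
# added so the check also covers Google Public DNS.
DOH_JSON_RESOLVERS = {"dns.alidns.com", "223.5.5.5", "223.6.6.6",
                      "dns.google", "8.8.8.8", "8.8.4.4"}
RR_TYPES = {"1": "A", "2": "NS", "5": "CNAME", "16": "TXT", "28": "AAAA"}
# Processes for which DoH traffic is expected (assumed list); anything else
# asking a public resolver over HTTP deserves a look.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed from the report's HTTP requests table: (pid, process, url).
# None means the report shows no PID/process for that row.
SAMPLE_LOG = [
    (5944, "MoUsoCoreWorker.exe", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (None, None, "https://dns.alidns.com/resolve?name=down.nugong.asia&type=1"),
    (5248, "82343c82", "http://dns.alidns.com/resolve?name=down.nugong.asia&type=1"),
    (5248, "82343c82", "http://223.5.5.5/resolve?name=down.nugong.asia&type=1"),
    (None, None, "https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16"),
    (5248, "82343c82", "http://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16"),
    (None, None, "https://dns.alidns.com/resolve?name=spi2.tyui54345.xyz&type=16"),
]


def is_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(pid, process, url):
    """Return a finding dict for a DoH JSON-API lookup, or None for any other URL."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host not in DOH_JSON_RESOLVERS or u.path != "/resolve":
        return None
    q = parse_qs(u.query)
    name = q.get("name", [""])[0].rstrip(".").lower()
    type_code = q.get("type", ["1"])[0]          # the API defaults to A when omitted
    rrtype = RR_TYPES.get(type_code, type_code.upper())  # APIs also accept "TXT" etc.
    tags = ["doh-json-lookup"]
    if u.scheme == "http":
        # Plain HTTP to the resolver: no TLS handshake, so an SNI-based rule such
        # as the ET INFO alert in the report never sees it; match on Host/URL instead.
        tags.append("cleartext-resolver")
    if is_ip(host):
        tags.append("bare-ip-resolver")          # "Connects to the server without a host name"
    if rrtype == "TXT":
        tags.append("txt-record")                # TXT answers are a common carrier for C2 config
    if process and process.lower() not in BROWSERS:
        tags.append("non-browser-process")
    return {"pid": pid, "process": process, "resolver": host, "name": name,
            "rrtype": rrtype, "tags": tags}


def extract_iocs(log):
    """Distinct names resolved through a DoH JSON API, for blocklists and pivots."""
    names = set()
    for pid, process, url in log:
        f = classify(pid, process, url)
        if f and f["name"]:
            names.add(f["name"])
    return names


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        f = classify(*rec)
        if f:
            print(f"{f['pid']} {f['process']} {f['resolver']} {f['rrtype']:5} "
                  f"{f['name']} {','.join(f['tags'])}")
    print("IOCs:", sorted(extract_iocs(SAMPLE_LOG)))
```

Fed with proxy or Zeek http.log rows instead of the transcribed table, the same classify() call gives a per-process view of resolver abuse, and the resolved names go straight into a blocklist or a pivot against passive DNS.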

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
1268 | svchost.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5248 | 82343c82 | 223.5.5.5:443 | dns.alidns.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 2.18.121.147
  • 2.18.121.139
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
down.nugong.asia
unknown
dns.alidns.com
  • 223.5.5.5
  • 223.6.6.6
whitelisted
down.xy58.top
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
0d78fe00f48f2148.tyui54345.xyz
unknown
yzzcommon.tyui54345.xyz
unknown

Threats

PID | Process | Class | Message | Occurrences listed
5248 | 82343c82 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) | 9
5248 | 82343c82 | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile | 1
No debug info