File name: 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/38f55814-54fb-4a28-92d3-27a2c98c0313
Verdict: Malicious activity
Analysis date: June 21, 2025, 02:44:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 815350B875A4B0C71F26EE764424FDED
SHA1: 40CA289225C12D7AE0924BDE99711412A49978E0
SHA256: 6D8E94B2B53389075C4F3ED0B846CFB413EE2C58A28A70218C44BBDD7E540DC6
SSDEEP: 3072:Jwq/8QK9YSYOeZmr5zRo2xQZVVVVVV8pdarVs4fSCQ:JD/VKlYOeKUlVVVVVV8pduQCQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes appearance of the Explorer extensions
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Changes the autorun value in the registry
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
  • SUSPICIOUS
    • Reads the date of Windows installation
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Reads security settings of Internet Explorer
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Executable content was dropped or overwritten
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • There is functionality for taking screenshot (YARA)
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
  • INFO
    • Creates files or folders in the user directory
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Launching a file from a Registry key
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Checks supported languages
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Reads the computer name
      • 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1984)
    • Checks proxy server information
      • slui.exe (PID: 5532)
    • Reads the software policy settings
      • slui.exe (PID: 5532)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1981:01:11 11:13:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 256512
InitializedDataSize: 46592
UninitializedDataSize: -
EntryPoint: 0x4189
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 134
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: start -> 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe, rundll32.exe (no specs), slui.exe

Process information

PID: 1880
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

PID: 1984
CMD: "C:\Users\admin\Desktop\2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

PID: 5532
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 8 358
Read events: 8 345
Write events: 13
Delete events: 0

Modification events

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: Hidden
Value: 2

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: HideFileExt
Value: 1

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: ShowSuperHidden
Value: 0

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: WebViewBarricade
Value: 0

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Operation: write
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation: write
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 040000000000000003000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation: write
Name: MRUListEx
Value: 010000000000000003000000050000000400000002000000FFFFFFFF

(PID) Process: (1984) 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 941C566800000000

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1984
Process: 2025-06-21_815350b875a4b0c71f26ee764424fded_amadey_elex_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\Local\Start\update.exe
Type: executable
MD5: 815350B875A4B0C71F26EE764424FDED
SHA256: 6D8E94B2B53389075C4F3ED0B846CFB413EE2C58A28A70218C44BBDD7E540DC6
(same MD5 and SHA256 as the analysed sample: the file is copied into the folder that the Shell Folders "Startup" value above was rewritten to point at)
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4456 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4456 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4456 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4456 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.189.173.11 | whitelisted

Threats

No threats detected
No debug info