File name:

2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc

Full analysis: https://app.any.run/tasks/6428ea9e-7c82-48a5-be48-06166f1af940
Verdict: Malicious activity
Analysis date: April 29, 2025, 00:38:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

054DF59A46C9B518F199F9FA32271C36

SHA1:

9C63229F16D142CD17C66D17A5EFE3AF3B6C6283

SHA256:

70F00FEE3505568898D2525EB81694F8A782A36D3A4107A082D87F943A426747

SSDEEP:

98304:8zv6Cv0ppppppppppppppppppppppppppppppppppppppppppppppppppppppppa:Xe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
    • TOFSEE has been detected (YARA)

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
      • oiiadnrd.exe (PID: 7720)
      • oiiadnrd.exe (PID: 7860)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
    • Reads security settings of Internet Explorer

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 7876)
      • svchost.exe (PID: 7740)
  • INFO

    • Reads the computer name

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
      • oiiadnrd.exe (PID: 7720)
      • oiiadnrd.exe (PID: 7860)
    • Create files in a temporary directory

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
    • Checks supported languages

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
      • oiiadnrd.exe (PID: 7720)
      • oiiadnrd.exe (PID: 7860)
    • Process checks computer location settings

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
    • Auto-launch of the file from Registry key

      • 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID: 7564)
    • Manual execution by a user

      • oiiadnrd.exe (PID: 7860)
    • Checks proxy server information

      • slui.exe (PID: 8084)
    • Reads the software policy settings

      • slui.exe (PID: 8084)

Malware configuration (Tofsee)

Process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID 7564)
C2 (2):
vanaheim.cn
jotunheim.name
Encrypted Strings (59), one per line as extracted (the "cmd /C move /Y ... sc config ... sc start" one-liner and the "@echo off ... :next_try ... del %%0" batch template are multi-line strings that appear to have lost their line breaks or command separators in extraction):
c:\Windows
\system32\
ImagePath
.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig
/r
.exe
cmd /C move /Y "%s" %s sc config %s binPath= "%s%s /d\"%s\"" sc start %s
svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
PromptOnSecureDesktop
MSConfig
:.repos
USERPROFILE
\Local Settings:.repos
USERPROFILE
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
USERPROFILE
\wincookie.repos
TMP
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
Config
Control Panel\Buses
Config
SOFTWARE\Microsoft\Buses
SYSTEM\CurrentControlSet\services
ImagePath
SYSTEM\CurrentControlSet\services
SYSTEM\CurrentControlSet\services
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
qazwsxed
%s%i%i%i%i.bat
@echo off :next_try del "%s">nul if exist "%s" ( ping 127.0.0.1 >nul goto next_try ) del %%0
svchost.exe
.exe
/u
USERPROFILE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/d
/e
/d
/e
.exe
"%s" /u"%s"
USERPROFILE
.exe
USERPROFILE
USERPROFILE
ver=%d lid=%d win=%X/%d sid=%s rep=%s
Process: oiiadnrd.exe (PID 7720) and oiiadnrd.exe (PID 7860): the configuration extracted from both dropped-copy processes is identical to the one above (same two C2 domains, same 59 encrypted strings) and is not repeated here.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD is a byte-pattern heuristic; its Win64 guess contradicts the PE header (PE32, Intel 386, 32-bit, as the file info above and the EXIF block below show), and the header is the authoritative source.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:08 11:22:26+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 158720
InitializedDataSize: 32339456 (about 31 MB of initialized data against 155 KB of code; together with the ssdeep hash, whose first block is almost entirely the repeated character "p", this indicates the file is bulk-padded)
UninitializedDataSize: -
EntryPoint: 0x5369
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 51.0.0.0
ProductVersionNumber: 19.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0293)
CharacterSet: Unknown (85B1)
CompanyName: Silly
FileDescriptions: PlasticFantastic
FileVersion: 13.78.85.48
InternalName: GrowTrees.exe
LegalCopyrights: Challangers kenia
ProductName: Game
ProductVersion: 4.80.40.45
Total processes: 133
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the graph and the per-process records below (#TOFSEE marks the processes matched by the Tofsee YARA rule):

start
└─ 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID 7564, #TOFSEE, parent explorer.exe, MEDIUM integrity)
   ├─ wusa.exe (PID 7640, MEDIUM integrity, exit 0xC000042C STATUS_ELEVATION_REQUIRED)
   ├─ wusa.exe (PID 7708, HIGH integrity, exit 0)
   └─ oiiadnrd.exe (PID 7720, #TOFSEE, MEDIUM integrity)
      └─ svchost.exe (PID 7740, C:\Windows\SysWOW64, user admin, exit 0xC000001D STATUS_ILLEGAL_INSTRUCTION)
oiiadnrd.exe (PID 7860, #TOFSEE, parent explorer.exe, MEDIUM integrity)
└─ svchost.exe (PID 7876, C:\Windows\SysWOW64, user admin, exit 0xC000001D STATUS_ILLEGAL_INSTRUCTION)
slui.exe -Embedding (PID 8084, Windows Activation Client, parent a svchost.exe whose PID is not recorded; OS background activity)

Process information

PID: 7564
CMD: "C:\Users\admin\Desktop\2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe"
Path: C:\Users\admin\Desktop\2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Tofsee configuration: identical to the configuration shown for PID 7564 in the Malware configuration section above.
PID: 7640
CMD: "C:\Windows\System32\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe (the 32-bit sample's System32 path is redirected to SysWOW64 by WOW64 file system redirection)
Parent process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch of wusa.exe terminated at once with only ntdll loaded, as the module list shows)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7708
CMD: "C:\WINDOWS\SysWOW64\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
Note: this second wusa.exe instance runs at HIGH integrity and exits 0 right after the MEDIUM-integrity attempt (PID 7640) failed with STATUS_ELEVATION_REQUIRED. wusa.exe is a Microsoft-signed binary that UAC auto-elevates, and the sample's string table contains the UAC policy value names ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, so this is consistent with a UAC bypass through wusa.exe. The report records no arguments and no child processes for it, so what the elevated process was used for is not visible here.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 7720
CMD: "C:\Users\admin\oiiadnrd.exe" /d"C:\Users\admin\Desktop\2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe" /e5E0402100000007F
Path: C:\Users\admin\oiiadnrd.exe
Parent process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
Note: the dropped copy is started with /d pointing at the original dropper and /e carrying a 16-hex-digit value; both switches appear in the string table next to the "%s%i%i%i%i.bat" self-delete template (del ... if exist ... ping 127.0.0.1 ... goto next_try), and this process carries the same Tofsee configuration as its parent.
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\oiiadnrd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Tofsee configuration: identical to the configuration shown for PID 7564 in the Malware configuration section above.
PID: 7740
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: oiiadnrd.exe (PID 7720 by the graph order)
Note: a legitimate svchost.exe is a child of services.exe and runs under a service account. This one is a 32-bit copy started by the dropped Tofsee executable, runs as user admin at MEDIUM integrity, loads ws2_32.dll, writes the HKCU\Control Panel\Buses\Config0 value (see the modification events below) and exits with 0xC000001D. That is the behaviour of code injected into a hollowed-out svchost.exe, not of the service host.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501 (0xC000001D, STATUS_ILLEGAL_INSTRUCTION)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 7860
CMD: "C:\Users\admin\oiiadnrd.exe"
Path: C:\Users\admin\oiiadnrd.exe
Parent process: explorer.exe (started without the /d and /e switches; the explorer.exe parent is consistent both with the Run-key value jrwhdivd firing at logon and with a manual launch of the persisted copy, which is how the report tags it)
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\oiiadnrd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Tofsee configuration: identical to the configuration shown for PID 7564 in the Malware configuration section above.
PID: 7876
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: oiiadnrd.exe (PID 7860 by the graph order)
Note: same pattern as PID 7740: a user-mode 32-bit svchost.exe spawned by the persisted Tofsee copy, loading ws2_32.dll and rpcrt4.dll, writing Config0 under HKCU\Control Panel\Buses and the C:\Users\admin:.repos alternate data stream (see the dropped files below), and exiting with 0xC000001D.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
3221225501 (0xC000001D, STATUS_ILLEGAL_INSTRUCTION)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 8084
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe (PID not recorded; -Embedding means the process was COM-activated)
Note: slui.exe is the Windows Activation Client. Its "Checks proxy server information" and "Reads the software policy settings" indicators, like the POST requests to activation-v2.sls.microsoft.com in the HTTP table, are background OS activation activity in the sandbox and should not be attributed to the sample.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 646
Read events: 4 641
Write events: 3
Delete events: 2

Modification events

Process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe (PID 7564)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: jrwhdivd
Value: "C:\Users\admin\oiiadnrd.exe"
(Run-key persistence: a random 8-letter value name pointing at the random 8-letter dropped copy in the profile root; this is the "Changes the autorun value in the registry" indicator.)
Process: svchost.exe (PID 7876)
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value (hex; an opaque binary blob written to the "Control Panel\Buses" / "Config" location named in the Tofsee string table):
008DCC3F05CD1E3D24EDB47D450DD49D084297DCE82E72BAA4C2638AB7BC491D03D29786D3CC945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D48248723AE4A8644490BDB57926EC935507CEFCBE54758DF21D5904E0A66E10DF8C4D7335E39D084295D9E13F4BB4C06D00FDA1F5377894D92B546AABFB5D2E9BD10F7934E0BD004C80D8B90775B3845C07DDF6BD6525C49C460734F5AE6E16E7D740273DE4AD541DC5D9A42C29ED962F03CAF7BE113D92CC497B34F5A51B12D881487138E1A85115B69DF12872E0945F76CAF2B8652CEEF2154539FDA46D14DD844D75048BFF1C10C48DB47D24ED945D3DA2A7F5692DD6EF477B36F8D2547B89CC40743F96AE221FC28A8D1267B4995D06BFF7CB675CA7A42B596DF0A46F66DEF24F723ADDC2065DC98DB60F279B972F0CF49BFE2420D49F360E42FFA61E2E9FD109793DE6DF5315C58CB44464EC995D06BFFCBD662BD0A4040F39FDA46D14DD844D7404A4AE591DC48DB47D24ED946444C9F9BD665FD7EB477834C7E63850D0844F063A95A9516BFDCDB57024EFE65A0DBCF2CF5D6DD690440F46FAAD1C12AFBD0D7730E4AF2719C68DB47D1DAD905004CFF4BF642FD49F7E4F61B9A96A12D5863B074EED94141CC98DB60E20EF945D04F4B4BF692AD295467B478FA45454DE894D764FE7DB271CCCB4F47929EA935802CA87B8111794C1134E3EC794
Process: svchost.exe (PID 7876)
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Process: svchost.exe (PID 7740)
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: (hex blob omitted in this copy of the report)
Process: svchost.exe (PID 7740)
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID 7564, process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Temp\ushpiytp.exe
Type: executable
MD5: B3C03079DC114D1D7720D4D0B3433762
SHA256: 4825465E10CA221311EB804F8C55B5768969258599B247F0C64CDEF9A05930E0

PID 7564, process: 2025-04-29_054df59a46c9b518f199f9fa32271c36_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stealc.exe
Filename: C:\Users\admin\oiiadnrd.exe
Type: executable
MD5: 4F164E27D42E60500D472CF6D274AD96
SHA256: 901FAF6E35206B2D2CCA5403CD587510D2402AE7CB52F09A23A8C819C344F1A2

PID 7876, process: svchost.exe
Filename: C:\Users\admin:.repos (an NTFS alternate data stream named ".repos" attached to the user profile directory itself, the "USERPROFILE" + ":.repos" pattern from the string table; this is what the "Detected use of alternative data streams (AltDS)" indicator on the two svchost.exe processes refers to)
Type: binary
MD5: 139A211AE7EFB75111D712A97385FDA0
SHA256: FAD25E31B7DDD70BF2281613170AB36BE5A72EC4CBADA84BC7D752365182E18B

The two dropped executables differ from each other and from the submitted sample (MD5 054DF59A46C9B518F199F9FA32271C36). Only oiiadnrd.exe is executed and persisted; ushpiytp.exe in %TEMP% never appears in the process list.
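The registry, file and process artifacts this report records (a HKCU Run value pointing at an 8-letter executable in the profile root, Config values under Control Panel\Buses and SOFTWARE\Microsoft\Buses, ".repos" alternate data streams and files at the locations the string table names, the Defender exclusion path the string table references, and a 32-bit user-mode svchost.exe whose parent is not services.exe) translate directly into a host check. The following PowerShell script is an added example written for this page, not ANY.RUN output and not Tofsee's own code. It assumes Windows PowerShell 5.1 or later, that the 8-letter name pattern and the ".repos" name from this sample are what you are hunting for (adjust them for another build), and that it is run from an elevated prompt for the HKLM, Defender-exclusion and process-owner checks.

```powershell
# Added example: hunt for the Tofsee host artifacts documented in this report.
# Not part of the ANY.RUN report. Assumes Windows PowerShell 5.1+; run elevated
# for the HKLM, Defender-exclusion and process-owner checks. The 8-letter-name
# regex and the ".repos" name come from this sample and are assumptions for
# any other build.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. HKCU Run values whose target is <drive>:\Users\<user>\<8 lowercase letters>.exe
#    (report: value "jrwhdivd" -> "C:\Users\admin\oiiadnrd.exe").
$runPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runPath) {
    $runKey = Get-Item -Path $runPath
    foreach ($name in $runKey.GetValueNames()) {
        $target = ([string]$runKey.GetValue($name)).Trim('"')
        if ($target -match '^[A-Za-z]:\\Users\\[^\\]+\\[a-z]{8}\.exe$') {
            $findings.Add("Run value '$name' -> $target (exe in profile root, 8-letter name)")
        }
    }
}

# 2. Registry config locations named in the string table; absent on a clean host.
foreach ($keyPath in 'HKCU:\Control Panel\Buses', 'HKLM:\SOFTWARE\Microsoft\Buses') {
    if (Test-Path $keyPath) {
        $values = (Get-Item -Path $keyPath).GetValueNames() | Where-Object { $_ -like 'Config*' }
        $findings.Add("Key '$keyPath' exists; Config values: $($values -join ', ')")
    }
}

# 3a. ".repos" alternate data streams on %USERPROFILE% and on "Local Settings"
#     (report: svchost.exe wrote C:\Users\admin:.repos, a stream on the profile directory).
$userProfile = $env:USERPROFILE
foreach ($target in @($userProfile, (Join-Path $userProfile 'Local Settings'))) {
    if (-not (Test-Path -LiteralPath $target)) { continue }
    $streams = Get-Item -LiteralPath $target -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -eq '.repos' }
    foreach ($stream in $streams) {
        $findings.Add("ADS '$($target):.repos' ($($stream.Length) bytes)")
    }
}

# 3b. Plain files named *.repos at the other two string-table locations.
foreach ($file in @(
        (Join-Path $userProfile 'Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos'),
        (Join-Path $userProfile 'wincookie.repos'))) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $findings.Add("File '$file' ($((Get-Item -LiteralPath $file).Length) bytes)")
    }
}

# 4. Defender path exclusions under the Users tree (the string table references
#    SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths; each exclusion is a value name).
$exclPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path $exclPath) {
    foreach ($excl in (Get-Item -Path $exclPath).GetValueNames()) {
        if ($excl -like "$env:SystemDrive\Users\*") {
            $findings.Add("Defender path exclusion: $excl")
        }
    }
}

# 5. svchost.exe that is not a child of services.exe, or that runs from SysWOW64
#    (report: 32-bit svchost.exe spawned by oiiadnrd.exe as user 'admin').
$all = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $all[$_.ProcessId] = $_ }
foreach ($proc in ($all.Values | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent = $all[$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe' -or $proc.ExecutablePath -like '*\SysWOW64\*') {
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $findings.Add("svchost.exe PID $($proc.ProcessId) parent=$parentName " +
                      "user=$($owner.Domain)\$($owner.User) path=$($proc.ExecutablePath)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Tofsee artifacts from this report found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Check 5 is the one most likely to fire on a clean host only for an svchost.exe whose parent has already exited (reported as "<exited>"); treat that as a prompt to look at the process, not as a verdict. Checks 1 to 4 have no legitimate hits on a standard Windows 10 build.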
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 11
Threats: 0

HTTP requests

Columns: PID, process, method, HTTP code, remote IP:port, URL, country, type, size, reputation (blank where the report has no value).

PID 2104, svchost.exe: GET 200 from 23.32.238.112:80, http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (country unknown; whitelisted)
PID 6700, RUXIMICS.exe: GET 200 from 23.32.238.112:80, http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (country unknown; whitelisted)
PID 2104, svchost.exe: GET 200 from 23.38.73.129:80, http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (country unknown; whitelisted)
PID 6700, RUXIMICS.exe: GET 200 from 23.38.73.129:80, http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (country unknown; whitelisted)
PID not recorded: POST 500 to 20.83.72.98:443, https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail (country unknown; xml; 512 b; whitelisted)
PID not recorded: POST 500 to 20.83.72.98:443, https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail (country unknown; xml; 512 b; whitelisted)

All six requests come from Windows itself (certificate revocation list downloads by a system svchost.exe and by RUXIMICS.exe, plus two failed product-activation calls); none originates from a monitored Tofsee process.

Connections

Columns: PID, process, remote IP:port, domain, ASN, country, reputation (blank where the report has no value).

PID 2104, svchost.exe: 4.231.128.59:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
PID 4, System: 192.168.100.255:137 (NetBIOS name-service broadcast), whitelisted
PID 6700, RUXIMICS.exe: 4.231.128.59:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
PID not recorded: 4.231.128.59:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
PID 4, System: 192.168.100.255:138 (NetBIOS datagram broadcast), whitelisted
PID 2104, svchost.exe: 23.32.238.112:80, crl.microsoft.com, Akamai International B.V., DE, whitelisted
PID 6700, RUXIMICS.exe: 23.32.238.112:80, crl.microsoft.com, Akamai International B.V., DE, whitelisted
PID 2104, svchost.exe: 23.38.73.129:80, www.microsoft.com, AKAMAI-AS, DE, whitelisted
PID 6700, RUXIMICS.exe: 23.38.73.129:80, www.microsoft.com, AKAMAI-AS, DE, whitelisted
PID 2104, svchost.exe: 40.127.240.158:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 23.38.73.129
whitelisted
microsoft.com
whitelisted
yahoo.com
whitelisted
mail.ru
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected (no IDS signature fired on the captured traffic).

Network caveat: the two C2 domains in the extracted configuration, vanaheim.cn and jotunheim.name, appear in neither the DNS requests nor the connections, and no network activity is attributed to PIDs 7564, 7720, 7740, 7860 or 7876 even though both injected svchost.exe instances load ws2_32.dll. The lookups for google.com, microsoft.com, yahoo.com and mail.ru carry no PID. Whether the bot never reached its C2 in this run or the traffic was simply not captured cannot be decided from this summary; pull the PCAP from the full analysis before treating the sample as network-silent.