File name: 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe

Full analysis: https://app.any.run/tasks/938ccfd8-f359-4469-84df-685a4c2faa4a
Verdict: Malicious activity
Analysis date: July 18, 2025, 12:37:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 212648863BAB01F6027CCC1BC4833658
SHA1: B1D7E64FAC030938DBA631602FF2DB2871EA0849
SHA256: 8EE3948ED34846A5C643B1693BE579E5855558D1761DF66E2181787557B469F6
SSDEEP: 12288:jU3cAXlyQvYqsxjiVTV54VTV7Jbfut3VTVH:w3cAVyQKJbf4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • scaa.exe (PID: 3640)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
    • Starts itself from another location

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
    • Executable content was dropped or overwritten

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
      • scaa.exe (PID: 3640)
    • Process drops legitimate windows executable

      • scaa.exe (PID: 3640)
  • INFO

    • Reads the computer name

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
      • scaa.exe (PID: 3640)
    • Reads the software policy settings

      • slui.exe (PID: 6764)
    • Create files in a temporary directory

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
      • scaa.exe (PID: 3640)
    • Creates files or folders in the user directory

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
      • scaa.exe (PID: 3640)
    • Checks supported languages

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe  (PID: 2716)
      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
      • scaa.exe (PID: 3640)
    • The sample compiled with english language support

      • 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (PID: 1232)
      • scaa.exe (PID: 3640)
    • Launching a file from a Registry key

      • scaa.exe (PID: 3640)
    • Checks proxy server information

      • slui.exe (PID: 6764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:08:29 03:42:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 69632
InitializedDataSize: 8192
UninitializedDataSize: -
EntryPoint: 0x11a8
OSVersion: 4
ImageVersion: 6.29
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.2900.0.2180
ProductVersionNumber: 6.2900.0.2180
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
LegalCopyright: License: MPL 1.1/GPL 2.0/LGPL 2.1
CompanyName: Mozilla Foundation
FileDescription: Firefox Software Updater
FileVersion: 1.9.0.1
All screenshots are available in the full report
Total processes: 138
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report)

Nodes, in the order shown: start; 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe; 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (no specs); scaa.exe; slui.exe; 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe (no specs)

Process information

PID: 1232
CMD: "C:\Users\admin\Desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Foundation
Integrity Level: HIGH
Description: Firefox Software Updater
Exit code: 0
Version: 1.9.0.1
Modules (images):
  c:\users\admin\desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\acgenral.dll

PID: 2716
CMD: C:\Users\admin\Desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe  (unquoted, logged with a trailing space)
Path: C:\Users\admin\Desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe 
Parent process: 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Mozilla Foundation
Integrity Level: HIGH
Description: Firefox Software Updater
Exit code: 1
Version: 1.9.0.1
Modules (images):
  c:\users\admin\desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe 
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\acgenral.dll

PID: 3640
CMD: "c:\Documents and Settings\admin\Application Data\Microsoft\scaa.exe" 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop
Path: C:\Users\admin\AppData\Roaming\Microsoft\scaa.exe
Parent process: 2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Mozilla Foundation
Integrity Level: HIGH
Description: Firefox Software Updater
Version: 1.9.0.1
Modules (images):
  c:\users\admin\appdata\roaming\microsoft\scaa.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\acgenral.dll

PID: 6704
CMD: "C:\Users\admin\Desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Description: Firefox Software Updater
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this non-elevated launch was refused; the same image also runs from explorer.exe at HIGH integrity as PID 1232)
Version: 1.9.0.1
Modules (images):
  c:\users\admin\desktop\2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 6764
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
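Three details in the process table are easy to miss by eye and are exactly what a process-creation rule should catch: scaa.exe is launched through the XP-era junction path c:\Documents and Settings\admin\Application Data\... while its resolved image is C:\Users\admin\AppData\Roaming\..., so a rule that only matches the command line against "AppData\Roaming" misses it; PID 2716 is the sample re-executing itself with a parent of the same name; and PID 6704 exits at MEDIUM integrity with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) while the same image runs at HIGH as PID 1232. The Python below is an added example, not part of the ANY.RUN report or its tooling. Its event records are constructed from the table above, the parent is modelled by image name only because the report shows no parent PID, and the rule names and the legacy-path substitutions are the author's assumptions.

```python
import ntpath
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C  # NTSTATUS returned when a non-elevated
                                        # launch of an image that requires
                                        # administrator rights is refused

SAMPLE = ("2025-07-18_212648863bab01f6027ccc1bc4833658"
          "_elex_rhadamanthys_smoke-loader_stop.exe")

# Constructed from the "Process information" table above. The report names the
# parent by image only, so no parent PID is modelled; exit_code None means the
# report lists no exit code for that process.
EVENTS = [
    {"pid": 6704, "integrity": "MEDIUM", "exit_code": 3221226540,
     "image": rf"C:\Users\admin\Desktop\{SAMPLE}",
     "cmdline": rf'"C:\Users\admin\Desktop\{SAMPLE}"', "parent": "explorer.exe"},
    {"pid": 1232, "integrity": "HIGH", "exit_code": 0,
     "image": rf"C:\Users\admin\Desktop\{SAMPLE}",
     "cmdline": rf'"C:\Users\admin\Desktop\{SAMPLE}"', "parent": "explorer.exe"},
    {"pid": 2716, "integrity": "HIGH", "exit_code": 1,
     "image": rf"C:\Users\admin\Desktop\{SAMPLE} ",       # trailing space as logged
     "cmdline": rf"C:\Users\admin\Desktop\{SAMPLE} ", "parent": SAMPLE},
    {"pid": 3640, "integrity": "HIGH", "exit_code": None,
     "image": r"C:\Users\admin\AppData\Roaming\Microsoft\scaa.exe",
     "cmdline": (r'"c:\Documents and Settings\admin\Application Data\Microsoft'
                 r'\scaa.exe" ' + SAMPLE[:-4]), "parent": SAMPLE},
    {"pid": 6764, "integrity": "MEDIUM", "exit_code": 0,
     "image": r"C:\Windows\System32\slui.exe",
     "cmdline": r"C:\WINDOWS\System32\slui.exe -Embedding", "parent": "svchost.exe"},
]

# XP-era junction names that still resolve on Vista and later (assumption: the
# standard junction targets). Longest pattern first so "Local Settings\Application
# Data" is not partially rewritten by the "Application Data" rule.
_LEGACY = [
    (re.compile(r"\\local settings\\application data\\", re.I), r"\\AppData\\Local\\"),
    (re.compile(r"\\documents and settings\\", re.I), r"\\Users\\"),
    (re.compile(r"\\application data\\", re.I), r"\\AppData\\Roaming\\"),
]


def normalize_path(path: str) -> str:
    """Strip trailing spaces and dots (Win32 drops them when opening a path),
    fold legacy junction names onto their modern targets, and case-fold."""
    path = path.rstrip(" .")
    for pattern, target in _LEGACY:
        path = pattern.sub(target, path)
    return path.lower()


def program_of(cmdline: str) -> str:
    """Program token of a command line: the quoted program, else the first word."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def triage(events):
    """Return (pid, rule, detail) findings over a list of process events."""
    by_image = {}
    for e in events:
        by_image.setdefault(normalize_path(e["image"]), []).append(e)
    findings = []
    for e in events:
        image = normalize_path(e["image"])
        program = program_of(e["cmdline"])
        # Command line reaches the image via an XP-era junction path.
        if any(p.search(program) for p, _ in _LEGACY):
            findings.append((e["pid"], "legacy_profile_path",
                             f"{program} -> {normalize_path(program)}"))
        # Executable running out of the roaming profile.
        if "\\appdata\\roaming\\" in image:
            findings.append((e["pid"], "exec_from_roaming", image))
        # Parent has the same image name: the sample re-executes itself.
        if ntpath.basename(image) == e["parent"].lower():
            findings.append((e["pid"], "self_relaunch", f"parent {e['parent']}"))
        # Refused non-elevated launch followed by the same image at HIGH integrity.
        if (e["exit_code"] == STATUS_ELEVATION_REQUIRED and e["integrity"] == "MEDIUM"
                and any(o["integrity"] == "HIGH" for o in by_image[image] if o is not e)):
            findings.append((e["pid"], "uac_elevation_relaunch",
                             f"exit 0x{e['exit_code']:08X}, same image at HIGH"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<24} {detail}")
```

Running the script over the constructed events reports four findings (legacy path and roaming execution for 3640, self-relaunch for 2716, elevation relaunch for 6704) and nothing for slui.exe; normalize_path is the piece to reuse in a real pipeline, since the junction names still work on every supported Windows release.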
Total events: 3 687
Read events: 3 549
Write events: 138
Delete events: 0

Modification events

All ten writes below are by PID 1232 (2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe); the operation is "write" in every case.

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
Name: AlternateShell
Value: c:\windows\system32\CommandPrompt.Sysm

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
Name: AlternateShell
Value: c:\windows\system32\CommandPrompt.Sysm

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.Msd
Name: NeverShowExt
Value: (empty)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm
Name: NeverShowExt
Value: (empty)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Name: CheckedValue
Value: 1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Name: DefaultValue
Value: 1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Name: CheckedValue
Value: 1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Name: DefaultValue
Value: 1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress
Name: DefaultValue
Value: 1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath
Name: DefaultValue
Value: 1
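Read together, these ten writes are a cluster of hiding and persistence tricks rather than noise. AlternateShell under Control\SafeBoot is the program Windows starts as the shell in "Safe Mode with Command Prompt" (cmd.exe by default), so pointing it at the dropped CommandPrompt.Sysm keeps the sample running even when a user boots to safe mode to clean the machine. NeverShowExt on the newly created .Msd and .sysm classes keeps those extensions out of Explorer listings, and the Folder\HideFileExt, SuperHidden and ShowFullPath* keys are the templates behind the Folder Options checkboxes, which no ordinary application has a reason to rewrite. The report also tags scaa.exe with "Changes the autorun value in the registry" but does not list that key here. The Python below is an added example, not part of the ANY.RUN report or its tooling: the event records are constructed from the table above, and the rule names, the cmd.exe baseline and the small allowlist of classes that legitimately hide their extension are the author's assumptions.

```python
import ntpath
import re

SAFE_MODE_SHELL = "cmd.exe"                      # stock AlternateShell value
BENIGN_NEVERSHOWEXT = {".lnk", ".url", ".pif"}   # assumption: classes that hide
                                                 # their extension by design
FOLDER_TEMPLATE_VALUES = {"checkedvalue", "uncheckedvalue", "defaultvalue"}

HKLM = "HKEY_LOCAL_MACHINE"
FOLDER = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder"

# Constructed from the "Modification events" table above: (pid, key, name, value).
EVENTS = [
    (1232, HKLM + r"\SYSTEM\ControlSet001\Control\SafeBoot", "AlternateShell",
     r"c:\windows\system32\CommandPrompt.Sysm"),
    (1232, HKLM + r"\SYSTEM\ControlSet002\Control\SafeBoot", "AlternateShell",
     r"c:\windows\system32\CommandPrompt.Sysm"),
    (1232, HKLM + r"\SOFTWARE\Classes\.Msd", "NeverShowExt", ""),
    (1232, HKLM + r"\SOFTWARE\Classes\.sysm", "NeverShowExt", ""),
    (1232, FOLDER + r"\HideFileExt", "CheckedValue", "1"),
    (1232, FOLDER + r"\HideFileExt", "DefaultValue", "1"),
    (1232, FOLDER + r"\SuperHidden", "CheckedValue", "1"),
    (1232, FOLDER + r"\SuperHidden", "DefaultValue", "1"),
    (1232, FOLDER + r"\ShowFullPathAddress", "DefaultValue", "1"),
    (1232, FOLDER + r"\ShowFullPath", "DefaultValue", "1"),
]


def classify(key: str, name: str, value: str):
    """Map one registry write to a rule name, or None when it is not of interest."""
    k, n = key.lower(), name.lower()
    # Safe-mode shell replaced: any AlternateShell other than cmd.exe.
    if k.endswith("\\control\\safeboot") and n == "alternateshell":
        if ntpath.basename(value).lower() == SAFE_MODE_SHELL:
            return None
        return "safeboot_shell_hijack"
    # A file class told to hide its extension, outside the classes that do so by design.
    m = re.search(r"\\classes\\(\.[^\\]+)$", k)
    if m and n == "nevershowext" and m.group(1) not in BENIGN_NEVERSHOWEXT:
        return "extension_hidden_in_explorer"
    # Folder Options checkbox templates rewritten.
    if "\\explorer\\advanced\\folder\\" in k and n in FOLDER_TEMPLATE_VALUES:
        return "folder_options_template_tamper"
    # Run/RunOnce persistence. The report tags this for scaa.exe but lists no
    # key, so the sample events above contain no instance of it.
    if re.search(r"\\currentversion\\run(once)?$", k):
        return "run_key_persistence"
    return None


def triage(events):
    """Return (pid, rule, key, name, value) for every event that matches a rule."""
    out = []
    for pid, key, name, value in events:
        rule = classify(key, name, value)
        if rule:
            out.append((pid, rule, key, name, value))
    return out


if __name__ == "__main__":
    for pid, rule, key, name, value in triage(EVENTS):
        print(f"{pid} {rule:<32} {key}\\{name} = {value!r}")
```

All ten events match a rule (two safe-mode shell hijacks, two hidden extensions, six Folder Options template writes). On a live host the same checks can be run against the exported keys; note that the SafeBoot rule must be applied to every ControlSetNNN as well as CurrentControlSet, since the sample wrote both ControlSet001 and ControlSet002.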
Executable files: 48
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID 3640 (scaa.exe): filename, type, MD5 and SHA256 are blank in the report

PID 1232 (2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe): C:\Windows\SysWOW64\Windows 3D.scr (executable)
  MD5: CF83B5117863D86A71CDC5D25A3BE24D
  SHA256: 486B486079CBBD9771CAA8F199EE41A95D1B9465A5121AAC1F45414DEFF9A55F

PID 3640 (scaa.exe): C:\Users\admin\AppData\Roaming\Microsoft\2151 (text)
  MD5: 210CF7AA5E2682C9C9D4511F88FE2789
  SHA256: 3BE481CA29E74A01367CEACA0B5C7F5EE53E9A407D26D4368EDD539541F7B13C

PID 1232 (2025-07-18_212648863bab01f6027ccc1bc4833658_elex_rhadamanthys_smoke-loader_stop.exe): C:\Windows\SysWOW64\maxtrox.txt (text)
  MD5: 24865CA220AA1936CBAC0A57685217C5
  SHA256: 841E95FA333ED89085BFBAB19BB658D96ED0C837D25721411233FA55C860C743

PID 3640 (scaa.exe): C:\Windows\SysWOW64\CommandPrompt.Sysm (executable)
  MD5: 3B46A2ECFED41926A9E580BB9BB239B1
  SHA256: 17A3E912605410BF3BB7D76F594C29B95D028404D6EBBFD5AE27C0DDEFFA11B3

PID 3640 (scaa.exe): C:\Program Files\CUAssistant\culauncher.exe (executable)
  MD5: 0ECE18D7EB88A29F377300F021C0ED29
  SHA256: 56CB4A1AC92CE1FDDF68119037A7F38B80DC1FED531C505D466B4314DE9AEF07

PID 3640 (scaa.exe): C:\Windows\SysWOW64\Desktop.sysm (executable)
  MD5: 3B46A2ECFED41926A9E580BB9BB239B1
  SHA256: 17A3E912605410BF3BB7D76F594C29B95D028404D6EBBFD5AE27C0DDEFFA11B3

PID 3640 (scaa.exe): C:\Users\admin\AppData\Local\Temp\WRPD935.tmp (executable)
  MD5: AAFFBD021B47C542BD9D7A3F5D024DB2
  SHA256: F69D2D078985B0DE351E29D831D5F27616F603D0F88F4060DE026157F9B8A456

PID 3640 (scaa.exe): C:\Program Files\FileZilla FTP Client\uninstall.exe (executable)
  MD5: 4D64552915EF2E86FBDD2DD626A32810
  SHA256: 2B9A366EAB870BAB0C3052573E0EB049E92EE9AD7F646E5917F3D7DE403E8DD7

PID 3640 (scaa.exe): C:\Program Files\FileZilla FTP Client\fzputtygen.exe (executable)
  MD5: 130694B589E018DAE6CCCC00176AA043
  SHA256: 1638C2C03A5F4B45389B6245985D00BE09B9A4CA589A249F437A24D146B8CD15
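Two things in this list are worth pulling out before writing hunting queries. CommandPrompt.Sysm and Desktop.sysm carry the same SHA256 (17A3E912...), so they are one payload under two names, and CommandPrompt.Sysm is the file the SafeBoot AlternateShell value above points at; that value names c:\windows\system32\, while the drop landed in C:\Windows\SysWOW64\ because scaa.exe runs under WOW64 (see its module list) and file-system redirection sends a 32-bit process's System32 writes there on this 64-bit guest, so both directories need checking during cleanup. Second, scaa.exe writes executables into existing application directories (CUAssistant, FileZilla FTP Client); the report does not say whether these are fresh drops or existing binaries that were overwritten, so compare their hashes with known-good copies before treating them as infected files. Since no HTTP request or connection in this run is attributed to PID 1232 or 3640, these files and the registry writes are the pivots this report offers. The Python below is an added example, not part of the ANY.RUN report: the rows are constructed from the table above (SHA256 only; the MD5s are in the table), and the set of "normal" PE extensions and the directory test are the author's assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed from the "Dropped files" table above: (pid, path, type, sha256).
# The table's first row, which has no filename or hashes, is omitted.
DROPPED = [
    (1232, r"C:\Windows\SysWOW64\Windows 3D.scr", "executable",
     "486B486079CBBD9771CAA8F199EE41A95D1B9465A5121AAC1F45414DEFF9A55F"),
    (3640, r"C:\Users\admin\AppData\Roaming\Microsoft\2151", "text",
     "3BE481CA29E74A01367CEACA0B5C7F5EE53E9A407D26D4368EDD539541F7B13C"),
    (1232, r"C:\Windows\SysWOW64\maxtrox.txt", "text",
     "841E95FA333ED89085BFBAB19BB658D96ED0C837D25721411233FA55C860C743"),
    (3640, r"C:\Windows\SysWOW64\CommandPrompt.Sysm", "executable",
     "17A3E912605410BF3BB7D76F594C29B95D028404D6EBBFD5AE27C0DDEFFA11B3"),
    (3640, r"C:\Program Files\CUAssistant\culauncher.exe", "executable",
     "56CB4A1AC92CE1FDDF68119037A7F38B80DC1FED531C505D466B4314DE9AEF07"),
    (3640, r"C:\Windows\SysWOW64\Desktop.sysm", "executable",
     "17A3E912605410BF3BB7D76F594C29B95D028404D6EBBFD5AE27C0DDEFFA11B3"),
    (3640, r"C:\Users\admin\AppData\Local\Temp\WRPD935.tmp", "executable",
     "F69D2D078985B0DE351E29D831D5F27616F603D0F88F4060DE026157F9B8A456"),
    (3640, r"C:\Program Files\FileZilla FTP Client\uninstall.exe", "executable",
     "2B9A366EAB870BAB0C3052573E0EB049E92EE9AD7F646E5917F3D7DE403E8DD7"),
    (3640, r"C:\Program Files\FileZilla FTP Client\fzputtygen.exe", "executable",
     "1638C2C03A5F4B45389B6245985D00BE09B9A4CA589A249F437A24D146B8CD15"),
]

# Extensions under which executable content is expected (assumption).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def hash_clusters(rows):
    """SHA256 -> sorted paths, for every hash dropped under more than one name."""
    by_hash = defaultdict(list)
    for _pid, path, _kind, sha256 in rows:
        by_hash[sha256.lower()].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def masqueraded_executables(rows):
    """Executable content written under an extension Windows does not treat as PE."""
    return [path for _pid, path, kind, _h in rows
            if kind == "executable"
            and ntpath.splitext(path)[1].lower() not in PE_EXTENSIONS]


def writes_into_installed_apps(rows):
    """Executables written below Program Files. An installer is the expected
    writer there; a dropper is not, and existing binaries may have been
    overwritten, so these hashes should be compared against known-good copies."""
    return [(pid, path) for pid, path, kind, _h in rows
            if kind == "executable" and path.lower().startswith("c:\\program files")]


def hunting_iocs(rows):
    """Deduplicated, lower-cased SHA256 set of every executable drop."""
    return sorted({h.lower() for _pid, _path, kind, h in rows if kind == "executable"})


if __name__ == "__main__":
    for h, paths in hash_clusters(DROPPED).items():
        print("same payload:", h, paths)
    print("masqueraded:", masqueraded_executables(DROPPED))
    print("program files:", writes_into_installed_apps(DROPPED))
    print("iocs:", hunting_iocs(DROPPED))
```

On the constructed rows the cluster check returns the single 17A3E912... pair, the extension check flags the two .Sysm files and the .tmp in Temp, three writes land under Program Files, and the seven executable rows collapse to six unique SHA256 values for retro-hunting.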
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 39
TCP/UDP connections: 42
DNS requests: 17
Threats: 0

HTTP requests ("-" marks a field the report leaves blank)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5876 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5876 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.130:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections ("-" marks a field the report leaves blank)

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5876 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5876 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5876 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.68
  • 20.190.160.128
  • 20.190.160.14
  • 20.190.160.4
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.140
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 52.168.117.175
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted

Threats

No threats detected
No debug info