File name:

2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/547ae006-3a4b-4697-89ce-6b92ca300387
Verdict: Malicious activity
Analysis date: July 05, 2025, 21:58:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

B9C5C7A81C44237F6D8481E0BD2D4B53

SHA1:

F981C58D526625AEE96AF61EB4FD5B0B13C0CEF0

SHA256:

9EC3D2CB46D57D5D5203E860E08C4B2D73E68875A95350E4F72B889B7A1C88A5

SSDEEP:

49152:JChOrTUrXMm7+/ykdxyzF43hdvwCQYEOFZdOFL3BA0R650:JC9Hg7gmsCQYEqZdOt+0r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 2356)
      • 71815dc0 (PID: 3952)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
    • Application launched itself

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 2356)
    • Executable content was dropped or overwritten

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
    • Executes as Windows Service

      • 71815dc0 (PID: 3952)
    • Connects to unusual port

      • 71815dc0 (PID: 3952)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
    • Connects to the server without a host name

      • 71815dc0 (PID: 3952)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
  • INFO

    • Checks supported languages

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 2356)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
      • 71815dc0 (PID: 3952)
    • The sample was compiled with Chinese language support

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 2356)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
    • Reads the computer name

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 2356)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
      • 71815dc0 (PID: 3952)
    • Process checks computer location settings

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 2356)
    • Reads the machine GUID from the registry

      • 71815dc0 (PID: 3952)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
    • Reads the software policy settings

      • 71815dc0 (PID: 3952)
      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
      • slui.exe (PID: 1936)
    • Checks proxy server information

      • 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID: 3924)
      • slui.exe (PID: 1936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:02 05:12:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 145408
InitializedDataSize: 236544
UninitializedDataSize: -
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
All screenshots are available in the full report
Total processes
139
Monitored processes
4
Malicious processes
1
Suspicious processes
2

Behavior graph

Nodes shown in the graph: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID 2356, no specs), 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID 3924), 71815dc0 (PID 3952), slui.exe (PID 1936)

Process information

PID: 1936
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2356
CMD: "C:\Users\admin\Desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3924
CMD: "C:\Users\admin\Desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Parent process: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID 2356)
User:
admin
Integrity Level:
HIGH
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3952
CMD: C:\Windows\Syswow64\71815dc0
Path: C:\Windows\SysWOW64\71815dc0
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\windows\syswow64\71815dc0
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
11 279
Read events
11 276
Write events
3
Delete events
0

Modification events

Process: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID 3924)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID 3924)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe (PID 3924)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID: 3924
Process: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Windows\SysWOW64\71815dc0
Type: executable
MD5: 18AC23208B5855761DF4F7395BC00B31
SHA256: 575FA55F6D13A6C8717EB7B2634D491CB68F6AA9232086A30F26446A567A3554

PID: 3952
Process: 71815dc0
Filename: C:\Windows\43a8e0
Type: text
MD5: BA46AD76A0E6E86C84AA234E1DA9CBCE
SHA256: 70CF21F0A4E78AFBD2981103237036A8A4D80EFDCBE746B0A193AE0259B927A4

PID: 3924
Process: 2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Windows\432e28
Type: text
MD5: 8D454125C0788A97D89CA0BA05205789
SHA256: 342E58477508584DDA55665D1DEF0F1522D4AD88BFB6F444F8BB8BF84AC9EB1F
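The process table, the modification events and the dropped-file table above together describe one chain: the sample (PID 2356, MEDIUM integrity) relaunches itself as PID 3924 at HIGH integrity, PID 3924 writes an extension-less hex-named file to C:\Windows\SysWOW64\71815dc0, and that file then runs as PID 3952 with services.exe as its parent under SYSTEM, writing C:\Windows\43a8e0 in turn. The following Python is an added example written for this page, not ANY.RUN's signature logic and not code from the sample: it correlates constructed Sysmon-style events modelled on those rows into the findings a detection engineer would want from such a trace (self-relaunch at a higher integrity level, an untrusted writer placing files under C:\Windows, and a freshly dropped file executing as a child of services.exe). The event schema, the field names and the hex-name heuristic are assumptions.

```python
"""Correlate process-tree and file-drop events into drop-and-run-as-service
findings. Added example for this page; not ANY.RUN's or the malware's code."""
import ntpath
import re

# Heuristic (assumption): an extension-less name made only of hex digits, like 71815dc0 or 43a8e0.
GENERATED_NAME = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Constructed events mirroring the report's process tree and dropped-file table.
# Field names are Sysmon-style assumptions, not a real log schema.
SAMPLE = r"C:\Users\admin\Desktop\2025-07-05_b9c5c7a81c44237f6d8481e0bd2d4b53_amadey_elex_mafia_rhadamanthys_smoke-loader_stop.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 2356, "parent_image": r"C:\Windows\explorer.exe",
     "image": SAMPLE, "integrity": "MEDIUM"},
    {"type": "ProcessCreate", "pid": 3924, "ppid": 2356, "parent_image": SAMPLE,
     "image": SAMPLE, "integrity": "HIGH"},
    {"type": "FileCreate", "pid": 3924, "target": r"C:\Windows\SysWOW64\71815dc0"},
    {"type": "FileCreate", "pid": 3924, "target": r"C:\Windows\432e28"},
    {"type": "ProcessCreate", "pid": 3952, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\SysWOW64\71815dc0", "integrity": "SYSTEM"},
    {"type": "FileCreate", "pid": 3952, "target": r"C:\Windows\43a8e0"},
]


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def under_users(path):
    return path.lower().startswith("c:\\users\\")


def analyze(events):
    """Walk the events in order and return a list of finding dicts."""
    procs = {}     # pid -> its ProcessCreate event
    dropped = {}   # lower-cased path written by an untrusted writer -> writer pid
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = ev
            image = ev["image"]
            parent = procs.get(ev.get("ppid"))
            # The same binary relaunching itself at a higher integrity level is the
            # shape of an accepted UAC prompt.
            if parent and parent["image"].lower() == image.lower() \
                    and RANK[ev["integrity"]] > RANK[parent["integrity"]]:
                findings.append({"rule": "self_relaunch_elevated", "pid": ev["pid"],
                                 "from": parent["integrity"], "to": ev["integrity"]})
            # A file written earlier in this trace now starts under services.exe:
            # service persistence, and it inherits SYSTEM.
            if ntpath.basename(ev["parent_image"]).lower() == "services.exe" \
                    and image.lower() in dropped:
                findings.append({"rule": "dropped_file_runs_as_service", "pid": ev["pid"],
                                 "image": image, "dropped_by": dropped[image.lower()]})
        elif ev["type"] == "FileCreate":
            writer = procs.get(ev["pid"])
            if writer is None:
                continue
            target = ev["target"]
            origin = None
            if under_users(writer["image"]):
                origin = "user_path"            # binary running from a user-writable location
            elif writer["image"].lower() in dropped:
                origin = "dropped_file"         # second stage written by a first-stage drop
            if origin and under_windows(target):
                dropped[target.lower()] = ev["pid"]
                findings.append({"rule": "untrusted_write_to_windows_dir", "pid": ev["pid"],
                                 "target": target, "writer_origin": origin,
                                 "generated_name": bool(GENERATED_NAME.match(ntpath.basename(target)))})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The `dropped` map is what ties the rules together: the service-start rule fires only for an image that an earlier event in the same trace wrote, so a legitimately installed SysWOW64 service does not match. Treating "written by a dropped file" as an untrusted origin is what catches C:\Windows\43a8e0, which 71815dc0 writes only once it is already running as SYSTEM.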
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
58
TCP/UDP connections
103
DNS requests
36
Threats
5

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 400 | 20.190.159.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 302 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 302 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3396 | RUXIMICS.exe | GET | 302 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | GET | 200 | 223.5.5.5:443 | https://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | unknown | binary | 257 b | whitelisted
3952 | 71815dc0 | GET | 302 | 223.5.5.5:80 | http://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
(- marks a field the report does not show for that row)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3396 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3396 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 159.255.184.60:803 | - | TOM-NET s.c. Dariusz Koper, Radoslaw Koper | PL | unknown
3396 | RUXIMICS.exe | 159.255.184.60:803 | - | TOM-NET s.c. Dariusz Koper, Radoslaw Koper | PL | unknown
(- marks a field the report does not show for that row)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.168.114
  • 2.16.168.124
whitelisted
down.nugong.asia
unknown
login.live.com
  • 20.190.159.23
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.129
  • 40.126.31.128
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.130
whitelisted
dns.alidns.com
  • 223.5.5.5
  • 223.6.6.6
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
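The two dns.alidns.com requests in the HTTP table and the five ET INFO alerts above are one behaviour seen from two angles: the dropped service 71815dc0 resolves down.nugong.asia through a public resolver's DNS-over-HTTPS JSON API (first over plain HTTP, answered with a 302, then over HTTPS to 223.5.5.5:443), so whatever answer it received travelled inside TLS and the DNS section lists down.nugong.asia without a resolved address. The following Python is an added example written for this page, not ANY.RUN's code and not the Emerging Threats rule: it pulls JSON-API DoH lookups out of an HTTP-request log and decodes the resolver's answer format, including the NXDOMAIN case. The request rows, the response bodies, the resolver list and the browser list are constructed; the report shows the request URLs but not the 257-byte response body.

```python
"""Extract DNS-over-HTTPS lookups from an HTTP-request log and decode the JSON
answer format used by resolve endpoints such as dns.alidns.com/resolve.
Added example for this page; not ANY.RUN's, the sandbox's or any vendor's code."""
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: illustrative list of public resolvers with a JSON resolve API; not exhaustive.
DOH_RESOLVERS = {"dns.alidns.com", "dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATHS = {"/resolve", "/dns-query"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # processes expected to use DoH
RR_TYPES = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA"}

# Constructed request rows modelled on the report's HTTP table
# (process is None where the report shows no PID for the row).
REQUESTS = [
    {"pid": 3952, "process": "71815dc0", "method": "GET", "code": 302,
     "url": "http://dns.alidns.com/resolve?name=down.nugong.asia&type=1"},
    {"pid": None, "process": None, "method": "GET", "code": 200,
     "url": "https://dns.alidns.com/resolve?name=down.nugong.asia&type=1"},
    {"pid": 1268, "process": "svchost.exe", "method": "GET", "code": 302,
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
]


def doh_lookups(requests):
    """Return one record per request that is a JSON-API DoH lookup, with the queried name and type."""
    out = []
    for r in requests:
        u = urlsplit(r["url"])
        if u.hostname not in DOH_RESOLVERS or u.path not in DOH_PATHS:
            continue
        q = parse_qs(u.query)
        raw_type = q.get("type", ["1"])[0]          # the API accepts a number or a mnemonic
        rtype = RR_TYPES.get(int(raw_type), raw_type) if raw_type.isdigit() else raw_type.upper()
        out.append({
            "pid": r["pid"], "process": r["process"],
            "resolver": u.hostname, "name": q.get("name", [""])[0], "rtype": rtype,
            # a plain-HTTP attempt at a DoH endpoint leaks the queried name in the clear
            "cleartext": u.scheme == "http",
            # DoH from anything that is not a browser deserves a look
            "non_browser": (r["process"] or "").lower() not in BROWSERS,
        })
    return out


def parse_doh_answer(body):
    """Decode a Google-style JSON DNS answer into (status, [(rrtype, rdata), ...]).
    Status 0 is NOERROR and 3 is NXDOMAIN; status 0 with no Answer means the
    name exists but has no record of the requested type."""
    doc = json.loads(body)
    status = int(doc.get("Status", -1))
    records = [(RR_TYPES.get(a.get("type"), str(a.get("type"))), a["data"])
               for a in doc.get("Answer", [])]
    return status, records


# Constructed bodies in the resolve-API shape; 192.0.2.10 is a documentation address,
# not a real resolution of down.nugong.asia.
ANSWER_OK = json.dumps({"Status": 0, "Question": [{"name": "down.nugong.asia.", "type": 1}],
                        "Answer": [{"name": "down.nugong.asia.", "type": 1, "TTL": 60,
                                    "data": "192.0.2.10"}]})
ANSWER_NX = json.dumps({"Status": 3, "Question": [{"name": "down.nugong.asia.", "type": 1}]})


if __name__ == "__main__":
    for hit in doh_lookups(REQUESTS):
        print(hit)
    print(parse_doh_answer(ANSWER_OK))
    print(parse_doh_answer(ANSWER_NX))
```

The SNI-based ET rule only tells you that some process talked TLS to a DoH resolver; the HTTP log (or a proxy with TLS inspection) is what gives you the queried name and the requesting process, which is why the cleartext first attempt on port 80 is worth keeping even though it only returned a redirect.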
No debug info