File name: 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc

Full analysis: https://app.any.run/tasks/973591f1-b1d8-4f2e-93d9-1b56ff71ea56
Verdict: Malicious activity
Analysis date: April 28, 2025, 12:07:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 04D3AEA888B47507D37BD90D5DC874C5
SHA1: 1DB902B1AA8931B69E41DD855AEC8F1E64F2A856
SHA256: B7AAA2BC03F546351BF1D55519AE85D5D998E4AC46C8003BE7A45AB309482CFA
SSDEEP: 3072:605xcWAXLADLegYfDScQhGuhO6TUu5qwdnx9PRxpyMunQZg/3Rp44Ws5z:R5xbA7ADSgYfecGt5qUnxVl5uQZapq+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 5552)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • Reads security settings of Internet Explorer

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • Executes application which crashes

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
      • pysxpojf.exe (PID: 2152)
      • pysxpojf.exe (PID: 6268)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 5116)
      • svchost.exe (PID: 5552)
    • Connects to SMTP port

      • svchost.exe (PID: 5116)
      • svchost.exe (PID: 5552)
  • INFO

    • The sample was compiled with English language support

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • Creates files in a temporary directory

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • Reads the computer name

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
      • pysxpojf.exe (PID: 2152)
      • pysxpojf.exe (PID: 6268)
    • Checks supported languages

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
      • pysxpojf.exe (PID: 2152)
      • pysxpojf.exe (PID: 6268)
    • Process checks computer location settings

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • Auto-launch of the file from Registry key

      • 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 2108)
    • Manual execution by a user

      • pysxpojf.exe (PID: 6268)
    • Checks proxy server information

      • slui.exe (PID: 1272)
    • Reads the software policy settings

      • slui.exe (PID: 1272)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:01 11:14:28+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 154112
InitializedDataSize: 96164864
UninitializedDataSize: -
EntryPoint: 0x480e
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 44.0.0.0
ProductVersionNumber: 44.0.0.0
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileV: 44.0.0.55
All screenshots are available in the full report
Total processes: 134
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes, in the order the report lists them:
start
2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
wusa.exe (no specs)
wusa.exe
pysxpojf.exe
werfault.exe (no specs)
svchost.exe
werfault.exe (no specs)
pysxpojf.exe
#TOFSEE svchost.exe
werfault.exe (no specs)
slui.exe

Process information

Each entry lists the PID, command line, path and parent process, followed by the process details and its loaded modules.
PID: 1244
CMD: "C:\WINDOWS\SysWOW64\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1272
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2108
CMD: "C:\Users\admin\Desktop\2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe"
Path: C:\Users\admin\Desktop\2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 2152
CMD: "C:\Users\admin\pysxpojf.exe" /d"C:\Users\admin\Desktop\2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe" /e550302100000007F
Path: C:\Users\admin\pysxpojf.exe
Parent process: 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\pysxpojf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 4112
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6268 -s 556
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: pysxpojf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4448
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2152 -s 584
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: pysxpojf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5116
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: pysxpojf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 5552
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: pysxpojf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 5720
CMD: "C:\Windows\System32\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6028
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2108 -s 1032
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 5 319
Read events: 5 316
Write events: 2
Delete events: 1

Modification events

(PID) Process: (2108) 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: klutjvne
Value: "C:\Users\admin\pysxpojf.exe"

(PID) Process: (5116) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: 008D273D259D1D3D24EDB47D450DD49D084297DCE82E72BAA4C2638A1901B41D25B647E64FCD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4824C753BECAC644490BDB57425E8935C01C9C4E53D428DC9741035F9AC6E10D582457C35D4F10B4C90D8F6127DB9A45E34

(PID) Process: (5116) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value:
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2108 | 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe | C:\Users\admin\AppData\Local\Temp\qztyqpkg.exe | executable
MD5: FB89B0BC3B43D0905DEBD1B8CC87EADC
SHA256: 978F776CC8EE047E9D55409D0D276457F78ED97BE34E6837AD1464F514B21DAE
2108 | 2025-04-28_04d3aea888b47507d37bd90d5dc874c5_elex_rhadamanthys_smoke-loader_stealc.exe | C:\Users\admin\pysxpojf.exe | executable
MD5: 23A84B399107E415C94BC3E1C72334A0
SHA256: 5108AD81F69847448BF5B737D26C6460185CEE94A331AA806B5E24F25A31A6FB
5116 | svchost.exe | C:\Users\admin:.repos | binary
MD5: 212A8F380D76ADE4CCAB27B562A60EE3
SHA256: F0AFA753271C3413F55B4CD85198F472380F5699EA474A4EF2089EF202754B04
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 27
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5116 | svchost.exe | 13.107.246.59:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5116 | svchost.exe | 52.101.40.2:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5116 | svchost.exe | 43.231.4.7:443 | - | Gigabit Hosting Sdn Bhd | MY | unknown
5552 | svchost.exe | 13.107.246.59:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5552 | svchost.exe | 52.101.40.2:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5552 | svchost.exe | 43.231.4.7:443 | - | Gigabit Hosting Sdn Bhd | MY | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.40.2
  • 52.101.10.10
  • 52.101.11.13
  • 52.101.41.3
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info