File name: 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe

Full analysis: https://app.any.run/tasks/2ae0e193-4655-44f4-b087-0597e2cd9f5d
Verdict: Malicious activity
Threats:

Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.

Analysis date: July 20, 2025, 02:53:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sality
auto-reg
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 4B0EACA270965960BD67A84121DF9F9A
SHA1: 456579FEDFEB059E81292CFC985934E2D498CE0A
SHA256: B8E6A6343C8A312131A69E59ECA5EB1956049335D0B8AB37DFD6AF5893694DD7
SSDEEP: 12288:W0A9zxrTpRn2QGW5cY9QYvRUOf5IvAvHgB901:YlX5avAvHgn01

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes Security Center notification settings

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • Changes firewall settings

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • UAC/LUA settings modification

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • SALITY mutex has been found

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6160)
    • SALITY has been detected

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
    • Disables Windows firewall

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
    • Changes the autorun value in the registry

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
    • Executes as Windows Service

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • Application launched itself

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 6492)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • Process drops legitimate windows executable

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
    • Creates file in the system drive root

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
  • INFO

    • Reads the computer name

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6160)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
      • ShellExperienceHost.exe (PID: 6492)
    • Checks supported languages

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6160)
      • ShellExperienceHost.exe (PID: 6492)
    • Launching a file from a Registry key

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
    • UPX packer has been detected

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • Manual execution by a user

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 4120)
    • The sample was compiled with English language support

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 6408)
    • Checks proxy server information

      • slui.exe (PID: 4200)
    • Reads the software policy settings

      • slui.exe (PID: 4200)
    • Create files in a temporary directory

      • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (PID: 5500)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:19 03:34:28+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 113664
InitializedDataSize: 107008
UninitializedDataSize: -
EntryPoint: 0xff3d
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.4.12.813
ProductVersionNumber: 1.4.12.813
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
Comments: -
CompanyName: Feitian Technologies Co.,Ltd.
FileDescription: Setup NetROCKEY4ND Service
FileVersion: 1, 4, 12, 813
InternalName: nrSvr
LegalCopyright: Copyright (C) 2012 Feitian Technologies Co.,Ltd.
LegalTrademarks: ROCKEY
OriginalFileName: nrSvr.exe
PrivateBuild: -
ProductName: NetROCKEY4ND Service
ProductVersion: 1, 4, 12, 813
SpecialBuild: -
All screenshots are available in the full report
Total processes: 140
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

  • #SALITY 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
  • #SALITY 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (no specs)
  • #SALITY 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
  • shellexperiencehost.exe (no specs)
  • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (no specs)
  • slui.exe
  • 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe (no specs)

Process information

PID: 2468
CMD: "C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
Parent process: explorer.exe
User: admin
Company: Feitian Technologies Co.,Ltd.
Integrity Level: MEDIUM
Description: Setup NetROCKEY4ND Service
Exit code: 3221226540
Version: 1, 4, 12, 813
Modules (images):
c:\users\admin\desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4120
CMD: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe -systray
Path: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
Parent process: explorer.exe
User: admin
Company: Feitian Technologies Co.,Ltd.
Integrity Level: MEDIUM
Description: Setup NetROCKEY4ND Service
Exit code: 3221226540
Version: 1, 4, 12, 813
Modules (images):
c:\users\admin\desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4200
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5500
CMD: "C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
Parent process: explorer.exe
User: admin
Company: Feitian Technologies Co.,Ltd.
Integrity Level: HIGH
Description: Setup NetROCKEY4ND Service
Version: 1, 4, 12, 813
Modules (images):
c:\users\admin\desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6160
CMD: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe -start
Path: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
Parent process: 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
User: admin
Company: Feitian Technologies Co.,Ltd.
Integrity Level: HIGH
Description: Setup NetROCKEY4ND Service
Exit code: 0
Version: 1, 4, 12, 813
Modules (images):
c:\users\admin\desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6408
CMD: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe -dispatch
Path: C:\Users\admin\Desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
Parent process: services.exe
User: SYSTEM
Company: Feitian Technologies Co.,Ltd.
Integrity Level: SYSTEM
Description: Setup NetROCKEY4ND Service
Version: 1, 4, 12, 813
Modules (images):
c:\users\admin\desktop\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6492
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
Total events: 5 414
Read events: 5 262
Write events: 151
Delete events: 1

Modification events

PID | Process | Key | Operation | Name | Value
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center | write | AntiVirusOverride | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center | write | AntiVirusDisableNotify | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center | write | FirewallDisableNotify | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center | write | FirewallOverride | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center | write | UpdatesDisableNotify | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center | write | UacDisableNotify | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | write | AntiVirusOverride | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | write | AntiVirusDisableNotify | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | write | FirewallDisableNotify | 1
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | write | FirewallOverride | 1
Executable files: 21
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5500 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | - | -
MD5: -
SHA256: -
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Windows\Temp\winyptht.exe | executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Windows\Temp\winshny.exe | executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
5500 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | executable
MD5: C9ABEE9F34C84D2DD2D83F1C3CDA50FD
SHA256: 913A8BEC5063D2FEDF5B3BFB9B3394585B912494622C37E7014691CFC6F7DA90
5500 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\autorun.inf | binary
MD5: 662696BB3EB540AB2F409DA28A95775C
SHA256: 1DD2A134110F01F11ACBEE823C13959E322D5D61FF3F9C7DB4162325AB6597F6
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Users\admin\Desktop\svrlog.txt | text
MD5: 9ACA99ECC4CC243C16B83F7110414211
SHA256: 2780996A65DA918B7C95207F78E23DDBEC214933E4F776A48E2E89E4B6539126
6408 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Windows\Temp\0018E683_Rar\2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | executable
MD5: 4B0EACA270965960BD67A84121DF9F9A
SHA256: B8E6A6343C8A312131A69E59ECA5EB1956049335D0B8AB37DFD6AF5893694DD7
5500 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\winvgttrs.exe | executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
5500 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | executable
MD5: 8E28D0B408C981B517CF90D6DCE6BD29
SHA256: FE03F76CD7ED1782E58FA77C12576042F56FC494C94163E9C74E33B11D4EAA14
5500 | 2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe | executable
MD5: 219C90C5E07DEEAD56FA501947359A52
SHA256: 55A39E3980E2BEF9D6488144305D088628FBBFF47E7107688A60B6AC8BC4EE0C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4172 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4172 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4172 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4172 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4172 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 51.116.246.105
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected

Debug output strings

Process | Message
2025-07-20_4b0eaca270965960bd67a84121df9f9a_elex_rhadamanthys_smoke-loader_stop_tofsee.exe | c9231c8c