File name: 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe

Full analysis: https://app.any.run/tasks/fc6062b6-0e81-40d1-a302-8f64449d9a07
Verdict: Malicious activity
Analysis date: July 14, 2025, 20:50:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: BECCAD8FD2AF1C34B8DB540ABF58A7AE
SHA1: 67D8016005D417F20A9F44E0C9DA5E73F6274C05
SHA256: C063AD16A4BFA44F84448062665942AFA142CDA028AEE1E23CE7D7A838C3A8DA
SSDEEP: 6144:eNWQOONqU4oCP4OzRvXcDqpEKigVNEsK6uwfQNOWjnCTF629WxplHymhWub9fcNw:ecqN7OlvXtJ7VoCTBilHjdb9oG6Oew

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • backgroundTaskHost.exe (PID: 4920)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Executable content was dropped or overwritten
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Starts CMD.EXE for commands execution
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Executing commands from a ".bat" file
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Uses ATTRIB.EXE to modify file attributes
      • cmd.exe (PID: 1204)
    • Executes application which crashes
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Process run an executable payload
      • rundll32.exe (PID: 2680)
  • INFO
    • Reads the computer name
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Creates files in the program directory
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Reads the machine GUID from the registry
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Checks supported languages
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Create files in a temporary directory
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Reads the software policy settings
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
      • slui.exe (PID: 1512)
    • Checks proxy server information
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
      • backgroundTaskHost.exe (PID: 4920)
      • slui.exe (PID: 1512)
    • Creates files or folders in the user directory
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Process checks computer location settings
      • 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 6460)
    • Launching a file from a Registry key
      • backgroundTaskHost.exe (PID: 4920)
    • Reads security settings of Internet Explorer
      • backgroundTaskHost.exe (PID: 4920)
      • rundll32.exe (PID: 2680)
    • Manual execution by a user
      • rundll32.exe (PID: 2680)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:08:06 10:25:55+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 221184
InitializedDataSize: 192512
UninitializedDataSize: -
EntryPoint: 0x3aa3
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 143
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the graph (interactive graph available in the full report): 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (start), backgroundtaskhost.exe, cmd.exe (no specs), conhost.exe (no specs), attrib.exe (no specs), werfault.exe (no specs), werfault.exe (no specs), rundll32.exe (no specs), slui.exe

Process information

Columns: PID | CMD | Path | Parent process
PID: 1132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1204
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\srt4A0E.tmp.bat" "C:\Users\admin\Desktop\2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1512
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2180
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6460 -s 1872
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 2147942405
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2220
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6460 -s 1416
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 2147942405
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2680
CMD: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\DBD2HF~1.EXE
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 1223
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4920
CMD: "backgroundTaskHost.exe"
Path: C:\Windows\SysWOW64\backgroundTaskHost.exe
Parent process: 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Background Task Host
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\backgroundtaskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6384
CMD: attrib -r -s -h "C:\Users\admin\Desktop\2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Windows\SysWOW64\attrib.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6460
CMD: "C:\Users\admin\Desktop\2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (images):
c:\users\admin\desktop\2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 14 398
Read events: 14 392
Write events: 6
Delete events: 0

Modification events

(PID) Process: (4920) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
Operation: write
Name: 65a7ba
Value:
(binary value omitted)
(PID) Process: (4920) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
Operation: write
Name: 65a7ba
Value:
(binary value omitted)
(PID) Process: (4920) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: IntelPowerAgent5
Value: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\DBD2HF~1.EXE

(PID) Process: (4920) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4920) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4920) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 2
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\Temp\65a7ba9885b9ed5d98fb | text | 81ED121DE665C020931CEC0E942AB38A | 68E7017B46A9C0DB7BE97F1ACCFD5BC32BE04047C942CD69EAF05D6F5D55050F
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0 | der | 1C377FFC470964E618886611D50CD89D | 68F63C2B85F7A54CF432D286F6F262F2A99B0D6F53EEDA3D56801D4DDA29C588
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\ProgramData\dbd2hffhd2.exe | executable | 158A3DB93DFF89BD5798E6CA1B7D9CDE | 8A6387355AE989246A3781999812C2E6972138778CFD1424494008E02C0FDB02
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0 | binary | E5721298F376B1F456AB46A8BDB369EE | D607478269D7287B4B338C29EE2E2B23BCAEC9E55AE98A3A884A725392DD5D3D
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | der | 144D698C7F3CCD662F9460D8F443A2BB | C5714AC85358D727F4EA913F814CCADCD7F6E063D95B54B886CCF6BFC31612C1
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary | 0398D172B46F1048AF3A555100DA0E3F | F8831968B1013EA4301255247409CABBD8837C929DBC35B6C09A5FD9D0B23F76
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\srt4A0E.tmp.bat | text | 44126905BC2CB78AB51D16F2E5FDB285 | 6D14E1A53A09969E144D4843887056A31745B68A9BF49373B683FF03C0CC0A77
HTTP(S) requests: 9
TCP/UDP connections: 25
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3964 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
2940 | svchost.exe | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
6460 | 2025-07-14_beccad8fd2af1c34b8db540abf58a7ae_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3964 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3964 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6024 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.216.77.20, 23.216.77.30, 23.216.77.22, 23.216.77.21 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
download.windowsupdate.com | 23.7.245.137, 23.7.245.202 | whitelisted
eboduftazce-ru.com | - | unknown
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
x1.c.lencr.org | 23.209.209.135 | whitelisted
self.events.data.microsoft.com | 20.42.65.93 | whitelisted

Threats

No threats detected