File name:

2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/207f6976-8acb-4d55-94ce-c504c1a39875
Verdict: Malicious activity
Analysis date: March 24, 2025, 14:27:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

E7606BC849A7DC2DB381B70136B35C15

SHA1:

638C42F5238BEFEBC81D7E82534E916B9C2A1195

SHA256:

CEE7942098B341865743C6A5EDA78B02EA54BA14D0003EA0AB8FE8387D66B081

SSDEEP:

12288:/B8mcng5H8JxCE9I2kOblMuvWVlhzVnVkI:/B8mVhCgoI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 7660)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 7660)
    • Reads security settings of Internet Explorer

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
    • Connects to SMTP port

      • svchost.exe (PID: 7660)
  • INFO

    • Checks supported languages

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
      • baoqebcu.exe (PID: 7636)
    • Create files in a temporary directory

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
    • Process checks computer location settings

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
    • Reads the computer name

      • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID: 7436)
      • baoqebcu.exe (PID: 7636)
    • Checks proxy server information

      • slui.exe (PID: 7848)
    • Reads the software policy settings

      • slui.exe (PID: 7848)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:02 11:40:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 124416
InitializedDataSize: 5467648
UninitializedDataSize: -
EntryPoint: 0x1cf50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 28.0.0.0
ProductVersionNumber: 28.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
All screenshots are available in the full report
Total processes
125
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

start
  • 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe (PID 7436)
    • wusa.exe (PID 7484, no specs)
    • wusa.exe (PID 7596)
    • baoqebcu.exe (PID 7636, no specs)
      • svchost.exe (PID 7660) #TOFSEE
        • slui.exe (PID 7848)

Process information

PID: 7436
CMD: "C:\Users\admin\Desktop\2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7484
CMD: "C:\Windows\System32\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Update Standalone Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7596
CMD: "C:\WINDOWS\SysWOW64\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Standalone Installer
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7636
CMD: "C:\Users\admin\baoqebcu.exe" /d"C:\Users\admin\Desktop\2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe" /e550302100000007F
Path: C:\Users\admin\baoqebcu.exe
Parent process: 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\baoqebcu.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7660
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: baoqebcu.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 7848
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 128
Read events
4 127
Write events
1
Delete events
0

Modification events

(PID) Process: (7436) 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ghqpfrja
Value: "C:\Users\admin\baoqebcu.exe"
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 7436
Process: 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\baoqebcu.exe
Type: executable
MD5: B99E6D8EC515DD8B9AE89B122004C2FC
SHA256: B79FA0153AA1B6B877DD38F29A7A69C95C1251723510C65CB6CC9A5077BDEA94

PID: 7436
Process: 2025-03-24_e7606bc849a7dc2db381b70136b35c15_amadey_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\afpkeqnp.exe
Type: executable
MD5: D34F4C5FB6DF0650DAA448E2F964B3DA
SHA256: 4840303DD78E405AC368D7EE34D0052E52DD716EE80C117AB85C41DB73EE859E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
26
DNS requests
6
Threats
0

HTTP requests

Method: POST
HTTP Code: -
IP: 20.83.72.98:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 20.83.72.98:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

PID / Process: -
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID / Process: 4 System
IP: 192.168.100.255:137
Reputation: whitelisted

PID / Process: 4 System
IP: 192.168.100.255:138
Reputation: whitelisted

PID / Process: 7660 svchost.exe
IP: 20.236.44.162:80
Domain: microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID / Process: 7660 svchost.exe
IP: 52.101.194.3:25
Domain: microsoft-com.mail.protection.outlook.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID / Process: 7660 svchost.exe
IP: 43.231.4.7:443
Domain: -
ASN: Gigabit Hosting Sdn Bhd
CN: MY
Reputation: unknown

PID / Process: 5576 slui.exe
IP: 40.91.76.224:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID / Process: 7848 slui.exe
IP: 40.91.76.224:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted
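The process tree, the Run-key write and the port-25 connection above are the data points an analyst would turn into host-level checks. The added example below is mine, not ANY.RUN code, and encodes four heuristics over records constructed from this report's tables: an svchost.exe whose parent is not services.exe and which runs as an interactive user (here, SysWOW64\svchost.exe spawned by baoqebcu.exe as admin, the process the TOFSEE YARA rule fired on); a child running at a higher integrity level than its parent (the second wusa.exe is HIGH under a MEDIUM parent, after the first wusa.exe exited with STATUS_ELEVATION_REQUIRED); a Run value whose target sits under the user profile; and outbound SMTP from a process that is not a mail client. MAIL_CLIENTS and SMTP_PORTS are assumed site policy, not facts from the report. Note that the submitter's filename labels the sample amadey/rhadamanthys/smoke-loader, while the only family the sandbox actually detected is Tofsee; the checks do not depend on the family label.

```python
"""Host-triage heuristics built from this report's process tree, Run-key write
and SMTP connection. Added example, not ANY.RUN code; records are constructed
from the report, MAIL_CLIENTS/SMTP_PORTS are assumed policy."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
# Accounts a genuine services.exe-spawned svchost.exe runs under.
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# Assumption: the only processes allowed to speak SMTP from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent_pid: Optional[int]
    parent_image: str
    user: str
    integrity: str


@dataclass(frozen=True)
class RunValue:
    name: str
    command: str


@dataclass(frozen=True)
class Conn:
    pid: int
    dst: str  # "ip:port"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_svchost(p: Proc) -> List[str]:
    """A real svchost.exe is started by services.exe under a service account."""
    hits: List[str] = []
    if basename(p.image) != "svchost.exe":
        return hits
    if basename(p.parent_image) != "services.exe":
        hits.append("svchost_unexpected_parent")
    if p.user.lower() not in SERVICE_ACCOUNTS:
        hits.append("svchost_interactive_user")
    return hits


def check_integrity_jump(p: Proc, by_pid: Dict[int, Proc]) -> List[str]:
    """Child at a higher integrity level than its parent (auto-elevation)."""
    parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
    if parent and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
        return ["child_integrity_above_parent"]
    return []


def check_run_value(rv: RunValue) -> List[str]:
    """Run-key value whose target lives in a user-writable location."""
    target = rv.command.strip().strip('"').lower()
    if target.startswith("c:\\users\\") or "\\appdata\\" in target:
        return ["run_key_user_writable_target"]
    return []


def check_smtp(c: Conn, by_pid: Dict[int, Proc]) -> List[str]:
    """Outbound SMTP from anything that is not an allow-listed mail client."""
    port = int(c.dst.rsplit(":", 1)[1])
    proc = by_pid.get(c.pid)
    if port in SMTP_PORTS and (proc is None or basename(proc.image) not in MAIL_CLIENTS):
        return ["smtp_egress_non_mail_client"]
    return []


def triage(procs, run_values, conns) -> List[Tuple[str, str]]:
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[str, str]] = []
    for p in procs:
        for rule in check_svchost(p) + check_integrity_jump(p, by_pid):
            findings.append((rule, str(p.pid)))
    for rv in run_values:
        for rule in check_run_value(rv):
            findings.append((rule, rv.name))
    for c in conns:
        for rule in check_smtp(c, by_pid):
            findings.append((rule, f"{c.pid}->{c.dst}"))
    return findings


# Records constructed from the report's process, registry and connection tables.
SAMPLE = (r"C:\Users\admin\Desktop\2025-03-24_e7606bc849a7dc2db381b70136b35c15"
          r"_amadey_rhadamanthys_smoke-loader.exe")
PROCS = [
    Proc(7436, SAMPLE, None, "explorer.exe", "admin", "MEDIUM"),
    Proc(7484, r"C:\Windows\SysWOW64\wusa.exe", 7436, SAMPLE, "admin", "MEDIUM"),
    Proc(7596, r"C:\Windows\SysWOW64\wusa.exe", 7436, SAMPLE, "admin", "HIGH"),
    Proc(7636, r"C:\Users\admin\baoqebcu.exe", 7436, SAMPLE, "admin", "MEDIUM"),
    Proc(7660, r"C:\Windows\SysWOW64\svchost.exe", 7636, r"C:\Users\admin\baoqebcu.exe", "admin", "MEDIUM"),
    Proc(7848, r"C:\Windows\System32\slui.exe", 7660, r"C:\Windows\SysWOW64\svchost.exe", "admin", "MEDIUM"),
]
RUN_VALUES = [RunValue("ghqpfrja", r'"C:\Users\admin\baoqebcu.exe"')]
CONNS = [Conn(7660, "20.236.44.162:80"), Conn(7660, "52.101.194.3:25"),
         Conn(7660, "43.231.4.7:443"), Conn(7848, "40.91.76.224:443")]

if __name__ == "__main__":
    for rule, subject in triage(PROCS, RUN_VALUES, CONNS):
        print(f"{rule:32} {subject}")
```

Run as-is it flags PID 7660 twice (parent and user), PID 7596 for the integrity jump, the ghqpfrja Run value, and the 7660 connection to 52.101.194.3:25; the wusa.exe that failed with STATUS_ELEVATION_REQUIRED and the slui.exe activation client produce nothing. The svchost rule is deliberately strict: on a workstation any svchost.exe not parented by services.exe deserves a look, and the SysWOW64 copy running under an interactive user is doubly out of place.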

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
microsoft.com
  • 20.236.44.162
  • 20.231.239.246
  • 20.76.201.171
  • 20.112.250.133
  • 20.70.246.20
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.194.3
  • 52.101.8.42
  • 52.101.9.5
  • 52.101.41.0
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info