File name: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/14aaed1e-cb2c-40e9-8ff3-407ba2001d3a
Verdict: Malicious activity
Analysis date: July 06, 2025, 00:53:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 31BF0B823750CF1D60F9C62936FCF4F3
SHA1: 7B1E8C1A0AE5B5DC5138593CFC6858EFA5424BD5
SHA256: F0EF650ABAA0FABA187628D9F22047BF3A36C16F98BABABA10CD0215ED4156FD
SSDEEP: 6144:eQWQOONqU4oCP4OzRvXcDqpEKigVNEsK6uwfQNOWjnCTF629WxplHymhWub9fcNw:ehqN7OlvXtJ7VoCTBilHjdb9oG6Oew

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • backgroundTaskHost.exe (PID: 1984)
  • SUSPICIOUS

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 952)
    • Executable content was dropped or overwritten

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Reads security settings of Internet Explorer

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Executing commands from a ".bat" file

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Starts CMD.EXE for commands execution

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Executes application which crashes

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Process run an executable payload

      • rundll32.exe (PID: 2800)
  • INFO

    • Checks supported languages

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Reads the computer name

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Creates files in the program directory

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Reads the machine GUID from the registry

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Reads the software policy settings

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
      • slui.exe (PID: 5616)
    • Creates files or folders in the user directory

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Checks proxy server information

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
      • backgroundTaskHost.exe (PID: 1984)
      • slui.exe (PID: 5616)
    • Launching a file from a Registry key

      • backgroundTaskHost.exe (PID: 1984)
    • Reads security settings of Internet Explorer

      • backgroundTaskHost.exe (PID: 1984)
      • rundll32.exe (PID: 2800)
    • Create files in a temporary directory

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Process checks computer location settings

      • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe (PID: 1800)
    • Manual execution by a user

      • rundll32.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:08:06 10:25:55+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 221184
InitializedDataSize: 192512
UninitializedDataSize: -
EntryPoint: 0x3aa3
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the graph (starting from "start"):
  • 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
  • backgroundtaskhost.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • attrib.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • rundll32.exe (no specs)
  • slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 952
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\ProgramData\ydt80A9.tmp.bat" "C:\Users\admin\Desktop\2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1800
CMD: "C:\Users\admin\Desktop\2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (Images):
c:\users\admin\desktop\2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 1984
CMD: "backgroundTaskHost.exe"
Path: C:\Windows\SysWOW64\backgroundTaskHost.exe
Parent process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Background Task Host
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\backgroundtaskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2800
CMD: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\DBD2HF~1.EXE
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 1223
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3740
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1800 -s 1948
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 2147942405
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5548
CMD: attrib -r -s -h "C:\Users\admin\Desktop\2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
Path: C:\Windows\SysWOW64\attrib.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5616
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6400
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1800 -s 2056
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 2147942405
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 368
Read events: 14 362
Write events: 6
Delete events: 0

Modification events

(PID) Process: (1984) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
Operation: write
Name: 65a7ba
Value:
00000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (1984) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: IntelPowerAgent5
Value: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\DBD2HF~1.EXE

(PID) Process: (1984) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1984) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
Operation: write
Name: 65a7ba
Value:
00000000000000000000000000000000000000000000000000000000010000000000000000000000433A5C50726F6772616D446174615C6462643268666668666A2E65786500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (1984) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1984) backgroundTaskHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5: 144D698C7F3CCD662F9460D8F443A2BB
SHA256: C5714AC85358D727F4EA913F814CCADCD7F6E063D95B54B886CCF6BFC31612C1

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\65a7ba9885b9ed5d98fb
Type: text
MD5: C3B9C43E9E088210EA5A7C2827DF26EC
SHA256: 2523626869FE9453435410901339751F4D0D6486D39AB132451D9CF024CC049C

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0
Type: binary
MD5: 999F18B229A3BE4FE54BA752523824C3
SHA256: 31570767386CAECEF0F8907AFB58D20C77A6AB91A07FA4B3620802FE205D417E

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5: 7FC51C8B7A257A01E9413717842F9DF9
SHA256: 7A843C9FBBC3931C644FAFE6A9E461C67B95DEB5DCDC5B65FD4EF00772833952

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0
Type: binary
MD5: B97262F104B708129ED5089B8204E3D1
SHA256: 15D3B9A4D0E28E70BDB66B0D53132F562618A193BC075DD19F0906B3B5025A4A

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\ProgramData\dbd2hffhfj.exe
Type: executable
MD5: C5FDCB87644E73A05D6F650BEE6634D8
SHA256: E8FB9FA308AD13BCEDF91A924AC04A16CF638D94FE1CFC7D0A31B6737D157266

PID: 1800
Process: 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
Filename: C:\ProgramData\ydt80A9.tmp.bat
Type: text
MD5: 5E2BA29CC313AF63F807AF312A4B6AF3
SHA256: 5B9EFCD8BE62946DE4F6EF1C4D5735C2946D630595EBAFE7E563BCD0944AD7B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 27
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4888 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4888 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1800 | 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | | | whitelisted
1800 | 2025-07-06_31bf0b823750cf1d60f9c62936fcf4f3_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl | unknown | | | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | | | whitelisted
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4888 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4888 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.74.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
download.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
eboduftazce-ru.com
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 2.23.197.184
whitelisted
self.events.data.microsoft.com
  • 52.168.117.175
whitelisted

Threats

No threats detected
No debug info