File name:

2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc

Full analysis: https://app.any.run/tasks/df736c0a-7993-4e45-b773-dbf34ab2624e
Verdict: Malicious activity
Analysis date: June 21, 2025, 21:50:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
mpress
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

14E78429AA388F0E8B3AC9EADAA00FFE

SHA1:

DE637D2204BB80B9BFA7DD089149B7744DBBC3FF

SHA256:

06F8D4E7915F2B964790661DC8E524C50C509F9F5686AAA6374647C218522CD9

SSDEEP:

98304:kBQkX2vHCoYuUSJL2yt/KmP7B+LdhVOxRBAaiKc36/srnQpgGmcmGDhrHM:i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)

    • Executable content was dropped or overwritten

      • 6C18.tmp (PID: 5712)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Starts itself from another location

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)

    • Reads security settings of Internet Explorer

      • 6C18.tmp (PID: 5712)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Application launched itself

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)

    • Reads Microsoft Outlook installation path

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Adds/modifies Windows certificates

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Reads Internet Explorer settings

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

  • INFO

    • Reads the computer name

      • 6C18.tmp (PID: 5712)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Checks supported languages

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)
      • 6C18.tmp (PID: 5712)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • The sample compiled with english language support

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)
      • 6C18.tmp (PID: 5712)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Reads the machine GUID from the registry

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 5644)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Process checks computer location settings

      • 6C18.tmp (PID: 5712)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)

    • Reads the software policy settings

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1564)
      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)
      • slui.exe (PID: 1484)

    • Checks proxy server information

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)
      • slui.exe (PID: 1484)

    • Creates files or folders in the user directory

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)

    • Mpress packer has been detected

      • 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:10:19 18:35:31+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 172032
InitializedDataSize: 2598912
UninitializedDataSize: -
EntryPoint: 0x1d311
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.5.4.24
ProductVersionNumber: 2.0.2.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Adobe
FileDescription: Adobe Installation Helper
FileVersion: 3.5.4.24
InternalName: host.exe
LegalCopyright: Copyright © Adobe Systems Incorporated
OriginalFileName: host.exe
ProductName: Adobe Installation Helper
ProductVersion: 2.0.2.4
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe 6c18.tmp 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe no specs 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1484C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1564"C:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe" C:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe6C18.tmp
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.24
Modules
Images
c:\users\admin\desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2280"C:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe" -ElevatedC:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
User:
admin
Company:
Adobe
Integrity Level:
HIGH
Description:
Adobe Installation Helper
Version:
3.5.4.24
Modules
Images
c:\users\admin\desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5644"C:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe" C:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
explorer.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.24
Modules
Images
c:\users\admin\desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
5712"C:\Users\admin\AppData\Local\Temp\6C18.tmp" --pingC:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe AAED39B733073D6FB61B71558C5018106E2CEB17A8CE9A0267D7CD8BB2D73A2F2969B56733B0EDB9F1A8473C324FD89E30289E7E6671B0199B305FFE0C135357C:\Users\admin\AppData\Local\Temp\6C18.tmp
2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.24
Modules
Images
c:\users\admin\appdata\local\temp\6c18.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
12 391
Read events
12 382
Write events
6
Delete events
3

Modification events

(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:742C3192E607E424EB4549542BE1BBC53E6174E2
Value:
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:writeName:Blob
Value:
04000000010000001000000010FC635DF6263E0DF325BE5F79CD67677E0000000100000008000000000010C51E92D2011D000000010000001000000027B3517667331CE2C1E74002B5FF2298620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E7009000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B0601050507030119000000010000001000000091161B894B117ECDC257628DB460CC04030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E20F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD80B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D00610072007900200043004100000053000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C0140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB69777A000000010000000E000000300C060A2B0601040182375E010268000000010000000800000000003DB65BD9D5012000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:writeName:Blob
Value:
5C00000001000000040000000004000068000000010000000800000000003DB65BD9D5017A000000010000000E000000300C060A2B0601040182375E0102140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697753000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C00B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D0061007200790020004300410000000F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD8030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E219000000010000001000000091161B894B117ECDC257628DB460CC0409000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070301620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E701D000000010000001000000027B3517667331CE2C1E74002B5FF22987E0000000100000008000000000010C51E92D20104000000010000001000000010FC635DF6263E0DF325BE5F79CD67672000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:4F65566336DB6598581D584A596C87934D5F2AB4
Value:
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
Operation:writeName:Blob
Value:
5C00000001000000040000000004000019000000010000001000000091161B894B117ECDC257628DB460CC040300000001000000140000004F65566336DB6598581D584A596C87934D5F2AB41D000000010000001000000027B3517667331CE2C1E74002B5FF2298140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697709000000010000002A000000302806082B0601050507030406082B0601050507030206082B0601050507030306082B060105050703010B000000010000003800000056006500720069005300690067006E00200043006C006100730073002000330020005000720069006D006100720079002000430041000000040000000100000010000000782A02DFDB2E14D5A75F0ADFB68E9C5D0F0000000100000010000000F1BBAC2D9038DDEC8DB173C53BC72A2A2000000001000000410200003082023D308201A6021100E49EFDF33AE80ECFA5113E19A4240232300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3034303130373233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D0101020500038181006170EC2F3F9EFD2BE6685421B06779080C2096318A0D7ABEB626DF792C22694936E397776261A232D77A542136BA02C934E725DA4435B0D25C805DB394F8F9ACEEA460752A1F954923B14A7CF4B34772215B7E97AB54AC62E75DECAE9BD2C9B224FB82ADE967154BBAAAA6F097A0F6B0975700C80C3C09A08204BA41DAF799A4
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
5
Suspicious files
1
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mainwindow[1].csstext
MD5:263326825DF0644CC94694B9709A5F4C
SHA256:F4397303A819A98CB2DA22C2B960E34D42ECC8CBAA555C5B968D12B727846B6E
57126C18.tmpC:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeexecutable
MD5:03B18EE5AE548B01CF455CA56AA2DAAE
SHA256:9F581B5730B3F10DE2A3B3A21D3E476F3094FEEF3E4DD92FFDAA103F6C410802
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\bg-close-program[1].pngimage
MD5:7B5E8F1FFFE864DE7B1F916D2D036904
SHA256:50C0578EFC9C2E4AF433860BAF9BB6E24C6E1C948186382F7AEA2871A8B7DD62
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\icon-blank[1].gifimage
MD5:047722E6940449B36DC7507352170004
SHA256:E749A443EF9436DB67B0FF16DBB3BBBF4CC7E3BA3424EA83F1EE9181B74DCFAA
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\mainwindow[1].htmhtml
MD5:0749DA7ECD810D2FE5300A6538FBB114
SHA256:0AC31F9BE06A9200968462EE577CD0E7132162F28AEF542205D9286456EE2F69
56442025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\6C18.tmpexecutable
MD5:99D894E55C021545084DA413B1AC83E4
SHA256:432EA70F9AD5FB97FBA13DB1FDE2EC108A7BD35D8DDA2A7E2BCA86A644BA43A8
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\logo-adobe[1].gifimage
MD5:2D32D489B011C582232B70FEBFC866B0
SHA256:3829F33115FF4CD0FC3EC2505FB4603578F040FEBEABAFFF16C9446D53E68A3B
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\compact.min[1].jsbinary
MD5:270FAD4C7A848ABBA47DA44EFE9B78C0
SHA256:396D96CFD7F81E04FF79BA1194066765334FE932D9A6A1F590074F35E4982C8C
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\icon-complete[1].gifimage
MD5:17667B07D2444A37AC55753434371AAB
SHA256:E1061FB7966D14C69DF93A15BDDD6D0331A79B162D9D788632B4E35FA5406A7F
22802025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\icon-complete-error[1].gifimage
MD5:9C0FB23D2B2F05454E4CE898B2F79052
SHA256:DEFF98C9B6E64B7BBC2516EAE50E5BEAB2C2A4EC8C3942525B5197C7F5BA6166
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
32
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2976
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2976
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/sls/ping
unknown
2976
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5476
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5476
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5476
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
  • 184.24.77.38
  • 184.24.77.39
  • 184.24.77.19
  • 184.24.77.23
  • 184.24.77.33
  • 184.24.77.37
  • 184.24.77.26
  • 184.24.77.16
  • 184.24.77.27
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
get.adobe.com
  • 95.100.110.14
  • 95.100.110.8
whitelisted
www.adobe.com
  • 2.19.126.140
  • 2.19.126.162
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc