File name:	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc
Full analysis:	https://app.any.run/tasks/df736c0a-7993-4e45-b773-dbf34ab2624e
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 21:50:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	mpress
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	14E78429AA388F0E8B3AC9EADAA00FFE
SHA1:	DE637D2204BB80B9BFA7DD089149B7744DBBC3FF
SHA256:	06F8D4E7915F2B964790661DC8E524C50C509F9F5686AAA6374647C218522CD9
SSDEEP:	98304:kBQkX2vHCoYuUSJL2yt/KmP7B+LdhVOxRBAaiKc36/srnQpgGmcmGDhrHM:i

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2006:10:19 18:35:31+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	172032
InitializedDataSize:	2598912
UninitializedDataSize:	-
EntryPoint:	0x1d311
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.5.4.24
ProductVersionNumber:	2.0.2.4
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Adobe
FileDescription:	Adobe Installation Helper
FileVersion:	3.5.4.24
InternalName:	host.exe
LegalCopyright:	Copyright © Adobe Systems Incorporated
OriginalFileName:	host.exe
ProductName:	Adobe Installation Helper
ProductVersion:	2.0.2.4


(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:	delete value	Name:	742C3192E607E424EB4549542BE1BBC53E6174E2
Value:
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:	write	Name:	Blob
Value: 04000000010000001000000010FC635DF6263E0DF325BE5F79CD67677E0000000100000008000000000010C51E92D2011D000000010000001000000027B3517667331CE2C1E74002B5FF2298620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E7009000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B0601050507030119000000010000001000000091161B894B117ECDC257628DB460CC04030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E20F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD80B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D00610072007900200043004100000053000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C0140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB69777A000000010000000E000000300C060A2B0601040182375E010268000000010000000800000000003DB65BD9D5012000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:	write	Name:	Blob
Value: 5C00000001000000040000000004000068000000010000000800000000003DB65BD9D5017A000000010000000E000000300C060A2B0601040182375E0102140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697753000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C00B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D0061007200790020004300410000000F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD8030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E219000000010000001000000091161B894B117ECDC257628DB460CC0409000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070301620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E701D000000010000001000000027B3517667331CE2C1E74002B5FF22987E0000000100000008000000000010C51E92D20104000000010000001000000010FC635DF6263E0DF325BE5F79CD67672000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:	delete value	Name:	4F65566336DB6598581D584A596C87934D5F2AB4
Value:
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
Operation:	write	Name:	Blob
Value: 5C00000001000000040000000004000019000000010000001000000091161B894B117ECDC257628DB460CC040300000001000000140000004F65566336DB6598581D584A596C87934D5F2AB41D000000010000001000000027B3517667331CE2C1E74002B5FF2298140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697709000000010000002A000000302806082B0601050507030406082B0601050507030206082B0601050507030306082B060105050703010B000000010000003800000056006500720069005300690067006E00200043006C006100730073002000330020005000720069006D006100720079002000430041000000040000000100000010000000782A02DFDB2E14D5A75F0ADFB68E9C5D0F0000000100000010000000F1BBAC2D9038DDEC8DB173C53BC72A2A2000000001000000410200003082023D308201A6021100E49EFDF33AE80ECFA5113E19A4240232300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3034303130373233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D0101020500038181006170EC2F3F9EFD2BE6685421B06779080C2096318A0D7ABEB626DF792C22694936E397776261A232D77A542136BA02C934E725DA4435B0D25C805DB394F8F9ACEEA460752A1F954923B14A7CF4B34772215B7E97AB54AC62E75DECAE9BD2C9B224FB82ADE967154BBAAAA6F097A0F6B0975700C80C3C09A08204BA41DAF799A4
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2280) 2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\logo-adobe[1].gif		image
		MD5:2D32D489B011C582232B70FEBFC866B0	SHA256:3829F33115FF4CD0FC3EC2505FB4603578F040FEBEABAFFF16C9446D53E68A3B
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\bg-header-error[1].gif		image
		MD5:3A05B98BBC864762A5CFC1C2EF14AE54	SHA256:7785156C3B5B7DD395260C85DE82A5DD3435322376F85E9E98693B083FBFD770
5712	6C18.tmp	C:\Users\admin\Desktop\2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe		executable
		MD5:03B18EE5AE548B01CF455CA56AA2DAAE	SHA256:9F581B5730B3F10DE2A3B3A21D3E476F3094FEEF3E4DD92FFDAA103F6C410802
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mainwindow[1].css		text
		MD5:263326825DF0644CC94694B9709A5F4C	SHA256:F4397303A819A98CB2DA22C2B960E34D42ECC8CBAA555C5B968D12B727846B6E
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\mainwindow[1].htm		html
		MD5:0749DA7ECD810D2FE5300A6538FBB114	SHA256:0AC31F9BE06A9200968462EE577CD0E7132162F28AEF542205D9286456EE2F69
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\bg-close-program[1].png		image
		MD5:7B5E8F1FFFE864DE7B1F916D2D036904	SHA256:50C0578EFC9C2E4AF433860BAF9BB6E24C6E1C948186382F7AEA2871A8B7DD62
5644	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Temp\6C18.tmp		executable
		MD5:99D894E55C021545084DA413B1AC83E4	SHA256:432EA70F9AD5FB97FBA13DB1FDE2EC108A7BD35D8DDA2A7E2BCA86A644BA43A8
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\button-center[1].png		image
		MD5:424E1545C97D7A617B912D3949CE7D39	SHA256:BE540529637F65267B866D66DF77F64DA5F431E2BF984B750E75C9CB80F27D37
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\button-right[1].png		image
		MD5:BD3BD139A7C6356DB8EB1C1CB4D9D7E4	SHA256:35FA1A9D18A39B8421DEDC37BB253DBAD61A44302EFC6C3A16873517D43EC181
2280	2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\button-left[1].png		image
		MD5:1BA47DCDFDFD441272C7194499AB3368	SHA256:97FDDBD8DEAD2451387D2E50D0991BB78BEBB86B4A4C2CF504BB6F23CD1D4302

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5476	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
2976	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5476	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.190:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5476	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.55.104.190 23.55.104.172 184.24.77.38 184.24.77.39 184.24.77.19 184.24.77.23 184.24.77.33 184.24.77.37 184.24.77.26 184.24.77.16 184.24.77.27	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
get.adobe.com	95.100.110.14 95.100.110.8	whitelisted
www.adobe.com	2.19.126.140 2.19.126.162	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	20.189.173.1	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

General Info

2025-06-21_14e78429aa388f0e8b3ac9eadaa00ffe_amadey_elex_gcleaner_smoke-loader_stealc

14E78429AA388F0E8B3AC9EADAA00FFE

DE637D2204BB80B9BFA7DD089149B7744DBBC3FF

06F8D4E7915F2B964790661DC8E524C50C509F9F5686AAA6374647C218522CD9

98304:kBQkX2vHCoYuUSJL2yt/KmP7B+LdhVOxRBAaiKc36/srnQpgGmcmGDhrHM:i

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Starts itself from another location

Executable content was dropped or overwritten

Starts application with an unusual extension

Reads security settings of Internet Explorer

Application launched itself

Adds/modifies Windows certificates

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Checks proxy server information

Reads the software policy settings

Mpress packer has been detected

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings