File name: 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/1d5c27e1-3f9a-449e-a74d-e39b0c73b8a2
Verdict: Malicious activity
Analysis date: May 16, 2025, 01:36:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 9A9BE911F031AAFE2FD29308F8238B1F
SHA1: 41579672BA505ABE1B8030B64B8A2BEB1E8D48E5
SHA256: 575138CAC5DBCC42AF9B614442DD8290FD29C3AAA06D997AD3C3F4AAB4E9DFA5
SSDEEP: 98304:oGPR08+0CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCV:o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 3956)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
    • Reads security settings of Internet Explorer

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
    • Executes application which crashes

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
      • iccteneg.exe (PID: 5380)
      • iccteneg.exe (PID: 5892)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 5800)
      • svchost.exe (PID: 3956)
    • Connects to SMTP port

      • svchost.exe (PID: 5800)
      • svchost.exe (PID: 3956)
  • INFO

    • Create files in a temporary directory

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
    • Reads the computer name

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
      • iccteneg.exe (PID: 5380)
      • iccteneg.exe (PID: 5892)
    • Process checks computer location settings

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
    • Checks supported languages

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
      • iccteneg.exe (PID: 5380)
      • iccteneg.exe (PID: 5892)
    • Auto-launch of the file from Registry key

      • 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 6516)
    • Manual execution by a user

      • iccteneg.exe (PID: 5892)
    • Checks proxy server information

      • slui.exe (PID: 1188)
    • Reads the software policy settings

      • slui.exe (PID: 1188)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (64.5)
.dll | Win32 Dynamic Link Library (generic) (13.6)
.exe | Win32 Executable (generic) (9.3)
.exe | Clipper DOS Executable (4.1)
.exe | Generic Win/DOS Executable (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:05 14:28:24+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 132096
InitializedDataSize: 822272
UninitializedDataSize: -
EntryPoint: 0xbd1a
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x007f
FileFlags: (none)
FileOS: Unknown (0x40324)
ObjectFileType: Static library
FileSubtype: -
Total processes: 136
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes shown in the graph: 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe, wusa.exe (no specs), wusa.exe, iccteneg.exe, werfault.exe (no specs), svchost.exe, werfault.exe (no specs), iccteneg.exe, svchost.exe (#TOFSEE), werfault.exe (no specs), slui.exe

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 496
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5892 -s 524
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: iccteneg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1188
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2108
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6516 -s 1296
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2432
CMD: "C:\WINDOWS\SysWOW64\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Standalone Installer
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3956
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: iccteneg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 4408
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5380 -s 228
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: iccteneg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5380
CMD: "C:\Users\admin\iccteneg.exe" /d"C:\Users\admin\Desktop\2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe" /e550302100000007F
Path: C:\Users\admin\iccteneg.exe
Parent process: 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, access violation)
Modules (images):
c:\users\admin\iccteneg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 5800
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: iccteneg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 5892
CMD: "C:\Users\admin\iccteneg.exe"
Path: C:\Users\admin\iccteneg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, access violation)
Modules (images):
c:\users\admin\iccteneg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
PID: 6516
CMD: "C:\Users\admin\Desktop\2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, access violation)
Modules (images):
c:\users\admin\desktop\2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
Total events: 5 315
Read events: 5 312
Write events: 2
Delete events: 1

Modification events

(PID) Process: (6516) 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: abkjzldu
Value: "C:\Users\admin\iccteneg.exe"

(PID) Process: (5800) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: 008D933D43BA343D24EDB47D450DD49D084297DCE82E72BAA4C2638A8213481D9036F2B548CD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B16DC854F7D3DE7AC644490BDB77825E8945906C5FD8D3C74BBC4103D29FCA76D10DC8145723FED9D084295D9E13F4BB4C06D07FD

(PID) Process: (5800) svchost.exe
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value: -
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5800 | svchost.exe | C:\Users\admin:.repos | binary
MD5: 49D0C0CA2CD76E1BD04DB7F49640F4B7
SHA256: ADFD90F30002566391D1428D8CDE8EC95C29CD9EF7A914880F5252A2A73E9FF6

6516 | 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe | C:\Users\admin\iccteneg.exe | executable
MD5: 482865F665936651E907B0F4C936E34A
SHA256: 56A31398460C8C75E8964F51ADA4CB61A30C55D21E8B2215E4A0BB818E2EC5B0

6516 | 2025-05-16_9a9be911f031aafe2fd29308f8238b1f_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\embfsqzz.exe | executable
MD5: F59F4DF75906C0163784A16C9DA6BD43
SHA256: 5ACCCEBC78BDFCFF4247AA504B4922767664820D957E452412AEF236D26F938C
HTTP(S) requests: 8
TCP/UDP connections: 49
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3008 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
3008 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5800 | svchost.exe | 13.107.246.45:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5800 | svchost.exe | 52.101.42.6:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5800 | svchost.exe | 43.231.4.7:443 | - | Gigabit Hosting Sdn Bhd | MY | unknown
3956 | svchost.exe | 13.107.246.45:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3956 | svchost.exe | 52.101.42.6:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3956 | svchost.exe | 43.231.4.7:443 | - | Gigabit Hosting Sdn Bhd | MY | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.110 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
microsoft.com | 13.107.246.45 | whitelisted
microsoft-com.mail.protection.outlook.com | 52.101.42.6, 52.101.194.0, 52.101.11.13, 52.101.194.15 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info