File name:

2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop

Full analysis: https://app.any.run/tasks/60326c83-7453-44fe-abd9-e4b8387bbf7d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes programs that each target a particular kind of data, such as files, passwords and cryptocurrency wallets. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 24, 2025, 22:04:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
mpress
auto-reg
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:

971A62657A1021D9C912D7E0019663F8

SHA1:

4A8C0FE4A296A89E3541D7233C0E35AB2BA6C61D

SHA256:

795EB921393C543CABE3A816D616DB3705042F71F7F45A530FAE36F119D6C965

SSDEEP:

6144:kfXQJCSl7XEu7yqmtllAn6tp7LCKn3YqCBKvd6I:/7XtyqEAnI2Kn3IBkdF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Changes the autorun value in the registry

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Reads security settings of Internet Explorer

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
  • INFO

    • The sample was compiled with English language support

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Reads the computer name

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
      • ielowutil.exe (PID: 2880)
    • Failed to create an executable file in Windows directory

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Checks supported languages

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
      • rasctfobj.exe (PID: 2276)
      • ielowutil.exe (PID: 2880)
    • Creates files in a temporary directory

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Manual execution by a user

      • rasctfobj.exe (PID: 2276)
    • Checks proxy server information

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
      • slui.exe (PID: 1332)
    • Mpress packer has been detected

      • rasctfobj.exe (PID: 2276)
      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Reads the software policy settings

      • slui.exe (PID: 1332)
    • Launching a file from a Registry key

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
    • Creates files or folders in the user directory

      • 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (PID: 4264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:05 14:48:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 102400
InitializedDataSize: 4096
UninitializedDataSize: 114688
EntryPoint: 0x12362
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Intel NGO
FileDescription: Intel Motherboard Service
FileVersion: 6, 5, 1, 1
InternalName: Intel NGO
LegalCopyright: Copyright (C) 2007
LegalTrademarks: Intel Corp.
OriginalFileName: NGO
ProductName: NGO
ProductVersion: 6, 5, 0, 0
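The EXIF fields above (timestamp, linker version, section count, entry point, code size versus uninitialized-data size) are read straight from the COFF file header, the optional header and the section table, and a packer such as MPRESS leaves recognisable traces there. The Python below is an added triage example, not ANY.RUN tooling and not a byte copy of the sample: it walks those headers with struct, and the input from build_sample() is a constructed PE skeleton whose header numbers are set to the report's values (timestamp 2010-04-05 14:48:51 UTC, linker 8, entry point 0x12362, CodeSize 102400, InitializedDataSize 4096, UninitializedDataSize 114688, four sections) with an assumed section layout; .MPRESS1/.MPRESS2 are the section names MPRESS uses, while the section sizes and the .rsrc/.data sections are assumptions. The flags produced by triage() (stale timestamp, writable-and-executable entry section, section that expands in memory, uninitialized data larger than code) are the author's heuristics, not signatures from the report.

```python
import struct
from datetime import datetime, timezone

# Added example: header-only PE walker for triage. Not ANY.RUN code.
FILE_HEADER = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
OPT_HEADER_HEAD = "<HBBIIII"    # Magic, MajorLinker, MinorLinker, SizeOfCode, SizeOfInitData, SizeOfUninitData, AddressOfEntryPoint
SECTION_HEADER = "<8sIIIIIIHHI" # Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrReloc, PtrLines, NumReloc, NumLines, Characteristics
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
ANALYSIS_DATE = datetime(2025, 6, 24, 22, 4, 20, tzinfo=timezone.utc)  # analysis date from the report header


def parse_pe(data: bytes) -> dict:
    """Return the header fields the report lists, without touching section contents."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER, data, fh)
    opt = fh + struct.calcsize(FILE_HEADER)
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from(OPT_HEADER_HEAD, data, opt)
    sections, off = [], opt + opt_size  # section table follows the optional header
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, _, _, _, _, _, sc = struct.unpack_from(SECTION_HEADER, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "chars": sc})
        off += struct.calcsize(SECTION_HEADER)
    return {"machine": machine, "pe_type": "PE32" if magic == 0x10B else "PE32+",
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "linker": f"{lmaj}.{lmin}", "code_size": code, "init_data_size": idata,
            "uninit_data_size": udata, "entry_point": entry, "characteristics": chars,
            "num_sections": nsec, "sections": sections}


def triage(info: dict, analysis_date: datetime) -> list:
    """Heuristic flags worth having before unpacking (author's choices, not report signatures)."""
    flags = []
    if any(s["name"].upper().startswith(".MPRESS") for s in info["sections"]):
        flags.append("packer:mpress")                          # MPRESS names its sections .MPRESS1/.MPRESS2
    ep = info["entry_point"]
    for s in info["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            flags.append(f"entry_in:{s['name']}")
            if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
                flags.append("entry_section_wx")              # entry code lives in a writable page: decompression stub
        if s["rawsize"] and s["vsize"] > 2 * s["rawsize"]:
            flags.append(f"section_expands:{s['name']}")       # much more memory than file bytes: unpack target
    if info["uninit_data_size"] > info["code_size"]:
        flags.append("uninit_data_exceeds_code")
    age_years = (analysis_date - info["timestamp"]).days / 365.25
    if age_years > 5:
        flags.append(f"stale_timestamp:{age_years:.0f}y")      # TimeDateStamp is attacker-controlled; a hint only
    return flags


def build_sample() -> bytes:
    """CONSTRUCTED PE skeleton: header numbers follow the report, the section layout is assumed."""
    stamp = int(datetime(2010, 4, 5, 14, 48, 51, tzinfo=timezone.utc).timestamp())
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics (assumed)
        (b".MPRESS1", 0x11000, 0x1000, 0x8000, 0xE0000080),
        (b".MPRESS2", 0x1000, 0x12000, 0x1000, 0xE0000060),
        (b".rsrc", 0x1000, 0x13000, 0x1000, 0x40000040),
        (b".data", 0x1C000, 0x14000, 0x0, 0xC0000080),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HEADER, 0x14C, len(sections), stamp, 0, 0, 0xE0, 0x0303)
    opt_hdr = struct.pack(OPT_HEADER_HEAD, 0x10B, 8, 0, 102400, 4096, 114688, 0x12362).ljust(0xE0, b"\0")
    sec_tbl = b"".join(struct.pack(SECTION_HEADER, n, vs, va, rs, 0, 0, 0, 0, 0, ch)
                       for n, vs, va, rs, ch in sections)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + sec_tbl


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info["pe_type"], info["timestamp"].isoformat(), f"entry=0x{info['entry_point']:x}",
          [s["name"] for s in info["sections"]])
    print(triage(info, ANALYSIS_DATE))
```

Run against a real file with parse_pe(open(path, "rb").read()); the parser deliberately stops at the section table, so it is safe to point at untrusted samples without mapping them. The timestamp check is only a hint: the 2010 stamp on this sample may be genuine for a long-lived family or simply forged.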
No data.
Screenshots

All screenshots are available in the full report
Total processes: 127
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe (start), rasctfobj.exe (no specs), ielowutil.exe (no specs), iexplore.exe, iexplore.exe, slui.exe. Parent/child relations are given in the process table below.

Process information

PID: 1332
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2276
CMD: C:\Users\admin\AppData\Local\rasctfobj.exe
Path: C:\Users\admin\AppData\Local\rasctfobj.exe
Parent process: explorer.exe
User:
admin
Company:
Intel NGO
Integrity Level:
MEDIUM
Description:
Intel Motherboard Service
Exit code:
0
Version:
6, 5, 1, 1
Modules
Images
c:\users\admin\appdata\local\rasctfobj.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2880
CMD: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
Path: C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Low-Mic Utility Tool
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\ielowutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4264
CMD: "C:\Users\admin\Desktop\2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Parent process: explorer.exe
User:
admin
Company:
Intel NGO
Integrity Level:
MEDIUM
Description:
Intel Motherboard Service
Version:
6, 5, 1, 1
Modules
Images
c:\users\admin\desktop\2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6664
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7100
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6664 CREDAT:9474 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 10 151
Read events: 10 086
Write events: 61
Delete events: 4

Modification events

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: recovery
Value: C:\Users\admin\AppData\Local\rasctfobj.exe
Note: the WOW6432Node path is the 32-bit view of the machine-wide Run key, so this entry starts at every logon of every user. rasctfobj.exe (PID 2276) carries the same "Intel NGO" version resource and MPRESS detection as the sample and appears to be a copy of it.

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\CommonFiles
Operation: write
Name: IconsStorage0
Value: C:\Users\admin\AppData\Local\dnsrasdns.exe
Note: an executable path stored under an unrelated vendor key; dnsrasdns.exe does not appear by name in the dropped files listed below.

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\82.146.51.22
Operation: write
Name: *
Value: 2
Note: ZoneMap values are URL security zone numbers (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites), so this places 82.146.51.22 in the Trusted sites zone for all schemes. The address does not appear in the connections or DNS tables shown in this report.

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: Check_Associations
Value: no
Note: suppresses Internet Explorer's "not the default browser" prompt.

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Operation: write
Name: SerialIID
Value: B1000000DBFE341249657714FFA02875
Note: not a documented Windows value under this key; the report does not show how the sample uses it.

PID 6664, iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

PID 6664, iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

PID 6664, iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {4B62ED0C-5147-11F0-B4F0-18F7786F96EE}
Value: 0

PID 6664, iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation: write
Name: Version
Value: WS not running

PID 6664, iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: FullScreen
Value: no
Executable files: 13
Suspicious files: 2
Text files: 13
Unknown types: 2

Dropped files

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\b3e5376e-4f2d-458f-893b-02cc56eddd8e
Type: text
MD5: 25AA83C73F326B7DA0C0168662EEA84A
SHA256: AC25C62F2F5527321BCA57D2B5E5B18D9C1DE978524AD41AA936D456B1F570FA

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\a101b184-f775-4acd-9164-b4e04821bcc3
Type: xml
MD5: 3F32200A254E7007BE309F60AC1B5503
SHA256: 92CFAFBB5073CD0BB9311B4BD58F56D6332D029812FE312B643F1B3BA531F556

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename:
Type:
MD5:
SHA256:

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Local\rasdnsras.ocx
Type: executable
MD5: 97C92F4457DD94D678D4C9E4BDD8352F
SHA256: EED7377EB708D163AD0E8C50EF40D8EA8D15124832904AC1318A3FD10728FFD3

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\ddf6bdd0-b635-45a6-b290-e583bda2973c
Type: xml
MD5: D38E7D98F66D84F15C09CC105EE9E716
SHA256: E22A49E63506152FAC042F8C40BF116A9C8E1089A8D5CE65E5EC8D1A2CD215F0

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\extensions\{8919CE9F-23FD-411a-A2D3-A91DAC20C4FA}\content\fsoverlay.xul
Type: xml
MD5: D38E7D98F66D84F15C09CC105EE9E716
SHA256: E22A49E63506152FAC042F8C40BF116A9C8E1089A8D5CE65E5EC8D1A2CD215F0

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\extensions\{8919CE9F-23FD-411a-A2D3-A91DAC20C4FA}\components\IGalaxyComponent.xpt
Type: xpt
MD5: 3D5CA4D696EFC88D9DA9F00EB12B66B1
SHA256: A00F9E9D5CEC7671E5CDD1E5C5016CBFD05A061CEA54F86013F31B2C0F48EE73

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\extensions\{8919CE9F-23FD-411a-A2D3-A91DAC20C4FA}\components\firefox-cln.exe
Type: executable
MD5: 0B0363DFD4AA10417A98D35F5CA120B8
SHA256: 07C1E7FF71F3446C351B1BCEDD5FFA09653812139205ADE18FCE2D05EF51A5A1

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\extensions\{8919CE9F-23FD-411a-A2D3-A91DAC20C4FA}\chrome.manifest
Type: text
MD5: 25AA83C73F326B7DA0C0168662EEA84A
SHA256: AC25C62F2F5527321BCA57D2B5E5B18D9C1DE978524AD41AA936D456B1F570FA

PID 4264, 2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe
Filename: C:\Users\admin\AppData\Local\Temp\fafc466d-b918-4a9f-8890-248e806608df
Type: text
MD5: A299D2318A64091035D19AD1C482A75C
SHA256: B234C180D9459079CF28DF27B95D7B2E58586B763FADAE7EBD6769157948278E

Note: the Temp files b3e5376e-... and ddf6bdd0-... have the same hashes as chrome.manifest and fsoverlay.xul respectively, so the same content is written both to Temp and into the Firefox profile. chrome.manifest, a .xul overlay and an .xpt component describe a legacy XUL/XPCOM extension; Firefox stopped loading that format with Firefox 57 (2017), so on a current Firefox these files are inert and firefox-cln.exe is the component still worth examining. The Firefox profile name (9kie7cg6.default-release) is a sandbox artifact and should not be used as an indicator.
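The registry writes in the Modification events section and the drops in the Dropped files section are the persistence and tampering evidence an analyst would turn into detection logic. The Python below is an added example, not ANY.RUN's signatures: it runs a handful of rules over Sysmon-style events (ID 13 registry value set, ID 11 file create) that are constructed here to mirror both tables (the paths, key names and the zone value 2 are taken from the report; the event field names, rule names and severity scheme are the author's choices). It normalises the WOW6432Node view of the Run key, treats ZoneMap writes of zone 1 or 2 as elevation and a bare IP literal as high severity, flags executables written into a Firefox profile's extensions directory by a non-Firefox process, and notes an executable path stashed under an unrelated vendor key such as Adobe\CommonFiles. One block serves both sections.

```python
import re
from ipaddress import ip_address

# Added example, not ANY.RUN detection logic. Events are CONSTRUCTED to mirror the
# report's Modification events (Sysmon ID 13) and Dropped files (Sysmon ID 11) tables.
SAMPLE = r"C:\Users\admin\Desktop\2025-06-24_971a62657a1021d9c912d7e0019663f8_elex_stop.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    {"id": 13, "pid": 4264, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery",
     "details": r"C:\Users\admin\AppData\Local\rasctfobj.exe"},
    {"id": 13, "pid": 4264, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Adobe\CommonFiles\IconsStorage0",
     "details": r"C:\Users\admin\AppData\Local\dnsrasdns.exe"},
    {"id": 13, "pid": 4264, "image": SAMPLE,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\82.146.51.22\*",
     "details": "DWORD (0x00000002)"},  # Sysmon renders REG_DWORD this way
    {"id": 13, "pid": 4264, "image": SAMPLE,
     "key": r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations", "details": "no"},
    {"id": 13, "pid": 6664, "image": IE,  # ordinary browser housekeeping, must not alert
     "key": r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen", "details": "no"},
    {"id": 11, "pid": 4264, "image": SAMPLE,
     "target": r"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release"
               r"\extensions\{8919CE9F-23FD-411a-A2D3-A91DAC20C4FA}\components\firefox-cln.exe"},
    {"id": 11, "pid": 4264, "image": SAMPLE, "target": r"C:\Users\admin\AppData\Local\rasdnsras.ocx"},
    {"id": 11, "pid": 4264, "image": SAMPLE,
     "target": r"C:\Users\admin\AppData\Local\Temp\b3e5376e-4f2d-458f-893b-02cc56eddd8e"},
]

# WOW6432Node is optional so the 32-bit and 64-bit views of Run/RunOnce match the same rule
RUN_KEY = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
ZONEMAP = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\([^\\]+)", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)|ProgramData|Windows\\Temp)\\", re.I)
FIREFOX_EXT_DIR = re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\extensions\\", re.I)
PE_EXTENSIONS = (".exe", ".dll", ".ocx", ".scr", ".cpl")


def _dword(details):
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def _is_pe_name(path):
    return path.lower().endswith(PE_EXTENSIONS)


def registry_rules(ev):
    hits, key, val, image = [], ev["key"], ev.get("details", "").strip('"'), ev["image"].lower()
    if RUN_KEY.search(key):
        sev = "high" if USER_WRITABLE.match(val) else "medium"   # autorun into a user-writable dir
        hits.append((sev, "autorun_value_set", ev["pid"], f"{key} -> {val}"))
    elif _is_pe_name(val) and USER_WRITABLE.match(val):
        # executable path parked under an unrelated key: staging/config, worth a low-severity note
        hits.append(("low", "exe_path_stashed_in_registry", ev["pid"], f"{key} -> {val}"))
    m = ZONEMAP.search(key)
    if m and _dword(val) in (1, 2):        # 1 = Local intranet, 2 = Trusted sites
        host = m.group(1)
        try:
            ip_address(host)
            sev = "high"                    # a bare IP in Trusted sites is rarely legitimate
        except ValueError:
            sev = "medium"
        hits.append((sev, "zone_elevation", ev["pid"], f"{host} -> zone {_dword(val)}"))
    if (key.lower().endswith(r"\internet explorer\main\check_associations") and val.lower() == "no"
            and not image.endswith("\\iexplore.exe")):
        hits.append(("low", "ie_default_browser_prompt_disabled", ev["pid"], image))
    return hits


def file_rules(ev):
    target, image = ev["target"], ev["image"].lower()
    if not _is_pe_name(target):
        return []
    if FIREFOX_EXT_DIR.search(target) and not image.endswith("\\firefox.exe"):
        return [("high", "exe_dropped_into_firefox_extension", ev["pid"], target)]
    if USER_WRITABLE.match(target):
        return [("medium", "exe_dropped_in_user_dir", ev["pid"], target)]
    return []


def detect(events):
    order = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for ev in events:
        if ev["id"] == 13:
            hits += registry_rules(ev)
        elif ev["id"] == 11:
            hits += file_rules(ev)
    return sorted(hits, key=lambda h: order[h[0]])


if __name__ == "__main__":
    for sev, rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev:6}] pid={pid} {rule}: {detail}")
```

Feeding the constructed events through detect() yields six hits, all for PID 4264, and nothing for the iexplore.exe write. In production the same rules run over a Sysmon or EDR registry/file feed; the ZoneMap rule is the one most often missed by stock content, and it is also the one that cannot be explained by a legitimate installer when the domain is a bare IP address.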
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 42
TCP/UDP connections: 65
DNS requests: 22
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
3048 | SIHClient.exe | GET | 200 | 23.48.23.192:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
3048 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Note: every request shown is Windows background traffic (CRL fetches by svchost.exe, MoUsoCoreWorker.exe and SIHClient.exe, Windows Update and a Microsoft account logon); none is attributed to PID 4264 or rasctfobj.exe. The report counts 42 HTTP(S) requests but lists only these, so check the PCAP in the full report before concluding that the sample generated no HTTP traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6284 | svchost.exe | 20.190.159.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.140
  • 23.48.23.141
  • 23.48.23.194
  • 23.48.23.193
  • 23.48.23.191
  • 23.48.23.139
  • 23.48.23.190
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.159.129
  • 40.126.31.71
  • 40.126.31.2
  • 40.126.31.130
  • 40.126.31.129
  • 20.190.159.68
  • 20.190.159.2
  • 40.126.31.69
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Observed UA-CPU Header
- | - | Misc activity | ET INFO Observed UA-CPU Header

Note: both alerts are the informational Emerging Threats rule for the UA-CPU request header that Internet Explorer sends; they are not command-and-control detections, and the "Threats: 2" count above refers to them.
No debug info