File name:

2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc

Full analysis: https://app.any.run/tasks/52904b9c-ecd0-4376-86d1-37f373e6e1eb
Verdict: Malicious activity
Analysis date: June 21, 2025, 03:06:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
mpress
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

55E63676BC509C1B683302E5DF4177CB

SHA1:

ABA10557DC772881CE92AA90EABC401E5E083B80

SHA256:

7CAF16BE288C032581B7CF73F44BDB7F52FFA6DE204626E107460867593202F8

SSDEEP:

98304:kBr8DSrRhd14EJL2yt/KmP7B+LdhVOxRBAaiKc36/srnQpgGmcmGDhrHM:jek

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
      • 6968.tmp (PID: 6428)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Starts itself from another location

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
    • Starts application with an unusual extension

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
    • Reads security settings of Internet Explorer

      • 6968.tmp (PID: 6428)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Application launched itself

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
    • Adds/modifies Windows certificates

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Reads Microsoft Outlook installation path

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Reads Internet Explorer settings

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
  • INFO

    • The sample was compiled with English language support

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
      • 6968.tmp (PID: 6428)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Checks supported languages

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
      • 6968.tmp (PID: 6428)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Reads the computer name

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
      • 6968.tmp (PID: 6428)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Reads the machine GUID from the registry

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 2044)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Process checks computer location settings

      • 6968.tmp (PID: 6428)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
    • Reads the software policy settings

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 1700)
      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
      • slui.exe (PID: 5496)
    • Checks proxy server information

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
      • slui.exe (PID: 5496)
    • Creates files or folders in the user directory

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
    • Mpress packer has been detected

      • 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe (PID: 4520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:10:19 18:35:31+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 172032
InitializedDataSize: 2598912
UninitializedDataSize: -
EntryPoint: 0x1d311
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.5.4.24
ProductVersionNumber: 2.0.2.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Adobe
FileDescription: Adobe Installation Helper
FileVersion: 3.5.4.24
InternalName: host.exe
LegalCopyright: Copyright © Adobe Systems Incorporated
OriginalFileName: host.exe
ProductName: Adobe Installation Helper
ProductVersion: 2.0.2.4
All screenshots are available in the full report
Total processes
138
Monitored processes
5
Malicious processes
4
Suspicious processes
0


Process information

PID | CMD | Path | Indicators | Parent process
PID: 1700
CMD: "C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe"
Path: C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Parent process: 6968.tmp
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.24
Modules
Images
c:\users\admin\desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2044
CMD: "C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe"
Path: C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Parent process: explorer.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.24
Modules
Images
c:\users\admin\desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 4520
CMD: "C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe" -Elevated
Path: C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Parent process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
User:
admin
Company:
Adobe
Integrity Level:
HIGH
Description:
Adobe Installation Helper
Version:
3.5.4.24
Modules
Images
c:\users\admin\desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5496
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6428
CMD: "C:\Users\admin\AppData\Local\Temp\6968.tmp" --pingC:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe B9C2A9926DF280CCCB8D49FED85D0D23533CF7BE8B7575C78F7E7C5AB634FE484F86D65BE083A5D0E7BBEB7BB049F717738DC702DA8839AB941FFC96AA8F36C5
Path: C:\Users\admin\AppData\Local\Temp\6968.tmp
Parent process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe Installation Helper
Exit code:
0
Version:
3.5.4.24
Modules
Images
c:\users\admin\appdata\local\temp\6968.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
12 402
Read events
12 393
Write events
6
Delete events
3

Modification events

(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 742C3192E607E424EB4549542BE1BBC53E6174E2
Value:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation: write
Name: Blob
Value:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation: write
Name: Blob
Value:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 4F65566336DB6598581D584A596C87934D5F2AB4
Value:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
Operation: write
Name: Blob
Value:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
5
Suspicious files
1
Text files
13
Unknown types
0

Dropped files

PID | Process | Filename | Type

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\mainwindow[1].htm
Type: html
MD5: 0749DA7ECD810D2FE5300A6538FBB114
SHA256: 0AC31F9BE06A9200968462EE577CD0E7132162F28AEF542205D9286456EE2F69

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\icon-blank[1].gif
Type: image
MD5: 047722E6940449B36DC7507352170004
SHA256: E749A443EF9436DB67B0FF16DBB3BBBF4CC7E3BA3424EA83F1EE9181B74DCFAA

PID: 6428
Process: 6968.tmp
Filename: C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Type: executable
MD5: 03B18EE5AE548B01CF455CA56AA2DAAE
SHA256: 9F581B5730B3F10DE2A3B3A21D3E476F3094FEEF3E4DD92FFDAA103F6C410802

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\icon-complete[1].gif
Type: image
MD5: 17667B07D2444A37AC55753434371AAB
SHA256: E1061FB7966D14C69DF93A15BDDD6D0331A79B162D9D788632B4E35FA5406A7F

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\bg-header-error[1].gif
Type: image
MD5: 3A05B98BBC864762A5CFC1C2EF14AE54
SHA256: 7785156C3B5B7DD395260C85DE82A5DD3435322376F85E9E98693B083FBFD770

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mainwindow[1].css
Type: text
MD5: 263326825DF0644CC94694B9709A5F4C
SHA256: F4397303A819A98CB2DA22C2B960E34D42ECC8CBAA555C5B968D12B727846B6E

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Temp\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Type: executable
MD5: 03B18EE5AE548B01CF455CA56AA2DAAE
SHA256: 9F581B5730B3F10DE2A3B3A21D3E476F3094FEEF3E4DD92FFDAA103F6C410802

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\bg-download-bar-full[1].png
Type: image
MD5: 90A9AFFBB7538CBB4E09AA3D96F15BA9
SHA256: 6969C34E593E50249C6E4D53305AC58B556F0F33AEF3F05D789CB103ABEB37B2

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\button-center[1].png
Type: image
MD5: 424E1545C97D7A617B912D3949CE7D39
SHA256: BE540529637F65267B866D66DF77F64DA5F431E2BF984B750E75C9CB80F27D37

PID: 4520
Process: 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\bg-close-program[1].png
Type: image
MD5: 7B5E8F1FFFE864DE7B1F916D2D036904
SHA256: 50C0578EFC9C2E4AF433860BAF9BB6E24C6E1C948186382F7AEA2871A8B7DD62
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
50
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.67:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
1644
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.4:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.160.131:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1644
RUXIMICS.exe
GET
200
184.24.77.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1644
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1644
RUXIMICS.exe
184.24.77.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 184.24.77.12
  • 184.24.77.35
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.31.0
  • 40.126.31.130
  • 40.126.31.3
  • 40.126.31.1
  • 20.190.159.4
  • 20.190.159.128
  • 40.126.31.71
  • 40.126.31.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
get.adobe.com
  • 104.126.37.168
  • 104.126.37.177
whitelisted
www.adobe.com
  • 193.108.153.153
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

No threats detected
No debug info