File name:	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc
Full analysis:	https://app.any.run/tasks/52904b9c-ecd0-4376-86d1-37f373e6e1eb
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 03:06:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	mpress
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	55E63676BC509C1B683302E5DF4177CB
SHA1:	ABA10557DC772881CE92AA90EABC401E5E083B80
SHA256:	7CAF16BE288C032581B7CF73F44BDB7F52FFA6DE204626E107460867593202F8
SSDEEP:	98304:kBr8DSrRhd14EJL2yt/KmP7B+LdhVOxRBAaiKc36/srnQpgGmcmGDhrHM:jek

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2006:10:19 18:35:31+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	172032
InitializedDataSize:	2598912
UninitializedDataSize:	-
EntryPoint:	0x1d311
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.5.4.24
ProductVersionNumber:	2.0.2.4
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Adobe
FileDescription:	Adobe Installation Helper
FileVersion:	3.5.4.24
InternalName:	host.exe
LegalCopyright:	Copyright © Adobe Systems Incorporated
OriginalFileName:	host.exe
ProductName:	Adobe Installation Helper
ProductVersion:	2.0.2.4


(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:	delete value	Name:	742C3192E607E424EB4549542BE1BBC53E6174E2
Value:
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:	write	Name:	Blob
Value: 04000000010000001000000010FC635DF6263E0DF325BE5F79CD67677E0000000100000008000000000010C51E92D2011D000000010000001000000027B3517667331CE2C1E74002B5FF2298620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E7009000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B0601050507030119000000010000001000000091161B894B117ECDC257628DB460CC04030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E20F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD80B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D00610072007900200043004100000053000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C0140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB69777A000000010000000E000000300C060A2B0601040182375E010268000000010000000800000000003DB65BD9D5012000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:	write	Name:	Blob
Value: 5C00000001000000040000000004000068000000010000000800000000003DB65BD9D5017A000000010000000E000000300C060A2B0601040182375E0102140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697753000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C00B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D0061007200790020004300410000000F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD8030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E219000000010000001000000091161B894B117ECDC257628DB460CC0409000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070301620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E701D000000010000001000000027B3517667331CE2C1E74002B5FF22987E0000000100000008000000000010C51E92D20104000000010000001000000010FC635DF6263E0DF325BE5F79CD67672000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:	delete value	Name:	4F65566336DB6598581D584A596C87934D5F2AB4
Value:
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
Operation:	write	Name:	Blob
Value: 5C00000001000000040000000004000019000000010000001000000091161B894B117ECDC257628DB460CC040300000001000000140000004F65566336DB6598581D584A596C87934D5F2AB41D000000010000001000000027B3517667331CE2C1E74002B5FF2298140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697709000000010000002A000000302806082B0601050507030406082B0601050507030206082B0601050507030306082B060105050703010B000000010000003800000056006500720069005300690067006E00200043006C006100730073002000330020005000720069006D006100720079002000430041000000040000000100000010000000782A02DFDB2E14D5A75F0ADFB68E9C5D0F0000000100000010000000F1BBAC2D9038DDEC8DB173C53BC72A2A2000000001000000410200003082023D308201A6021100E49EFDF33AE80ECFA5113E19A4240232300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3034303130373233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D0101020500038181006170EC2F3F9EFD2BE6685421B06779080C2096318A0D7ABEB626DF792C22694936E397776261A232D77A542136BA02C934E725DA4435B0D25C805DB394F8F9ACEEA460752A1F954923B14A7CF4B34772215B7E97AB54AC62E75DECAE9BD2C9B224FB82ADE967154BBAAAA6F097A0F6B0975700C80C3C09A08204BA41DAF799A4
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4520) 2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2044	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Temp\6968.tmp		executable
		MD5:62AE840468A0242F59E75F3C3752A281	SHA256:CEE8CB548A43C255AA43940805B944197CB64C182FDA0845DAAAC8965A447D00
6428	6968.tmp	C:\Users\admin\Desktop\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe		executable
		MD5:03B18EE5AE548B01CF455CA56AA2DAAE	SHA256:9F581B5730B3F10DE2A3B3A21D3E476F3094FEEF3E4DD92FFDAA103F6C410802
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mainwindow[1].css		text
		MD5:263326825DF0644CC94694B9709A5F4C	SHA256:F4397303A819A98CB2DA22C2B960E34D42ECC8CBAA555C5B968D12B727846B6E
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\bg-download-bar-empty[1].png		image
		MD5:0063AB52A8C5146685F50FA07CC6BFB3	SHA256:7D2A741B4C13DBCA817F0CD62B669736674BEE570E508431E487C0CED4BD248D
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\logo-adobe[1].gif		image
		MD5:2D32D489B011C582232B70FEBFC866B0	SHA256:3829F33115FF4CD0FC3EC2505FB4603578F040FEBEABAFFF16C9446D53E68A3B
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\bg-header-error[1].gif		image
		MD5:3A05B98BBC864762A5CFC1C2EF14AE54	SHA256:7785156C3B5B7DD395260C85DE82A5DD3435322376F85E9E98693B083FBFD770
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\icon-complete[1].gif		image
		MD5:17667B07D2444A37AC55753434371AAB	SHA256:E1061FB7966D14C69DF93A15BDDD6D0331A79B162D9D788632B4E35FA5406A7F
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Temp\2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe		executable
		MD5:03B18EE5AE548B01CF455CA56AA2DAAE	SHA256:9F581B5730B3F10DE2A3B3A21D3E476F3094FEEF3E4DD92FFDAA103F6C410802
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\button-left[1].png		image
		MD5:1BA47DCDFDFD441272C7194499AB3368	SHA256:97FDDBD8DEAD2451387D2E50D0991BB78BEBB86B4A4C2CF504BB6F23CD1D4302
4520	2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\button-center[1].png		image
		MD5:424E1545C97D7A617B912D3949CE7D39	SHA256:BE540529637F65267B866D66DF77F64DA5F431E2BF984B750E75C9CB80F27D37

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.24.77.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1644	RUXIMICS.exe	GET	200	184.24.77.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1644	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.130:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.131:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	20.190.160.4:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	40.126.32.136:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1644	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	184.24.77.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1644	RUXIMICS.exe	184.24.77.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	184.24.77.12 184.24.77.35 184.24.77.37	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
login.live.com	40.126.31.0 40.126.31.130 40.126.31.3 40.126.31.1 20.190.159.4 20.190.159.128 40.126.31.71 40.126.31.131	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
get.adobe.com	104.126.37.168 104.126.37.177	whitelisted
www.adobe.com	193.108.153.153	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted

General Info

2025-06-21_55e63676bc509c1b683302e5df4177cb_amadey_elex_gcleaner_smoke-loader_stealc

55E63676BC509C1B683302E5DF4177CB

ABA10557DC772881CE92AA90EABC401E5E083B80

7CAF16BE288C032581B7CF73F44BDB7F52FFA6DE204626E107460867593202F8

98304:kBr8DSrRhd14EJL2yt/KmP7B+LdhVOxRBAaiKc36/srnQpgGmcmGDhrHM:jek

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Starts itself from another location

Starts application with an unusual extension

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Application launched itself

Reads Internet Explorer settings

Reads Microsoft Outlook installation path

Adds/modifies Windows certificates

There is functionality for taking screenshot (YARA)

INFO

Reads the machine GUID from the registry

Checks supported languages

The sample compiled with english language support

Reads the computer name

Process checks computer location settings

Reads the software policy settings

Checks proxy server information

Creates files or folders in the user directory

Mpress packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings