File name: 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/bca2298b-2ab3-4736-abf2-afb9f6437200
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: May 17, 2025, 23:28:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-reg
botnet
phorpiex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 41EB0B74281580CF6B30539BFCB3CC9D
SHA1: D6B39737670707D56572E0B2A91D0514D4A78BE7
SHA256: 85632CA2BCBAD0D652167CF81C5B6F510FF90EE4C1F1B7C216CB1EC1FDF222C5
SSDEEP: 49152:RIyyflIGwuJlZ/koJ2LdbHDdEQwWiS4G1RlTnVVi9jA4xOCQ6l7/1gPBkNP2zEDh:uyiyTu7xR2LdbHDhwPsRlTVojA4xOCFO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7616)
    • Changes the autorun value in the registry

      • 1247726186.exe (PID: 8032)
    • PHORPIEX has been detected (YARA)

      • syscrondvr.exe (PID: 8156)
    • PHORPIEX has been detected (SURICATA)

      • syscrondvr.exe (PID: 8156)
    • Connects to the CnC server

      • syscrondvr.exe (PID: 8156)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
    • Executable content was dropped or overwritten

      • C93D.exe (PID: 7792)
      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • 1247726186.exe (PID: 8032)
    • Starts a Microsoft application from unusual location

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7616)
      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
    • Reads security settings of Internet Explorer

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • C93D.exe (PID: 7792)
      • syscrondvr.exe (PID: 8156)
    • Connects to the server without a host name

      • C93D.exe (PID: 7792)
      • syscrondvr.exe (PID: 8156)
    • Process requests binary or script from the Internet

      • C93D.exe (PID: 7792)
    • Connects to unusual port

      • syscrondvr.exe (PID: 8156)
    • Potential Corporate Privacy Violation

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • C93D.exe (PID: 7792)
    • Contacting a server suspected of hosting a CnC

      • syscrondvr.exe (PID: 8156)
    • Starts itself from another location

      • 1247726186.exe (PID: 8032)
  • INFO

    • The sample was compiled with English language support

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
    • Creates files in a temporary directory

      • C93D.exe (PID: 7792)
      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
    • Checks supported languages

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • C93D.exe (PID: 7792)
      • 1247726186.exe (PID: 8032)
      • syscrondvr.exe (PID: 8156)
      • syscrondvr.exe (PID: 5072)
    • Reads the computer name

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • syscrondvr.exe (PID: 8156)
      • C93D.exe (PID: 7792)
    • Checks proxy server information

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • C93D.exe (PID: 7792)
      • slui.exe (PID: 7372)
      • syscrondvr.exe (PID: 8156)
    • Creates files or folders in the user directory

      • 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7724)
      • C93D.exe (PID: 7792)
    • Reads the machine GUID from the registry

      • syscrondvr.exe (PID: 8156)
    • Auto-launch of the file from Registry key

      • 1247726186.exe (PID: 8032)
    • Manual execution by a user

      • syscrondvr.exe (PID: 5072)
    • Reads the software policy settings

      • slui.exe (PID: 7372)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

Extension | Identified type (probability %)
.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 15:50:05+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 160256
InitializedDataSize: 29184
UninitializedDataSize: -
EntryPoint: 0x35000
OSVersion: 5.1
ImageVersion: 10
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.7.3081.0
ProductVersionNumber: 4.7.3081.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft .NET Framework 4.7.2 Setup
FileVersion: 4.7.03081.00
InternalName: NDP472-KB4054531-Web.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: NDP472-KB4054531-Web.exe
ProductName: Microsoft .NET Framework 4.7.2
ProductVersion: 4.7.03081.00
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph (details for each process are in the full report):
start
2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
c93d.exe
1247726186.exe
syscrondvr.exe (#PHORPIEX)
syscrondvr.exe (no specs)
slui.exe
2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe (no specs)

Process information

PID: 5072
CMD: C:\WINDOWS\syscrondvr.exe
Path: C:\Windows\syscrondvr.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\windows\syscrondvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll

PID: 7372
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7616
CMD: "C:\Users\admin\Desktop\2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Framework 4.7.2 Setup
Exit code: 3221226540
Version: 4.7.03081.00
Modules (images):
c:\users\admin\desktop\2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7724
CMD: "C:\Users\admin\Desktop\2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Framework 4.7.2 Setup
Exit code: 131
Version: 4.7.03081.00
Modules (images):
c:\users\admin\desktop\2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7792
CMD: "C:\Users\admin\AppData\Local\Temp\C93D.exe"
Path: C:\Users\admin\AppData\Local\Temp\C93D.exe
Parent process: 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\c93d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 8032
CMD: C:\Users\admin\AppData\Local\Temp\1247726186.exe
Path: C:\Users\admin\AppData\Local\Temp\1247726186.exe
Parent process: C93D.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\1247726186.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 8156
CMD: C:\WINDOWS\syscrondvr.exe
Path: C:\Windows\syscrondvr.exe
Parent process: 1247726186.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\windows\syscrondvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 7 176
Read events: 7 166
Write events: 10
Delete events: 0

Modification events

(PID) Process: (7724) 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7724) 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7724) 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7792) C93D.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7792) C93D.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7792) C93D.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (8032) 1247726186.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Windows Settings
Value: C:\WINDOWS\syscrondvr.exe

(PID) Process: (8156) syscrondvr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (8156) syscrondvr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (8156) syscrondvr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 5
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 7792
Process: C93D.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\newtpp[1].exe
Type: executable
MD5: F30FDBF3448F67CBC3566F31729CB7A6
SHA256: 3A902ABB21D204ED6A0776789C9661F8B98E561FD0CA661EE37A7D8BD079E57B

PID: 7724
Process: 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Filename: C:\Users\admin\AppData\Local\Temp\dd_2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee_decompression_log.txt
Type: csv
MD5: 190D84FDA84F4F407899A994DAF25507
SHA256: 5F7C16117A5E95139BEED4C3B6623FF50CE51726E74C3013BE07DE79010EE174

PID: 8032
Process: 1247726186.exe
Filename: C:\Windows\syscrondvr.exe
Type: executable
MD5: F30FDBF3448F67CBC3566F31729CB7A6
SHA256: 3A902ABB21D204ED6A0776789C9661F8B98E561FD0CA661EE37A7D8BD079E57B

PID: 8156
Process: syscrondvr.exe
Filename: C:\Users\admin\tbtnds.dat
Type: binary
MD5: 0B6A7549C1F0CD8FB602D52A391BF518
SHA256: C2412332AB89B51A12ACFA4E37CB071CD10AF1950883DC98B2EF93777C7858A9

PID: 7724
Process: 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Filename: C:\Users\admin\AppData\Local\Temp\C93D.exe
Type: executable
MD5: 0EC46393976EB51F307CC11D80BAE845
SHA256: 9175BA77AC91AFDC513CA64788A72BF12915247F64BB1F95C06B5A1938FA4A84

PID: 7792
Process: C93D.exe
Filename: C:\Users\admin\AppData\Local\Temp\1247726186.exe
Type: executable
MD5: F30FDBF3448F67CBC3566F31729CB7A6
SHA256: 3A902ABB21D204ED6A0776789C9661F8B98E561FD0CA661EE37A7D8BD079E57B

PID: 7724
Process: 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\32[1].exe
Type: executable
MD5: 0EC46393976EB51F307CC11D80BAE845
SHA256: 9175BA77AC91AFDC513CA64788A72BF12915247F64BB1F95C06B5A1938FA4A84
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22
TCP/UDP connections: 80
DNS requests: 18
Threats: 39

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7792 | C93D.exe | GET | 200 | 185.156.72.39:80 | http://185.156.72.39/newtpp.exe | unknown | malicious
8052 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
8156 | syscrondvr.exe | GET | 404 | 185.156.72.39:80 | http://185.156.72.39/2 | unknown | malicious
7724 | 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe | GET | 200 | 185.156.72.39:80 | http://185.156.72.39/32.exe | unknown | malicious
2104 | svchost.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
8156 | syscrondvr.exe | GET | 404 | 185.156.72.39:80 | http://185.156.72.39/5 | unknown | malicious
7792 | C93D.exe | GET | 200 | 185.156.72.39:80 | http://185.156.72.39/peinstall.php | unknown | malicious
8052 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
8052 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7724 | 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe | 185.156.72.39:80 | - | Tov Vaiz Partner | RU | malicious
2104 | svchost.exe | 104.124.11.17:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2104 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6544 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 104.124.11.17
  • 104.124.11.58
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.66
  • 20.190.160.20
  • 20.190.160.131
  • 40.126.32.140
  • 20.190.160.2
  • 20.190.160.5
  • 20.190.160.22
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

PID | Process | Class | Message
7724 | 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
7724 | 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
7724 | 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe | A Network Trojan was detected | ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
7724 | 2025-05-17_41eb0b74281580cf6b30539bfcb3cc9d_amadey_elex_smoke-loader_stealc_tofsee.exe | A Network Trojan was detected | ET MALWARE Possible Malicious Macro DL EXE Feb 2016
7792 | C93D.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
7792 | C93D.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7792 | C93D.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
8156 | syscrondvr.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Phorpiex CnC Communication
8156 | syscrondvr.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Phorpiex CnC Communication
8156 | syscrondvr.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Phorpiex CnC Communication
No debug info