Malware analysis 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader Malicious activity

Add for printing

File name:	2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader
Full analysis:	https://app.any.run/tasks/8a09e807-04a1-4216-82b0-0c6ef05f6a67
Verdict:	Malicious activity
Threats:	DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	May 12, 2025, 04:20:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	darkcomet rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	43637CD23DA0511E26C3F3DBB27CABC6
SHA1:	40F1B9B9D4C5EF305BADD847DC731ECAC94582C9
SHA256:	C56D70051097BD2D186B81177D1E211DFF2FB493DEA37214207CA4085C4F8F8F
SSDEEP:	98304:6YKgYQ2iJIntKffM6z/wudo9jj3vCJbzjCDkZHguw75ODBqtppaxcZZusI9qfjIO:ZLeNQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - SCAM0001338.exe (PID: 5112)
- DARKCOMET mutex has been found
  - SCAM0001338.exe (PID: 5112)
SUSPICIOUS
- Starts a Microsoft application from unusual location
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
- Process drops legitimate windows executable
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
- Reads the date of Windows installation
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM00~1.EXE (PID: 5008)
- Reads security settings of Internet Explorer
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM00~1.EXE (PID: 5008)
- Executable content was dropped or overwritten
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM0001341.EXE (PID: 4180)
  - SCAM00~1.EXE (PID: 5008)
  - SCAM0001338.exe (PID: 5112)
- The process creates files with name similar to system file names
  - SCAM0001338.exe (PID: 5112)
INFO
- The sample compiled with Italian language support
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
- Creates files or folders in the user directory
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM00~1.EXE (PID: 5008)
  - SCAM0001338.exe (PID: 5112)
- Checks supported languages
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM0001341.EXE (PID: 4180)
  - SCAM00~1.EXE (PID: 5008)
  - SCAM0001338.exe (PID: 5112)
  - _iexplore.exe (PID: 4408)
  - explorer.exe (PID: 1228)
- Reads the computer name
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM0001341.EXE (PID: 4180)
  - SCAM00~1.EXE (PID: 5008)
  - SCAM0001338.exe (PID: 5112)
- Reads the machine GUID from the registry
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM00~1.EXE (PID: 5008)
- Checks proxy server information
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM00~1.EXE (PID: 5008)
- Process checks computer location settings
  - 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe (PID: 2656)
  - SCAM00~1.EXE (PID: 5008)
- Create files in a temporary directory
  - SCAM0001341.EXE (PID: 4180)
- The sample compiled with english language support
  - SCAM0001341.EXE (PID: 4180)
  - SCAM00~1.EXE (PID: 5008)
- Manual execution by a user
  - mspaint.exe (PID: 2504)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (20.7)
.exe	\|	Win32 Executable MS Visual C++ (generic) (15)
.dll	\|	Win32 Dynamic Link Library (generic) (3.1)
.exe	\|	Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:11:19 09:11:39+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	16384
InitializedDataSize:	45056
UninitializedDataSize:	-
EntryPoint:	0x4007
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	6.0.2900.5512
ProductVersionNumber:	6.0.2900.5512
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Italian
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Programma di autoestrazione di file CAB Win32
FileVersion:	6.00.2900.5512 (xpsp.080413-2105)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. Tutti i diritti riservati.
OriginalFileName:	WEXTRACT.EXE
ProductName:	Sistema operativo Microsoft® Windows®
ProductVersion:	6.00.2900.5512

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1228

"C:\WINDOWS\explorer.exe"

C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\local\stubexe\0xBAB7ACF5DA21772B\explorer.exe

—

SCAM0001338.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\spoon\sandbox\roxio screensaver 4\4.539.254.128\local\stubexe\0xbab7acf5da21772b\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2504

"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\superlatest.png"

C:\Windows\System32\mspaint.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Paint

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2656

"C:\Users\admin\Desktop\2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe"

C:\Users\admin\Desktop\2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Programma di autoestrazione di file CAB Win32

Version:

6.00.2900.5512 (xpsp.080413-2105)

Modules

Images
c:\users\admin\desktop\2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4180

"C:\Users\admin\Desktop\SCAM0001341.EXE"

C:\Users\admin\AppData\Local\Spoon\Sandbox\WnSoft PicturesToExe\7.5.5.4\local\stubexe\0xAF5DCA131B6C3A5F\SCAM0001341.EXE

2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\spoon\sandbox\wnsoft picturestoexe\7.5.5.4\local\stubexe\0xaf5dca131b6c3a5f\scam0001341.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4408

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\local\stubexe\0x669E9037ADCF49BE\_iexplore.exe

—

SCAM0001338.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\spoon\sandbox\roxio screensaver 4\4.539.254.128\local\stubexe\0x669e9037adcf49be\_iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4980

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

5008

C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SCAM00~1.EXE

SCAM0001341.EXE

User:

admin

Company:

ROXIO

Integrity Level:

MEDIUM

Description:

Remote Service Application

Version:

1, 0, 0, 1

Modules

Images
c:\users\admin\appdata\local\temp\ixp000.tmp\scam00~1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

5112

"C:\Users\admin\Desktop\SCAM0001338.exe"

C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\local\stubexe\0x770423AF92A05AD0\SCAM0001338.exe

SCAM00~1.EXE

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\spoon\sandbox\roxio screensaver 4\4.539.254.128\local\stubexe\0x770423af92a05ad0\scam0001338.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

5544

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

—

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

3 437

Read events

3 387

Write events

Delete events

Modification events


(PID) Process:	(2656) 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2656) 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2656) 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2656) 2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5008) SCAM00~1.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5008) SCAM00~1.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5008) SCAM00~1.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5008) SCAM00~1.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5112) SCAM0001338.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MicroUpdate
Value: C:\Users\admin\Documents\MSDCSC\msdcsc.exe
(PID) Process:	(2504) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Text
Operation:	write	Name:	CharSet
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2656	2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Spoon\Sandbox\WnSoft PicturesToExe\7.5.5.4\local\stubexe\0xAF5DCA131B6C3A5F\SCAM0001341.EXE		executable
		MD5:2F0662E216E1F71D495A75D210ED2684	SHA256:F91039CB312249BA5ED342DAAA7FB280E111C15213BF82531C5A6BF2D6CCC18A
2656	2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Spoon\Sandbox\WnSoft PicturesToExe\7.5.5.4\xsandbox.bin		binary
		MD5:EC3D19E8E9B05D025CB56C2A98EAD8E7	SHA256:EDB7BE3EF6098A1E24D0C72BBC6F968DEA773951A0DD07B63BAD6D9009AE3BF4
4180	SCAM0001341.EXE	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SCAM00~1.EXE		executable
		MD5:E7C5F8D76D47ECA23FCFDA58C718C6BD	SHA256:4A160717B0165A880F75CDC97D6D3CABB8AA1BC7131B677270021DF45B824D21
2656	2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Spoon\Sandbox\WnSoft PicturesToExe\7.5.5.4\local\modified\@DESKTOP@\SCAM0001341.EXE		executable
		MD5:868389745C0A5300A7FB5CF3C25F7278	SHA256:4DBCC28E121E64325A83B50BB9CDAA91343F3C4A3E06BB3C406ABE65E46013F9
5008	SCAM00~1.EXE	C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\local\modified\@DESKTOP@\SCAM0001338.exe		executable
		MD5:8497938F0F0D134F1A1F2FCD69F92EE0	SHA256:4206B0CD1C5D511C40C4E41B414CC6D9DB6E3981BF4B3D267C60D2DC1AFA41F9
2656	2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Spoon\Sandbox\WnSoft PicturesToExe\7.5.5.4\local\meta\@DESKTOP@\SCAM0001341.EXE.__meta__		binary
		MD5:9E4E39FC5E109CACE16A2DF788417FA3	SHA256:3E7D87313E58DE817F6793ADC8938E316EA512577EE1789CBB3DE9E17F098491
5008	SCAM00~1.EXE	C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\local\stubexe\0x770423AF92A05AD0\SCAM0001338.exe		executable
		MD5:DE67C4B66C0B9C24A9AE0A1862F06799	SHA256:B03E7A0FF4029C30F2A79047ACEC145D5D7692F1C6F437AFEEF13656ACDA9B42
5008	SCAM00~1.EXE	C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\xsandbox.bin		binary
		MD5:EC3D19E8E9B05D025CB56C2A98EAD8E7	SHA256:EDB7BE3EF6098A1E24D0C72BBC6F968DEA773951A0DD07B63BAD6D9009AE3BF4
5008	SCAM00~1.EXE	C:\Users\admin\AppData\Local\Spoon\Sandbox\Roxio ScreenSaver 4\4.539.254.128\local\meta\@DESKTOP@\SCAM0001338.exe.__meta__		binary
		MD5:3EEBFC7B5C2A776FB04B925EFB0DC4BE	SHA256:CC71D1CB97AA3A5A510A57A8501FE58D1670E719173FB5AA3AA7D202297C4C4D
4180	SCAM0001341.EXE	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ELISAP~1.EXE		executable
		MD5:6718BC457109E03B0B1EFBF359EFCE81	SHA256:8FFE0C24DE434A4C2CDDA55F6581E74904DB94C213D2F137FBEC94EB4D9D9762

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6272	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6272	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
2104	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2112	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.3:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	2.23.246.101 184.30.21.171	whitelisted
google.com	142.250.185.206	whitelisted
start.spoon.net	—	unknown
logic32.no-ip.org	—	malicious
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.160.3 20.190.160.14 40.126.32.140 20.190.160.64 20.190.160.5 40.126.32.134 20.190.160.130 40.126.32.68	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a Suspicious no-ip Domain

Add for printing

No debug info

General Info

2025-05-11_43637cd23da0511e26c3f3dbb27cabc6_amadey_elex_smoke-loader

43637CD23DA0511E26C3F3DBB27CABC6

40F1B9B9D4C5EF305BADD847DC731ECAC94582C9

C56D70051097BD2D186B81177D1E211DFF2FB493DEA37214207CA4085C4F8F8F

98304:6YKgYQ2iJIntKffM6z/wudo9jj3vCJbzjCDkZHguw75ODBqtppaxcZZusI9qfjIO:ZLeNQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

DARKCOMET mutex has been found

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

The sample compiled with Italian language support

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Process checks computer location settings

Create files in a temporary directory

The sample compiled with english language support

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings