File name:

2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee

Full analysis: https://app.any.run/tasks/1e9a51aa-6a8e-451f-a512-f05ed3370aa8
Verdict: Malicious activity
Analysis date: June 21, 2025, 12:31:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 5 sections
MD5:

383F98425FD164CF3A3065464691D157

SHA1:

E7958C1C3F707AE250E542939838EBF77557A472

SHA256:

E3847D60111DF84386AFE7F39E35B5328EF1B49792BD415E9B9CDE6140A7124E

SSDEEP:

98304:GCaSg767sYTVXo1R3t+0L9jJv/WQcbNdFZMjHfG/kRzg7gmsCQYEqZdOt+0z7:mmFZMjHfD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 1296)
      • c3fc4c85 (PID: 4552)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)

    • Application launched itself

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 1296)

    • Connects to the server without a host name

      • c3fc4c85 (PID: 4552)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)

    • Executable content was dropped or overwritten

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)

    • Executes as Windows Service

      • c3fc4c85 (PID: 4552)

  • INFO

    • Reads the computer name

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 1296)
      • c3fc4c85 (PID: 4552)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)

    • Checks supported languages

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 1296)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)
      • c3fc4c85 (PID: 4552)

    • The sample compiled with chinese language support

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 1296)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)

    • Process checks computer location settings

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 1296)

    • Reads the machine GUID from the registry

      • c3fc4c85 (PID: 4552)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)

    • UPX packer has been detected

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)
      • c3fc4c85 (PID: 4552)

    • Reads the software policy settings

      • c3fc4c85 (PID: 4552)
      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)
      • slui.exe (PID: 1944)

    • Checks proxy server information

      • 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe (PID: 7140)
      • slui.exe (PID: 1944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:20 10:56:30+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 9
CodeSize: 143360
InitializedDataSize: 139264
UninitializedDataSize: 274432
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe no specs 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe c3fc4c85 slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296"C:\Users\admin\Desktop\2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe" C:\Users\admin\Desktop\2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1944C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4552C:\Windows\Syswow64\c3fc4c85C:\Windows\SysWOW64\c3fc4c85
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\windows\syswow64\c3fc4c85
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7140"C:\Users\admin\Desktop\2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe" C:\Users\admin\Desktop\2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe
2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe
User:
admin
Integrity Level:
HIGH
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
11 878
Read events
11 875
Write events
3
Delete events
0

Modification events

(PID) Process:(7140) 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7140) 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7140) 2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
4552c3fc4c85C:\Windows\4dee90text
MD5:523500AD7416E2E85BEF2D152643BC25
SHA256:B6437D4EBB6E52147DC2849123F59C7C1CEC72B85B64D1E8C409C92F8E516C0B
71402025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exeC:\Windows\SysWOW64\c3fc4c85executable
MD5:A3728A3FDF319F43236D5705B1FA103F
SHA256:D7B20C80FF8A6B3C395A9A57CDB4805DF2A375A63623D611B6E5898B27DACC5B
71402025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee.exeC:\Windows\7a3d48text
MD5:00C37F017284A2C9EE35B5E7760CCE9B
SHA256:E0B71DAE817FB27BF095A04B3C0811ABA07CE20C301CF66E7FFF86FADB148B1A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
207
TCP/UDP connections
282
DNS requests
54
Threats
61

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4984
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4984
RUXIMICS.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
400
20.190.159.64:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.159.68:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.159.0:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
4552
c3fc4c85
GET
200
223.5.5.5:80
http://223.5.5.5/resolve?name=down.nugong.asia&type=1
unknown
unknown
GET
200
223.5.5.5:443
https://dns.alidns.com/resolve?name=down.nugong.asia&type=1
unknown
binary
257 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4984
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
4984
RUXIMICS.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
  • 184.24.77.13
  • 184.24.77.17
  • 184.24.77.11
  • 184.24.77.27
  • 184.24.77.10
  • 184.24.77.9
  • 184.24.77.16
  • 184.24.77.14
  • 184.24.77.26
whitelisted
down.nugong.asia
unknown
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.20
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.5
  • 20.190.160.66
  • 20.190.160.17
  • 40.126.32.76
whitelisted
dns.alidns.com
  • 223.6.6.6
  • 223.5.5.5
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
down.xy58.top
unknown

Threats

PID
Process
Class
Message
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
4552
c3fc4c85
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_383f98425fd164cf3a3065464691d157_amadey_cryptolocker_elex_smoke-loader_stealc_stop_tofsee