File name: 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop

Full analysis: https://app.any.run/tasks/20c44b05-b969-40d0-8a78-13af3baa8da3
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 21, 2025, 13:50:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: DC4FA4AB54A59261FA1CEB7498BF8873
SHA1: 44FB140C78E269D9F024A5D3BFF2BA86DF434258
SHA256: F76C6E38B2B4555C070954A401D013B1E5B9CE16475903E3997C6106C2DF6D96
SSDEEP: 49152:ZaxjWjvJKODgiFcsAJwDmxCKIBBBKERCLVDEEaRmlhMF:ZxIDwyxCbYl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Process requests binary or script from the Internet

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Access to an unwanted program domain was detected

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Executes application which crashes

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
  • INFO

    • Checks supported languages

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • The sample compiled with english language support

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Reads the computer name

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Checks proxy server information

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
      • WerFault.exe (PID: 316)
      • slui.exe (PID: 5628)
      • WerFault.exe (PID: 620)
    • Reads the software policy settings

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
      • slui.exe (PID: 5628)
      • WerFault.exe (PID: 316)
      • WerFault.exe (PID: 620)
    • Reads the machine GUID from the registry

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Create files in a temporary directory

      • 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (PID: 1700)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 316)
      • WerFault.exe (PID: 620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (18.4)
.exe | Win32 Executable MS Visual C++ (generic) (13.3)
.exe | Win64 Executable (generic) (11.8)
.dll | Win32 Dynamic Link Library (generic) (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:07:03 17:02:29+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 552960
InitializedDataSize: 390656
UninitializedDataSize: -
EntryPoint: 0x641dc
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.6.3.44
ProductVersionNumber: 3.6.3.44
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: SetupManager
FileDescription: Setup
FileVersion: 3.6.3.44
InternalName: Setup.exe
OriginalFileName: Setup.exe
ProductName: SetupManager.exe
ProductVersion: 3.6.3.44
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive in the full report): 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe, werfault.exe, slui.exe, werfault.exe, 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe (no specs)

Process information

PID: 316
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1700 -s 2604
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 620
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1700 -s 2604
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1700
CMD: "C:\Users\admin\Desktop\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Company: SetupManager
Integrity Level: HIGH
Description: Setup
Version: 3.6.3.44
Modules
Images
c:\users\admin\desktop\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 5628
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6684
CMD: "C:\Users\admin\Desktop\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
Parent process: explorer.exe
User: admin
Company: SetupManager
Integrity Level: MEDIUM
Description: Setup
Exit code: 3221226540
Version: 3.6.3.44
Modules
Images
c:\users\admin\desktop\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 20 009
Read events: 19 992
Write events: 11
Delete events: 6

Modification events

(PID) Process: (1700) 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1700) 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1700) 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (316) WerFault.exe
Key: \REGISTRY\A\{839850ec-f600-d305-4466-3867aed6b6aa}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (316) WerFault.exe
Key: \REGISTRY\A\{839850ec-f600-d305-4466-3867aed6b6aa}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (316) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: ClockTimeSeconds
Value: C6B8566800000000

(PID) Process: (316) WerFault.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: TickCount
Value: 6011180000000000

(PID) Process: (620) WerFault.exe
Key: \REGISTRY\A\{39959d2d-0f30-a0a0-3aac-43999abd24b0}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (620) WerFault.exe
Key: \REGISTRY\A\{39959d2d-0f30-a0a0-3aac-43999abd24b0}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
Executable files: 0
Suspicious files: 4
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
316 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-06-21_dc4fa_4421eb9b3355986698ec3d267dd2a305e38948c_041f4b9b_3c426564-4b2d-4dce-af09-8853e085e8f8\Report.wer | -
  MD5: -
  SHA256: -
620 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-06-21_dc4fa_8d62952ee23a2983eac4f381ff417626cd7e21ef_041f4b9b_2eeb4331-a163-4429-b648-c626d04ed809\Report.wer | -
  MD5: -
  SHA256: -
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\Temp\side.jpg | image
  MD5: 60F34E6B09D2244E5576131DC91E1631
  SHA256: 317CCB762831C8CD4E64E45A5368AB53E34EB64B0FC09FB6CF68DDDE97119C1A
316 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1078.tmp.xml | xml
  MD5: 2D1CA79C7EFB08AB8D57306C7264DF09
  SHA256: 27A9921F524C98A20193EC0F4DDEF624B39B9C4BB9569A53BC41637C11F24DCE
316 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D.tmp.dmp | binary
  MD5: B8F411A4AF66B11157935A85AD8A8335
  SHA256: E3D5DC70B2973AD8D980FD0D9403D4CBABB1D0A4C6B59F9EB73CEC78E738CA3E
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\Temp\lock.temp | text
  MD5: 1EE85F6C60017A7F0646BA8DC5824DE6
  SHA256: 59DBF36D9930A99BFC1E13A10518CD5CF42D29EF9B21993C424B4146A81AA30E
620 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1813.tmp.WERInternalMetadata.xml | xml
  MD5: 0C732ADC5C1FE54227AF63065A580E4F
  SHA256: 6C2C0A8E2D9DCF7ACA7257367ADF075F21DEB9C925BF7AE8317374A715720D54
316 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe.1700.dmp | binary
  MD5: C296BE6131C8FB0F79ED1422FDAAB4C7
  SHA256: FCB503E45EF62CFF2E33F45A1DB1744DBCD959123D1706766E906D0F99854D25
316 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary
  MD5: 8B7FF051800239A3370994D628448A2F
  SHA256: CD7CA0B12467EBFB39ACD312813286DFD4D6C0A283DD406F94EF0844A98543C2
620 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1776.tmp.dmp | binary
  MD5: 50ED277889E469E5B1DBE4356CD6285F
  SHA256: E84573E84BC02ACF365A32D973885CEE2E2C4D05341149CBDD1BD064DA95151D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 35
DNS requests: 14
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | GET | 302 | 13.216.111.180:80 | http://imp.optimuminstaller.com/impression.do/?user_id=1881e903-a0d8-4588-9d13-02cf82c20ab1&event=dotnet_version_4.0&spsource=&implementation_id=3.6.3.44&offer_id=browser_safeguard | unknown | - | - | unknown
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | GET | 302 | 13.216.111.180:80 | http://config.optimuminstaller.com/config/browser_safeguard/offers.json?pid=installer&ts=2014-07-08T06:18:56.2874941Z&br=IE&adprovider=&version=3.6.3.44 | unknown | - | - | unknown
- | - | GET | 403 | 172.67.70.191:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com&utm_source=hdrhttpstest | unknown | html | 5.35 Kb | whitelisted
- | - | GET | 403 | 104.26.6.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com&utm_source=hdrhttpstest | unknown | html | 5.35 Kb | whitelisted
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | GET | 302 | 13.216.111.180:80 | http://imp.optimuminstaller.com/impression.do/?user_id=1881e903-a0d8-4588-9d13-02cf82c20ab1&event=textfromURL_error&spsource=&implementation_id=3.6.3.44&offer_id=browser_safeguard&referrer=HTTP%20Status%20403%7Chttp%3A%2F%2Fconfig.optimuminstaller.com%2Fconfig%2Fbrowser_safeguard%2Foffers.json%3Fpid%3Dinstaller%26ts%3D2014-07-08T06%3A18%3A56.2874941Z%26br%3DIE%26adprovider%3D%26version%3D3.6.3.44 | unknown | - | - | unknown
- | - | GET | 403 | 104.26.6.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com&utm_source=hdrhttpstest | unknown | html | 5.35 Kb | whitelisted
- | - | GET | 403 | 104.26.7.37:443 | https://www.hugedomains.com/domain_profile.cfm?d=optimuminstaller.com&utm_source=hdrhttpstest | unknown | html | 5.35 Kb | whitelisted
2468 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | GET | 302 | 13.216.111.180:80 | http://imp.optimuminstaller.com/impression.do/?user_id=1881e903-a0d8-4588-9d13-02cf82c20ab1&event=admin_true&spsource=&implementation_id=3.6.3.44&offer_id=browser_safeguard | unknown | - | - | unknown
2468 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2468 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | 13.216.111.180:80 | imp.optimuminstaller.com | - | US | unknown
2468 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | 172.67.70.191:443 | www.hugedomains.com | CLOUDFLARENET | US | whitelisted
2468 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
imp.optimuminstaller.com
  • 13.216.111.180
unknown
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.hugedomains.com
  • 172.67.70.191
  • 104.26.6.37
  • 104.26.7.37
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
config.optimuminstaller.com
  • 13.216.111.180
unknown
watson.events.data.microsoft.com
  • 20.189.173.21
  • 52.182.143.212
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted

Threats

PID | Process | Class | Message
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Win32.AdWare.iBryte.C Install
1700 | 2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Win32.AdWare.iBryte.C Install

Process | Message
2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | Token null, does not start with item in list [epom,smg,propeller,cpx,dsnr,linkbucks,adfly,gunggo,adnxs,web3,adcash,revhits]
2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | The Source is []
2025-06-21_dc4fa4ab54a59261fa1ceb7498bf8873_amadey_elex_smoke-loader_stop.exe | Token null, not found in SkipAllSources list [google*]