File name: 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee

Full analysis: https://app.any.run/tasks/793c0b4d-922c-4af8-a24a-933343db3b16
Verdict: Malicious activity
Analysis date: June 21, 2025, 04:29:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 7CB57638E63CF6AF28A1808F6927C949
SHA1: B5E4AB073DED1809D953FA732553512EA57A2827
SHA256: F84F1512967322D6E4747619468C132952AF0106DC54639901C140979941285B
SSDEEP: 98304:5C9Pg767sYTVXo1R3t+0L9jJv/WQcbNdFZMjHfG/kRzg7gmsCQYEqZdOt+0z7:stFZMjHfD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 3976)
    • Reads security settings of Internet Explorer

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 3976)
      • e34ec7dd (PID: 4760)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
    • Executable content was dropped or overwritten

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
    • Executes as Windows Service

      • e34ec7dd (PID: 4760)
    • Connects to the server without a host name

      • e34ec7dd (PID: 4760)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
  • INFO

    • The sample was compiled with Chinese language support

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 3976)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
    • Process checks computer location settings

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 3976)
    • Reads the computer name

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 3976)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
      • e34ec7dd (PID: 4760)
    • Checks supported languages

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 3976)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
      • e34ec7dd (PID: 4760)
    • Reads the machine GUID from the registry

      • e34ec7dd (PID: 4760)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
    • Reads the software policy settings

      • e34ec7dd (PID: 4760)
      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
      • slui.exe (PID: 1216)
    • Checks proxy server information

      • 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (PID: 6376)
      • slui.exe (PID: 1216)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:22 06:37:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 145408
InitializedDataSize: 236544
UninitializedDataSize: -
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
Total processes: 135
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes: 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe (no specs), 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe, e34ec7dd, slui.exe

Process information

PID: 1216
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3976
CMD: "C:\Users\admin\Desktop\2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 23, 9, 20, 1611
Modules (images):
c:\users\admin\desktop\2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 4760
CMD: C:\Windows\Syswow64\e34ec7dd
Path: C:\Windows\SysWOW64\e34ec7dd
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version: 23, 9, 20, 1611
Modules (images):
c:\windows\syswow64\e34ec7dd
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6376
CMD: "C:\Users\admin\Desktop\2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
Parent process: 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
User: admin
Integrity Level: HIGH
Version: 23, 9, 20, 1611
Modules (images):
c:\users\admin\desktop\2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 11 823
Read events: 11 820
Write events: 3
Delete events: 0

Modification events

(PID) Process: (6376) 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6376) 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6376) 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6376 | 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe | C:\Windows\SysWOW64\e34ec7dd | executable
MD5: 8971355C0E8DD079DD7AA9F8D5D65C57
SHA256: 8C9733A80CECCE0212FA8953ABB9A34AE8A17A165DD6465B51C5017806AA83A2
6376 | 2025-06-21_7cb57638e63cf6af28a1808f6927c949_amadey_cryptolocker_elex_mafia_rhadamanthys_smoke-loader_stealc_stop_tofsee.exe | C:\Windows\6d28d0 | text
MD5: E68727A0453E1D0F956DB0C8F8F942F1
SHA256: 2E84A12AA00DC4E4D8A63A3E847389C0998DBE6F73CB15453D571B26FCFD9850
4760 | e34ec7dd | C:\Windows\517e30 | text
MD5: C21C4D6F9EB0F657E6C42DDA3D507541
SHA256: 1A6BCA242377E5FC046B0F0DA497D3E7FD93BDC806C2D307EF61AB87671722AF

HTTP(S) requests: 174
TCP/UDP connections: 243
DNS requests: 44
Threats: 57

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5708 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5708 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | unknown | binary | 253 b | whitelisted
- | - | GET | 200 | 223.5.5.5:443 | https://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | unknown | binary | 255 b | whitelisted
4760 | e34ec7dd | GET | 200 | 223.6.6.6:80 | http://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | unknown | - | - | whitelisted
4760 | e34ec7dd | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=down.nugong.asia&type=1 | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5708 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5708 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
down.nugong.asia | - | unknown
www.microsoft.com | 184.30.21.171 | whitelisted
dns.alidns.com | 223.6.6.6, 223.5.5.5 | whitelisted
down.xy58.top | - | unknown
31bd9b27a24e0be9.tyui54345.xyz | - | unknown
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
yzzcommon.tyui54345.xyz | - | unknown

Threats

PID | Process | Class | Message
4760 | e34ec7dd | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (7 alerts)
4760 | e34ec7dd | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
4760 | e34ec7dd | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI) (2 alerts)
No debug info