Analysis
max time kernel: 104s
max time network: 105s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:18
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
  Resource: win11-20250619-en
General
Target: 2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
Size: 278KB
MD5: 8dfb9eb86ac79a8bfa8edf9c720fbcf9
SHA1: 45270926ce72bdfa345bf6c04619de1af344dd40
SHA256: 6f5a07dbd1e3e8975fded7630b89cfb1fac97928bcecb339a53aa44541973d72
SHA512: 0773fd54cc568763b9d7d6dfe59686368089ede9e991e19850e21396d7b32492fce6c0da51e1db315e23544f81e2a1c16b82698f3e2c81084b27a2761551e56f
SSDEEP: 6144:qKAFwOu2CBtvvQ93MeDm6fLUqn8BMP+AA6k4D68wN:SCBtv+Meq6fYqn8BMWAACD68wN
Malware Config
Signatures
Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description    | flow | ioc            | pid  | Process
  Destination IP | 12   | 46.173.209.194 | 1636 | Process not Found
  Destination IP | 6    | 46.173.209.194 | 3608 | iexplore.exe
  Destination IP | 7    | 46.173.209.194 | 1636 | Process not Found
  Destination IP | 8    | 46.173.209.194 | 3468 | IEXPLORE.EXE
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ielowutil.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer; the ioc column gives the path relative to that key.
  description | ioc | Process
  Key created | BrowserEmulation | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Key created | Main | iexplore.exe
  Set value (int) | Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | iexplore.exe
  Key created | Toolbar | IEXPLORE.EXE
  Key created | MAO Settings | iexplore.exe
  Key created | TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | GPU | iexplore.exe
  Set value (int) | Main\SearchBandMigrationVersion = "1" | iexplore.exe
  Set value (str) | SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | iexplore.exe
  Set value (int) | Main\OperationalData = "9" | iexplore.exe
  Set value (int) | GPU\SubSysId = "0" | iexplore.exe
  Set value (int) | GPU\Revision = "0" | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Set value (data) | User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = [data value not preserved] | iexplore.exe
  Key created | SearchScopes | iexplore.exe
  Set value (int) | BrowserEmulation\StaleCompatCache = "0" | iexplore.exe
  Set value (int) | BrowserEmulation\IECompatVersionHigh = "0" | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Set value (data) | MAO Settings\DiscardLoadTimes = ff68669e6ee1db01 | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = b0cf4ed9ddecdb01 | iexplore.exe
  Set value (int) | BrowserEmulation\IECompatVersionLow = "0" | iexplore.exe
  Set value (int) | BrowserEmulation\StaleCompatCache = "1" | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | TabbedBrowsing\NTPMigrationVer = "1" | iexplore.exe
  Set value (int) | GPU\SoftwareFallback = "0" | iexplore.exe
  Set value (int) | GPU\VendorId = "4318" | iexplore.exe
  Set value (int) | BrowserEmulation\IECompatVersionHigh = "268435456" | iexplore.exe
  Set value (int) | VersionManager\FirstCheckForUpdateLowDateTime = "653568252" | iexplore.exe
  Set value (str) | Main\ImageStoreRandomFolder = "2ipm9jp" | iexplore.exe
  Key created | Suggested Sites | iexplore.exe
  Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | Main\SyncHomePage Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | iexplore.exe
  Set value (int) | GPU\DeviceId = "140" | iexplore.exe
  Set value (int) | BrowserEmulation\CVListDomainAttributeSet = "0" | iexplore.exe
  Key created | VersionManager | iexplore.exe
  Key created | Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | iexplore.exe
  Set value (data) | User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256899f5e7dc5742b7446ebc152ce35100000000020000000000106600000001000020000000d3a6c3544aa0e3d79e2b8a240cbac050d3db70db8018b13340bc99cc22de8305000000000e80000000020000200000006547a95fb088db2ec10b4bcad2d7a715c60339753f5862e20fafc73e2a643cee1000000076d8b49370b3f07eb9a25bcbfb0e34ce400000002d0de9c96f4e21c12da0b8d3cfface1c4cf896253ab8be10bd256ba2ad0833fb7d2eb818919675f4a3f04fd03a0ce462346641db5a25c5cf965716a7803b81b7 | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256899f5e7dc5742b7446ebc152ce35100000000020000000000106600000001000020000000a3b05b2ac805200a2dd8895c2560fc6abf617897caa7fc4430a8ccd95db7389c000000000e8000000002000020000000493c54d087b9a006f7bdc7c0f58b61e8c32c10a4b49a3b4f98e9d77d014dbe4a20000000ff80527dacbfe39d2d33a7ee3e59d815006ecfb58ae91fc854f8b08ac151f0e44000000017a7b455e712aab53d9a446ad553da21a796807b10fb51f361006f73e66d2f3dc4afd12b496a8f1759d55631ac50e84285994c10bb65f0cc898d8eb076b1ec82 | iexplore.exe
  Set value (int) | Main\OperationalData = "8" | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (data) | TabbedBrowsing\NewTabPage\MFV = [data value not preserved] | iexplore.exe
  Key created | TabbedBrowsing | iexplore.exe
  Set value (int) | Suggested Sites\DataStreamEnabledState = "0" | iexplore.exe
  Key created | Recovery | iexplore.exe
  Key created | GPU | IEXPLORE.EXE
  Set value (int) | BrowserEmulation\CVListXMLVersionHigh = "268435456" | iexplore.exe
  Set value (int) | Main\OperationalData = "13" | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | BrowserEmulation\IECompatVersionLow = "395196024" | iexplore.exe
  Set value (data) | Main\Start Page_TIMESTAMP = a79e6fc7ddecdb01 | iexplore.exe
  Set value (int) | BrowserEmulation\CVListXMLVersionLow = "395196024" | iexplore.exe
  Set value (int) | Recovery\AdminActive\{FF61E568-58D0-11F0-A270-F25F595D3B73} = "0" | iexplore.exe
  Set value (int) | Main\DisableFirstRunCustomize = "1" | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Key created | User Preferences | iexplore.exe
  Set value (int) | MINIE\TabBandWidth = "500" | iexplore.exe
  Set value (int) | VersionManager\FirstCheckForUpdateHighDateTime = "31190297" | iexplore.exe
  Set value (int) | Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1" | iexplore.exe
  Set value (data) | Suggested Sites\MigrationTime = ff68669e6ee1db01 | iexplore.exe
  Key created | MINIE | iexplore.exe
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | iexplore.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  | Process
  3608 | iexplore.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid  | Process
  2664 | 2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
  3608 | iexplore.exe
  3608 | iexplore.exe
  3468 | IEXPLORE.EXE
  3468 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process      | procid_target
  PID 3608 wrote to memory of 3468 | 3608 | iexplore.exe | 81
  PID 3608 wrote to memory of 3468 | 3608 | iexplore.exe | 81
  PID 3608 wrote to memory of 3468 | 3608 | iexplore.exe | 81
  PID 3608 wrote to memory of 4948 | 3608 | iexplore.exe | 82
  PID 3608 wrote to memory of 4948 | 3608 | iexplore.exe | 82
  PID 3608 wrote to memory of 4948 | 3608 | iexplore.exe | 82
  PID 3608 wrote to memory of 4864 | 3608 | iexplore.exe | 83
  PID 3608 wrote to memory of 4864 | 3608 | iexplore.exe | 83
  PID 3608 wrote to memory of 4864 | 3608 | iexplore.exe | 83
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8dfb9eb86ac79a8bfa8edf9c720fbcf9_amadey_elex_gcleaner_smoke-loader_stop.exe"
  PID: 2664
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID: 1612
  - System Location Discovery: System Language Discovery

- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 3608
  - Unexpected DNS network traffic destination
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child processes of PID 3608:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
    PID: 3468
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:668708 /prefetch:2
    PID: 4948

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:668710 /prefetch:2
    PID: 4864