File name: 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas

Full analysis: https://app.any.run/tasks/73fb7631-c0df-46c0-bc66-f154bd080526
Verdict: Malicious activity
Analysis date: May 18, 2025, 09:36:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 3 sections
MD5: 165AC65BEA1D8360CBE9C0561547A7DE
SHA1: 12FC68E619168573E204205199E9CD39E05DCFD1
SHA256: 2D80C8C2B4E931897E9733761BC471E8D38CFB6CC47821516F36E31C226502D4
SSDEEP: 12288:d8T263i00zxoZthdXnG3xRqpNGkPEGlPeB:d8a6y00zx0HG3xRUIkPEGlPeB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • URELAS has been detected
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • cmd.exe (PID: 5056)
      • rudur.exe (PID: 5404)
      • qofet.exe (PID: 6752)
    • URELAS mutex has been found
      • rudur.exe (PID: 5404)
    • URELAS has been detected (YARA)
      • rudur.exe (PID: 5404)
      • qofet.exe (PID: 6752)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • rudur.exe (PID: 5404)
    • Starts itself from another location
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
    • Executable content was dropped or overwritten
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • rudur.exe (PID: 5404)
      • qofet.exe (PID: 6752)
    • Starts CMD.EXE for commands execution
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
    • Executing commands from a ".bat" file
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
    • Connects to unusual port
      • rudur.exe (PID: 5404)
    • There is functionality for taking screenshot (YARA)
      • qofet.exe (PID: 6752)
  • INFO
    • Reads the computer name
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • rudur.exe (PID: 5404)
    • Create files in a temporary directory
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • rudur.exe (PID: 5404)
      • qofet.exe (PID: 6752)
    • Process checks computer location settings
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • rudur.exe (PID: 5404)
    • Checks supported languages
      • rudur.exe (PID: 5404)
      • 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 5544)
      • qofet.exe (PID: 6752)
    • Checks proxy server information
      • slui.exe (PID: 1056)
    • Reads the software policy settings
      • slui.exe (PID: 1056)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:09:09 07:29:59+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 110592
InitializedDataSize: 253952
UninitializedDataSize: -
EntryPoint: 0xc9e9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 130
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree (reconstructed from the process information below; #URELAS marks processes tagged in the graph, "no specs" is the graph's own label):
start
  2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (#URELAS)
    rudur.exe (#URELAS)
      qofet.exe (#URELAS)
    cmd.exe (no specs)
      conhost.exe (no specs)
  slui.exe (parent: svchost.exe)

Process information

PID: 1056
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5056
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 5404
CMD: "C:\Users\admin\AppData\Local\Temp\rudur.exe"
Path: C:\Users\admin\AppData\Local\Temp\rudur.exe
Parent process: 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rudur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5544
CMD: "C:\Users\admin\Desktop\2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe"
Path: C:\Users\admin\Desktop\2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6752
CMD: "C:\Users\admin\AppData\Local\Temp\qofet.exe"
Path: C:\Users\admin\AppData\Local\Temp\qofet.exe
Parent process: rudur.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\qofet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Total events: 4 225
Read events: 4 225
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5544 | 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe | C:\Users\admin\AppData\Local\Temp\_uinsey.bat | text
  MD5: 0FD7C006875FFECD6B80AD12EAB0D4A6
  SHA256: BEC2E240C4CCF8344747DA4201362DAE7E2FF6BF6395793753372EB89EF23F6D
5544 | 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe | C:\Users\admin\AppData\Local\Temp\rudur.exe | executable
  MD5: 59B5F7407E4DDA7FA1DBCCFD45AAE1B6
  SHA256: FEE3691A69534A3E880EBA76A101E0B047A016B8907132E64E06A59703CEE24E
5404 | rudur.exe | C:\Users\admin\AppData\Local\Temp\qofet.exe | executable
  MD5: A464B4A303740CC5746C45A85DEAB4E6
  SHA256: 96C5C40656D71CC85A92B3C3767A8FB6326431F3FD46D2E8B84DBF2CC005DE5F
6752 | qofet.exe | C:\Users\admin\AppData\Local\Temp\rudur.exe | executable
  MD5: 45A4AE44E29CB0594B25938BF6E093FD
  SHA256: F2030CD62C5F09F7D0DD1122A34F1B00E04AB3D7B3A776609DABC9931C7B9FF3
5544 | 2025-05-18_165ac65bea1d8360cbe9c0561547a7de_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe | C:\Users\admin\AppData\Local\Temp\golfinfo.ini | text
  MD5: 46BE3A92D54125FB2BA896DC9408366B
  SHA256: BE07F218B4FF0049255E828528F1D6270DC0A35BB606ECA0C25F964E00F3C017
HTTP(S) requests: 32
TCP/UDP connections: 52
DNS requests: 17
Threats: 0

HTTP requests

(Cells the report leaves empty, including PID and process for some rows, are shown as "-".)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.65:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 400 | 20.190.160.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5404 | rudur.exe | 218.54.31.226:11110 | - | SK Broadband Co Ltd | KR | malicious
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
crl.microsoft.com | 23.216.77.42, 23.216.77.20, 23.216.77.13, 23.216.77.8, 23.216.77.25, 23.216.77.21, 23.216.77.6, 23.216.77.19, 23.216.77.18, 2.19.11.105, 2.19.11.120 | whitelisted
www.microsoft.com | 23.35.229.160, 95.101.149.131 | whitelisted
login.live.com | 20.190.160.4, 20.190.160.3, 20.190.160.2, 20.190.160.65, 20.190.160.67, 20.190.160.130, 20.190.160.66, 40.126.32.134 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.11 | whitelisted

Threats

No threats detected
No debug info