File name: 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys

Full analysis: https://app.any.run/tasks/39e92979-574b-4ee2-bdb1-70b7ec079e7e
Verdict: Malicious activity
Analysis date: May 18, 2025, 13:49:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 99F1945FC070377A6FB0D0EAC89FBCB4
SHA1: 6C48142F79AE3B7AD858D2F1D29C3B9E3C92D1BF
SHA256: 43145B00321390030080873FAAC68C91E2E4B51CA92E251CA6BE65850B5105D8
SSDEEP: 6144:ClOiXKgN72fkEnLn2OBkV0woiVLReYqGwcR6wWc0hodBpE1C:TguLn72Sw8YqbcR6wxZryQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6388)
  • SUSPICIOUS

    • Application launched itself

      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6644)
  • INFO

    • Checks supported languages

      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6644)
      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6388)
    • Create files in a temporary directory

      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6388)
    • Reads the computer name

      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6644)
    • Failed to create an executable file in Windows directory

      • 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe (PID: 6388)
    • Reads the software policy settings

      • slui.exe (PID: 4068)
    • Checks proxy server information

      • slui.exe (PID: 4068)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:03:25 19:26:58+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 98304
InitializedDataSize: 307200
UninitializedDataSize: -
EntryPoint: 0x7e91
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 126
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe no specs #JEEFO 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe no specs slui.exe

Process information

PID: 4068
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6388
CMD: C:\Users\admin\Desktop\2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
Path: C:\Users\admin\Desktop\2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
Parent process: 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 6644
CMD: "C:\Users\admin\Desktop\2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe"
Path: C:\Users\admin\Desktop\2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (Images):
c:\users\admin\desktop\2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 407
Read events: 3 405
Write events: 2
Delete events: 0

Modification events

(PID) Process: (6388) 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Executable files: 0
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 6388
Process: 2025-05-18_99f1945fc070377a6fb0d0eac89fbcb4_elex_gcleaner_hiddentear_rhadamanthys.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFA5CB543D646D65BB.TMP
Type: binary
MD5: 35F95BBA3AFE987730EE004091FAC2B3
SHA256: 9175F73C74848376CBFAEE3E31D94407EC920A42D4D225160E788467C66D3B90

HTTP(S) requests: 8
TCP/UDP connections: 49
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2136 | SIHClient.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
2136 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2136 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2136 | SIHClient.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2136 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.65
  • 40.126.32.138
  • 40.126.32.134
  • 20.190.160.22
  • 20.190.160.131
  • 20.190.160.128
  • 20.190.160.132
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

No threats detected
No debug info