File name:

2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas

Full analysis: https://app.any.run/tasks/ec1e6093-12a0-4f69-b151-91c6fca3f83d
Verdict: Malicious activity
Analysis date: May 18, 2025, 03:04:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit
Only Urelas was detected in this run. The other family names carried in the submitted file name (amadey, elex, gcleaner, rhadamanthys, smoke-loader) come from the submitter's naming and do not appear in the tags or signatures below.
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 4 sections
MD5: 5F6EF8CABF98DFCAF5B42CAC152B165E
SHA1: FF4F73D9D20E0BFBDBF05E358CF5479F7838719C
SHA256: 66EF66583C9905AD85D45E0CA40AA216D197983C3F83C7890F4462B5A620D017
SSDEEP: 12288:n8T263i00zxoZthdXnG3xRqpNGkPEGlPex:n8a6y00zx0HG3xRUIkPEGlPex

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
      • cmd.exe (PID: 7520)
      • tyawx.exe (PID: 7956)
    • URELAS mutex has been found

      • dadeb.exe (PID: 7500)
    • URELAS has been detected (YARA)

      • dadeb.exe (PID: 7500)
      • tyawx.exe (PID: 7956)
  • SUSPICIOUS

    • Starts itself from another location

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
    • Executable content was dropped or overwritten

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
      • tyawx.exe (PID: 7956)
    • Reads security settings of Internet Explorer

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
    • Connects to unusual port

      • dadeb.exe (PID: 7500)
    • Starts CMD.EXE for commands execution

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
    • Executing commands from a ".bat" file

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
    • There is functionality for taking screenshot (YARA)

      • tyawx.exe (PID: 7956)
  • INFO

    • Checks supported languages

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
      • tyawx.exe (PID: 7956)
    • Process checks computer location settings

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
    • Reads the computer name

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
    • Create files in a temporary directory

      • 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID: 7444)
      • dadeb.exe (PID: 7500)
      • tyawx.exe (PID: 7956)
    • Checks proxy server information

      • slui.exe (PID: 7880)
    • Reads the software policy settings

      • slui.exe (PID: 7880)
No Malware configuration.

TRiD (file type guesses, % confidence)

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

These are byte-pattern matches. On a PECompact2-packed file (see File info) they describe the packer stub and section layout rather than the payload, so the InstallShield match should not be taken at face value.

EXIF (PE header fields)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:09:09 07:29:59+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 110592
InitializedDataSize: 253952
UninitializedDataSize: -
EntryPoint: 0xc9e9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
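The EXIF block is exiftool's rendering of the PE COFF file header and optional header. The Python below is an added example by the editor, not part of the report: it builds a minimal PE image carrying exactly these header values (a constructed stand-in with no sections or code, not the analysed sample; ImageBase, alignments and stack/heap sizes are assumed) and parses them back by offset. The offsets it reads are identical for PE32 and PE32+ up to the Subsystem field, so the parser handles both. PECompact2 packing does not hide any of these fields, because the PE header itself is never compressed, but the TimeStamp is writable by any packer or linker and is a hint, not evidence.

```python
"""Parse the PE header fields that the EXIF block above reports (added example).

build_sample_pe() constructs a minimal stand-in image carrying this report's
header values; it is not the analysed file and has no sections or code.
parse_pe_header() reads the COFF file header and the optional header by
offset, which is the same for PE32 and PE32+ up to the Subsystem field.
"""
import calendar
import struct
from datetime import datetime, timezone
from typing import Dict

COFF = "<HHIIIHH"                                                   # IMAGE_FILE_HEADER, 20 bytes
OPT_PE32 = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # 96 bytes before the data directories
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
CHARACTERISTICS = {0x0001: "No relocs", 0x0002: "Executable", 0x0100: "32-bit", 0x2000: "DLL"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}


def build_sample_pe() -> bytes:
    """Constructed PE32 image with the header values from the EXIF block.
    Fields the report does not show (ImageBase, alignments, stack/heap sizes)
    are filled with typical values and are assumptions."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew: offset of the PE signature
    coff = struct.pack(COFF, 0x14C, 4, calendar.timegm((2013, 9, 9, 7, 29, 59)),
                       0, 0, struct.calcsize(OPT_PE32) + 16 * 8, 0x0001 | 0x0002 | 0x0100)
    opt = struct.pack(OPT_PE32, 0x10B, 8, 0,
                      110592, 253952, 0, 0xC9E9, 0x1000, 0x1C000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x5A000, 0x400, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    return bytes(dos) + b"PE\0\0" + coff + opt + b"\0" * (16 * 8)   # empty data directories


def _ver(major: int, minor: int) -> str:
    return f"{major}.{minor}" if minor else str(major)


def parse_pe_header(data: bytes) -> Dict[str, object]:
    """Return the EXIF-style fields for a PE image; raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from(COFF, data, pe_off + 4)
    opt = pe_off + 4 + struct.calcsize(COFF)
    # Offsets 0..19: Magic, linker version, sizes, AddressOfEntryPoint (same in PE32 and PE32+)
    magic, maj_link, min_link, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    # Offsets 40..51: OS, image and subsystem version pairs; 68: Subsystem
    maj_os, min_os, maj_img, min_img, maj_sub, min_sub = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": _ver(maj_link, min_link),
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": hex(entry),
        "OSVersion": _ver(maj_os, min_os),
        "ImageVersion": _ver(maj_img, min_img),
        "SubsystemVersion": _ver(maj_sub, min_sub),
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Point parse_pe_header at the bytes of a real file to get the same fields exiftool prints; for the packed sample they describe the PECompact2 wrapper, since the header is the packer's, not the original linker's.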
Total processes: 128
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process tree, reconstructed from the parent-process column of the table below)

explorer.exe
  └ 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe (PID 7444) #URELAS
      ├ dadeb.exe (PID 7500) #URELAS
      │   └ tyawx.exe (PID 7956) #URELAS
      └ cmd.exe (PID 7520) #URELAS
          └ conhost.exe (PID 7532) no specs
svchost.exe
  └ slui.exe (PID 7880) no specs

Process information

PID 7444
CMD: "C:\Users\admin\Desktop\2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe"
Path: C:\Users\admin\Desktop\2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
Indicators: URELAS
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Loaded images:
  c:\users\admin\desktop\2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID 7500
CMD: "C:\Users\admin\AppData\Local\Temp\dadeb.exe"
Path: C:\Users\admin\AppData\Local\Temp\dadeb.exe
Indicators: URELAS
Parent process: 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Loaded images:
  c:\users\admin\appdata\local\temp\dadeb.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID 7520
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Indicators: URELAS
Parent process: 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe
User: admin
Company: Microsoft Corporation
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Integrity Level: MEDIUM
Exit code: 1
Loaded images:
  c:\windows\syswow64\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll
Note the path mismatch: the command line names C:\WINDOWS\system32\cmd.exe, but the 32-bit parent (its module list shows wow64.dll and wow64cpu.dll) has System32 references redirected under WOW64, so the 32-bit C:\Windows\SysWOW64\cmd.exe is what ran. Detection rules keyed on the literal System32 path will miss this.

PID 7532
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators: no specs
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Integrity Level: MEDIUM
Exit code: 0
Loaded images:
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID 7880
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: no specs
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Integrity Level: MEDIUM
Exit code: 0
Loaded images:
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
slui.exe is started by svchost.exe, not by the sample; the "Checks proxy server information" and "Reads the software policy settings" entries attributed to it above are Windows activation background activity.

PID 7956
CMD: "C:\Users\admin\AppData\Local\Temp\tyawx.exe"
Path: C:\Users\admin\AppData\Local\Temp\tyawx.exe
Indicators: URELAS
Parent process: dadeb.exe
User: admin
Integrity Level: MEDIUM
Exit code: (none recorded; the process had not exited when the analysis ended)
Loaded images:
  c:\users\admin\appdata\local\temp\tyawx.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 4,242
Read events: 4,242
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files (PID, writing process: path, type, hashes)

7444, 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe: C:\Users\admin\AppData\Local\Temp\dadeb.exe (executable)
  MD5: E021A40076EFBEDEC14C1B37F1190294
  SHA256: DAE16A55114F48B1C8AA727254B0AE5B1539BFC7C271BBEB59FBE6E026452C25
7444, 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe: C:\Users\admin\AppData\Local\Temp\golfinfo.ini (text)
  MD5: E579512DB5B89D97A27F2484988BBA82
  SHA256: 9BE97C453484C47634AE82B2E88656C4D54971314076114D0805A9326FC9499B
7500, dadeb.exe: C:\Users\admin\AppData\Local\Temp\tyawx.exe (executable)
  MD5: 05EE29459756A24CCB8B333CFAC5D6CD
  SHA256: AEAC0564E02971741876688D1F3C30B1DC951B6020CDE2BE6AED8A8810D226B6
7444, 2025-05-18_5f6ef8cabf98dfcaf5b42cac152b165e_amadey_elex_gcleaner_rhadamanthys_smoke-loader_urelas.exe: C:\Users\admin\AppData\Local\Temp\_uinsey.bat (text)
  MD5: 1870AA329FEB2BB5D518CC9791201C50
  SHA256: 6FF5E88B1A57E8F48EE8CF53A73BC05A5861D640AA553FE3F0E8FF7DAE07AA0D
7956, tyawx.exe: C:\Users\admin\AppData\Local\Temp\dadeb.exe (executable)
  MD5: 901C544AF02F6065D3123B71F12F045B
  SHA256: CE19BA5A5B7B2D2D76DD630C29E115386CBD049F4B9CB4B777977EFA3978D712

C:\Users\admin\AppData\Local\Temp\dadeb.exe is written twice with different content: first by the sample (MD5 E021A40076EFBEDEC14C1B37F1190294, the copy that ran as PID 7500), then overwritten by tyawx.exe (MD5 901C544AF02F6065D3123B71F12F045B). This is the "Executable content was dropped or overwritten" indicator above. A file collected from disk after the run is the second version, so both hash pairs belong in the IOC set.
Network summary

HTTP(S) requests: 2
TCP/UDP connections: 22
DNS requests: 10
Threats: 0

HTTP requests (PID, process: method, HTTP code, server, URL, CN, reputation)

1196, RUXIMICS.exe: GET, 200, 184.30.21.171:80, http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl, CN unknown, whitelisted
1196, RUXIMICS.exe: GET, 200, 23.216.77.28:80, http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl, CN unknown, whitelisted

Both requests are certificate revocation list downloads by RUXIMICS.exe, a Windows component that is not among the six monitored processes in the sample's tree. No HTTP traffic from the sample or its children was recorded.

Connections (PID, process: destination IP:port, domain, ASN, country, reputation)

(PID not shown): 192.168.100.255:137, whitelisted
1196, RUXIMICS.exe: 4.231.128.59:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
(PID not shown): 51.104.136.2:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
4, System: 192.168.100.255:138, whitelisted
(PID not shown): 4.231.128.59:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
1196, RUXIMICS.exe: 23.216.77.28:80, crl.microsoft.com, Akamai International B.V., DE, whitelisted
1196, RUXIMICS.exe: 184.30.21.171:80, www.microsoft.com, AKAMAI-AS, DE, whitelisted
7500, dadeb.exe: 218.54.31.226:11110, no domain, SK Broadband Co Ltd, KR, malicious
7500, dadeb.exe: 1.234.83.146:11170, no domain, SK Broadband Co Ltd, KR, unknown
7500, dadeb.exe: 218.54.31.165:11110, no domain, SK Broadband Co Ltd, KR, malicious

Only the three dadeb.exe (PID 7500) connections originate from the sample's process tree; they are the "Connects to unusual port" indicator above. None of them has an associated domain, and none of the DNS requests listed below resolves to these addresses, so the destinations are reached by IP rather than by name. The remaining rows are NetBIOS broadcasts and Windows telemetry and CRL traffic.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
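The Connections and DNS tables split into Windows background traffic (RUXIMICS.exe, System; all whitelisted and name-resolved) and three connections by dadeb.exe (PID 7500) to raw IPs on ports 11110 and 11170 that no DNS lookup accounts for. The Python below is an added example by the editor, not ANY.RUN logic: it encodes both tables as constructed records (rows whose PID the report does not show keep pid None), separates the sample's traffic by the properties that make it stand out (non-standard port, destination never resolved via DNS, origin in the sample's process tree), and emits the destinations as IOCs and as Suricata rules. The local sid range and the rule message are assumptions; the report lists "TCP/UDP connections" without naming the protocol, so the rules match on ip rather than tcp.

```python
"""Triage of the Connections and DNS tables in this ANY.RUN report (added example).

FLOWS and DNS_ANSWERS are constructed from the report's own tables; rows
whose PID the report does not show keep pid=None. The heuristics, the IOC
export and the Suricata rule text are the editor's, not ANY.RUN's logic.
The local sid range 9000001+ and the rule message are assumptions.
"""
import ipaddress
from typing import Dict, List, Set

FLOWS: List[Dict] = [  # constructed from the report's Connections table
    {"pid": None, "proc": None, "dst": "192.168.100.255", "port": 137, "domain": None, "rep": "whitelisted"},
    {"pid": 1196, "proc": "RUXIMICS.exe", "dst": "4.231.128.59", "port": 443,
     "domain": "settings-win.data.microsoft.com", "rep": "whitelisted"},
    {"pid": None, "proc": None, "dst": "51.104.136.2", "port": 443,
     "domain": "settings-win.data.microsoft.com", "rep": "whitelisted"},
    {"pid": 4, "proc": "System", "dst": "192.168.100.255", "port": 138, "domain": None, "rep": "whitelisted"},
    {"pid": None, "proc": None, "dst": "4.231.128.59", "port": 443,
     "domain": "settings-win.data.microsoft.com", "rep": "whitelisted"},
    {"pid": 1196, "proc": "RUXIMICS.exe", "dst": "23.216.77.28", "port": 80,
     "domain": "crl.microsoft.com", "rep": "whitelisted"},
    {"pid": 1196, "proc": "RUXIMICS.exe", "dst": "184.30.21.171", "port": 80,
     "domain": "www.microsoft.com", "rep": "whitelisted"},
    {"pid": 7500, "proc": "dadeb.exe", "dst": "218.54.31.226", "port": 11110, "domain": None, "rep": "malicious"},
    {"pid": 7500, "proc": "dadeb.exe", "dst": "1.234.83.146", "port": 11170, "domain": None, "rep": "unknown"},
    {"pid": 7500, "proc": "dadeb.exe", "dst": "218.54.31.165", "port": 11110, "domain": None, "rep": "malicious"},
]

# Every address returned in the report's DNS requests table.
DNS_ANSWERS: Set[str] = {
    "4.231.128.59", "51.104.136.2", "142.250.185.238", "23.216.77.28",
    "23.216.77.6", "184.30.21.171", "131.107.255.255", "40.91.76.224",
}

SAMPLE_PIDS = {7444, 7500, 7520, 7956}   # the sample and its children per the process table
COMMON_PORTS = {53, 80, 443}             # ports the background traffic in this report uses


def is_local(ip: str) -> bool:
    """Broadcast, private, link-local and multicast destinations are not candidate C2."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_link_local or a.is_loopback or a.is_multicast


def triage(flow: Dict) -> List[str]:
    """Reasons a flow deserves attention; an empty list means background traffic."""
    if is_local(flow["dst"]):
        return []
    reasons = []
    if flow["port"] not in COMMON_PORTS:
        reasons.append(f"unusual_port:{flow['port']}")
    if flow["domain"] is None and flow["dst"] not in DNS_ANSWERS:
        reasons.append("raw_ip_no_dns")      # hard-coded address: nothing resolved it
    if flow["pid"] in SAMPLE_PIDS:
        reasons.append("from_sample_tree")
    return reasons


def suspicious_flows() -> List[Dict]:
    return [f for f in FLOWS if triage(f)]


def iocs() -> Dict[str, str]:
    """Destination -> report reputation for traffic from the sample's own processes."""
    return {f"{f['dst']}:{f['port']}": f["rep"] for f in FLOWS if f["pid"] in SAMPLE_PIDS}


def suricata_rules(base_sid: int = 9000001) -> List[str]:
    """One rule per suspicious destination. Protocol is 'ip' because the report
    says 'TCP/UDP connections' without naming one; the port is kept in msg."""
    rules = []
    for i, f in enumerate(suspicious_flows()):
        rules.append(
            f'alert ip $HOME_NET any -> {f["dst"]} any '
            f'(msg:"Urelas C2 candidate {f["dst"]}:{f["port"]} from ANY.RUN report"; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for f in suspicious_flows():
        print(f["pid"], f["proc"], f"{f['dst']}:{f['port']}", triage(f))
    print("\n".join(suricata_rules()))
```

The "raw_ip_no_dns" reason is the one that generalises beyond this sample: C2 reached by hard-coded address leaves no DNS record to pivot on, so the flow log itself has to be the detection source, which is why the IOC export carries the port alongside the address.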

Threats

No threats detected: no network IDS signature fired during this run. The malicious verdicts on the dadeb.exe connections in the Connections table come from IP reputation, not from a signature, so detection of this traffic has to rest on those addresses and the non-standard ports.
No debug info