File name:

2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/4a22332c-e050-48fe-bcfd-5292871ecbea
Verdict: Malicious activity
Analysis date: May 16, 2025, 11:32:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 3 sections
MD5:

EF936AE68ACC4FA6BB0D43E3C28B10E7

SHA1:

2090CB5C28B5983BB96C32D16708FFD797D6A2FA

SHA256:

8CC6D5271BFF1F3B4D0D4F058662FE03ECCFEFBB11288EBC90DC821701FA575A

SSDEEP:

6144:F2tBGuxAc7FJut9aVkc/pdFY5M2eucOZ2DKlASW/3AXeNSiMG/Pt2Z0OL3kC8Hyj:F+jnjY5gr3zNLbYZXgChU2YLfgVx1D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
      • pouge.exe (PID: 8188)
    • URELAS has been detected (YARA)

      • cidoax.exe (PID: 7520)
      • pouge.exe (PID: 8188)
    • URELAS mutex has been found

      • cidoax.exe (PID: 7520)
  • SUSPICIOUS

    • Starts itself from another location

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
    • Executable content was dropped or overwritten

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
      • pouge.exe (PID: 8188)
    • Reads security settings of Internet Explorer

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
    • Executing commands from a ".bat" file

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • cidoax.exe (PID: 7520)
    • Starts CMD.EXE for commands execution

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • cidoax.exe (PID: 7520)
    • Connects to unusual port

      • cidoax.exe (PID: 7520)
    • There is functionality for taking screenshot (YARA)

      • pouge.exe (PID: 8188)
  • INFO

    • Create files in a temporary directory

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
      • pouge.exe (PID: 8188)
    • Checks supported languages

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
      • pouge.exe (PID: 8188)
    • Process checks computer location settings

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
    • Reads the computer name

      • 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7348)
      • uhich.exe (PID: 7404)
      • cidoax.exe (PID: 7520)
    • Reads the software policy settings

      • slui.exe (PID: 8096)
    • Checks proxy server information

      • slui.exe (PID: 8096)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:08:07 12:40:06+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 110080
InitializedDataSize: 259584
UninitializedDataSize: -
EntryPoint: 0xc7fb
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

  • start
  • #URELAS 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
  • #URELAS uhich.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • #URELAS cidoax.exe
  • slui.exe
  • #URELAS pouge.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7260
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_vslite.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cidoax.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7348
CMD: "C:\Users\admin\Desktop\2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7404
CMD: "C:\Users\admin\AppData\Local\Temp\uhich.exe" hi
Path: C:\Users\admin\AppData\Local\Temp\uhich.exe
Parent process: 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\uhich.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7424
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_vslite.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7436
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7520
CMD: "C:\Users\admin\AppData\Local\Temp\cidoax.exe" OK
Path: C:\Users\admin\AppData\Local\Temp\cidoax.exe
Parent process: uhich.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\cidoax.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 8096
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 8188
CMD: "C:\Users\admin\AppData\Local\Temp\pouge.exe"
Path: C:\Users\admin\AppData\Local\Temp\pouge.exe
Parent process: cidoax.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\pouge.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 549
Read events
4 549
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID: 8188
Process: pouge.exe
Filename: C:\Users\admin\AppData\Local\Temp\uhich.exe
Type: executable
MD5: 5221C66308B56665BB505AAFAAD336DD
SHA256: 525A58354512945945CBA9B58A5AB8DEC6E950E0673F2E2800117BDAFED182E4

PID: 7520
Process: cidoax.exe
Filename: C:\Users\admin\AppData\Local\Temp\pouge.exe
Type: executable
MD5: 6E3A3CA3FF39A16D031FD8476CB51050
SHA256: 104FA18614CC10178F1C6302C776BDB18C688B746FE64FC1DEA405B54D63B2A9

PID: 7348
Process: 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
Filename: C:\Users\admin\AppData\Local\Temp\golfinfo.ini
Type: text
MD5: 9434280D189E12E239BCF36541B5418C
SHA256: 4355451A57650AEC98094E3EFCA80060CC2B69BE42DD84CA4E7B7DB58B0350F8

PID: 7348
Process: 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
Filename: C:\Users\admin\AppData\Local\Temp\_vslite.bat
Type: text
MD5: 8FF8EE971EA9BEF1AE037DE56F8255B0
SHA256: F8D1188059E47C8853D92CBFAEF889D8605FF2F5AD2333BBDF5AEDDCB261716C

PID: 7348
Process: 2025-05-16_ef936ae68acc4fa6bb0d43e3c28b10e7_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
Filename: C:\Users\admin\AppData\Local\Temp\uhich.exe
Type: executable
MD5: 149E5E88034427E6C593B4C90E90C1FB
SHA256: E8AB1F4F2A7A0EE920EC99C1FC14BFD35DCB607B86CF329051BAED5533744A17

PID: 7404
Process: uhich.exe
Filename: C:\Users\admin\AppData\Local\Temp\cidoax.exe
Type: executable
MD5: E17739115515CB80E7FCA081469E1DFB
SHA256: FDB2CFCBA8688B57FF30A292F77BA0104B4E83376C319D52026D03B8470AD480

PID: 7520
Process: cidoax.exe
Filename: C:\Users\admin\AppData\Local\Temp\_vslite.bat
Type: text
MD5: 9B6E4C1FF2AA3DBBAD348AF5A3572AB1
SHA256: CA15A49F2DBBA0C743068E99E1A3F08211D2C85398624280AEFEC44C23A72D1C
Download the PCAP, analyze network streams, HTTP content and more in the full report.
HTTP(S) requests
34
TCP/UDP connections
54
DNS requests
21
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4628 | RUXIMICS.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4628 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 40.126.31.0:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
| | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 400 | 40.126.31.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 400 | 20.190.159.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 400 | 40.126.31.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4628 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4628 | RUXIMICS.exe | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4628 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.13
  • 23.216.77.16
  • 23.216.77.18
  • 23.216.77.19
  • 23.216.77.25
  • 23.216.77.39
  • 23.216.77.23
  • 23.216.77.10
  • 23.216.77.7
  • 23.216.77.11
  • 23.216.77.38
  • 23.216.77.21
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.128
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.2
  • 20.190.159.0
  • 40.126.31.1
  • 40.126.31.69
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info