File name:	2025-06-21_7d3572f3ac92869f11db1b58e288ec33_elex_gcleaner_rhadamanthys_stop
Full analysis:	https://app.any.run/tasks/28d2f453-1f73-439d-a4fc-a432d7f68927
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 13:56:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg ransomware birele neconyd
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	7D3572F3AC92869F11DB1B58E288EC33
SHA1:	BB53787B09795C48FA5F18C87C19933A4A26E9CC
SHA256:	90D8A7AC202EACEBE91CAD1730AA958D4090F8887CA727F1B01EEA3E6F45BDA2
SSDEEP:	768:slLaXdRadM5FuAkBLU8FnqBVMoXtQp6upVl2GyC:stMRJ5FPk9rnauUglPy

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:12:04 14:55:14+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	52736
InitializedDataSize:	104960
UninitializedDataSize:	-
EntryPoint:	0xb384
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6536) 2025-06-21_7d3572f3ac92869f11db1b58e288ec33_elex_gcleaner_rhadamanthys_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	lalheau
Value: C:\Users\admin\AppData\Roaming\mx3xbv65.exe
(PID) Process:	(1324) mx3xbv65.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1324) mx3xbv65.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1324) mx3xbv65.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5564) mx3xbv65.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5564) mx3xbv65.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5564) mx3xbv65.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
6536	2025-06-21_7d3572f3ac92869f11db1b58e288ec33_elex_gcleaner_rhadamanthys_stop.exe	C:\Users\admin\AppData\Roaming\mx3xbv65.exe		executable
		MD5:49005E91A431DA3F786DAEF7B59730C6	SHA256:ECB3C0C0115C1DE0EB10E69AB8399FEF54B164B604B71CEB36B378C9B123956F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2028	RUXIMICS.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1324	mx3xbv65.exe	GET	200	52.27.79.221:80	http://ow5dirasuek.com/756/422.html	unknown	—	—	malicious
2028	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5564	mx3xbv65.exe	GET	200	52.27.79.221:80	http://ow5dirasuek.com/555/420.html	unknown	—	—	malicious
1324	mx3xbv65.exe	GET	200	52.27.79.221:80	http://ow5dirasuek.com/143/43.html	unknown	—	—	malicious
5564	mx3xbv65.exe	GET	200	52.27.79.221:80	http://ow5dirasuek.com/689/301.html	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2028	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2028	RUXIMICS.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
uwsozi.net	—	unknown
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
mkkuei4kdsz.com	—	malicious
ow5dirasuek.com	52.27.79.221	malicious
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
self.events.data.microsoft.com	51.104.15.252	whitelisted

PID	Process	Class	Message
1324	mx3xbv65.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5564	mx3xbv65.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
1324	mx3xbv65.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
5564	mx3xbv65.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin

General Info

2025-06-21_7d3572f3ac92869f11db1b58e288ec33_elex_gcleaner_rhadamanthys_stop

7D3572F3AC92869F11DB1B58E288EC33

BB53787B09795C48FA5F18C87C19933A4A26E9CC

90D8A7AC202EACEBE91CAD1730AA958D4090F8887CA727F1B01EEA3E6F45BDA2

768:slLaXdRadM5FuAkBLU8FnqBVMoXtQp6upVl2GyC:stMRJ5FPk9rnauUglPy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Neconyd has been detected

Connects to the CnC server

BIRELE has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

INFO

Creates files or folders in the user directory

Checks supported languages

Launching a file from a Registry key

Reads the computer name

Checks proxy server information

Manual execution by a user

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings