File name: 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop

Full analysis: https://app.any.run/tasks/dc6d0e9c-85bd-4257-803c-16361b7fe293
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:54:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 0AD2B36230E57B486EDC8A9CF058695A
SHA1: 596D26AC62EB00889807FAC05441841DAA01F917
SHA256: 9B9F8585819868CEB731F676995E26883B10163BB0F2D7EDED4305AEDE8786CA
SSDEEP: 12288:TUROkKYkIFvodpy/ol1HVGpSYNf/FH0rZjYi1Z7U:TyYpy/ol1HVG0Yx/po5Yi1Z4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • cmd.exe (PID: 4112)
      • nuact.exe (PID: 2076)
      • qoamx.exe (PID: 2232)
    • URELAS mutex has been found

      • nuact.exe (PID: 2076)
    • URELAS has been detected (YARA)

      • nuact.exe (PID: 2076)
      • qoamx.exe (PID: 2232)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • nuact.exe (PID: 2076)
    • Executable content was dropped or overwritten

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • nuact.exe (PID: 2076)
      • qoamx.exe (PID: 2232)
    • Starts itself from another location

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
    • Executing commands from a ".bat" file

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
    • Starts CMD.EXE for commands execution

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
    • There is functionality for taking screenshot (YARA)

      • nuact.exe (PID: 2076)
      • qoamx.exe (PID: 2232)
    • Connects to unusual port

      • nuact.exe (PID: 2076)
  • INFO

    • Checks supported languages

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • nuact.exe (PID: 2076)
      • qoamx.exe (PID: 2232)
    • Reads the computer name

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • nuact.exe (PID: 2076)
    • Process checks computer location settings

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • nuact.exe (PID: 2076)
    • Create files in a temporary directory

      • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (PID: 2132)
      • qoamx.exe (PID: 2232)
      • nuact.exe (PID: 2076)
    • UPX packer has been detected

      • nuact.exe (PID: 2076)
    • Checks proxy server information

      • slui.exe (PID: 5928)
    • Reads the software policy settings

      • slui.exe (PID: 5928)
No Malware configuration.

TRiD

.exe | InstallShield setup (25.2)
.exe | Win32 Executable MS Visual C++ (generic) (18.2)
.exe | Win64 Executable (generic) (16.1)
.exe | UPX compressed Win32 Executable (15.8)
.exe | Win32 EXE Yoda's Crypter (15.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:14 12:10:28+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 9
CodeSize: 323584
InitializedDataSize: 4096
UninitializedDataSize: 229376
EntryPoint: 0x16520
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes in the graph (tag shown in parentheses):
  • start
  • 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe (#URELAS)
  • nuact.exe (#URELAS)
  • cmd.exe (#URELAS)
  • conhost.exe (no specs)
  • slui.exe (no specs)
  • qoamx.exe (#URELAS)

Process information

Each entry lists PID, command line, image path and parent process.

PID: 2076
CMD: "C:\Users\admin\AppData\Local\Temp\nuact.exe"
Path: C:\Users\admin\AppData\Local\Temp\nuact.exe
Parent process: 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nuact.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2132
CMD: "C:\Users\admin\Desktop\2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2232
CMD: "C:\Users\admin\AppData\Local\Temp\qoamx.exe"
Path: C:\Users\admin\AppData\Local\Temp\qoamx.exe
Parent process: nuact.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\qoamx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2492
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4112
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5928
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 345
Read events: 4 345
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2132 | 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\Temp\nuact.exe | executable
  MD5: BEB81534330542A61E92701069781B2E
  SHA256: 842898FF95F7BDBC70655A58ADCDD340419429A63494A9C6D414013ED1C3B9E6
2232 | qoamx.exe | C:\Users\admin\AppData\Local\Temp\nuact.exe | executable
  MD5: 2CE8D04BD084F48E93ABBC03EB73E49C
  SHA256: 5A7E75BB3EC4BEB54DA1B459B121960E62560B351ACC8D9641410DAF2941E07C
2132 | 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\Temp\_uinsey.bat | text
  MD5: ED0BC810B771D9DDA73C3C9B969AFA1F
  SHA256: F7368E026B6FE2285D06266675BEF27F324A6AA53EC762B9B9EB9660DAB6A4B1
2132 | 2025-06-21_0ad2b36230e57b486edc8a9cf058695a_amadey_elex_smoke-loader_stop.exe | C:\Users\admin\AppData\Local\Temp\golfinfo.ini | text
  MD5: 498B0F569079E812359B710AD2D990F1
  SHA256: 3EEAF753A9A0936A8B99F1A52B81CFE61A0EBF645D72D1CB7430CDEFCEA27DC1
2076 | nuact.exe | C:\Users\admin\AppData\Local\Temp\qoamx.exe | executable
  MD5: A47BEE36954838B20F3C575721BFE623
  SHA256: 842163E30CF13CA8E76D2C9359D6A8C605E78CCCD705E6CF54F2050863DA078D
HTTP(S) requests: 31
TCP/UDP connections: 50
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2028 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted
- | - | POST | 200 | 20.190.160.20:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2028 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2028 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain, resolved IP addresses, reputation:
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.39
  • 184.24.77.40
  • 184.24.77.33
  • 184.24.77.34
  • 184.24.77.36
  • 184.24.77.7
  • 184.24.77.9
  • 184.24.77.6
  • 184.24.77.18
  • 184.24.77.19
  • 184.24.77.12
  • 184.24.77.10
  • 184.24.77.23
  • 184.24.77.27
  • 184.24.77.11
  • 184.24.77.24
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.65
  • 20.190.160.131
  • 20.190.160.2
  • 20.190.160.17
  • 20.190.160.128
  • 20.190.160.4
  • 40.126.32.133
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info