File name: 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop

Full analysis: https://app.any.run/tasks/61b64db2-96d9-4d6a-9532-96871f82d83b
Verdict: Malicious activity
Analysis date: June 21, 2025, 10:13:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 7E04027F5A8774427F89F55134992A29
SHA1: 3BEC146479B4EE46E1DB2C8B57DFF8D0CBC25023
SHA256: A9A9C1AFDE59BD75A974EA0A9F1CA25C455F183E099AA1D92577C408E424EFC6
SSDEEP: 6144:k+/qSsHTtOwu4nBHYsjH0YjCoacTke2eO:jql3YsHO1/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • huter.exe (PID: 1944)
      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • URELAS mutex has been found

      • huter.exe (PID: 1944)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Starts itself from another location

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Starts CMD.EXE for command execution

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Executing commands from a ".bat" file

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Reads security settings of Internet Explorer

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Connects to unusual port

      • huter.exe (PID: 1944)
  • INFO

    • Process checks computer location settings

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Checks supported languages

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
      • huter.exe (PID: 1944)
    • Creates files in a temporary directory

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • The sample was compiled with Korean language support

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
    • Reads the computer name

      • 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID: 3752)
      • huter.exe (PID: 1944)
    • Checks proxy server information

      • slui.exe (PID: 4372)
    • Reads the software policy settings

      • slui.exe (PID: 4372)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:05:15 09:04:01+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 70656
InitializedDataSize: 74240
UninitializedDataSize: -
EntryPoint: 0x4fc4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.4.228
ProductVersionNumber: 1.0.4.228
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Korean
CharacterSet: Unicode
CompanyName: Updater
FileDescription: Updater
FileVersion: 1.0.4.228
InternalName: Updater.exe
LegalCopyright: Copyright (C) 2015
OriginalFileName: Updater.exe
ProductName: Updater
ProductVersion: 1.0.4.228
No data.
All screenshots are available in the full report
Total processes
136
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Process tree (parent/child links as listed under Process information below; #URELAS marks processes that triggered the URELAS signature, "no specs" marks processes with no signatures):

start
  explorer.exe
    2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe (PID 3752) #URELAS
      huter.exe (PID 1944) #URELAS
      cmd.exe (PID 320) no specs
        conhost.exe (PID 3716) no specs
  svchost.exe
    slui.exe (PID 4372)

Process information

PID:
320
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\sanfdr.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
(The command line names System32, but the parent is a 32-bit process, so WOW64 file-system redirection loaded the SysWOW64 copy of cmd.exe; the Modules list below confirms this.)
Indicators:
no specs
Parent process:
2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1944
CMD:
"C:\Users\admin\AppData\Local\Temp\huter.exe"
Path:
C:\Users\admin\AppData\Local\Temp\huter.exe
Indicators:
#URELAS
Parent process:
2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe
User:
admin
Company:
Updater
Integrity Level:
MEDIUM
Description:
Updater
Exit code:
0
Version:
1.0.4.228
Modules
Images
c:\users\admin\appdata\local\temp\huter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
3716
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Indicators:
no specs
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3752
CMD:
"C:\Users\admin\Desktop\2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe"
Path:
C:\Users\admin\Desktop\2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe
Indicators:
#URELAS
Parent process:
explorer.exe
User:
admin
Company:
Updater
Integrity Level:
MEDIUM
Description:
Updater
Exit code:
0
Version:
1.0.4.228
Modules
Images
c:\users\admin\desktop\2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
4372
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
(slui.exe is not a descendant of the sample; it was started by svchost.exe with -Embedding and only carries INFO-level signatures.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 134
Read events
4 134
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type
3752 | 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe | C:\Users\admin\AppData\Local\Temp\golfinfo.ini | text
MD5: 24DAF3248DD1530974B7A8DBC2503FB6
SHA256: 88DAAA580DB10AACED533F890A22E281B10BCDEFDAF64456E958A2C02A7BBAD1
3752 | 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe | C:\Users\admin\AppData\Local\Temp\sanfdr.bat | text
MD5: 95CA2ED7A2F31EF14AC11EDD7BEE9CC2
SHA256: A86E4841AD2B2A4422814D498D4E87628E4DA694E843F2244FDFC5A330231275
3752 | 2025-06-21_7e04027f5a8774427f89f55134992a29_elex_gcleaner_rhadamanthys_stop.exe | C:\Users\admin\AppData\Local\Temp\huter.exe | executable
MD5: C5EDDA6929031273E80722D0C909CCB1
SHA256: 8294A5F7B306C4C4EF84031780B12DB0DAD202020F2AF867C2B72C0387A975F2
(huter.exe carries the same Updater 1.0.4.228 version information as the submitted sample but a different MD5, so it is a modified rather than byte-identical copy; hash-based hunting for the sample alone will not find the dropped file.)
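The following script is an added example and is not part of the ANY.RUN report or the sample. It re-derives three of the behaviour signatures listed above (executable dropped then launched by its dropper, a .bat written by the parent and run through cmd.exe /c, and the System32-to-SysWOW64 path mismatch on the cmd.exe child) from the process tree and dropped-file list in this report. The event records are constructed by hand from the Process information and Dropped files sections; the Proc layout, the DROPPED mapping and the function names are assumptions for the example, not an ANY.RUN export format, and explorer.exe's PID (not given in the report) is set to 0.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Paths taken from the report. The Proc/DROPPED layout is an assumption for
# this example, not an ANY.RUN export format.
SAMPLE = (r"C:\Users\admin\Desktop\2025-06-21_7e04027f5a8774427f89f55134992a29"
          r"_elex_gcleaner_rhadamanthys_stop.exe")
TEMP = r"C:\Users\admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # image actually loaded (the report's "Path" field)
    cmdline: str  # command line as logged (the report's "CMD" field)


# Constructed from the report's "Process information" section. explorer.exe's
# PID is not given in the report, so 0 stands in for it.
PROCS: List[Proc] = [
    Proc(3752, 0, SAMPLE, '"' + SAMPLE + '"'),
    Proc(1944, 3752, TEMP + r"\huter.exe", '"' + TEMP + r'\huter.exe"'),
    Proc(320, 3752, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\WINDOWS\system32\cmd.exe /c ""' + TEMP + r'\sanfdr.bat" "'),
    Proc(3716, 320, r"C:\Windows\System32\conhost.exe",
         r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Constructed from the report's "Dropped files" section: path -> writing PID.
DROPPED: Dict[str, int] = {
    TEMP + r"\golfinfo.ini": 3752,
    TEMP + r"\sanfdr.bat": 3752,
    TEMP + r"\huter.exe": 3752,
}


def _norm(path: str) -> str:
    """Case-insensitive path key (NTFS paths are case-insensitive)."""
    return path.lower()


def dropped_and_executed(procs: List[Proc], dropped: Dict[str, int]) -> List[int]:
    """PIDs whose image file was written by their own parent process.

    This is the "dropper writes a PE, then launches it" pattern behind the
    report's "Executable content was dropped or overwritten" and
    "Starts itself from another location" signatures.
    """
    writer_of = {_norm(p): w for p, w in dropped.items()}
    return [p.pid for p in procs if writer_of.get(_norm(p.image)) == p.ppid]


# cmd.exe /c may carry the script path bare or wrapped in one or more quotes;
# the report shows the doubled-quote form: /c ""<path>.bat" "
_BAT_RE = re.compile(r'/c\s+"+([^"]+\.bat)"|/c\s+(\S+\.bat)', re.IGNORECASE)


def bat_via_cmd(procs: List[Proc], dropped: Dict[str, int]) -> List[Tuple[int, str]]:
    """(cmd.exe PID, batch path) for cmd.exe children running a .bat their parent wrote."""
    writer_of = {_norm(p): w for p, w in dropped.items()}
    hits = []
    for p in procs:
        if not _norm(p.image).endswith(r"\cmd.exe"):
            continue
        m = _BAT_RE.search(p.cmdline)
        if not m:
            continue
        bat = m.group(1) or m.group(2)
        if writer_of.get(_norm(bat)) == p.ppid:
            hits.append((p.pid, bat))
    return hits


def wow64_redirected(procs: List[Proc]) -> List[int]:
    """PIDs whose command line names System32 but whose loaded image is under SysWOW64.

    A 32-bit parent (the sample is PE32) that spawns C:\\Windows\\System32\\cmd.exe
    actually gets C:\\Windows\\SysWOW64\\cmd.exe through WOW64 file-system
    redirection, which is why the report's Path disagrees with its CMD for PID 320.
    """
    return [p.pid for p in procs
            if "\\system32\\" in p.cmdline.lower()
            and "\\syswow64\\" in p.image.lower()]


if __name__ == "__main__":
    print("dropped-and-executed:", dropped_and_executed(PROCS, DROPPED))
    print("bat via cmd.exe:", bat_via_cmd(PROCS, DROPPED))
    print("WOW64-redirected:", wow64_redirected(PROCS))
```

Each check keys on the parent link plus the file-write attribution, so a cmd.exe running a batch file that some unrelated process wrote, or a child whose image was not written by its own parent, is not flagged; on real telemetry the same logic applies to Sysmon event ID 1 (process create) joined with event ID 11 (file create).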
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
23
DNS requests
10
Threats
0

HTTP requests

(None of the requests with an attributed process come from the sample (PID 3752) or huter.exe (PID 1944); the two activation POSTs carry no process attribution in this excerpt.)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4844 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4844 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

(The "Connects to unusual port" signature fired for huter.exe (PID 1944), but that connection is not among the 10 connections listed here out of the 23 counted; the PCAP in the full report is needed to see it.)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4844 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
4844 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.42.73.31
whitelisted

Threats

No threats detected
No debug info