File name:

2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee

Full analysis: https://app.any.run/tasks/64c5343b-6f21-4715-a55d-58d4b5bcfdc4
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 10:36:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
amadey
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

DB71726A2924751637F9954024268EB9

SHA1:

B2EFFD0E687F996EB325EC48B97024D7121403A3

SHA256:

B9A4E0FBBDAFA8569AFFE3F6CCB16D5B1631D62CD67701BC47EC9A8902B45E1A

SSDEEP:

12288:mPVhwSY8yKL+Jctz/+C8ZCnoyxFObvJ4aObvJ4:m08a+z/+C8ZCoyx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 6300)

    • AMADEY has been detected (YARA)

      • rween.exe (PID: 5508)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)

    • Starts itself from another location

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)

    • Reads security settings of Internet Explorer

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)
      • rween.exe (PID: 5508)

    • Executes application which crashes

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)

    • Starts CMD.EXE for commands execution

      • rween.exe (PID: 5508)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4988)

  • INFO

    • Checks supported languages

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)
      • rween.exe (PID: 5508)

    • The sample compiled with chinese language support

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)

    • Reads the computer name

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)
      • rween.exe (PID: 5508)

    • Creates files in the program directory

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)
      • rween.exe (PID: 5508)

    • Process checks computer location settings

      • 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe (PID: 1760)
      • rween.exe (PID: 5508)

    • Checks proxy server information

      • rween.exe (PID: 5508)
      • slui.exe (PID: 5720)

    • Reads the software policy settings

      • slui.exe (PID: 5720)

    • Auto-launch of the file from Registry key

      • reg.exe (PID: 6300)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:07:11 16:44:27+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 154112
InitializedDataSize: 77059584
UninitializedDataSize: -
EntryPoint: 0x2f33
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.5.1
ProductVersionNumber: 1.1.0.1
FileFlagsMask: 0x006f
FileFlags: Pre-release, Patched
FileOS: Unknown (0x40304)
ObjectFileType: Static library
FileSubtype: 81
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersions: 1.0.5.8
InternalSurname: debaukd.ekze
LegalCo: Copyri (C) 2019, permudationzy
Prod: 1.2.9
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe #AMADEY rween.exe no specs werfault.exe no specs cmd.exe no specs conhost.exe no specs reg.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1760"C:\Users\admin\Desktop\2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe" C:\Users\admin\Desktop\2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4988"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\3094e75976\C:\Windows\SysWOW64\cmd.exerween.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5508"C:\ProgramData\3094e75976\rween.exe" C:\ProgramData\3094e75976\rween.exe
2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\3094e75976\rween.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5720C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6300REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\3094e75976\C:\Windows\SysWOW64\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6740\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6872C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1760 -s 816C:\Windows\SysWOW64\WerFault.exe2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
6 005
Read events
6 001
Write events
4
Delete events
0

Modification events

(PID) Process:(5508) rween.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5508) rween.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5508) rween.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6300) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation:writeName:Startup
Value:
C:\ProgramData\3094e75976\
Executable files
1
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
17602025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exeC:\ProgramData\152116936828606071450932
MD5:
SHA256:
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-18_db717_f5a2e03577fc4a5f4e8b2e49e149ef9eccf7b75_0bece7c0_498bad85-cd66-4073-83d1-8bdffef2b971\Report.wer
MD5:
SHA256:
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD449.tmp.dmpbinary
MD5:F9E5AC772135777F5A427B67C6A19D3A
SHA256:AD182815DD81F393CD84B75941C9587C52859B801C4D530D9A9D0E04D09342BD
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD5F1.tmp.xmlxml
MD5:C16459D238E17B33989866164B96C907
SHA256:72A11CD393D8B6CA2B44411B5107D0A212D3AB07DA76F53D4F77873B8A9FD772
17602025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exeC:\ProgramData\3094e75976\rween.exeexecutable
MD5:DB71726A2924751637F9954024268EB9
SHA256:B9A4E0FBBDAFA8569AFFE3F6CCB16D5B1631D62CD67701BC47EC9A8902B45E1A
6872WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee.exe.1760.dmpbinary
MD5:99F02D870D16A6EC0D9392CD243F6D3C
SHA256:625FE073AC066A1D61F44911A7AA5ACB1CBEF9440AC276D474CB1969AAE510D1
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD593.tmp.WERInternalMetadata.xmlbinary
MD5:06DE1C14B287345BBBB9CF975EF52744
SHA256:08095E0F57B9EF9506DEB05C4D8AE417484D7E8880AD0B4D64E900AC9452DAE4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
41
DNS requests
21
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6724
RUXIMICS.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6724
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
23.216.77.27:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
23.216.77.27:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6724
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6724
RUXIMICS.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
6724
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
6148
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5776
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
5776
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 23.216.77.27
  • 23.216.77.37
  • 23.216.77.26
  • 23.216.77.35
  • 23.216.77.32
  • 23.216.77.36
  • 23.216.77.5
  • 23.216.77.38
  • 23.216.77.8
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
dustontail.top
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-18_db71726a2924751637f9954024268eb9_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_tofsee