File name:

2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/ee277135-6617-4590-8806-f0e247089179
Verdict: Malicious activity
Analysis date: May 17, 2025, 10:18:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

8BB005C2E62C0B7791C003368FA8DDD4

SHA1:

78C158FD3AAA86CE8298E0FC58A747F029DC5573

SHA256:

CDE536C9272BB5E6A55B4A1BC2C028D50AE80404B37D9505A031225A4BBA7F70

SSDEEP:

6144:Q2tBGuxAc7FJut9aVkc/pdFY5M2eucOZ2DKlASW/3AXeNSiMG/Pt2Z0OL3kC8Hyl:Q+jnjY5gr3zNLbYZXgChU2YLfgVx1rJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URELAS has been detected

      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)
      • ynlud.exe (PID: 7468)
      • kudava.exe (PID: 7580)

    • Connects to the CnC server

      • kudava.exe (PID: 7580)

    • URELAS mutex has been found

      • kudava.exe (PID: 7580)

    • URELAS has been detected (YARA)

      • kudava.exe (PID: 7580)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)
      • ynlud.exe (PID: 7468)

    • Starts itself from another location

      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)
      • ynlud.exe (PID: 7468)

    • Reads security settings of Internet Explorer

      • ynlud.exe (PID: 7468)
      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)

    • Starts CMD.EXE for commands execution

      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)

    • Executing commands from a ".bat" file

      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)

    • Contacting a server suspected of hosting an CnC

      • kudava.exe (PID: 7580)

    • Connects to unusual port

      • kudava.exe (PID: 7580)

  • INFO

    • Checks supported languages

      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)
      • ynlud.exe (PID: 7468)
      • kudava.exe (PID: 7580)

    • Reads the computer name

      • ynlud.exe (PID: 7468)
      • kudava.exe (PID: 7580)
      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)

    • Create files in a temporary directory

      • ynlud.exe (PID: 7468)
      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)

    • Process checks computer location settings

      • ynlud.exe (PID: 7468)
      • 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe (PID: 7424)

    • Reads the software policy settings

      • slui.exe (PID: 1276)

    • Checks proxy server information

      • slui.exe (PID: 1276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:08:07 12:40:06+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 110080
InitializedDataSize: 259584
UninitializedDataSize: -
EntryPoint: 0xc7fb
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URELAS 2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe #URELAS ynlud.exe cmd.exe no specs conhost.exe no specs #URELAS kudava.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1276C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7424"C:\Users\admin\Desktop\2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe" C:\Users\admin\Desktop\2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7468"C:\Users\admin\AppData\Local\Temp\ynlud.exe" hiC:\Users\admin\AppData\Local\Temp\ynlud.exe
2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ynlud.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7488C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_vslite.bat" "C:\Windows\SysWOW64\cmd.exe2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7500\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7580"C:\Users\admin\AppData\Local\Temp\kudava.exe" OKC:\Users\admin\AppData\Local\Temp\kudava.exe
ynlud.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\kudava.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 220
Read events
4 220
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
74242025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\golfinfo.initext
MD5:9A6F09DD9276A57BE5AB1F12AF3D51D0
SHA256:4355451A57650AEC98094E3EFCA80060CC2B69BE42DD84CA4E7B7DB58B0350F8
74242025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\ynlud.exeexecutable
MD5:ECFDE4D1B73C5558A15C8C0E00A955AE
SHA256:7E60824623CD742410602CB0CC4AD59FE10225EC889E20B9D14E1942D8CC0F5F
74242025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\_vslite.battext
MD5:7ABCC90BDBF5E9D69E7CF1DCA5B8A72D
SHA256:02C80F1057717DE12B1A99386BD993D4F245604A29C374102CC0880E6C37F2DB
7468ynlud.exeC:\Users\admin\AppData\Local\Temp\kudava.exeexecutable
MD5:46746F03B5EDE98A62C835DE86E6654C
SHA256:78EBEBE8C052FB3CB72BC483EF76480A8246C0AE3B9C20E6822B1535671A081E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
53
DNS requests
18
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7880
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.216.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7880
SIHClient.exe
GET
200
23.216.77.26:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7880
SIHClient.exe
GET
200
23.216.77.26:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7880
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7880
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6572
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7880
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7880
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6572
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
23.216.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6572
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.37
  • 23.216.77.6
  • 23.216.77.15
  • 23.216.77.28
  • 23.216.77.21
  • 23.216.77.19
  • 23.216.77.42
  • 23.216.77.18
  • 23.216.77.41
  • 23.216.77.26
  • 23.216.77.29
  • 23.216.77.8
  • 23.216.77.25
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.4
  • 20.190.159.130
  • 20.190.159.75
  • 40.126.31.128
  • 20.190.159.73
  • 40.126.31.69
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

PID
Process
Class
Message
7580
kudava.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
7580
kudava.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_8bb005c2e62c0b7791c003368fa8ddd4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stealc_tofsee