File name: 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/2e5e4477-a92e-42ea-8646-b2e73f80a2d0
Verdict: Malicious activity
Analysis date: May 18, 2025, 21:38:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 2 sections
MD5: 2438547B14E8D5A4E09535CE3A2F8505
SHA1: 1981ADFE63E7AB290554615779A18827EA9A2DF8
SHA256: DD958E70902EF680A605A5AB8AD71FF7EF11E79A17ED32EB91419DFC31B4DA1C
SSDEEP: 12288:sJ6o6auNWany6qVsLmV0G77HUtA3Rw9uv:u6fpNWan5qVUmV0G7YtA3Rw9uv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • cmd.exe (PID: 7700)
      • muzow.exe (PID: 7680)
      • tepeb.exe (PID: 7176)
    • URELAS mutex has been found

      • muzow.exe (PID: 7680)
    • URELAS has been detected (YARA)

      • muzow.exe (PID: 7680)
      • tepeb.exe (PID: 7176)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • muzow.exe (PID: 7680)
      • tepeb.exe (PID: 7176)
    • Reads security settings of Internet Explorer

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • muzow.exe (PID: 7680)
    • Starts itself from another location

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
    • Starts CMD.EXE for commands execution

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
    • Executing commands from a ".bat" file

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
    • Connects to unusual port

      • muzow.exe (PID: 7680)
    • There is functionality for taking screenshot (YARA)

      • tepeb.exe (PID: 7176)
  • INFO

    • Reads the computer name

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • muzow.exe (PID: 7680)
    • Checks supported languages

      • muzow.exe (PID: 7680)
      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • tepeb.exe (PID: 7176)
    • Create files in a temporary directory

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • muzow.exe (PID: 7680)
      • tepeb.exe (PID: 7176)
    • Process checks computer location settings

      • 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (PID: 7616)
      • muzow.exe (PID: 7680)
    • Checks proxy server information

      • slui.exe (PID: 8104)
    • Reads the software policy settings

      • slui.exe (PID: 8104)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:09:12 12:25:44+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 2
CodeSize: 114688
InitializedDataSize: 266240
UninitializedDataSize: -
EntryPoint: 0x3209
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 128
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree (tags as shown in the graph): 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe (#URELAS), muzow.exe (#URELAS), cmd.exe (#URELAS, no specs), conhost.exe (no specs), slui.exe, tepeb.exe (#URELAS)

Process information

PID 7176
  CMD: "C:\Users\admin\AppData\Local\Temp\tepeb.exe"
  Path: C:\Users\admin\AppData\Local\Temp\tepeb.exe
  Parent process: muzow.exe
  User: admin
  Integrity level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\tepeb.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7616
  CMD: "C:\Users\admin\Desktop\2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe"
  Path: C:\Users\admin\Desktop\2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7680
  CMD: "C:\Users\admin\AppData\Local\Temp\muzow.exe"
  Path: C:\Users\admin\AppData\Local\Temp\muzow.exe
  Parent process: 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\muzow.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7700
  CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
  Path: C:\Windows\SysWOW64\cmd.exe
  Parent process: 2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 1
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll

PID 7712
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 8104
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
Total events: 4 225
Read events: 4 225
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 7616 (2025-05-18_2438547b14e8d5a4e09535ce3a2f8505_amadey_elex_gcleaner_rhadamanthys_smoke-loader.exe)
  C:\Users\admin\AppData\Local\Temp\golfinfo.ini (text)
    MD5: 201BF4302ACCF8CE7945E2A027D9C4DB
    SHA256: B406AD5F2E3BBF6476C20D013EBF6B53220662D771799C56E9C7144104218CBA
  C:\Users\admin\AppData\Local\Temp\muzow.exe (executable)
    MD5: DC1AE7CA3B96FF5E340E88314CCFCFDB
    SHA256: 681255EB933096973FD6A14759D0E8B66209C4540E823DA3B9FE74C2D82C966D
  C:\Users\admin\AppData\Local\Temp\_uinsey.bat (text)
    MD5: 53E442196547F4454237C5C8E8BD54D1
    SHA256: CA498E0D3E6553D1DE526FA338D8F5332D85C64D88727F9B63B55F23B03CD366

PID 7176 (tepeb.exe)
  C:\Users\admin\AppData\Local\Temp\muzow.exe (executable)
    MD5: FF76B6F455A969205575DA675ABD1323
    SHA256: 6E1D61914A2BE67C267DA015E6AF6D2C5AEA043D346CA068789EF6E061C61FD9

PID 7680 (muzow.exe)
  C:\Users\admin\AppData\Local\Temp\tepeb.exe (executable)
    MD5: 300ED57B9ADA90AD93A69A3392983059
    SHA256: 89887F04F74E960246A8F50136976C6082ACFFF7AC82E8C70135D247595B0804
HTTP(S) requests: 2
TCP/UDP connections: 25
DNS requests: 8
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL, type, reputation)

  • 2104 svchost.exe: GET 200 from 23.216.77.19:80, http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl, unknown, whitelisted
  • 2104 svchost.exe: GET 200 from 184.30.21.171:80, http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl, unknown, whitelisted

Connections (PID, process, remote endpoint, domain, ASN, country, reputation)

  • 4 System: 192.168.100.255:137, whitelisted
  • 2104 svchost.exe: 40.127.240.158:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • 2104 svchost.exe: 40.127.240.158:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • 4 System: 192.168.100.255:138, whitelisted
  • 2104 svchost.exe: 23.216.77.19:80, crl.microsoft.com, Akamai International B.V., DE, whitelisted
  • 2104 svchost.exe: 184.30.21.171:80, www.microsoft.com, AKAMAI-AS, DE, whitelisted
  • 2104 svchost.exe: 4.231.128.59:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • 7680 muzow.exe: 218.54.31.226:11110, SK Broadband Co Ltd, KR, malicious
  • 7680 muzow.exe: 1.234.83.146:11170, SK Broadband Co Ltd, KR, unknown
  • 7680 muzow.exe: 218.54.31.165:11110, SK Broadband Co Ltd, KR, malicious

DNS requests (domain, resolved IPs, reputation)

  • settings-win.data.microsoft.com: 40.127.240.158, 4.231.128.59 (whitelisted)
  • google.com: 142.250.186.174 (whitelisted)
  • crl.microsoft.com: 23.216.77.19, 23.216.77.29, 23.216.77.20, 23.216.77.30, 23.216.77.18, 23.216.77.27, 23.216.77.22, 23.216.77.25, 23.216.77.21 (whitelisted)
  • www.microsoft.com: 184.30.21.171 (whitelisted)
  • activation-v2.sls.microsoft.com: 40.91.76.224 (whitelisted)
  • dns.msftncsi.com: 131.107.255.255 (whitelisted)

Threats: no threats detected

Debug info: none