File name:

2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/02e329b1-3bde-4706-8c9e-4f600af4c670
Verdict: Malicious activity
Analysis date: June 21, 2025, 07:15:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ip-check
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

B9213ED163DE4BD0AFAB314EF5B07A9D

SHA1:

E60AF4F956B7465F55A7580E8D821F25BCDF7D7C

SHA256:

E2E6E0A2730BFCFF68742EA4348A019D74F359973A8AD985086415C99C6E53D4

SSDEEP:

1536:SzSTuJLiYfJ8o3h/ruY5mIhpJZ6+CP9wlZfMlVkvK4Y9ycioVl5:tTuJLiYh8o3h/ruY5myZ6+8+O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts itself from another location

      • 2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe (PID: 3028)

    • Executable content was dropped or overwritten

      • 2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe (PID: 3028)

    • There is functionality for capture public ip (YARA)

      • izilysa.exe (PID: 7048)

    • Checks for external IP

      • izilysa.exe (PID: 7048)
      • svchost.exe (PID: 2200)

    • Reads security settings of Internet Explorer

      • izilysa.exe (PID: 7048)

    • Connects to unusual port

      • izilysa.exe (PID: 7048)

  • INFO

    • Checks supported languages

      • 2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe (PID: 3028)
      • izilysa.exe (PID: 7048)

    • Reads the computer name

      • 2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe (PID: 3028)
      • izilysa.exe (PID: 7048)

    • Create files in a temporary directory

      • 2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe (PID: 3028)

    • Checks proxy server information

      • izilysa.exe (PID: 7048)
      • slui.exe (PID: 3740)

    • Creates files or folders in the user directory

      • izilysa.exe (PID: 7048)

    • Reads the machine GUID from the registry

      • izilysa.exe (PID: 7048)

    • Reads the software policy settings

      • izilysa.exe (PID: 7048)
      • slui.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:11:18 14:53:57+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 34304
InitializedDataSize: 37376
UninitializedDataSize: -
EntryPoint: 0x3453
OSVersion: 5.1
ImageVersion: 7.4
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
4
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start 2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe izilysa.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3028"C:\Users\admin\Desktop\2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe" C:\Users\admin\Desktop\2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3740C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7048C:\Users\admin\AppData\Local\Temp\izilysa.exeC:\Users\admin\AppData\Local\Temp\izilysa.exe
2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\izilysa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
7 033
Read events
7 030
Write events
3
Delete events
0

Modification events

(PID) Process:(7048) izilysa.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7048) izilysa.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7048) izilysa.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7048izilysa.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\AYTA062A.txttext
MD5:E991B58C8AC5A4CDEB6B435BAA2E608D
SHA256:8B8B82E8CEEA8D293895123D6ECBF941E90C2EBA11D708F3F3E0B7FE51319501
30282025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop.exeC:\Users\admin\AppData\Local\Temp\izilysa.exeexecutable
MD5:6422994338C8D8D080DCCD5E59B34A3C
SHA256:CC969EF984F548A74A77B77ACE9635CA60F1F8A10E42DF02B3A63E96F04637C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
53
DNS requests
21
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
728
RUXIMICS.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
728
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.160.67:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.20:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.65:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
728
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
728
RUXIMICS.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
1268
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
728
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.14
  • 20.190.160.65
  • 20.190.160.64
  • 20.190.160.67
  • 40.126.32.74
  • 20.190.160.132
  • 20.190.160.22
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
icanhazip.com
  • 104.16.184.241
  • 104.16.185.241
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
7048
izilysa.exe
Attempted Information Leak
ET INFO IP Check Domain (icanhazip. com in HTTP Host)
7048
izilysa.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_b9213ed163de4bd0afab314ef5b07a9d_amadey_elex_gcleaner_redline-stealer_rhadamanthys_smoke-loader_stop