Analysis Overview
SHA256
c984255885ef050929570c35651a271490db8d40febd38c8af4f12483c67869b
Threat Level: Shows suspicious behavior
The file 2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:24
Reported
2025-07-02 19:27
Platform
win10v2004-20250610-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aa64f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aa64f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3sx13d1q3t = "C:\\Users\\Admin\\AppData\\Roaming\\aa64f6.exe" | C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2866795425-63786011-2927312124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3x8wr4m = "C:\\Users\\Admin\\AppData\\Roaming\\guftbf3zfj.exe" | C:\Users\Admin\AppData\Roaming\aa64f6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aa64f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aa64f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe | "C:\Users\Admin\AppData\Local\Temp\2025-07-02_1d4361bcd7304537a6861c9605257750_elex_gcleaner_rhadamanthys_stop.exe" |
| C:\Users\Admin\AppData\Roaming\aa64f6.exe | C:\Users\Admin\AppData\Roaming\aa64f6.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\aa64f6.exe |
| C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe | C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe |
| C:\Users\Admin\AppData\Roaming\aa64f6.exe | C:\Users\Admin\AppData\Roaming\aa64f6.exe |
| C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe | C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gysopui.net | udp |
| US | 8.8.8.8:53 | gysopui.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | gysopui.net | udp |
| US | 8.8.8.8:53 | gysopui.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| US | 52.27.79.221:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | gysopui.net | udp |
Files
C:\Users\Admin\AppData\Roaming\aa64f6.exe
| Hash | Value |
|---|---|
| MD5 | 6de981925e53727f2201283565e6e0d4 |
| SHA1 | 9ae6fea487a6a99c15c3f11f7e0c2f632884f83c |
| SHA256 | 312fdca42a95c142267063e9b8c5caa38778b6a2f72db496c7402e0a477e4790 |
| SHA512 | 70b8cef170a1fc1779dbda03a1bf664253c4e63bfa56d25d938fe384e5d0563da6dbab63389f22d6deb2e67b4734d1b076787ce3012e1cb0436945719a95859d |
C:\Users\Admin\AppData\Roaming\guftbf3zfj.exe
| Hash | Value |
|---|---|
| MD5 | f91b9ed0a230d34659c9f55e85227e73 |
| SHA1 | 439a0d9f2b83e9211302cb079cf272ad6da1f921 |
| SHA256 | cf308d150231760b2b0d88f6f5d5b77c4bd304ec33a9ea25884f9bde5844377a |
| SHA512 | 7da1e3033921d000ed3c104c8f95393e33343e53791ff5bb27bb9119e56e0d96b0cbcd821f7af4a2b3efc8a85f2fceaf94211489012aa8c0e84e6db2ca9409ae |