File name:

2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop

Full analysis: https://app.any.run/tasks/1ab8e4bb-0dbd-4356-afd1-d7ff8d457f4d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 21, 2025, 19:09:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neconyd
ransomware
birele
mpress
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: 0FB5FCBA83ABA1C74D16C7C59695D14B
SHA1: CEDEEFC277332EC2AF174C203193BC129A489429
SHA256: 05E4788FB6439BB59A27A936D2DE37684F3F7D3712F6DA61D5B393467C6FE190
SSDEEP: 3072:DR65qaR6CRp/5y03CwJ3/HxMqMdA33M5tC1isyPFCALzv4mlkVVXV9da:DmqaRRRZ/MnA3cQYFCOzv3AVXV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BIRELE has been detected (SURICATA)

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
    • Connects to the CnC server

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
    • Neconyd has been detected

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Application launched itself

      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6704)
      • omsecor.exe (PID: 3100)
      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 984)
    • Reads security settings of Internet Explorer

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
    • Executes application which crashes

      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6704)
      • omsecor.exe (PID: 3100)
      • omsecor.exe (PID: 984)
    • Contacting a server suspected of hosting a CnC

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
  • INFO

    • Checks supported languages

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 3100)
      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6704)
      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
      • omsecor.exe (PID: 984)
      • omsecor.exe (PID: 7060)
    • The sample was compiled with English language support

      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6704)
      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
    • Checks proxy server information

      • omsecor.exe (PID: 1948)
      • WerFault.exe (PID: 5496)
      • omsecor.exe (PID: 7060)
      • WerFault.exe (PID: 4552)
      • WerFault.exe (PID: 4680)
      • slui.exe (PID: 2804)
    • Reads the computer name

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
    • Mpress packer has been detected

      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 6704)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4680)
      • WerFault.exe (PID: 5496)
      • 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe (PID: 4984)
      • WerFault.exe (PID: 4552)
    • Reads the software policy settings

      • WerFault.exe (PID: 5496)
      • WerFault.exe (PID: 4680)
      • slui.exe (PID: 2804)
      • WerFault.exe (PID: 4552)
    • Failed to create an executable file in Windows directory

      • omsecor.exe (PID: 1948)
      • omsecor.exe (PID: 7060)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:11:26 07:24:34+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 28672
InitializedDataSize: 98304
UninitializedDataSize: -
EntryPoint: 0x18b6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 2.1.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Comments
FileVersion: 0, 1, 2, 0
InternalName: CompanyName
LegalCopyright: LegalTrademarks
OriginalFileName: Build private
ProductName: Movie name
ProductVersion: 0, 0, 0, 0
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 11
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe omsecor.exe #BIRELE omsecor.exe werfault.exe werfault.exe slui.exe omsecor.exe #BIRELE omsecor.exe werfault.exe svchost.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 984 | CMD: C:\Users\admin\AppData\Roaming\omsecor.exe /nomove | Path: C:\Users\admin\AppData\Roaming\omsecor.exe | Parent process: omsecor.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Comments
Exit code:
3221225622
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\appdata\roaming\omsecor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1948 | CMD: C:\Users\admin\AppData\Roaming\omsecor.exe | Path: C:\Users\admin\AppData\Roaming\omsecor.exe | Parent process: omsecor.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Comments
Exit code:
0
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\appdata\roaming\omsecor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 2200 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2804 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3100 | CMD: C:\Users\admin\AppData\Roaming\omsecor.exe | Path: C:\Users\admin\AppData\Roaming\omsecor.exe | Parent process: 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Comments
Exit code:
3221225622
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\appdata\roaming\omsecor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4552 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 984 -s 340 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: omsecor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4680 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6704 -s 336 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4984 | CMD: C:\Users\admin\Desktop\2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe | Path: C:\Users\admin\Desktop\2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe | Parent process: 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Comments
Exit code:
0
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\desktop\2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 5496 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3100 -s 368 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: omsecor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6704 | CMD: "C:\Users\admin\Desktop\2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe" | Path: C:\Users\admin\Desktop\2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Comments
Exit code:
3221225622
Version:
0, 1, 2, 0
Modules
Images
c:\users\admin\desktop\2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 22 189
Read events: 22 183
Write events: 6
Delete events: 0

Modification events

PID: 1948 | Process: omsecor.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID: 1948 | Process: omsecor.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID: 1948 | Process: omsecor.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID: 7060 | Process: omsecor.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID: 7060 | Process: omsecor.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID: 7060 | Process: omsecor.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
Executable files: 1
Suspicious files: 6
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
PID: 4680 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-06-21_0fb5f_5c79221fbbb2cfcd53f948a45ccb624d4c116978_20102bf4_7d62771b-ac56-422f-aee2-cfcef622e976\Report.wer | Type: -
  MD5: - | SHA256: -
PID: 5496 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_omsecor.exe_d2fc304cb942bc3a5e1af79d61eeba21e7354f6_c5866977_722adefe-80d8-42e7-baff-ca5215431dd7\Report.wer | Type: -
  MD5: - | SHA256: -
PID: 4552 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_omsecor.exe_d2fc304cb942bc3a5e1af79d61eeba21e7354f6_c5866977_e0809981-d2a9-488b-8964-86ded4f41cfa\Report.wer | Type: -
  MD5: - | SHA256: -
PID: 5496 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER72CE.tmp.dmp | Type: binary
  MD5: DB710677DECD08883E2B61AEFEB29727 | SHA256: 6D705E4AE579B63A66CC0A842B6A35EFCA81C56ADD2219875346261B4A9A78B6
PID: 4680 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER72FD.tmp.dmp | Type: binary
  MD5: 881B5D9837598D8C92C6171608739EBA | SHA256: AFB156FED1C5A35B8E0E55AF56241979DE9CDE5A4763658334DDBF07791EF3B2
PID: 5496 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER732D.tmp.WERInternalMetadata.xml | Type: xml
  MD5: 340189C6AACCA326DD31A50B0A3D2E47 | SHA256: 6E27B9925A31ACF58556C885AC48C2DCD62513EB574FD9615789F4F389676F99
PID: 4680 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER735D.tmp.xml | Type: xml
  MD5: E09938AFE22B2784FCF251D1FA42FFB2 | SHA256: A74F3DCEDF6F970EBB864659B711C76BA3927D167AF579DB6B47FA3A632CD10A
PID: 5496 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER734D.tmp.xml | Type: xml
  MD5: 3454F413C4CB23953968672CE18AA9EF | SHA256: C134AAE44AB1A457BF28E0C6EF9C8B254F3E3328A2BD6941C4D77589C53C2712
PID: 4984 | Process: 2025-06-21_0fb5fcba83aba1c74d16c7c59695d14b_amadey_elex_rhadamanthys_smoke-loader_stop.exe | Filename: C:\Users\admin\AppData\Roaming\omsecor.exe | Type: executable
  MD5: 025629B5D0AD7CB19252A86C69BB8F94 | SHA256: D788AF6D37696FFF88E3B0464CE313F0097023506D4457BA539A52A32E84B257
PID: 4680 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER733D.tmp.WERInternalMetadata.xml | Type: xml
  MD5: D6BFEACEEBBDD3DAFA0834BC495AD3D7 | SHA256: E6621CA8CB5AE34D46DF98D0570812A9CA76575231ED76018E7C8848C68673E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 63
DNS requests: 25
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2792 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1948 | omsecor.exe | GET | - | 193.166.255.171:80 | http://lousta.net/737/296.html | unknown | - | - | malicious
2792 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2792 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
2792 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2792 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190, 184.24.77.34, 184.24.77.36, 184.24.77.29, 184.24.77.30, 184.24.77.38, 184.24.77.23, 184.24.77.31, 184.24.77.27, 184.24.77.24 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.181.156 | whitelisted
lousta.net | 193.166.255.171 | malicious
login.live.com | 40.126.31.0, 20.190.159.64, 40.126.31.3, 20.190.159.131, 40.126.31.128, 40.126.31.2, 20.190.159.128, 20.190.159.73 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.21 | whitelisted
watson.events.data.microsoft.com | 13.89.179.12 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted

Threats

PID | Process | Class | Message
1948 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
1948 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
1948 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
1948 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
1948 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
1948 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
7060 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
7060 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
7060 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
7060 | omsecor.exe | Malware Command and Control Activity Detected | ET MALWARE Ransom.Win32.Birele.gsg Checkin
No debug info