File name:

2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys

Full analysis: https://app.any.run/tasks/2e02f7dc-9dda-492b-abec-eaf99c01e9e1
Verdict: Malicious activity
Analysis date: July 02, 2025, 07:49:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

27CCB92F85F8A0BC7FE0C24FB2F40DB8

SHA1:

3611E567E7F220AE7F23F3A298E250898C10F69A

SHA256:

33EDD17E4EA4095F9470EB7EE17CFEC5411A2A26568E09539636942A711A0A6F

SSDEEP:

3072:sEeHMiMmMfM9OcgD7eHFzpEbC7etIOxzd9UIx09d:BDyOcgDMFzwCCXnFi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
      • CTS.exe (PID: 3688)
      • CTS.exe (PID: 3960)
  • SUSPICIOUS

    • Starts itself from another location

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
    • Executable content was dropped or overwritten

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
      • CTS.exe (PID: 3688)
  • INFO

    • Reads the computer name

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
    • Checks supported languages

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
      • CTS.exe (PID: 3688)
      • CTS.exe (PID: 3960)
    • Launching a file from a Registry key

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
      • CTS.exe (PID: 3688)
      • CTS.exe (PID: 3960)
    • Reads the machine GUID from the registry

      • CTS.exe (PID: 3688)
      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
      • CTS.exe (PID: 3960)
    • Create files in a temporary directory

      • 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe (PID: 5480)
    • Manual execution by a user

      • CTS.exe (PID: 3960)
    • Checks proxy server information

      • slui.exe (PID: 4936)
    • Reads the software policy settings

      • slui.exe (PID: 4936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:12 09:13:02+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 60928
InitializedDataSize: 18944
UninitializedDataSize: -
EntryPoint: 0x5cde
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Graph nodes: start, 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe, cts.exe, cts.exe, slui.exe

Process information

PID: 3688
CMD: "C:\Users\admin\AppData\Local\Temp\CTS.exe"
Path: C:\Users\admin\AppData\Local\Temp\CTS.exe
Parent process: 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\cts.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3960
CMD: C:\Users\admin\AppData\Local\Temp\CTS.exe
Path: C:\Users\admin\AppData\Local\Temp\CTS.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\cts.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4936
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5480
CMD: "C:\Users\admin\Desktop\2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe"
Path: C:\Users\admin\Desktop\2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 634
Read events: 3 631
Write events: 3
Delete events: 0

Modification events

(PID) Process: (5480) 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CTS
Value: C:\Users\admin\AppData\Local\Temp\CTS.exe

(PID) Process: (3688) CTS.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CTS
Value: C:\Users\admin\AppData\Local\Temp\CTS.exe

(PID) Process: (3960) CTS.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CTS
Value: C:\Users\admin\AppData\Local\Temp\CTS.exe
Executable files: 50
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type

3688 | CTS.exe | C:\Users\admin\AppData\Local\dummy\officebackgroundtaskhandler.exe_c2rdll(2019032311484051C).log | executable
MD5: F16382D15B30128566B05BB40237920C
SHA256: 2DD4CE70BA42185D1D43D3F20EF3848E350E03FDCBCE90B978BECB93399FADBE

5480 | 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\BURkWFj6HPNBgl2.exe | sqlite
MD5: DB7DC8B4767E1B252C8B30A79EC8A799
SHA256: F5C727923367D6F87BBAEC0933F377057F1526610986B8EC7381A7401B7BFEE4

3688 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\officesetup.exe_Rules.xml | executable
MD5: 74D057332A477E75A41A760EAD591889
SHA256: F80C0352A7348D494B68CB2F36F10812DC7B616EAC67FB8717498F09D725B5DB

3688 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | executable
MD5: 5C058E3F6B8EB8D73E181500C8CA1416
SHA256: A83D0D9F630B725460624909217AC085BC832BC6654DDC0E95859BB93768713F

3688 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\setup.def.en-us_professional2019retail_04640089-6fb7-4a4d-ae33-18e0c4a879d8_tx_db_platform_def_.exe_Rules.xml | executable
MD5: C455F801104E83A650829E1855887744
SHA256: C677E51BB3B40E9ABF3156B374C23AF73DA8E63908165D98BB3AE6B1054CB462

3688 | CTS.exe | C:\Users\admin\AppData\Local\dummy\officeclicktorun.exe_c2ruidll(201903231148171364).log | executable
MD5: 2531B6A4B8C602237E7258FF0DF6CE8D
SHA256: D37DCB3B9A85091673964C01A0F33398C1F60B37D35AA971DB7C6DA547974D70

5480 | 2025-07-02_27ccb92f85f8a0bc7fe0c24fb2f40db8_bkransomware_elex_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\CTS.exe | executable
MD5: F9D4AB0A726ADC9B5E4B7D7B724912F1
SHA256: B43BE87E8586CA5E995979883468F3B3D9DC5212FBFD0B5F3341A5B7C56E0FBC

3688 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log | executable
MD5: B4844D75B5CA6035255181F94E0EC787
SHA256: E901E5C716F20161368942ADE93FEA1162A81429E552616D6E957456D4926915

3688 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\mspub.exe_Rules.xml | executable
MD5: BA06B26F969D92B779144CCD05CEAE5B
SHA256: 2C798F8A91756E84D0CFB42C20503A009FBA1059D7A3BB9E5AE6D1A21C92A764

3688 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\outlook.exe_Rules.xml | executable
MD5: AB366B3CEECC7037E1421FA4AACD53E7
SHA256: FAA3F2628B20D3603435B4BBDD138C27180209FB94F4990D7464E800DDB223B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22
TCP/UDP connections: 27
DNS requests: 13
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4680 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
4680 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4680 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
4680 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4680 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
google.com | 216.58.212.174 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 2.23.246.101, 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 52.168.112.67 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info