File name:

2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy

Full analysis: https://app.any.run/tasks/933557fa-9a94-48d5-98a6-e1d438fe91d1
Verdict: Malicious activity
Analysis date: June 02, 2025, 04:24:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

9345BF0B132C02745D3915BCAE079C07

SHA1:

3B0641C120AA5E54278F6D50D8F61411119173DA

SHA256:

455964E0658D3385ED0AF1BE571EB395464D243CEB17E3654D1B2E1C35AA9CEE

SSDEEP:

12288:KY/Y4tH0DJMzcXYq+EnEBKAc1Bs0xW1t45:KYwS6JMzc9+EpVBX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process verifies whether the antivirus software is installed

      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
      • sidebar2.exe (PID: 6980)
      • sidebar2.exe (PID: 6036)
    • Reads security settings of Internet Explorer

      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
      • sidebar2.exe (PID: 6980)
    • Application launched itself

      • sidebar2.exe (PID: 6980)
    • Changes default file association

      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
    • Executable content was dropped or overwritten

      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
    • There is functionality for taking screenshot (YARA)

      • sidebar2.exe (PID: 6980)
  • INFO

    • Creates files or folders in the user directory

      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
    • Process checks computer location settings

      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
    • Reads the computer name

      • sidebar2.exe (PID: 6980)
      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
    • Checks supported languages

      • sidebar2.exe (PID: 6036)
      • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe (PID: 7484)
      • sidebar2.exe (PID: 6980)
    • Checks proxy server information

      • sidebar2.exe (PID: 6980)
      • slui.exe (PID: 6368)
    • Reads the software policy settings

      • slui.exe (PID: 6368)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:31 11:53:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 227328
InitializedDataSize: 107008
UninitializedDataSize: -
EntryPoint: 0x23d3e
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 125
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (processes shown in the graph; "no specs" marks a process without its own indicators)

  • start
  • 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
  • sidebar2.exe (no specs)
  • sidebar2.exe (no specs)
  • svchost.exe
  • slui.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 6036
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe
Parent process: sidebar2.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\roaming\microsoft\sview\sidebar2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 6368
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 6980
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe" /START "C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe
Parent process: 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\appdata\roaming\microsoft\sview\sidebar2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 7484
CMD: "C:\Users\admin\Desktop\2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe"
Path: C:\Users\admin\Desktop\2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\desktop\2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 4 804
Read events: 4 796
Write events: 8
Delete events: 0

Modification events

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\prochost
Operation: write
Name: Content-Type
Value: application/x-msdownload

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\prochost\shell\open\command
Operation: write
Name: IsolatedCommand
Value: "%1" %*

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\prochost\shell\runas\command
Operation: write
Name: IsolatedCommand
Value: "%1" %*

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\.exe
Operation: write
Name: Content-Type
Value: application/x-msdownload

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
Operation: write
Name: IsolatedCommand
Value: "%1" %*

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\.exe\shell\runas\command
Operation: write
Name: IsolatedCommand
Value: "%1" %*

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7484) 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe.FriendlyAppName
Value: sidebar2.exe

Executable files: 1
Suspicious files: 9
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\cygwin32\winnt32.exe | binary
  MD5: 356663BEAE385E5D8029E0A92E37A837
  SHA256: 37931E0EE8A724EFDD7D5A5A132FD76CB93FCE31D93272348A4DDBAB2D4B6AFF
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\nt32.exe | binary
  MD5: 954628AF81263A82FC4AC260E1BB3FC4
  SHA256: FAA6ADC9EB3F003D31DAB07F72579C3970D9756590F7C0C16D97002D56AE2A02
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\cygwin32\cygwin32.ocx | binary
  MD5: 96450F88D92C9E89EF049E79284877AF
  SHA256: 033547A508E46C972E3FA6D5508DD1BC0938147EE39D1976856C31D0DF3F62F8
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\msys\socket_x86.img | binary
  MD5: B491550D25D5D794BD952DF131072A24
  SHA256: D3A2AEFCCA1C45C3565B23A4E3F7A1F192C5DFB3023EF7E8583BE9BA1A439234
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\msys\icxml.dmp | binary
  MD5: 0D9250CC5E48B09D71ACE37FC145B345
  SHA256: 73ABD82F8EBF006CAF7F5506E681B5FCB5131E95FD33B54BE6A1788300120ED6
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\teln32.exe | binary
  MD5: 2A72DC1160F1CE3093D6C3AD116909D8
  SHA256: 4C0FBFD74F29DC0AB0B169CFF9518AE07667CA935540A8F13A2805258C534822
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\ntw32\lust.exe | binary
  MD5: D761B89D28A6FEC7E00C27CFA098309D
  SHA256: E4E4E1046545ED8D187C40CFA40B49C10BD0466213AA060E6738F5314642C929
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\msys\apds.dat | binary
  MD5: 195BD72A73E736050AA2565CB371DFF6
  SHA256: 39D398F2A5677AD41258B2BA507E40E14C1ADD990139CE67CFF26FDB8CB0E769
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\sidebar2.exe | executable
  MD5: A19F6EB8D10946D565F55648AD26A673
  SHA256: BC90D241998834E2088348F85D8DF80DAD9CE3E7D8D273BE6C6C0B479C8A49D3
7484 | 2025-06-02_9345bf0b132c02745d3915bcae079c07_elex_mafia_nionspy.exe | C:\Users\admin\AppData\Roaming\Microsoft\SView\ntw32\srv_x86.img | binary
  MD5: 138B20FEAD3828B50AF19FC90F444ED8
  SHA256: 24FC5FA98AD5CCFB4436777A73FCC64D2D82024754D14F66EB1917471441D116

HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 15
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7552 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7552 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7552 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7552 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7552 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4020 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6368 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 142.250.186.78 | whitelisted
nwoccs.zapto.org | - | unknown
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 104.208.16.91 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
No debug info