File name: 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys

Full analysis: https://app.any.run/tasks/2a2956ec-ac28-4288-b913-3fc7aba4d6b0
Verdict: Malicious activity
Analysis date: June 21, 2025, 12:30:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xor-url, generic, arch-scr, arch-html

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 8B93A5C994C7A4703BE5EEA6D62438D7
SHA1: 44FB1E01757A7555D4E68D79027D40180847BB28
SHA256: 5974DBC08324CAB2444CAFE3E42864FBF710D47E2D5B512F0158E7F63CBC9A1F
SSDEEP: 49152:zsEGTM9E0NVxY8JqOLkl17fCKfKf7rmFIxhCC5E9kM0TdeRavRNqZ1tP2wTmprs8:zrYM9E0NwlOkl17f3fiQmw+BMTRoOJmj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Executable content was dropped or overwritten

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Reads security settings of Internet Explorer

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Application launched itself

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
    • Searches for installed software

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Reads Internet Explorer settings

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Reads Microsoft Outlook installation path

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
  • INFO

    • Checks supported languages

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • tmppack.exe (PID: 6640)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
      • tmppack.exe (PID: 6868)
    • The sample compiled with english language support

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Create files in a temporary directory

      • tmppack.exe (PID: 6640)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • tmppack.exe (PID: 6868)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Reads the computer name

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Process checks computer location settings

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 1068)
    • Reads the machine GUID from the registry

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
    • Manual execution by a user

      • wscript.exe (PID: 768)
      • wscript.exe (PID: 6652)
      • wscript.exe (PID: 2620)
      • wscript.exe (PID: 1816)
      • wscript.exe (PID: 6940)
    • Checks proxy server information

      • 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe (PID: 3048)
      • slui.exe (PID: 1100)
    • JScript runtime error (SCRIPT)

      • wscript.exe (PID: 768)
      • wscript.exe (PID: 6940)
    • Reads the software policy settings

      • slui.exe (PID: 1100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process: (1068) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Decrypted-URLs (2):
http://api.ibario.com/events
http://www.appdint.com/installer/603/start.cf]]

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Decrypted-URLs (2):
http://api.ibario.com/events
http://www.appdint.com/installer/603/start.cf]]

No Malware configuration.
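The "XORed URL has been found (YARA)" signature and the Decrypted-URLs above come from spotting URL strings that the binary stores single-byte-XOR-obfuscated. As an added example (not ANY.RUN's signature code and not code from the sample), the following Python brute-forces every single-byte key over a buffer and reports each URL that becomes visible, with its key and offset. The buffer is constructed here: the two URLs are copied as printed in this report, the key 0x5A, the NUL terminators and the 0x90 filler bytes are assumptions for the demonstration, and the sample's real key is not known from the report.

```python
"""Added example: recover single-byte-XOR-obfuscated URLs from a binary blob.
This is not ANY.RUN's signature logic or code from the sample. The buffer below
is constructed from the two URLs printed in the report, with an assumed key."""
import re

# Matches http(s) URLs made of printable ASCII; any non-printable byte ends the match.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(data: bytes, keys=range(256)) -> list[tuple[int, int, str]]:
    """Try every single-byte key (key 0 covers plaintext) and return
    (key, offset, url) for every URL that becomes visible under that key."""
    hits = []
    for key in keys:
        decoded = xor_bytes(data, key)
        for m in URL_RE.finditer(decoded):
            hits.append((key, m.start(), m.group().decode("ascii")))
    return hits


# --- constructed test buffer -------------------------------------------------
# URLs copied as printed in the report's xor-url block.
REPORT_URLS = [
    "http://api.ibario.com/events",
    "http://www.appdint.com/installer/603/start.cf]]",
]
ASSUMED_KEY = 0x5A      # assumption: the sample's real key is not given in the report
FILLER = b"\x90" * 8    # 0x90 ^ 0x5A = 0xCA, non-printable, so filler never extends a match


def build_blob(urls=REPORT_URLS, key=ASSUMED_KEY) -> bytes:
    """Lay out NUL-terminated URLs, XOR-encoded with `key`, between filler bytes."""
    blob = FILLER
    for u in urls:
        blob += xor_bytes(u.encode("ascii") + b"\x00", key) + FILLER
    return blob


def recover_report_urls() -> list[tuple[int, int, str]]:
    """Run the scanner over the constructed blob; returns the two report URLs under key 0x5A."""
    return find_xored_urls(build_blob())


if __name__ == "__main__":
    for key, off, url in recover_report_urls():
        print(f"key=0x{key:02x} offset=0x{off:04x} {url}")
```

In a YARA rule the same search is one string with the `xor` modifier (`$u = "http://" xor`), which is how a sandbox signature like this one is normally written; the brute-force above is the equivalent you would run by hand on a dump to recover the full URL and the key rather than only a match.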

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:08:20 08:24:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 104960
InitializedDataSize: 52224
UninitializedDataSize: -
EntryPoint: 0x1a81f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 14.9.13.20
ProductVersionNumber: 14.9.13.20
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: 14.9.13.20
InternalName: -
LegalCopyright: Copyright 2014
OriginalFileName: -
ProductName: -
ProductVersion: 14.9.13.20
No data.
All screenshots are available in the full report
Total processes: 144
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  • #XOR-URL 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
    • tmppack.exe (no specs)
      • conhost.exe (no specs)
    • #XOR-URL 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
      • tmppack.exe (no specs)
        • conhost.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • slui.exe
  • wscript.exe (no specs)
  • wscript.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 768
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\jquery.noselect.min.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1068
CMD: "C:\Users\admin\Desktop\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe"
Path: C:\Users\admin\Desktop\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Version: 14.9.13.20
Modules (images):
c:\users\admin\desktop\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Indicators: xor-url
(PID) Process: (1068) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Decrypted-URLs (2):
http://api.ibario.com/events
http://www.appdint.com/installer/603/start.cf]]
PID: 1100
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1816
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\events.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2620
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\conditions.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tmppack.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3048
CMD: "C:\Users\admin\Desktop\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe"
Path: C:\Users\admin\Desktop\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Parent process: 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
User: admin
Integrity Level: HIGH
Version: 14.9.13.20
Modules (images):
c:\users\admin\desktop\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Indicators: xor-url
(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Decrypted-URLs (2):
http://api.ibario.com/events
http://www.appdint.com/installer/603/start.cf]]
PID: 4544
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tmppack.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6640
CMD: -y
Path: C:\Users\admin\AppData\Local\Temp\CRQCBXSFPOOPBD\tmppack.exe
Parent process: 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7z Console SFX
Exit code: 0
Version: 9.20
Modules (images):
c:\users\admin\appdata\local\temp\crqcbxsfpoopbd\tmppack.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6652
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\config.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
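Two things in the process table above are worth turning into detection logic: the sample relaunches itself (PID 1068, MEDIUM integrity, spawns PID 3048 of the same image at HIGH integrity, so the second instance is elevated), and each instance drops a 7-Zip console SFX (company "Igor Pavlov", description "7z Console SFX") into a random directory under %TEMP% and runs it with `-y` (assume yes to all prompts). The Python below is an added example, not ANY.RUN code: it encodes those two rules and runs them over process records constructed from this report. Parent PIDs are inferred from the Parent process column and the behavior graph; the command line and integrity level of PID 6868 are not shown in the report and are assumed to match PID 6640 and its conhost child (PID 4544, HIGH).

```python
"""Added example: triage rules over process records constructed from this report.
Not ANY.RUN code. Parent PIDs are inferred from the report's Parent process
column; PID 6868's command line and integrity level are assumptions."""
from __future__ import annotations

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

SAMPLE = "2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe"
DESKTOP_SAMPLE = "C:\\Users\\admin\\Desktop\\" + SAMPLE

# Constructed from the report's process table: pid, parent pid, image path,
# command line, integrity level, file description.
EVENTS = [
    dict(pid=768, ppid=None, path=r"C:\Windows\System32\wscript.exe",
         cmd=r'"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\jquery.noselect.min.js',
         integrity="MEDIUM", description="Microsoft ® Windows Based Script Host"),
    dict(pid=1068, ppid=None, path=DESKTOP_SAMPLE, cmd=f'"{DESKTOP_SAMPLE}"',
         integrity="MEDIUM", description=""),
    dict(pid=6640, ppid=1068,
         path=r"C:\Users\admin\AppData\Local\Temp\CRQCBXSFPOOPBD\tmppack.exe",
         cmd="-y", integrity="MEDIUM", description="7z Console SFX"),
    dict(pid=3028, ppid=6640, path=r"C:\Windows\System32\conhost.exe",
         cmd=r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
         integrity="MEDIUM", description="Console Window Host"),
    dict(pid=3048, ppid=1068, path=DESKTOP_SAMPLE, cmd=f'"{DESKTOP_SAMPLE}"',
         integrity="HIGH", description=""),
    dict(pid=6868, ppid=3048,
         path=r"C:\Users\admin\AppData\Local\Temp\ENEAJFOQTEFPW\tmppack.exe",
         cmd="-y",            # assumed: the report does not show this PID's command line
         integrity="HIGH",    # assumed from its conhost child (PID 4544) running at HIGH
         description="7z Console SFX"),
]


def self_relaunch_elevations(events: list[dict]) -> list[tuple[int, int]]:
    """(parent pid, child pid) pairs where a process starts its own image at a
    higher integrity level: the report's 'Application launched itself' plus
    the MEDIUM -> HIGH step between PID 1068 and PID 3048."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        same_image = e["path"].lower() == parent["path"].lower()
        elevated = INTEGRITY_RANK[e["integrity"]] > INTEGRITY_RANK[parent["integrity"]]
        if same_image and elevated:
            hits.append((parent["pid"], e["pid"]))
    return hits


def sfx_in_temp(events: list[dict]) -> list[int]:
    """PIDs of a 7-Zip console SFX running from a user Temp directory with -y,
    i.e. a self-extractor unpacking silently where installers do not normally live."""
    hits = []
    for e in events:
        in_temp = "\\appdata\\local\\temp\\" in e["path"].lower()
        silent = "-y" in e["cmd"].split()
        if e["description"] == "7z Console SFX" and in_temp and silent:
            hits.append(e["pid"])
    return hits


def triage(events: list[dict]) -> list[str]:
    """Human-readable findings for both rules."""
    findings = []
    for ppid, pid in self_relaunch_elevations(events):
        findings.append(f"pid {pid}: relaunched by pid {ppid} (same image) at higher integrity")
    for pid in sfx_in_temp(events):
        findings.append(f"pid {pid}: 7z SFX executed from %TEMP% with -y")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Both rules are deliberately narrow: the self-relaunch rule keys on the integrity change, not merely on a process spawning its own image (plenty of legitimate updaters do that at the same level), and the SFX rule keys on the publisher string plus the Temp path plus `-y`, so a user running an SFX they downloaded to Desktop does not fire it.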
Total events: 6 689
Read events: 6 681
Write events: 8
Delete events: 0

Modification events

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation: write
Name: Version
Value: WS not running

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value: 1

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write
Name: JITDebug
Value: 0

(PID) Process: (3048) 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 4272170000000000

(PID) Process: (2620) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 511E180000000000
Executable files: 2
Suspicious files: 19
Text files: 38
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1068 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\~17A.tmp | binary
MD5: 0D1A78EFFF090C6CC066C0D55533BDBF
SHA256: 69A5460BC57288187D45CCD453D2AAFEDDD2A2B06EF1FCB2AFFE73053C4A7739
6868 | tmppack.exe | C:\Users\admin\AppData\Local\Temp\ENEAJFOQTEFPW\installer.pak | binary
MD5: A4A7F8CB2DBEFE97901CF657F6ED5CA4
SHA256: BABACF1CA8865E86EA715364C43B24C1E450A094CAB0852DEC1B3E26A42978A2
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\51v01265\mtoctmiold | compressed
MD5: F9EB2295EE0B6B30C4BF39C78519689B
SHA256: F3756AD1D2BC8EA057811BE3F4F8DC7E6027CC2150FDD77441C6803FF4E07489
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\ENEAJFOQTEFPW\tmppack.exe | executable
MD5: D2F31D4BCB2F93E137EED54A8F4C8874
SHA256: 473AB84307C6D9CC7907598705DD2704360557C0BA0BECF5A090B269A81D087C
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\51v01265\gui\img\ajax-loader.gif | image
MD5: A51C5608D01ACF32DF728F299767F82B
SHA256: AEBC793D0064383EE6B1625BF3BB32532EC30A5C12BF9117066107D412119123
1068 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\CRQCBXSFPOOPBD\tmppack.exe | executable
MD5: D2F31D4BCB2F93E137EED54A8F4C8874
SHA256: 473AB84307C6D9CC7907598705DD2704360557C0BA0BECF5A090B269A81D087C
6640 | tmppack.exe | C:\Users\admin\AppData\Local\Temp\CRQCBXSFPOOPBD\installer.pak | binary
MD5: A4A7F8CB2DBEFE97901CF657F6ED5CA4
SHA256: BABACF1CA8865E86EA715364C43B24C1E450A094CAB0852DEC1B3E26A42978A2
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\51v01265\gui\ib\b-bg.gif | image
MD5: 1FD20D77482FA7374D96FAE16C05AF33
SHA256: 1BCF2E083FE791E678322C66EE9D695575E58D4C3781167AF1C68724F669D3A5
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\51v01265\gui\img\check.jpg | image
MD5: 45BE5E2EF98FA9AA42529DA98CF9D62B
SHA256: 0BFC12DF1DC136BCE9AD514344AD1561B7C53305FD216FF882BEB6757A538D1B
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\51v01265\gui\ib\center2.jpg | image
MD5: 390596B126EDFB80E3EE615D7567689E
SHA256: BCEB27F17A9C33F48817287A4BFCE098613A5AC3C4A6E7D967DEE4C29BB9DB8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 22
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
472 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
472 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | POST | - | 174.36.241.171:80 | http://api.ibario.com/events | unknown | - | - | malicious
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
3048 | 2025-06-21_8b93a5c994c7a4703be5eea6d62438d7_elex_mafia_rhadamanthys.exe | POST | - | 174.36.241.171:80 | http://api.ibario.com/events | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
472 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
472 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
api.ibario.com
  • 174.36.241.171
unknown
www.namnamtech.com
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.23
whitelisted

Threats

No threats detected
No debug info