File name: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys

Full analysis: https://app.any.run/tasks/82a712c4-d151-4aa4-b405-b753228c9cf2
Verdict: Malicious activity
Analysis date: July 04, 2025, 17:43:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: A1ABF560F59533C62CA03AE69D77BBC9
SHA1: A788ECA75ACF0A633AB51DB2D2AE00B5EE175D90
SHA256: 5E43D254611933170AEBF6D8F7E9779F57C3AC5ACE1F39FCBE16B717574C1B4F
SSDEEP: 3072:sEeHMiMmMfM9OcgD7eHFzpEbC7etIOxzd9UIxeF7zbH8JKBO:BDyOcgDMFzwCCXnFeF/Dkz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
      • CTS.exe (PID: 6768)
      • CTS.exe (PID: 5560)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
      • CTS.exe (PID: 6768)
    • Starts itself from another location

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
  • INFO

    • Checks supported languages

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
      • CTS.exe (PID: 6768)
      • CTS.exe (PID: 5560)
    • Reads the computer name

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
    • Reads the machine GUID from the registry

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
      • CTS.exe (PID: 6768)
      • CTS.exe (PID: 5560)
    • Creates files in a temporary directory

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
    • Launching a file from a Registry key

      • 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID: 5768)
      • CTS.exe (PID: 6768)
      • CTS.exe (PID: 5560)
    • Manual execution by a user

      • CTS.exe (PID: 5560)
    • Reads the software policy settings

      • slui.exe (PID: 3620)
    • Checks proxy server information

      • slui.exe (PID: 3620)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:12 09:13:02+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 60928
InitializedDataSize: 18944
UninitializedDataSize: -
EntryPoint: 0x5cde
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Graph image not included in this export; processes shown in the graph: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe, cts.exe, cts.exe, slui.exe (interactive graph available in the full report)

Process information

PID 3620
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    • c:\windows\system32\slui.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\bcrypt.dll
    • c:\windows\system32\user32.dll

PID 5560
  CMD: C:\Users\admin\AppData\Local\Temp\CTS.exe
  Path: C:\Users\admin\AppData\Local\Temp\CTS.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    • c:\users\admin\appdata\local\temp\cts.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\user32.dll
    • c:\windows\syswow64\win32u.dll

PID 5768
  CMD: "C:\Users\admin\Desktop\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"
  Path: C:\Users\admin\Desktop\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    • c:\users\admin\desktop\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\user32.dll

PID 6768
  CMD: "C:\Users\admin\AppData\Local\Temp\CTS.exe"
  Path: C:\Users\admin\AppData\Local\Temp\CTS.exe
  Parent process: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    • c:\users\admin\appdata\local\temp\cts.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\user32.dll
Total events: 3 586
Read events: 3 583
Write events: 3
Delete events: 0

Modification events

(PID) Process: (5768) 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CTS
Value: C:\Users\admin\AppData\Local\Temp\CTS.exe

(PID) Process: (6768) CTS.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CTS
Value: C:\Users\admin\AppData\Local\Temp\CTS.exe

(PID) Process: (5560) CTS.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CTS
Value: C:\Users\admin\AppData\Local\Temp\CTS.exe
Executable files: 50
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6768 | CTS.exe | C:\Users\admin\AppData\Local\dummy\officeclicktorun.exe_c2ruidll(201903231148171364).log | executable
  MD5: 97041E14038521235796D40073510FFD
  SHA256: 7FD7387CD7576FB652210D0FE000E1FB2FCC0573E472EC444F3A345A913BE74E
6768 | CTS.exe | C:\Users\admin\AppData\Local\dummy\officebackgroundtaskhandler.exe_c2rdll(2019032311484051C).log | executable
  MD5: C1BC1CFD1E741AA9F52A4918029DD80F
  SHA256: 591F78FC068EE4B4E232D35F216B39747E9A5AF3199E2C3699E6DE25A408BE6C
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\officesetup.exe_Rules.xml | executable
  MD5: AC23831A20F6B1CDBF4EE43E002D957F
  SHA256: FB106EB2F74D6422034E29EBECACC724307C6608B5AEB0ADE6D62D0F885EBBB6
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | executable
  MD5: E5E0CDAF9AA459151DEE7B7152B3ABF0
  SHA256: 8A0272EDDB711774837E3BB7DC8E6D559E84E052518D98DAF0084D70703B6E5A
5768 | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe | C:\Users\admin\AppData\Local\Temp\CTS.exe | executable
  MD5: F9D4AB0A726ADC9B5E4B7D7B724912F1
  SHA256: B43BE87E8586CA5E995979883468F3B3D9DC5212FBFD0B5F3341A5B7C56E0FBC
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log | executable
  MD5: CD03C9C3EC8A1909992C58C5B5072861
  SHA256: BAE6295D9EFCFBE417E3E5ACA94CC63D4FF9F2D232F548326ACBE5A00C04723F
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\outlook.exe_Rules.xml | executable
  MD5: 069416C4E687C4BEFD542FA47CCFBCD7
  SHA256: D07C5C2AA069300E6FA331B28E904D39E48A197EBF03CD2EFF246E739355195D
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml | executable
  MD5: 5624C280B2120FB154B1DF93C08650CE
  SHA256: 721A37D536C20B1412FC0ADFBD085E38A97D50D8B4845CB7237CEB90AD8390D7
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml | executable
  MD5: B30AD1F26917866E57D54A23F30C1C07
  SHA256: 6B7E6B59E0B5198209B5F3E0505435163BC497FC28A8E959501A3B9CCC208833
6768 | CTS.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml | executable
  MD5: 6EFDB8999C215925F821F99A8967C9CD
  SHA256: 08CCEAD8015F1E06B3DA677DF14A6D41C2D15A8D444592A9C984A2E83B384BBB
HTTP(S) requests: 7
TCP/UDP connections: 21
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4100 | RUXIMICS.exe | GET | 200 | 23.48.23.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4100 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4100 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4100 | RUXIMICS.exe | 23.48.23.190:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.190:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4100 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.48.23.190, 23.48.23.180, 23.48.23.162, 23.48.23.143, 23.48.23.169, 23.48.23.164, 23.48.23.173, 23.48.23.159, 23.48.23.166 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 52.182.141.63 | whitelisted

Threats

No threats detected
No debug info