File name: 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop

Full analysis: https://app.any.run/tasks/979117b1-bcae-4f69-bdd5-5682c93f706e
Verdict: Malicious activity
Analysis date: June 14, 2025, 18:16:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 5D4DD57415F813B718463C9BE5323C96
SHA1: 89A18E52902E594A5FB605372CCA3379C5DA47DA
SHA256: 662C4A3D84088ACB3404BFECEF6FEACE9CF0CB59E881F8E9547C99C0F077E5E5
SSDEEP: 98304:sPgPlRXI8njk7xweIL+PpRGDIj2WFdKtnkvvJ4ftPhJraFDhQmTVB7puHGsiNJg3:3agMrXrS+HlyThY6VEgSRm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 1944)
      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
      • FighterSuiteService.exe (PID: 7140)
      • FighterSuiteService.exe (PID: 4816)
      • MachineId.exe (PID: 1052)
      • FighterSuiteService.exe (PID: 4884)
      • DRIVERfighter.exe (PID: 6672)
      • DRIVERfighter.exe (PID: 4760)
      • FightersTray.exe (PID: 2648)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
    • Executable content was dropped or overwritten

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 4800)
    • There is functionality for taking screenshot (YARA)

      • DRPROSetup.exe (PID: 1964)
      • FighterSuiteService.exe (PID: 4816)
      • FightersTray.exe (PID: 2648)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5848)
      • FighterSuiteService.exe (PID: 4816)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4684)
  • INFO

    • Reads the computer name

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
      • msiexec.exe (PID: 4684)
      • msiexec.exe (PID: 1204)
    • Checks supported languages

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
      • msiexec.exe (PID: 4684)
      • msiexec.exe (PID: 1204)
    • Create files in a temporary directory

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
      • msiexec.exe (PID: 4800)
      • DRPROSetup.exe (PID: 1964)
      • msiexec.exe (PID: 1204)
    • Process checks computer location settings

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
    • Creates files in the program directory

      • DRPROSetup.exe (PID: 1964)
    • The sample was compiled with English language support

      • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (PID: 6268)
      • msiexec.exe (PID: 4800)
      • msiexec.exe (PID: 4684)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4800)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4800)
    • Checks proxy server information

      • msiexec.exe (PID: 4800)
    • Reads the software policy settings

      • msiexec.exe (PID: 4800)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4800)
      • msiexec.exe (PID: 4684)
      • msiexec.exe (PID: 1204)
    • The sample was compiled with Arabic language support

      • msiexec.exe (PID: 4684)
    • Manages system restore points

      • SrTasks.exe (PID: 1352)
    • Manual execution by a user

      • msedge.exe (PID: 2552)
      • FightersTray.exe (PID: 2648)
    • Application launched itself

      • msedge.exe (PID: 2552)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (35.6)
.exe | Win32 EXE PECompact compressed (generic) (34.4)
.exe | Win64 Executable (generic) (22.8)
.exe | Win32 Executable (generic) (3.7)
.exe | Generic Win/DOS Executable (1.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:15 11:53:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 188928
InitializedDataSize: 595968
UninitializedDataSize: -
EntryPoint: 0x12dfa
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.1.36.0
ProductVersionNumber: 1.1.36.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: SPAMfighter ApS
LegalCopyright: Copyright (C) 2012 SPAMfighter ApS
FileVersion: 1.1.36
ProductVersion: 1.1.36
ProductName: DRIVERfighter
InternalName: DRIVERfighter Setup
OriginalFileName: DRIVERfighterSetup.exe
FileDescription: DRIVERfighter Installation Package
No data.
All screenshots are available in the full report
Total processes: 193
Monitored processes: 50
Malicious processes: 4
Suspicious processes: 8

Behavior graph

Process chain in launch order (repeated consecutive entries are collapsed with a count):

  • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe
  • drprosetup.exe (no specs)
  • msiexec.exe ×3
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe
  • fightersuiteservice.exe (no specs)
  • conhost.exe (no specs)
  • machineid.exe (no specs)
  • fightersuiteservice.exe (no specs)
  • fightersuiteservice.exe
  • driverfighter.exe (no specs)
  • fighterstray.exe (no specs)
  • slui.exe
  • driverfighter.exe
  • msedge.exe
  • msedge.exe (no specs) ×2
  • msedge.exe
  • msedge.exe (no specs) ×14
  • identity_helper.exe (no specs) ×2
  • msedge.exe (no specs) ×11
  • 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 416
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 592
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 28334B1DEC0AAD1C0E9A212AB23DC7AD
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 592
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2788,i,15463381422112115473,4927771000280983440,262144 --variations-seed-version --mojo-platform-channel-handle=2908 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1052
CMD: machineid.exe {A5E8FD40-3838-423D-8CFA-D60CE97A564E}
Path: C:\Program Files (x86)\Fighters\MachineId.exe
Parent process: msiexec.exe
User: admin
Company: SPAMfighter ApS
Integrity Level: HIGH
Description: Machine ID Generation Tool
Exit code: 0
Version: 1.0.13.0
Modules
Images
c:\program files (x86)\fighters\machineid.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1204
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 6641FA29B1D6F9496E34932DB14207ED C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1352
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1520
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7632,i,15463381422112115473,4927771000280983440,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1740
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=7608,i,15463381422112115473,4927771000280983440,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1944
CMD: "C:\Users\admin\Desktop\2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe
Parent process: explorer.exe
User: admin
Company: SPAMfighter ApS
Integrity Level: MEDIUM
Description: DRIVERfighter Installation Package
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch could not continue without UAC elevation, which is why the installer appears again as a second, elevated instance)
Version: 1.1.36
Modules
Images
c:\users\admin\desktop\2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1964
CMD: "C:\Users\admin\AppData\Local\Temp\DRF1749925009\DRPROSetup.exe" /V"/l*v "C:\Users\admin\AppData\Local\Temp\DRPRO_msi.log.txt" PARTNERID=68 USER_BRAND_NAME=\"Fighters\""
Path: C:\Users\admin\AppData\Local\Temp\DRF1749925009\DRPROSetup.exe
Parent process: 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe
User: admin
Company: SPAMfighter ApS
Integrity Level: HIGH
Description: DRIVERfighter installation package
Exit code: 0
Version: 1.1.36
Modules
Images
c:\windows\syswow64\shfolder.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\wldp.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\coml2.dll
Total events: 24 441
Read events: 23 942
Write events: 482
Delete events: 17

Modification events

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
  Operation: delete value
  Name: 91C6D6EE3E8AC86384E548C299295C756C817B81
  Value: (empty)

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
  Operation: write
  Name: Blob
  Value: (binary certificate blob, not reproduced in this extract)

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
  Operation: write
  Name: Blob
  Value: (binary certificate blob, not reproduced in this extract)

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
  Operation: write
  Name: Version
  Value: 1.1

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
  Operation: write
  Name: Version
  Value: 1.1

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
  Operation: write
  Name: Version
  Value: 1.1

(PID 4800) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
  Operation: write
  Name: Version
  Value: 1.1

(PID 4684) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
  Operation: write
  Name: SrCreateRp (Enter)
  Value: 4800000000000000EEFABA8F58DDDB014C120000000E0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 4684) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Operation: write
  Name: SppGetSnapshots (Enter)
  Value: 4800000000000000EEFABA8F58DDDB014C120000000E0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 4684) msiexec.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Operation: write
  Name: SppGetSnapshots (Leave)
  Value: 48000000000000001495D78F58DDDB014C120000000E0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
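The Blob writes by PID 4800 are what makes the "Adds/modifies Windows certificates" signature fire, and the first thing to settle is which store and which certificate. AuthRoot is the store that Windows' root auto-update fills when chain building meets a root it has not cached yet, and the key name 91C6D6EE3E8AC86384E548C299295C756C817B81 is the SHA-1 fingerprint of the Thawte Primary Root CA, which fits the OCSP request this same msiexec.exe (PID 4800) sends to ocsp.thawte.com further down the report. That reading still has to be confirmed from the blob itself, because the same registry path is exactly where an installer would plant a rogue root. The Python below is an added example, not part of the ANY.RUN report or of the DRIVERfighter installer. It decodes a SystemCertificates Blob value (a sequence of CryptoAPI property records, each a 32-bit property ID, a 32-bit marker that is always 1, a 32-bit length and the data; property 3 is the SHA-1 hash and property 32 the DER certificate), checks that the embedded certificate really hashes to the thumbprint used as the key name, and on Windows reads the live AuthRoot store through winreg. The sample blob it runs on offline is constructed here around a fake certificate, not the certificate from this report.

```python
"""Decode Windows SystemCertificates 'Blob' values and check them against the key name.

Every entry under HKLM\SOFTWARE\Microsoft\SystemCertificates\<Store>\Certificates\<SHA1>
holds a 'serialized certificate': property records laid out as
    DWORD propid | DWORD marker (always 1) | DWORD cb | cb bytes of data
CERT_SHA1_HASH_PROP_ID (3) carries the thumbprint, CERT_CERT_PROP_ID (32) the DER certificate.
"""
import hashlib
import struct
import sys

CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32

_HDR = struct.Struct("<III")  # propid, marker, cb (little-endian)


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Split a serialized-certificate blob into {propid: data}; ValueError on malformed input."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated property header at offset {off}")
        propid, marker, cb = _HDR.unpack_from(blob, off)
        off += _HDR.size
        if marker != 1:
            raise ValueError(f"unexpected marker {marker} in record for propid {propid}")
        if cb > len(blob) - off:
            raise ValueError(f"propid {propid} claims {cb} bytes, only {len(blob) - off} remain")
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def build_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_blob; used here only to construct an offline sample."""
    return b"".join(_HDR.pack(pid, 1, len(data)) + data for pid, data in props.items())


def check_store_entry(key_name: str, blob: bytes) -> dict:
    """Triage one store entry: does the embedded certificate hash to the key name, and does
    the stored SHA-1 property agree? Either mismatch means the blob did not come from the
    normal CryptoAPI store code path and the entry deserves a closer look."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        return {"ok": False, "reason": "no CERT_CERT_PROP_ID record", "key_name": key_name.upper()}
    actual = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    problems = []
    if actual != key_name.upper():
        problems.append("key name is not the SHA-1 of the embedded certificate")
    if stored and stored != actual:
        problems.append("CERT_SHA1_HASH_PROP_ID disagrees with the certificate")
    return {
        "ok": not problems,
        "reason": "; ".join(problems) or "consistent",
        "thumbprint": actual,
        "key_name": key_name.upper(),
        "cert_len": len(cert),
        "property_ids": sorted(props),
    }


def read_store_entries(store_path=r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"):
    """Windows only: return [(thumbprint, blob)] for every entry in the given HKLM store path.
    Returns [] elsewhere so the module still imports on a Linux analysis box."""
    if sys.platform != "win32":
        return []
    import winreg  # imported lazily: only exists on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, store_path) as store:
        for i in range(winreg.QueryInfoKey(store)[0]):
            name = winreg.EnumKey(store, i)
            with winreg.OpenKey(store, name) as entry:
                blob, _ = winreg.QueryValueEx(entry, "Blob")
            entries.append((name, blob))
    return entries


# Constructed sample, NOT a real certificate: a DER SEQUENCE header plus filler, just enough
# to exercise the record format. Its SHA-1 plays the role of the registry key name.
FAKE_CERT = b"\x30\x82\x00\x10" + b"A" * 16
FAKE_THUMBPRINT = hashlib.sha1(FAKE_CERT).hexdigest().upper()
SAMPLE_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(FAKE_THUMBPRINT),
    CERT_KEY_IDENTIFIER_PROP_ID: b"\x11" * 20,
    CERT_CERT_PROP_ID: FAKE_CERT,
})

if __name__ == "__main__":
    # On Windows this walks the real AuthRoot store; elsewhere it falls back to the sample.
    for name, blob in read_store_entries() or [(FAKE_THUMBPRINT, SAMPLE_BLOB)]:
        print(name, check_store_entry(name, blob))
```

Run against the real store, the useful follow-up is to feed the CERT_CERT_PROP_ID bytes to any X.509 parser and compare the subject and thumbprint against the Microsoft Trusted Root Program list: a consistent entry for a program root is auto-update noise, a consistent entry for an unknown issuer is the case that matters.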
Executable files: 67
Suspicious files: 410
Text files: 458
Unknown types: 0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6268 | 2025-06-14_5d4dd57415f813b718463c9be5323c96_elex_rhadamanthys_stop.exe | C:\Users\admin\AppData\Local\Temp\DRF1749925009\DRPROSetup.exe | executable | E2ABE580562E0C618C8ED6AD888A1F5C | 3DC040354FE9021C97C455A405A52C59B465686A80782C16CE1A0EDED73E2F7B |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\0x040c.ini | text | 9DC5FFB29142A4BDFBFDC74AB8B69F6E | 1CE20B3BECABC21BC2978E247861B000AA240A9AE00902329B9C7F68C245F83C |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\_ISMSIDEL.INI | text | 0110835E9B20DA9C3284A2EE5051690F | 67AF2792D61C6997B9C1721F7CF6D467F6EA6BCB2C1964C53511D1B6511E1384 |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\0x0411.ini | text | 59698ECAEFEE93E0C95A615BA5825CEC | 234167953B3DF09DA730B017CE4FA348E6C01F99EDB7B855188D94EBD59DFF36 |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\Setup.INI | text | B3C7CE44D4A1EAC4C249F0BC8A461E7A | 28F85982F2F04A8C94D503215B95C958B7DFA556851DB584314DB7A65B28B2EC |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\0x0405.ini | text | 9EE91D981664BB8EF4EE6A8C7F57C1B2 | 88129633CC9DC80BF7CB89D9F4889B720FF1696E808D976F5E2B645CABB12014 |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\0x040a.ini | text | 478B4AE0FC673733755B1234004BEF58 | 53915EA5E9E8D4298C5937E1BADE160524F396DB885D13A113C0E50910F4F388 |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\DRIVERfighter.msi | | | |
| 1964 | DRPROSetup.exe | C:\ProgramData\Fighters\DRIVERfighter\InstallCache\{527B516D-A396-42CE-86F8-D4AD5CCBBDF6}\DRIVERfighter.msi | | | |
| 1964 | DRPROSetup.exe | C:\Users\admin\AppData\Local\Temp\{05264CBF-4827-4AFE-95C0-3BDD2473F732}\0x0406.ini | text | 51AE82500B3BB91F88455C42D1CD4280 | 4DC28E64B453E01AEE1AD39C8663120F6E9C8C3A38AF12EB23C49B831860798B |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 361
TCP/UDP connections: 202
DNS requests: 159
Threats: 6

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 2368 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 1268 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 2368 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| | | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
| | | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
| | | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
| 4800 | msiexec.exe | GET | 200 | 2.17.189.192:80 | http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D | unknown | | | whitelisted |
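Every HTTP row above except the last comes from Windows background services (svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe) fetching Microsoft CRLs or talking to login.live.com; the one request attributable to the sample's process tree is msiexec.exe (PID 4800) querying ocsp.thawte.com. CryptoAPI sends small OCSP requests as a GET whose path is the base64 of the DER-encoded OCSPRequest, so the logged URL already tells you which certificate the installer was validating. The Python below is an added example, not part of the ANY.RUN report or of any tool it mentions: a minimal DER TLV walker pulls the CertID out of that URL and returns the hash algorithm, issuer name hash, issuer key hash and serial number (RFC 6960, section 4.1.1). The URL is the one from the table above; nothing else is assumed, and the code does not claim to know which certificate those values name.

```python
"""Decode the OCSP request that a Windows process embedded in an HTTP GET URL.

CryptoAPI revocation checking sends OCSP requests as GET /<base64(DER OCSPRequest)>, so a
proxy or sandbox log already shows which certificate a process was validating: the CertID
inside carries the hash algorithm, issuer name hash, issuer key hash and serial number.
"""
import base64
from urllib.parse import unquote, urlsplit

SEQUENCE, OCTET_STRING, INTEGER, OID = 0x30, 0x04, 0x02, 0x06
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_tlv(buf: bytes, off: int = 0):
    """Parse one DER TLV starting at buf[off]; return (tag, value, offset_after)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def der_children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed type's body."""
    off = 0
    while off < len(value):
        tag, inner, off = der_tlv(value, off)
        yield tag, inner


def first_child(value: bytes, wanted_tag: int) -> bytes:
    """Body of the first child with the given tag; lets us skip OPTIONAL [n]-tagged fields."""
    for tag, inner in der_children(value):
        if tag == wanted_tag:
            return inner
    raise ValueError(f"no child with tag 0x{wanted_tag:02x}")


def decode_oid(raw: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_request(der: bytes) -> list[dict]:
    """Return one dict per CertID in the request (Windows normally sends exactly one)."""
    tag, ocsp_request, _ = der_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    tbs_request = first_child(ocsp_request, SEQUENCE)    # optionalSignature is [0] EXPLICIT, skipped
    request_list = first_child(tbs_request, SEQUENCE)    # version [0] and requestorName [1] skipped
    cert_ids = []
    for _, request in der_children(request_list):
        cert_id = first_child(request, SEQUENCE)         # reqCert; singleRequestExtensions is [0]
        alg_id, name_hash, key_hash, serial = [v for _, v in der_children(cert_id)]
        oid = decode_oid(first_child(alg_id, OID))
        if serial[:1] == b"\x00" and len(serial) > 1:    # DER INTEGER sign padding for positive values
            serial = serial[1:]
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex().upper(),
            "issuer_key_hash": key_hash.hex().upper(),
            "serial": serial.hex().upper(),
        })
    return cert_ids


def parse_ocsp_get_url(url: str) -> list[dict]:
    """Decode the request from a logged OCSP GET URL (last path segment = percent-encoded base64)."""
    encoded = urlsplit(url).path.rsplit("/", 1)[-1]
    return parse_ocsp_request(base64.b64decode(unquote(encoded)))


# The request this report shows msiexec.exe (PID 4800) sending to ocsp.thawte.com.
REPORT_URL = ("http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6"
              "%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D")

if __name__ == "__main__":
    for cert_id in parse_ocsp_get_url(REPORT_URL):
        for field, value in cert_id.items():
            print(f"{field:17} {value}")
```

The serial and issuer key hash on their own do not name the certificate; pair them with the signer chain extracted from the PE's Authenticode blob (the issuer key hash is the SHA-1 of the issuing CA's public key, which normally equals its subjectKeyIdentifier) to confirm which link of the chain msiexec.exe was checking.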

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:137 | | | | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 2368 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | | | | whitelisted |
| 1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 2368 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 1268 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted |

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.4
  • 40.126.31.130
  • 20.190.159.131
  • 20.190.159.64
  • 40.126.31.1
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.130
  • 20.190.159.2
  • 40.126.31.128
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.2
  • 40.126.31.69
whitelisted
ocsp.thawte.com
  • 2.17.189.192
whitelisted
crl.thawte.com
  • 2.17.189.192
whitelisted
cs-g2-crl.thawte.com
  • 2.23.79.3
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 5560 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |

The same row is recorded six times in the report, one per matching event.
Debug output

| Process | Message |
|---|---|
| DRIVERfighter.exe | Begin logger initialization... |
| DRIVERfighter.exe | Initializing thread ID = 0xB3C - Context: DriverHiveEngine - entry point |
| DRIVERfighter.exe | Executable: C:\Program Files (x86)\Fighters\DRIVERfighter\DRIVERfighter.exe |
| DRIVERfighter.exe | Version: 1.1.36.0 |
| DRIVERfighter.exe | Maximum filesize set to 4194304 bytes |
| DRIVERfighter.exe | ME not enabled |
| DRIVERfighter.exe | EL not enabled |
| DRIVERfighter.exe | End logger initialization |
| DRIVERfighter.exe | [2025-06-14 18:17:41:038] [0x1BE4] [TScanThread.Execute] Entering |
| DRIVERfighter.exe | [2025-06-14 18:17:41:040] [0x1BE4] [TScanThread.UpdateProgress] SCAN PROGRESS: 0% done, Gathering installed devices... |