File name:

8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin

Full analysis: https://app.any.run/tasks/bb0f8379-6945-436e-89e1-eb0c2d185467
Verdict: Malicious activity
Threats:

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Malware Trends Tracker     >>>
Analysis date: April 02, 2025, 15:49:11
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
auto
stealer
rhadamanthys
delphi
inno
installer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

F23E6E3F6C6F23D50F7B917E80F0E109

SHA1:

A311F76FF18DB8EA2412FA6A1E5BF1D043C38E91

SHA256:

8651F126047222CA0273F9D0000681538A5847F7E4A45F62AF497F934DF014E1

SSDEEP:

98304:0txCe9/r2z0YDB66OMekRaQGvrGvvU3jTEw+jp7MRytt1s4a0Yw5:Q/o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RHADAMANTHYS has been found (auto)

      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 4568)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • The sample compiled with english language support

      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 4568)

    • Checks supported languages

      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 4568)
      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 856)

    • Detects InnoSetup installer (YARA)

      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 4568)

    • Manual execution by a user

      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 856)

    • Compiled with Borland Delphi (YARA)

      • 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe (PID: 4568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (92.8)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2900480
InitializedDataSize: 240640
UninitializedDataSize: -
EntryPoint: 0x2c5660
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.22.2.0
ProductVersionNumber: 0.22.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Mystix LLC
FileDescription: Mystix, the innovative blockchain game
FileVersion: 0.22.2
LegalCopyright: Copyright (C) 2014-2025 Mystix Team
Info: https://mystix-verse.com
ProductVersion: 0.22.2
ProductName: Mystix
InternalName: Mystix
OriginalFileName: mystix.exe
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
101
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe no specs 8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
856"C:\Users\admin\Desktop\8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe" C:\Users\admin\Desktop\8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exeexplorer.exe
User:
admin
Company:
Mystix LLC
Integrity Level:
MEDIUM
Description:
Mystix, the innovative blockchain game
Version:
0.22.2
Modules
Images
c:\users\admin\desktop\8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
4568"C:\Users\admin\Desktop\8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe" C:\Users\admin\Desktop\8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exeexplorer.exe
User:
admin
Company:
Mystix LLC
Integrity Level:
MEDIUM
Description:
Mystix, the innovative blockchain game
Exit code:
0
Version:
0.22.2
Modules
Images
c:\users\admin\desktop\8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
21
Read events
21
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
11
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2860
smartscreen.exe
GET
200
208.89.74.19:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fe9e5e0a08b0a028
unknown
whitelisted
HEAD
200
23.199.214.10:443
https://fs.microsoft.com/fs/windows/config.json
unknown
1352
svchost.exe
GET
200
23.32.239.82:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
2768
svchost.exe
GET
200
95.101.74.219:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b5c209eb39f9a373
unknown
whitelisted
2768
svchost.exe
GET
200
95.101.74.219:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ae0cec35f73e7201
unknown
whitelisted
2768
svchost.exe
GET
200
95.101.74.219:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3e0b4dd42efe063e
unknown
whitelisted
2768
svchost.exe
GET
200
95.101.74.219:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c10bf6f6673bef07
unknown
whitelisted
GET
200
23.199.214.10:443
https://fs.microsoft.com/fs/windows/config.json
unknown
binary
55 b
whitelisted
POST
200
172.211.159.152:443
https://checkappexec.microsoft.com/windows/shell/actions
unknown
binary
182 b
whitelisted
POST
200
40.79.197.34:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
23.32.239.16:80
Akamai International B.V.
DE
unknown
2860
smartscreen.exe
20.191.45.158:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2860
smartscreen.exe
208.89.74.19:80
ctldl.windowsupdate.com
US
whitelisted
1352
svchost.exe
23.32.239.82:80
Akamai International B.V.
DE
unknown
2412
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4252
svchost.exe
23.199.214.10:443
fs.microsoft.com
AKAMAI-AS
DE
whitelisted
2988
OfficeClickToRun.exe
13.89.179.9:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2768
svchost.exe
95.101.74.219:80
ctldl.windowsupdate.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.102.102
  • 142.250.102.139
  • 142.250.102.113
  • 142.250.102.100
  • 142.250.102.101
  • 142.250.102.138
whitelisted
checkappexec.microsoft.com
  • 20.191.45.158
whitelisted
ctldl.windowsupdate.com
  • 208.89.74.19
  • 208.89.74.17
  • 208.89.74.31
  • 208.89.74.23
  • 208.89.74.21
  • 208.89.74.27
  • 208.89.74.29
  • 95.101.74.219
  • 95.101.74.222
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
fs.microsoft.com
  • 23.199.214.10
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1352
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1.bin