File name:

Mansion_setup.exe

Full analysis: https://app.any.run/tasks/ec9283cb-3fa4-4174-b3f4-bd287694dc2c
Verdict: Malicious activity
Threats:

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Malware Trends Tracker     >>>
Analysis date: February 15, 2025, 14:23:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rhadamanthys
stealer
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

E357551A61A4BFE8DBC3B0FAA6141B01

SHA1:

E6EDC13918784D36A9A6563299F877C332328BE9

SHA256:

C11C021B23416D2996D3BF8139F232EAC138AF08533D98E29E538A74A9FC9C3D

SSDEEP:

786432:l/t93a1o8QqiYy33hKQvdYs+IPjXcywPFyIid:l193au8QtYynhKsecrcy6Pid

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Mansion_setup.exe (PID: 6736)
      • Photoroom.exe (PID: 5256)
      • Photoroom.exe (PID: 4640)
      • SPNativeMessage.exe (PID: 848)
      • Photoroom.exe (PID: 4400)
      • Photoroom.exe (PID: 6968)
      • SPNativeMessage.exe (PID: 5604)

    • RHADAMANTHYS mutex has been found

      • svchost.exe (PID: 1512)
      • SPNativeMessage.exe (PID: 848)
      • SPNativeMessage.exe (PID: 5604)
      • svchost.exe (PID: 1856)

    • Actions looks like stealing of personal data

      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)

    • Steals credentials from Web Browsers

      • msedge.exe (PID: 6156)

    • Scans artifacts that could help determine the target

      • msedge.exe (PID: 6156)

    • RHADAMANTHYS has been detected (SURICATA)

      • svchost.exe (PID: 6516)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Mansion_setup.exe (PID: 6736)

    • The process creates files with name similar to system file names

      • Mansion_setup.exe (PID: 6736)

    • Executable content was dropped or overwritten

      • Mansion_setup.exe (PID: 6736)
      • Mansion.exe (PID: 1580)
      • Photoroom.exe (PID: 5256)
      • Photoroom.tmp (PID: 5244)
      • Photoroom.exe (PID: 4640)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.exe (PID: 4400)
      • Photoroom.tmp (PID: 6828)
      • Photoroom.exe (PID: 6968)
      • Photoroom.tmp (PID: 6972)

    • Get information on the list of running processes

      • Mansion_setup.exe (PID: 6736)
      • cmd.exe (PID: 6800)

    • Starts CMD.EXE for commands execution

      • Mansion_setup.exe (PID: 6736)

    • Drops 7-zip archiver for unpacking

      • Mansion_setup.exe (PID: 6736)

    • Application launched itself

      • Mansion.exe (PID: 1580)
      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)

    • Reads the Windows owner or organization settings

      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.tmp (PID: 6828)
      • Photoroom.tmp (PID: 6972)

    • Process drops legitimate windows executable

      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.tmp (PID: 6828)
      • Photoroom.tmp (PID: 6972)
      • Mansion_setup.exe (PID: 6736)

    • Reads security settings of Internet Explorer

      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 6828)
      • Mansion_setup.exe (PID: 6736)
      • msedge.exe (PID: 6156)

    • Connects to unusual port

      • svchost.exe (PID: 1512)
      • svchost.exe (PID: 6516)
      • svchost.exe (PID: 1856)

    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 1512)
      • svchost.exe (PID: 1856)

    • There is functionality for taking screenshot (YARA)

      • Mansion_setup.exe (PID: 6736)

    • Creates a software uninstall entry

      • Mansion_setup.exe (PID: 6736)

    • Reads Mozilla Firefox installation path

      • msedge.exe (PID: 6156)

    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 6516)

    • Searches for installed software

      • svchost.exe (PID: 6516)

  • INFO

    • Reads the computer name

      • Mansion_setup.exe (PID: 6736)
      • Mansion.exe (PID: 1580)
      • Mansion.exe (PID: 2612)
      • Mansion.exe (PID: 1740)
      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.tmp (PID: 6828)
      • Photoroom.tmp (PID: 6972)
      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)

    • The sample compiled with english language support

      • Mansion_setup.exe (PID: 6736)
      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.tmp (PID: 6828)
      • Photoroom.tmp (PID: 6972)

    • Reads Environment values

      • Mansion.exe (PID: 1580)
      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)

    • Reads product name

      • Mansion.exe (PID: 1580)

    • Manual execution by a user

      • Mansion.exe (PID: 1580)
      • svchost.exe (PID: 1512)
      • svchost.exe (PID: 6516)
      • Photoroom.exe (PID: 4400)
      • svchost.exe (PID: 1856)
      • svchost.exe (PID: 5256)

    • Checks supported languages

      • Mansion_setup.exe (PID: 6736)
      • Mansion.exe (PID: 2612)
      • Mansion.exe (PID: 1740)
      • Mansion.exe (PID: 1580)
      • Mansion.exe (PID: 6288)
      • Photoroom.exe (PID: 5256)
      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.exe (PID: 4640)
      • SPNativeMessage.exe (PID: 848)
      • Photoroom.exe (PID: 4400)
      • Photoroom.exe (PID: 6968)
      • Photoroom.tmp (PID: 6828)
      • chrome.exe (PID: 2728)
      • Photoroom.tmp (PID: 6972)
      • msedge.exe (PID: 6156)
      • wmpshare.exe (PID: 6636)
      • SPNativeMessage.exe (PID: 5604)

    • Checks proxy server information

      • Mansion.exe (PID: 1580)
      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)

    • Creates files or folders in the user directory

      • Mansion.exe (PID: 1580)
      • Mansion.exe (PID: 1740)
      • Photoroom.tmp (PID: 2756)
      • Mansion_setup.exe (PID: 6736)
      • Photoroom.tmp (PID: 6972)

    • Process checks computer location settings

      • Mansion.exe (PID: 1580)
      • Mansion.exe (PID: 6288)
      • Photoroom.tmp (PID: 5244)
      • Photoroom.tmp (PID: 6828)
      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)

    • Reads the machine GUID from the registry

      • Mansion.exe (PID: 1580)
      • chrome.exe (PID: 2728)
      • msedge.exe (PID: 6156)
      • wmpshare.exe (PID: 6636)

    • Create files in a temporary directory

      • Mansion.exe (PID: 1580)
      • Photoroom.tmp (PID: 5244)
      • Photoroom.exe (PID: 5256)
      • Photoroom.exe (PID: 4640)
      • Photoroom.tmp (PID: 2756)
      • Photoroom.exe (PID: 4400)
      • Photoroom.exe (PID: 6968)
      • Mansion_setup.exe (PID: 6736)
      • Photoroom.tmp (PID: 6828)
      • Photoroom.tmp (PID: 6972)
      • chrome.exe (PID: 2728)
      • svchost.exe (PID: 6516)
      • msedge.exe (PID: 6156)

    • The sample compiled with russian language support

      • Photoroom.tmp (PID: 2756)
      • Photoroom.tmp (PID: 6972)

    • Process checks whether UAC notifications are on

      • msedge.exe (PID: 6156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: Electron
FileVersion: 1.0.0
LegalCopyright: Copyright © 2025 Mansion
ProductName: Mansion
ProductVersion: 1.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
167
Monitored processes
49
Malicious processes
17
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mansion_setup.exe cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs mansion.exe mansion.exe no specs mansion.exe no specs mansion.exe no specs photoroom.exe photoroom.tmp photoroom.exe photoroom.tmp #RHADAMANTHYS spnativemessage.exe no specs #RHADAMANTHYS svchost.exe #RHADAMANTHYS svchost.exe photoroom.exe photoroom.tmp photoroom.exe photoroom.tmp chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpshare.exe no specs dllhost.exe #RHADAMANTHYS spnativemessage.exe no specs #RHADAMANTHYS svchost.exe svchost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5144 --field-trial-handle=2212,i,3491095193907150187,5557761107868007727,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
736"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1960,i,12835126330640688856,9738725576646222727,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
848"C:\Users\admin\AppData\Roaming\{AB4B5A63-4A3E-4281-9A3A-C5287BA0AB20}\SPNativeMessage.exe"C:\Users\admin\AppData\Roaming\{AB4B5A63-4A3E-4281-9A3A-C5287BA0AB20}\SPNativeMessage.exe
Photoroom.tmp
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\roaming\{ab4b5a63-4a3e-4281-9a3a-c5287ba0ab20}\spnativemessage.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1216"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3276 --field-trial-handle=2212,i,3491095193907150187,5557761107868007727,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2204 --field-trial-handle=2212,i,3491095193907150187,5557761107868007727,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1468"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Temp\chrF701.tmp /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Temp\chrF701.tmp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff821f3dc40,0x7ff821f3dc4c,0x7ff821f3dc58C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1512"C:\Windows\System32\svchost.exe"C:\Windows\SysWOW64\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
1580"C:\Users\admin\AppData\Local\Programs\my-electron-app\Mansion.exe" C:\Users\admin\AppData\Local\Programs\my-electron-app\Mansion.exe
explorer.exe
User:
admin
Company:
GitHub, Inc.
Integrity Level:
MEDIUM
Description:
Electron
Exit code:
0
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\local\programs\my-electron-app\mansion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1740"C:\Users\admin\AppData\Local\Programs\my-electron-app\Mansion.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\my-electron-app" --mojo-platform-channel-handle=2072 --field-trial-handle=1748,i,11490210072865862077,7907216280774614313,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8C:\Users\admin\AppData\Local\Programs\my-electron-app\Mansion.exeMansion.exe
User:
admin
Company:
GitHub, Inc.
Integrity Level:
MEDIUM
Description:
Electron
Exit code:
0
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\local\programs\my-electron-app\mansion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1856"C:\Windows\System32\svchost.exe"C:\Windows\SysWOW64\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
Total events
8 795
Read events
8 748
Write events
28
Delete events
19

Modification events

(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:InstallLocation
Value:
C:\Users\admin\AppData\Local\Programs\my-electron-app
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:KeepShortcuts
Value:
true
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:ShortcutName
Value:
Mansion
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:DisplayName
Value:
Mansion 1.0.0
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:UninstallString
Value:
"C:\Users\admin\AppData\Local\Programs\my-electron-app\Uninstall Mansion.exe" /currentuser
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:QuietUninstallString
Value:
"C:\Users\admin\AppData\Local\Programs\my-electron-app\Uninstall Mansion.exe" /currentuser /S
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:DisplayVersion
Value:
1.0.0
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:DisplayIcon
Value:
C:\Users\admin\AppData\Local\Programs\my-electron-app\Mansion.exe,0
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:NoModify
Value:
1
(PID) Process:(6736) Mansion_setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\8b706e1d-460f-5bbb-9923-41e4b14b8e9e
Operation:writeName:NoRepair
Value:
1
Executable files
126
Suspicious files
319
Text files
76
Unknown types
1

Dropped files

PID
Process
Filename
Type
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\app-64.7z
MD5:
SHA256:
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\7z-out\icudtl.dat
MD5:
SHA256:
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\7z-out\LICENSES.chromium.html
MD5:
SHA256:
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\System.dllexecutable
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\nsExec.dllexecutable
MD5:EC0504E6B8A11D5AAD43B296BEEB84B2
SHA256:5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\7z-out\chrome_100_percent.pakbinary
MD5:443C58245EEB233D319ABF7150B99C31
SHA256:99CA6947D97DF212E45782BBD5D97BFB42112872E1C42BAB4209CEEDF66DC760
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\SpiderBanner.dllexecutable
MD5:17309E33B596BA3A5693B4D3E85CF8D7
SHA256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\7z-out\chrome_200_percent.pakbinary
MD5:81B5B74FE16C7C81870F539D5C263397
SHA256:CB4FD141A5C4D188A3ECB203E9D41A3AFCA648724160E212289ADCAC666FBFF4
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\nsis7z.dllexecutable
MD5:80E44CE4895304C6A3A831310FBF8CD0
SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
6736Mansion_setup.exeC:\Users\admin\AppData\Local\Temp\nsyABC5.tmp\7z-out\locales\bg.pakbinary
MD5:080CFFA1D4032B7D4BFA217AA00C4F47
SHA256:3FD27D562E32F1A052E924B6C468486ACF0B2AF42DD1AD2270E83D115D4B3F65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
63
DNS requests
48
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.146:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1488
svchost.exe
GET
200
23.48.23.146:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1488
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1580
Mansion.exe
GET
200
5.78.127.239:80
http://5.78.127.239:80/ud83c7gi0/8pe93ha5y.php?get=c3RhcnQ%3D&name=TWFuc2lvbiBHYW1l&info=V2luZG93cyAxMCwgREVTS1RPUC1KR0xMSkxELCAxMjgweDcyMA%3D%3D
unknown
malicious
1176
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7024
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7024
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1580
Mansion.exe
GET
200
5.78.127.239:80
http://5.78.127.239:80/ud83c7gi0/8pe93ha5y.php?get=bGV0c2dv&name=TWFuc2lvbiBHYW1l&info=V2luZG93cyAxMCwgREVTS1RPUC1KR0xMSkxELCAxMjgweDcyMA%3D%3D
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
104.126.37.129:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.146:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1488
svchost.exe
23.48.23.146:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1488
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 104.126.37.129
  • 104.126.37.161
  • 104.126.37.178
  • 104.126.37.128
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.137
  • 104.126.37.163
  • 104.126.37.154
whitelisted
crl.microsoft.com
  • 23.48.23.146
  • 23.48.23.143
  • 23.48.23.191
  • 23.48.23.141
  • 23.48.23.178
  • 23.48.23.158
  • 23.48.23.184
  • 23.48.23.140
  • 23.48.23.153
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.20
  • 20.190.160.65
  • 40.126.32.72
  • 20.190.160.66
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.67
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s
A Network Trojan was detected
STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s
A Network Trojan was detected
STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrF701.tmp directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chr78C.tmp directory exists )
dllhost.exe
ba 61 fe af b5 22 de 41
dllhost.exe
[service_reconnect_interval] set timer
dllhost.exe
[backend_tunnel_on_connect] set timer
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Mansion_setup.exe