File name:

2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys

Full analysis: https://app.any.run/tasks/dbcc62d9-4020-4833-850c-2a5cc2364c96
Verdict: Malicious activity
Analysis date: March 24, 2025, 23:40:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
jeefo
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

0D5F6BE3C55567393E5FDCD554623AD8

SHA1:

2B3A952C9C1ED3657B4F581E84D1E07935B9DBB3

SHA256:

031C54E7C3F3F70558A8961AAFA82225D6D2AE860D574D4E344C51A2D4ED9BA5

SSDEEP:

6144:ClOiXKgN72fkEnLn2OBkV0woiVLReYqGwcR6wWc0hodBpE1U:TguLn72Sw8YqbcR6wxZry+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • tmp142.exe (PID: 5116)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)

    • Starts itself from another location

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)

    • Reads security settings of Internet Explorer

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)

    • Starts CMD.EXE for commands execution

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)

    • Hides command output

      • cmd.exe (PID: 3888)

    • Application launched itself

      • tmp142.exe (PID: 5720)

  • INFO

    • Checks supported languages

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)
      • tmp142.exe (PID: 5720)
      • tmp142.exe (PID: 5116)

    • Create files in a temporary directory

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)
      • tmp142.exe (PID: 5116)

    • Reads the computer name

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)
      • tmp142.exe (PID: 5720)

    • Process checks computer location settings

      • 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe (PID: 5064)

    • Failed to create an executable file in Windows directory

      • tmp142.exe (PID: 5116)

    • Checks proxy server information

      • slui.exe (PID: 680)

    • Reads the software policy settings

      • slui.exe (PID: 680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:03:25 19:26:58+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 98304
InitializedDataSize: 307200
UninitializedDataSize: -
EntryPoint: 0x7e91
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
6
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start 2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe tmp142.exe no specs cmd.exe no specs conhost.exe no specs #JEEFO tmp142.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
680C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3100\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3888"C:\WINDOWS\system32\cmd.exe" /c del C:\Users\admin\Desktop\2025-0~1.EXE >> NULC:\Windows\SysWOW64\cmd.exe2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5064"C:\Users\admin\Desktop\2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe" C:\Users\admin\Desktop\2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5116C:\Users\admin\AppData\Local\Temp\tmp142.exeC:\Users\admin\AppData\Local\Temp\tmp142.exe
tmp142.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tmp142.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
5720"C:\Users\admin\AppData\Local\Temp\tmp142.exe" C:\Users\admin\AppData\Local\Temp\tmp142.exe2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\tmp142.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 728
Read events
3 726
Write events
2
Delete events
0

Modification events

(PID) Process:(5116) tmp142.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5116tmp142.exeC:\Users\admin\AppData\Local\Temp\~DFD494CE8CF592A236.TMPbinary
MD5:5316E4C0FA3B29F86B453F07524AAFF6
SHA256:F14A347C17E72DDA06650B801958E6EB4643911DAB6FFD455D8FA8A349079154
50642025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys.exeC:\Users\admin\AppData\Local\Temp\tmp142.exeexecutable
MD5:0D5F6BE3C55567393E5FDCD554623AD8
SHA256:031C54E7C3F3F70558A8961AAFA82225D6D2AE860D574D4E344C51A2D4ED9BA5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6708
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
680
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-03-24_0d5f6be3c55567393e5fdcd554623ad8_hiddentear_rhadamanthys