Malware analysis 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0 Malicious activity

Add for printing

File name:	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0
Full analysis:	https://app.any.run/tasks/d27175ba-4caa-42e0-b26f-ed3f3de0c105
Verdict:	Malicious activity
Threats:	Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 19, 2025, 15:43:44
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit rhadamanthys stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	A412943D7658CB194744FFA4008F6944
SHA1:	48C5A3B7315C869C93723AE041E38610A32E9555
SHA256:	2540722D53870E6DBE6FD73D56B3E12C20D9F4C29FC6D325D6CFD471D8E44EA0
SSDEEP:	49152:PnHNXOxO9VPaNPEdDGsjpiW0TirIHxNcZAVCG35d/OkYtLch73Qnq2nIzZ0Kr3jO:PnU0sNcksFiW+0UxNcZbG379ic53GnnD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 7492)
  - findstr.exe (PID: 7632)
- RHADAMANTHYS mutex has been found
  - Acids.pif (PID: 7864)
  - dialer.exe (PID: 960)
SUSPICIOUS
- Executing commands from ".cmd" file
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
- Starts CMD.EXE for commands execution
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
  - cmd.exe (PID: 7400)
- Reads security settings of Internet Explorer
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 7400)
- Get information on the list of running processes
  - cmd.exe (PID: 7400)
- Application launched itself
  - cmd.exe (PID: 7400)
- Suspicious file concatenation
  - cmd.exe (PID: 7836)
- Starts application with an unusual extension
  - cmd.exe (PID: 7400)
- The executable file from the user directory is run by the CMD process
  - Acids.pif (PID: 7864)
- Executes application which crashes
  - Acids.pif (PID: 7864)
- The process checks if it is being run in the virtual environment
  - dialer.exe (PID: 960)
- Connects to unusual port
  - dialer.exe (PID: 960)
- Starts the AutoIt3 executable file
  - cmd.exe (PID: 7400)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 7400)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 7400)
INFO
- Reads the computer name
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
  - Acids.pif (PID: 7864)
- Creates files or folders in the user directory
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
- Checks supported languages
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
  - Acids.pif (PID: 7864)
- Process checks computer location settings
  - 2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe (PID: 7352)
- Creates a new folder
  - cmd.exe (PID: 7760)
- Reads mouse settings
  - Acids.pif (PID: 7864)
- Manual execution by a user
  - dialer.exe (PID: 960)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:07:24 22:17:55+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x348f
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

960

"C:\WINDOWS\system32\dialer.exe"

C:\Windows\SysWOW64\dialer.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Windows Phone Dialer

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6972

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7864 -s 956

C:\Windows\SysWOW64\WerFault.exe

—

Acids.pif

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

7352

"C:\Users\admin\AppData\Local\Temp\2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe"

C:\Users\admin\AppData\Local\Temp\2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

7400

"C:\Windows\System32\cmd.exe" /k move Less Less.cmd & Less.cmd & exit

C:\Windows\SysWOW64\cmd.exe

2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

9009

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7408

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7484

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

7492

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7624

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

7632

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7676

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

2 356

Read events

2 355

Write events

Delete events

Modification events


(PID) Process:	(7864) Acids.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Bio		binary
		MD5:6AD761198331E44400A57E38EE54534D	SHA256:6D7AACB79D194A91B05A4362BE8C9AAE80C484F3768A27D00CE298FCEE9AA6E6
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Procedure		binary
		MD5:1011E7358B38486F66E531BE8F9C4985	SHA256:04D545B5004B2F701944662AB5F52F71C172EDBFC22ECAF8C7E2636F8845D4C8
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Define		binary
		MD5:202A35EF8DCD178FB841D6E99E0B7C1A	SHA256:283F5B09AE4DB48C339B623AF6026B2874CDD8CCA35EF701D76086965DEBF9B5
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Nipple		binary
		MD5:7A6E9B290268D536B95627FF1EF64E8C	SHA256:2CFCE2FBEE76207C56F04869128198106DEC4877148C79F172FEA20BF7423208
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Definitions		binary
		MD5:D3D3097005A2FD1C63157A190918B91B	SHA256:9C51EA9774E1E05F91AB9C0B037909C5213650D35ADB4E56C34F9F2B93DCD1A8
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Suggestion		binary
		MD5:67E121CBC751C47CFF1E39491794D1EF	SHA256:C16FA37A9216BF5F79A499495F37A5B4A1164BDD0C12CC79036D959D4A902784
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Pays		binary
		MD5:034BE95C63282436D0C8AB363B8C51BC	SHA256:62E2A8C8ACB1D64895CDB5ED42951543B154F16885C44F646DA53FDAE3139057
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Meal		binary
		MD5:CE22AF53698BDAC9A842C8CAE4D342EF	SHA256:3760BD821A7A7D4E7F324CEE627855593921580EAEE160A44F21E7EFFA6CA687
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Do		binary
		MD5:986D99E60ED150B640B6A1A6943AB57C	SHA256:EF1D662E8A466CC30719C6DFE25742A359D108BFDA918193A6AE453A512018A2
7352	2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Recordings		binary
		MD5:BECCCFDE8A23373FF4548FE478ABC88D	SHA256:A38D175800730F66A61199AA659F03DDB27D4FF5D8895123C112908C84BEF36B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.16:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6728	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6728	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	23.216.77.16:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6728	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	23.216.77.16 23.216.77.18 23.216.77.13 23.216.77.7 23.216.77.6 23.216.77.20 23.216.77.5 23.216.77.8 23.216.77.11	whitelisted
www.microsoft.com	184.30.21.171 23.219.150.101	whitelisted
RCzHoFfoHp.RCzHoFfoHp	—	unknown
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.31.71 20.190.159.131 20.190.159.130 40.126.31.69 40.126.31.73 20.190.159.2 20.190.159.128 40.126.31.0	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

Threats

PID	Process	Class	Message
960	dialer.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 34

Add for printing

No debug info

General Info

2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0

A412943D7658CB194744FFA4008F6944

48C5A3B7315C869C93723AE041E38610A32E9555

2540722D53870E6DBE6FD73D56B3E12C20D9F4C29FC6D325D6CFD471D8E44EA0

49152:PnHNXOxO9VPaNPEdDGsjpiW0TirIHxNcZAVCG35d/OkYtLch73Qnq2nIzZ0Kr3jO:PnU0sNcksFiW+0UxNcZbG379ic53GnnD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

RHADAMANTHYS mutex has been found

SUSPICIOUS

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Using 'findstr.exe' to search for text patterns in files and output

Get information on the list of running processes

Application launched itself

Suspicious file concatenation

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Executes application which crashes

The process checks if it is being run in the virtual environment

Connects to unusual port

Starts the AutoIt3 executable file

Executable content was dropped or overwritten

Runs PING.EXE to delay simulation

INFO

Reads the computer name

Creates files or folders in the user directory

Checks supported languages

Process checks computer location settings

Creates a new folder

Reads mouse settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings