File name:

2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee

Full analysis: https://app.any.run/tasks/286e8b4d-b2db-439f-897b-550b3f6225fa
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: June 21, 2025, 22:31:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
dcrat
rat
auto-sch
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

7300A08B0CEC951F01416CE4D2A6750D

SHA1:

614CBCFE9BF6BAB5D6ABE72C3B851580E1EED813

SHA256:

529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78

SSDEEP:

98304:JAfVO5iGuEfKpLDNX5LcBNO/M2AEqm6CnKdVdQbzQg+CrsqGXHDaNQcEBakTt5JD:l/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • UAC/LUA settings modification

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Changes the autorun value in the registry

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Changes Windows Defender settings

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Adds path to the Windows Defender exclusion list

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
    • Reads security settings of Internet Explorer

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • ShellExperienceHost.exe (PID: 4836)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Starts CMD.EXE for commands execution

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
    • Modifies hosts file to alter network resolution

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • The process creates files with name similar to system file names

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Executable content was dropped or overwritten

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Executed via WMI

      • schtasks.exe (PID: 1328)
      • schtasks.exe (PID: 3976)
      • schtasks.exe (PID: 1688)
      • schtasks.exe (PID: 6172)
      • schtasks.exe (PID: 2804)
      • schtasks.exe (PID: 5552)
      • schtasks.exe (PID: 2532)
      • schtasks.exe (PID: 2632)
      • schtasks.exe (PID: 1720)
      • schtasks.exe (PID: 6360)
      • schtasks.exe (PID: 760)
      • schtasks.exe (PID: 4312)
      • schtasks.exe (PID: 6876)
      • schtasks.exe (PID: 5764)
      • schtasks.exe (PID: 6216)
      • schtasks.exe (PID: 1080)
      • schtasks.exe (PID: 5552)
      • schtasks.exe (PID: 6268)
      • schtasks.exe (PID: 3572)
      • schtasks.exe (PID: 4700)
      • schtasks.exe (PID: 5724)
      • schtasks.exe (PID: 2368)
      • schtasks.exe (PID: 5284)
      • schtasks.exe (PID: 6492)
      • schtasks.exe (PID: 760)
      • schtasks.exe (PID: 4680)
      • schtasks.exe (PID: 4800)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 6216)
      • schtasks.exe (PID: 2532)
      • schtasks.exe (PID: 1080)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • wininit.exe (PID: 7488)
      • powershell.exe (PID: 7772)
    • Starts POWERSHELL.EXE for commands execution

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Script adds exclusion path to Windows Defender

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
  • INFO

    • Checks supported languages

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
      • ShellExperienceHost.exe (PID: 4836)
      • lsass.exe (PID: 1496)
      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 5432)
      • SearchApp.exe (PID: 2276)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • dllhost.exe (PID: 4984)
      • explorer.exe (PID: 5904)
      • fontdrvhost.exe (PID: 1720)
      • SystemSettings.exe (PID: 7220)
      • fontdrvhost.exe (PID: 7324)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
      • explorer.exe (PID: 7604)
      • ApplicationFrameHost.exe (PID: 7272)
    • The sample compiled with english language support

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Reads Environment values

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
    • Process checks whether UAC notifications are on

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Reads the computer name

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
      • ShellExperienceHost.exe (PID: 4836)
      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 1496)
      • lsass.exe (PID: 5432)
      • SearchApp.exe (PID: 2276)
      • wininit.exe (PID: 4680)
      • dllhost.exe (PID: 4984)
      • explorer.exe (PID: 5904)
      • fontdrvhost.exe (PID: 1720)
      • wininit.exe (PID: 7048)
      • SystemSettings.exe (PID: 7220)
      • fontdrvhost.exe (PID: 7324)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
      • explorer.exe (PID: 7604)
      • ApplicationFrameHost.exe (PID: 7272)
    • Reads the machine GUID from the registry

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
      • lsass.exe (PID: 1496)
      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 5432)
      • SearchApp.exe (PID: 2276)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • explorer.exe (PID: 5904)
      • dllhost.exe (PID: 4984)
      • fontdrvhost.exe (PID: 1720)
      • SystemSettings.exe (PID: 7220)
      • fontdrvhost.exe (PID: 7324)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
      • explorer.exe (PID: 7604)
      • ApplicationFrameHost.exe (PID: 7272)
    • Process checks computer location settings

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Creates files in the program directory

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Launching a file from a Registry key

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Manual execution by a user

      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 1496)
      • SearchApp.exe (PID: 2276)
      • lsass.exe (PID: 5432)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • explorer.exe (PID: 5904)
      • fontdrvhost.exe (PID: 1720)
      • dllhost.exe (PID: 4984)
      • fontdrvhost.exe (PID: 7324)
      • SystemSettings.exe (PID: 7220)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
      • explorer.exe (PID: 7604)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7788)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 7808)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 7716)
      • powershell.exe (PID: 7696)
      • powershell.exe (PID: 7772)
      • powershell.exe (PID: 7680)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7772)
      • powershell.exe (PID: 7716)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 7808)
      • powershell.exe (PID: 7788)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 7680)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 7696)
    • Checks proxy server information

      • slui.exe (PID: 4832)
    • Reads the software policy settings

      • slui.exe (PID: 4832)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 1973248
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.15.2.0
ProductVersionNumber: 5.15.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 5.15.2.0
OriginalFileName: libGLESv2.dll
ProductName: libGLESv2
ProductVersion: 5.15.2.0
No data.
All screenshots are available in the full report
Total processes
205
Monitored processes
69
Malicious processes
3
Suspicious processes
0

Behavior graph

start #DCRAT 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe no specs cmd.exe conhost.exe no specs #DCRAT 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe shellexperiencehost.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs lsass.exe no specs systemsettings.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs lsass.exe no specs searchapp.exe no specs wininit.exe no specs wininit.exe no specs explorer.exe no specs dllhost.exe no specs fontdrvhost.exe no specs systemsettings.exe no specs fontdrvhost.exe no specs searchapp.exe no specs dllhost.exe no specs wininit.exe no specs explorer.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs applicationframehost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
760
CMD:
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\found.000\dir_00000002.chk\wininit.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
760
CMD:
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1080
CMD:
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1328
CMD:
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1496
CMD:
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
Path:
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\program files (x86)\reference assemblies\microsoft\framework\v3.5\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
1688
CMD:
schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1720
CMD:
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\found.000\dir_00000002.chk\wininit.exe'" /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1720
CMD:
"C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe"
Path:
C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\program files (x86)\common files\system\msadc\en-us\fontdrvhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
2148
CMD:
"C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"
Path:
C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\program files (x86)\windows photo viewer\en-us\systemsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
2276
CMD:
C:\Recovery\OEM\SearchApp.exe
Path:
C:\Recovery\OEM\SearchApp.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\recovery\oem\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
61 946
Read events
61 907
Write events
39
Delete events
0

Modification events

(PID) Process:
(6548) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:
write
Name:
EnableLUA
Value:
0
(PID) Process:
(6548) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(6548) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
(PID) Process:
(6548) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1
(PID) Process:
(6548) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
(PID) Process:
(6584) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
lsass
Value:
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
(PID) Process:
(6584) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
lsass
Value:
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
(PID) Process:
(6584) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
SystemSettings
Value:
"C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"
(PID) Process:
(6584) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
SystemSettings
Value:
"C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"
(PID) Process:
(6584) 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:
write
Name:
EnableLUA
Value:
0
Executable files
31
Suspicious files
1
Text files
50
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe
Type:
executable
MD5:
7300A08B0CEC951F01416CE4D2A6750D
SHA256:
529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
Type:
MD5:
SHA256:
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Users\Public\Music\56085415360792
Type:
text
MD5:
B56ACB8C7C35A6AB06F5E7009209AB65
SHA256:
58D7121ACFECCE8DE1320112AFC22B576D4BD11B9FF8B9A516ABB6CB62E229C1
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Recovery\OEM\38384e6a620884
Type:
text
MD5:
762D4C0A0663D057E80914C9D5F55E33
SHA256:
6CCCEDF8EA815743109D8BB8A925ACA327655BF7A373C1F5BCDF15D6B8DEDC38
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Users\admin\Documents\dllhost.exe
Type:
executable
MD5:
7300A08B0CEC951F01416CE4D2A6750D
SHA256:
529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Program Files (x86)\Common Files\System\msadc\en-US\5b884080fd4f94
Type:
text
MD5:
88CEF3661C2FDD27DD0AD07CC338A218
SHA256:
699EADC5768DD04E7927C3AEBB8F22FBC2F9633C59156DAAD113FBD0B1CFBD9F
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Users\admin\Documents\5940a34987c991
Type:
text
MD5:
E8078ACBD07C47FDB395F5F25B49A80A
SHA256:
43749ADDE09526B7872EF78B120EFC8DF39B03872F45B25524BDC153F8A055CE
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Users\Administrator\Videos\6dd19aba3e2428
Type:
text
MD5:
4B472D20D3CC774046439057F6995E48
SHA256:
ECE206AF30C22D72D1FCDE8476B5A55A2C1A80F579E22461F6D2E7F731692747
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Users\Administrator\Videos\ApplicationFrameHost.exe
Type:
executable
MD5:
7300A08B0CEC951F01416CE4D2A6750D
SHA256:
529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
PID:
6584
Process:
2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe
Filename:
C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe
Type:
executable
MD5:
7300A08B0CEC951F01416CE4D2A6750D
SHA256:
529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
HTTP(S) requests
29
TCP/UDP connections
41
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4156
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
9208
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4156
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4156
RUXIMICS.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4156
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 2.18.121.139
  • 2.18.121.147
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.2
  • 40.126.31.1
  • 20.190.159.75
  • 20.190.159.130
  • 40.126.31.73
  • 20.190.159.0
  • 40.126.31.130
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info