File name:

2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee

Full analysis: https://app.any.run/tasks/286e8b4d-b2db-439f-897b-550b3f6225fa
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized for different tasks: for instance, stealing passwords and crypto-wallet data, hijacking Telegram and Steam accounts, and more. Attackers distribute DCrat in a variety of ways, but phishing email campaigns are the most common.

Analysis date: June 21, 2025, 22:31:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
dcrat
rat
auto-sch
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

7300A08B0CEC951F01416CE4D2A6750D

SHA1:

614CBCFE9BF6BAB5D6ABE72C3B851580E1EED813

SHA256:

529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78

SSDEEP:

98304:JAfVO5iGuEfKpLDNX5LcBNO/M2AEqm6CnKdVdQbzQg+CrsqGXHDaNQcEBakTt5JD:l/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • UAC/LUA settings modification

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Changes the autorun value in the registry

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Changes Windows Defender settings

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Adds path to the Windows Defender exclusion list

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
    • Reads security settings of Internet Explorer

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • ShellExperienceHost.exe (PID: 4836)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Starts CMD.EXE for commands execution

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
    • Executable content was dropped or overwritten

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Executed via WMI

      • schtasks.exe (PID: 3976)
      • schtasks.exe (PID: 2804)
      • schtasks.exe (PID: 1328)
      • schtasks.exe (PID: 6172)
      • schtasks.exe (PID: 1688)
      • schtasks.exe (PID: 5552)
      • schtasks.exe (PID: 2632)
      • schtasks.exe (PID: 1720)
      • schtasks.exe (PID: 760)
      • schtasks.exe (PID: 4312)
      • schtasks.exe (PID: 5764)
      • schtasks.exe (PID: 6360)
      • schtasks.exe (PID: 6216)
      • schtasks.exe (PID: 2532)
      • schtasks.exe (PID: 1080)
      • schtasks.exe (PID: 3572)
      • schtasks.exe (PID: 6268)
      • schtasks.exe (PID: 5552)
      • schtasks.exe (PID: 4700)
      • schtasks.exe (PID: 6876)
      • schtasks.exe (PID: 4680)
      • schtasks.exe (PID: 5284)
      • schtasks.exe (PID: 2368)
      • schtasks.exe (PID: 5724)
      • schtasks.exe (PID: 6492)
      • schtasks.exe (PID: 760)
      • schtasks.exe (PID: 4800)
    • The process creates files with name similar to system file names

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 6216)
      • schtasks.exe (PID: 1080)
      • schtasks.exe (PID: 2532)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • wininit.exe (PID: 7488)
      • powershell.exe (PID: 7772)
    • Modifies hosts file to alter network resolution

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Script adds exclusion path to Windows Defender

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Starts POWERSHELL.EXE for commands execution

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
  • INFO

    • Reads the computer name

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
      • ShellExperienceHost.exe (PID: 4836)
      • lsass.exe (PID: 1496)
      • SystemSettings.exe (PID: 2148)
      • SearchApp.exe (PID: 2276)
      • lsass.exe (PID: 5432)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • explorer.exe (PID: 5904)
      • dllhost.exe (PID: 4984)
      • fontdrvhost.exe (PID: 1720)
      • SystemSettings.exe (PID: 7220)
      • fontdrvhost.exe (PID: 7324)
      • wininit.exe (PID: 7488)
      • explorer.exe (PID: 7604)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • ApplicationFrameHost.exe (PID: 7272)
    • Checks supported languages

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
      • ShellExperienceHost.exe (PID: 4836)
      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 1496)
      • lsass.exe (PID: 5432)
      • SearchApp.exe (PID: 2276)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • dllhost.exe (PID: 4984)
      • explorer.exe (PID: 5904)
      • fontdrvhost.exe (PID: 1720)
      • SystemSettings.exe (PID: 7220)
      • explorer.exe (PID: 7604)
      • fontdrvhost.exe (PID: 7324)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
      • ApplicationFrameHost.exe (PID: 7272)
    • The sample compiled with english language support

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Reads the machine GUID from the registry

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 1496)
      • lsass.exe (PID: 5432)
      • SearchApp.exe (PID: 2276)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • dllhost.exe (PID: 4984)
      • explorer.exe (PID: 5904)
      • fontdrvhost.exe (PID: 1720)
      • SystemSettings.exe (PID: 7220)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
      • fontdrvhost.exe (PID: 7324)
      • ApplicationFrameHost.exe (PID: 7272)
      • explorer.exe (PID: 7604)
    • Reads Environment values

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
    • Process checks whether UAC notifications are on

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Process checks computer location settings

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6548)
      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Launching a file from a Registry key

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Manual execution by a user

      • lsass.exe (PID: 1496)
      • SystemSettings.exe (PID: 2148)
      • lsass.exe (PID: 5432)
      • SearchApp.exe (PID: 2276)
      • wininit.exe (PID: 7048)
      • wininit.exe (PID: 4680)
      • dllhost.exe (PID: 4984)
      • fontdrvhost.exe (PID: 1720)
      • SystemSettings.exe (PID: 7220)
      • explorer.exe (PID: 5904)
      • fontdrvhost.exe (PID: 7324)
      • explorer.exe (PID: 7604)
      • SearchApp.exe (PID: 7356)
      • dllhost.exe (PID: 7428)
      • wininit.exe (PID: 7488)
    • Creates files in the program directory

      • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (PID: 6584)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 7696)
      • powershell.exe (PID: 7808)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 7788)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 7716)
      • powershell.exe (PID: 7680)
      • powershell.exe (PID: 7772)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7696)
      • powershell.exe (PID: 7772)
      • powershell.exe (PID: 7716)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 7808)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 7788)
      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 7680)
      • powershell.exe (PID: 7848)
    • Reads the software policy settings

      • slui.exe (PID: 4832)
    • Checks proxy server information

      • slui.exe (PID: 4832)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 1973248
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.15.2.0
ProductVersionNumber: 5.15.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 5.15.2.0
OriginalFileName: libGLESv2.dll
ProductName: libGLESv2
ProductVersion: 5.15.2.0
Note: the version resource describes a DLL named libGLESv2.dll (ObjectFileType above also says "Dynamic link library"), yet the file is a PE32 GUI executable, and the dropped copies below (lsass.exe, fontdrvhost.exe, SystemSettings.exe, SearchApp.exe) report the same version 5.15.2.0. The resource is therefore a pivot for finding related copies, not evidence of a genuine library.
All screenshots are available in the full report
Total processes: 205
Monitored processes: 69
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph, grouped by name in order of first appearance (count in parentheses; #DCRAT marks the two processes ANY.RUN tagged as DCRat, PIDs 6548 and 6584). The 69 nodes match the monitored-process count above.
  • 2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe (#DCRAT, 2)
  • cmd.exe (1), conhost.exe (11)
  • shellexperiencehost.exe (1)
  • schtasks.exe (27)
  • lsass.exe (2), systemsettings.exe (2), searchapp.exe (2), wininit.exe (3), explorer.exe (2), dllhost.exe (2), fontdrvhost.exe (2)
  • powershell.exe (10)
  • applicationframehost.exe (1), slui.exe (1)

Process information

Each entry below gives the PID, the command line (CMD), the image path and the parent process, followed by the properties and loaded modules ANY.RUN recorded. PIDs 760 and 1720 each appear twice because Windows reused them after the earlier process had exited.
PID:
760
CMD:
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\found.000\dir_00000002.chk\wininit.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
760
CMD:
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1080
CMD:
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1328
CMD:
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1496
CMD:
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
Path:
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\program files (x86)\reference assemblies\microsoft\framework\v3.5\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
1688
CMD:
schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1720
CMD:
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\found.000\dir_00000002.chk\wininit.exe'" /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1720
CMD:
"C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe"
Path:
C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\program files (x86)\common files\system\msadc\en-us\fontdrvhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
2148
CMD:
"C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"
Path:
C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\program files (x86)\windows photo viewer\en-us\systemsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
2276
CMD:
C:\Recovery\OEM\SearchApp.exe
Path:
C:\Recovery\OEM\SearchApp.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\recovery\oem\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
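The six `schtasks.exe /create` lines above, all spawned under WmiPrvSE.exe, are the sample's scheduled-task persistence: every target is a copy of the sample named after a real Windows process but placed outside System32, the "wininitw" task is re-created with /f pointing at two different paths and fires every 5 or 9 minutes, and all but one task ask for /rl HIGHEST. The Python below is an added example of parsing such lines out of a process list and flagging that pattern; it is not ANY.RUN's or the sample's code. The command lines and the parent-process column are transcribed from this report; SYSTEM_NAMES, TRUSTED_DIRS and the wording of the findings are my own.

```python
"""Parse schtasks /create command lines from a sandbox process list and flag
masquerading, privilege, cadence and WMI-launch indicators (added example)."""
import re
from pathlib import PureWindowsPath

# Windows binaries whose names this sample reuses. Genuine copies live under
# C:\Windows\System32 (or SysWOW64); the same name anywhere else is masquerading.
SYSTEM_NAMES = {"lsass.exe", "wininit.exe", "fontdrvhost.exe", "dllhost.exe",
                "searchapp.exe", "systemsettings.exe", "applicationframehost.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# (parent process, command line) as shown in the report; PIDs are omitted
# because 760 and 1720 were reused during the run.
TASK_EVENTS = [
    ("WmiPrvSE.exe", r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\found.000\dir_00000002.chk\wininit.exe'" /rl HIGHEST /f'''),
    ("WmiPrvSE.exe", r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\en-US\fontdrvhost.exe'" /rl HIGHEST /f'''),
    ("WmiPrvSE.exe", r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f'''),
    ("WmiPrvSE.exe", r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f'''),
    ("WmiPrvSE.exe", r'''schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe'" /rl HIGHEST /f'''),
    ("WmiPrvSE.exe", r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\found.000\dir_00000002.chk\wininit.exe'" /f'''),
]

# Switches of interest; a value is either a "quoted string" or one bare token.
SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmd):
    """Return the /tn, /sc, /mo, /tr, /rl values and whether /f was given."""
    opts = {}
    for m in SWITCH.finditer(cmd):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    # schtasks accepts the target wrapped in single quotes inside the double quotes
    opts["tr"] = opts.get("tr", "").strip("'")
    opts["force"] = "/f" in cmd.lower().split()
    return opts


def assess(parent, cmd):
    """Explain why one task-creation event is suspicious (empty list: nothing found)."""
    t = parse_schtasks(cmd)
    target = PureWindowsPath(t["tr"])
    reasons = []
    if target.name.lower() in SYSTEM_NAMES and not str(target.parent).lower().startswith(TRUSTED_DIRS):
        reasons.append(f"system-process name {target.name} outside System32: {target.parent}")
    if t.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if t.get("sc", "").upper() == "MINUTE":
        reasons.append(f"re-launched every {t.get('mo', '1')} min (/sc MINUTE)")
    if parent.lower() == "wmiprvse.exe":
        reasons.append("created through WMI (parent WmiPrvSE.exe)")
    return {"task": t.get("tn"), "target": str(target), "force": t["force"], "reasons": reasons}


def targets_by_task(events):
    """Map task name -> set of target paths. A name with several targets means the
    sample overwrote its own task with /f, as 'wininitw' does in this report."""
    out = {}
    for parent, cmd in events:
        f = assess(parent, cmd)
        out.setdefault(f["task"], set()).add(f["target"])
    return out


if __name__ == "__main__":
    for parent, cmd in TASK_EVENTS:
        f = assess(parent, cmd)
        print(f'{f["task"]:<15} {f["target"]}')
        for r in f["reasons"]:
            print("   -", r)
    print("targets per task name:", targets_by_task(TASK_EVENTS))
```

The regex is deliberately narrow (only the five switches that matter here); it will silently ignore schtasks switches such as /ru or /xml, so extend SWITCH before using it on arbitrary telemetry. The parent-process check depends on the source recording parents; ANY.RUN does, Windows Security event 4698 does not, so there you would pair it with Sysmon event 1 instead.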
Total events: 61 946
Read events: 61 907
Write events: 39
Delete events: 0

Modification events

All ten writes are made by the sample itself (PIDs 6548 and 6584, its two instances). EnableLUA is set to 0 by both; once that takes effect (after a reboot) UAC is off and the masqueraded copies start elevated without a consent prompt.

PID | Operation | Key | Name | Value
6548 | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA | 0
6548 | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
6548 | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
6548 | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
6548 | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
6584 | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | lsass | "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
6584 | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | lsass | "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"
6584 | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SystemSettings | "C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"
6584 | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | SystemSettings | "C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"
6584 | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA | 0
Executable files: 31
Suspicious files: 1
Text files: 50
Unknown types: 0

Dropped files

All listed files were written by PID 6584 (2025-06-21_7300a08b0cec951f01416ce4d2a6750d_drokbk_elex_rhadamanthys_stealc_stop_tofsee.exe). The three executables carry the sample's own MD5 and SHA256, so they are unmodified copies renamed after Windows processes; most of the hex-named text files land in the same directories that hold renamed copies (compare the scheduled-task targets and Run values above).

Filename | Type | MD5 | SHA256
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7 | text | 6D2308ECA118642FFC78AAB765988600 | D83E54DCD305BD4EB7111B9BAFE3A332801A36DCB99D5A45F5B361A3CDEC085D
(one entry has no filename, type or hashes shown in the report)
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088 | text | 93364E661490D6C4B4F73B446B661711 | 7A75CAE72C676E7DAEA1E2589D2D8E9D067D005A21369C048A44645D0066DB07
C:\Recovery\OEM\38384e6a620884 | text | 762D4C0A0663D057E80914C9D5F55E33 | 6CCCEDF8EA815743109D8BB8A925ACA327655BF7A373C1F5BCDF15D6B8DEDC38
C:\Users\admin\Documents\dllhost.exe | executable | 7300A08B0CEC951F01416CE4D2A6750D | 529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
C:\Program Files (x86)\Windows Photo Viewer\en-US\9e60a5f7a3bd80 | text | D10F78F13E402ADC9C90452D66A7EF1C | 8053C40587A6C17A72A0DB3F04160279B1AFF0290089FF4CD223AFB38CCF9612
C:\Users\Administrator\Videos\ApplicationFrameHost.exe | executable | 7300A08B0CEC951F01416CE4D2A6750D | 529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
C:\Users\Public\Music\wininit.exe | executable | 7300A08B0CEC951F01416CE4D2A6750D | 529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78
C:\found.000\dir_00000002.chk\56085415360792 | text | E398189B1D7C7D1500C5E9BD9083462E | F2BE225E625422CA51F150BE52E0969ECC157ADB2344296104BCEED2D9BE546F
C:\Users\admin\Documents\5940a34987c991 | text | E8078ACBD07C47FDB395F5F25B49A80A | 43749ADDE09526B7872EF78B120EFC8DF39B03872F45B25524BDC153F8A055CE
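The registry writes and dropped files above give a responder three things to confirm quickly: EnableLUA set to 0 under the HKLM System policy key by both instances of the sample (UAC is disabled once the change takes effect after a reboot), Run values named lsass and SystemSettings in both HKCU and HKLM\WOW6432Node that point at system-process names under Program Files (x86), and three dropped executables whose SHA256 equals the sample's own. The Python below is an added example that triages exactly those three signals from event lists of this shape; it is not the report's own tooling. REG_WRITES and DROPPED are transcribed from the sections above (a subset, for brevity); the function names, field names and the SYSTEM_NAMES list are my assumptions.

```python
"""Triage sandbox registry writes and dropped files for UAC tampering, Run-key
persistence under system-process names, and self-copies (added example)."""
from pathlib import PureWindowsPath

SAMPLE_SHA256 = "529030E1654C45EC237B8C58EC80DC4033A3DA5207F4AE6B3ADF07E2B3151F78"

# Names the sample borrows from real Windows processes (see Process information).
SYSTEM_NAMES = {"lsass.exe", "wininit.exe", "fontdrvhost.exe", "dllhost.exe",
                "searchapp.exe", "systemsettings.exe", "applicationframehost.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# (pid, key, value name, data) for write operations transcribed from the report.
REG_WRITES = [
    (6548, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    (6548, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", "1"),
    (6548, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "AutoDetect", "0"),
    (6584, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "lsass",
     r'"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"'),
    (6584, r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "lsass",
     r'"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe"'),
    (6584, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SystemSettings",
     r'"C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"'),
    (6584, r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "SystemSettings",
     r'"C:\Program Files (x86)\Windows Photo Viewer\en-US\SystemSettings.exe"'),
    (6584, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
]

# (pid, path, type, sha256) for dropped files transcribed from the report.
DROPPED = [
    (6584, r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7", "text",
     "D83E54DCD305BD4EB7111B9BAFE3A332801A36DCB99D5A45F5B361A3CDEC085D"),
    (6584, r"C:\Users\admin\Documents\dllhost.exe", "executable", SAMPLE_SHA256),
    (6584, r"C:\Users\Administrator\Videos\ApplicationFrameHost.exe", "executable", SAMPLE_SHA256),
    (6584, r"C:\Users\Public\Music\wininit.exe", "executable", SAMPLE_SHA256),
    (6584, r"C:\Recovery\OEM\38384e6a620884", "text",
     "6CCCEDF8EA815743109D8BB8A925ACA327655BF7A373C1F5BCDF15D6B8DEDC38"),
]


def uac_disabled(writes):
    """True if EnableLUA was set to 0 in the HKLM System policy key (UAC off after reboot)."""
    return any(key.upper().startswith("HKEY_LOCAL_MACHINE") and key.upper().endswith(r"\POLICIES\SYSTEM")
               and name.lower() == "enablelua" and data.strip() == "0"
               for _, key, name, data in writes)


def run_key_persistence(writes):
    """Run-key values written, each tagged with whether its target masquerades as a system binary."""
    hits = []
    for pid, key, name, data in writes:
        if not key.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        target = PureWindowsPath(data.strip().strip('"'))
        masq = (target.name.lower() in SYSTEM_NAMES
                and not str(target.parent).lower().startswith(TRUSTED_DIRS))
        hits.append({"pid": pid, "hive": key.split("\\", 1)[0], "value": name,
                     "target": str(target), "masquerade": masq})
    return hits


def self_copies(dropped, sample_sha256=SAMPLE_SHA256):
    """Paths of dropped executables that are byte-identical to the sample (same SHA-256)."""
    return [path for _, path, kind, sha in dropped
            if kind == "executable" and sha.upper() == sample_sha256.upper()]


def triage(writes=REG_WRITES, dropped=DROPPED):
    return {"uac_disabled": uac_disabled(writes),
            "run_keys": run_key_persistence(writes),
            "self_copies": self_copies(dropped)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The hash comparison is the cheapest pivot here: because the copies are unmodified, one file hash from the sandbox finds every persistence location on a live host, and the Run-key targets that are not in the dropped-file list (the Reference Assemblies and Windows Photo Viewer copies) are still found by the masquerade check.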
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 41
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4156 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.64:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 20.190.159.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.31.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted

Every request shown comes from Windows components (CRL downloads, Microsoft account traffic); none is attributed to the sample or its renamed copies. That matches the absence of an extracted malware configuration above and the zero-threat network verdict below, so this run yields no C2 indicator, only the host-based ones.
Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4156 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4156 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4156 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 2.18.121.139
  • 2.18.121.147
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.2
  • 40.126.31.1
  • 20.190.159.75
  • 20.190.159.130
  • 40.126.31.73
  • 20.190.159.0
  • 40.126.31.130
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info