File name:	roblox.exe
Full analysis:	https://app.any.run/tasks/e5a93920-24c2-47c1-88a1-be30afa4b1ff
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 30, 2025, 16:10:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rhadamanthys stealer anti-evasion websocket loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:	B410D35B6684719645D6281794F18866
SHA1:	7914872CE1313EC89BB11B8AE3908B3EEE8A00EF
SHA256:	881D59D5224C0A81056993EB2F385452B5ECC3F75E92E1DAB7BF1EB7972942E6
SSDEEP:	98304:b+fU5y8qYfIG2yXMpIQhO1RH2QhO35o35pZ5tX+l98oA+NM4L3XyIe8cBqtamhXj:Oo1sfDAmRyttLm

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:05:13 11:58:22+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	172032
InitializedDataSize:	638976
UninitializedDataSize:	-
EntryPoint:	0x5ed7b2
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2.6.33
ProductVersionNumber:	1.2.6.33
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	NovaPeak Systems
FileDescription:	Vanguard Management Toolkit
FileVersion:	1.2.6
ProductVersion:	1.2.6
InternalName:	zenithstudio
LegalCopyright:	© 2001 NovaPeak Systems.
OriginalFileName:	summitengine.exe
ProductName:	Summit Engine

PID	Process	Filename		Type
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_6751148a.txt		text
		MD5:3155E43C4BB37D348F22565E9D953DBE	SHA256:F80697DE0FC1719C5BECBFDFA2E98B5CC5A046D4AF1479558138B02BD4AB8DF4
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\svchost.exe		executable
		MD5:A789DFACC2BCBAC506962A1557C6F01B	SHA256:E3D1EFFD349370F7B388E15973B20C5F1ED911274BA2655A2134515D46462C2A
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\data_eb7bab06\file_45963339.txt		text
		MD5:F8E2EA13F2FA2A92CD17C2FC1E35984B	SHA256:48F91B634E864B390DA155140B06110D02D8894E5F532661ACF6761C14E127E4
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\data_9c8a3288\file_4afbf126.txt		text
		MD5:6A8F1AC94D51F2B7A026A425AF42FFD1	SHA256:013A3FEF9B9F9B1F8E5E145D7D7D839D0D3717DA41987A180215F0839442CCC4
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_f83fafd5.txt		text
		MD5:E12E478C07967A5B1E6997EB736F8EB0	SHA256:1BA47F7F8CEFAA01ED2A7C194FB2A662BFAAB64CB3AD5E19F2DFC0FE0EA57EA1
7724	OpenWith.exe	C:\Users\admin\AppData\Local\Microsoft\X)7Jxp-`.exe		executable
		MD5:902ABC7A3A0F872F3EEB8348C20F67B0	SHA256:AD969DA7F4F4DC0E2CE78DB14B8489D21C1D6A078D14230E771F2C22275C2381
7724	OpenWith.exe	C:\Users\admin\AppData\Local\Microsoft\mVR1hbX_.exe		executable
		MD5:A789DFACC2BCBAC506962A1557C6F01B	SHA256:E3D1EFFD349370F7B388E15973B20C5F1ED911274BA2655A2134515D46462C2A
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_e9d58ec6.txt		text
		MD5:9774C07EAFE9F3D6ADC8165780B3C1D0	SHA256:0EDDAC3FE58504D8C380EB2850F5AA6DC5172192A5587B3DB1886F6F1120E8C8
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\data_5ad5b31a\file_9e5e3353.txt		text
		MD5:E92BB8D9FA5CDEB6C6CAC3FF9E2C61DD	SHA256:0A28FA1713CCD6D62CD9741F829A657EA0454109EB742A72CFD94DD082F5DA27
412	mVR1hbX_.exe	C:\Users\admin\AppData\Roaming\WindowsSystemDiagnostics.{D20EA4E1-3957-11D2-A40B-0C5020524153}\log_9e99a464.txt		text
		MD5:1ACCFC036C28FA1A3E006549F424DD20	SHA256:A1A0A1AC189D48A4621A7226F1DE66CE8D1492458AD05939E67A0BE6EB358589

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1144	svchost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
5812	svchost.exe	GET	200	95.101.35.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5596	MoUsoCoreWorker.exe	GET	200	95.101.35.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	GET	—	188.114.96.3:443	https://globalinnovativesolutionsnetwork.com/yF4Ipr4mShEoCvtdnYR4L6LHRMEO7kVJ/lhj1q8kw.4zu6i	US	—	—	unknown
—	—	POST	400	158.94.208.98:443	https://158.94.208.98/yF4Ipr4mShEoCvtdnYR4L6LHRMEO7kVJ/lhj1q8kw.4zu6i	GB	text	48 b	malicious
7724	OpenWith.exe	GET	200	178.16.52.82:80	http://178.16.52.82/GaAgU0eHWeSJ9Ia5lhlz4PuhckC2bNOv/1BOi0tXTJJWgZS1BzlecvJPgUWQPYe3K.exe	DE	executable	7.59 Mb	unknown
—	—	GET	101	158.94.208.98:443	https://158.94.208.98/yF4Ipr4mShEoCvtdnYR4L6LHRMEO7kVJ/lhj1q8kw.4zu6i	GB	—	—	unknown
7724	OpenWith.exe	GET	200	178.16.52.82:80	http://178.16.52.82/GaAgU0eHWeSJ9Ia5lhlz4PuhckC2bNOv/8GVk01wwWXHHto7BJ1pwBajM8YOnUuQf.exe	DE	executable	3.41 Mb	unknown
—	—	GET	200	158.94.208.98:443	https://158.94.208.98/yF4Ipr4mShEoCvtdnYR4L6LHRMEO7kVJ/lhj1q8kw.4zu6i	GB	image	1.92 Mb	unknown
6980	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	DE	binary	813 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1144	svchost.exe	40.126.31.3:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
5812	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5596	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1144	svchost.exe	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
5812	svchost.exe	95.101.35.8:80	crl.microsoft.com	Orange	NL	whitelisted
5596	MoUsoCoreWorker.exe	95.101.35.8:80	crl.microsoft.com	Orange	NL	whitelisted
3440	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5492	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
login.live.com	40.126.31.3 40.126.31.73 40.126.31.128 20.190.159.2 40.126.31.131 20.190.159.131 20.190.159.75 20.190.159.71 40.126.31.129 40.126.31.69 40.126.31.1	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
ocsp.digicert.com	23.54.109.203	whitelisted
crl.microsoft.com	95.101.35.8 95.101.35.35	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
cloudflare-dns.com	104.16.248.249 104.16.249.249	whitelisted
globalinnovativesolutionsnetwork.com	188.114.96.3 188.114.97.3	unknown
time.windows.com	104.40.149.189	whitelisted
time.facebook.com	129.134.29.123	whitelisted

PID	Process	Class	Message
—	—	Generic Protocol Command Decode	SURICATA HTTP Host header invalid
7724	OpenWith.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 27
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
7724	OpenWith.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
7724	OpenWith.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7724	OpenWith.exe	Misc activity	ET INFO Packed Executable Download
7724	OpenWith.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

General Info

roblox.exe

B410D35B6684719645D6281794F18866

7914872CE1313EC89BB11B8AE3908B3EEE8A00EF

881D59D5224C0A81056993EB2F385452B5ECC3F75E92E1DAB7BF1EB7972942E6

98304:b+fU5y8qYfIG2yXMpIQhO1RH2QhO35o35pZ5tX+l98oA+NM4L3XyIe8cBqtamhXj:Oo1sfDAmRyttLm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

RHADAMANTHYS mutex has been found

RHADAMANTHYS has been detected (YARA)

Reads a specific registry key of the VM

Actions looks like stealing of personal data

Uses Task Scheduler to run other applications

SUSPICIOUS

The process checks if it is being run in the virtual environment

Searches for installed software

Loads DLL from Mozilla Firefox

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Reads the BIOS version

Starts CMD.EXE for commands execution

The process creates files with name similar to system file names

Lists all scheduled tasks

Executing commands from a ".bat" file

Runs PING.EXE to delay simulation

The process executes via Task Scheduler

Connects to unusual port

INFO

Checks supported languages

The sample compiled with english language support

Manual execution by a user

Creates files or folders in the user directory

Reads the computer name

Drops encrypted JS script (Microsoft Script Encoder)

Reads the machine GUID from the registry

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Rhadamanthys

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests