File name: surdm-win.exe

Full analysis: https://app.any.run/tasks/57f3497c-0c72-445e-826e-966069139475
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focused on its particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 10, 2025, 03:46:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
tightvnc
rmm-tool
teamviewer
arch-exec
arch-doc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 11 sections
MD5: 26A03E83841C5CADED553E1C451ED641
SHA1: 1924C22F1309E690B30B4E6E8E33909D647C2C9F
SHA256: A5F04E866D07A4CF3B15028B2FBE609B1CAA18705C43C5D47FE54703E0236EA0
SSDEEP: 98304:8Q/9MzxIN2KWXWkWmOWlVavtJ2XKtoj3uepSpC+g2+HcJWWp662cViY+aFvsrMTQ:Ivl5G7Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Steals credentials from Web Browsers
      • surdm-win.exe (PID: 7396)
    • Opens a text file (SCRIPT)
      • cscript.exe (PID: 7724)
    • Actions look like stealing of personal data
      • surdm-win.exe (PID: 7396)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • surdm-win.exe (PID: 7396)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)
      • cscript.exe (PID: 7724)
    • The process verifies whether antivirus software is installed
      • surdm-win.exe (PID: 7396)
    • Executable content was dropped or overwritten
      • surdm-win.exe (PID: 7396)
    • The process executes VB scripts
      • surdm-win.exe (PID: 7396)
    • Searches for installed software
      • surdm-win.exe (PID: 7396)
    • Gets full path of the running script (SCRIPT)
      • cscript.exe (PID: 7724)
    • Reads browser cookies
      • surdm-win.exe (PID: 7396)
    • Executes WMI query (SCRIPT)
      • cscript.exe (PID: 7724)
    • There is functionality for taking screenshots (YARA)
      • surdm-win.exe (PID: 7396)
    • Reads data from a binary Stream object (SCRIPT)
      • cscript.exe (PID: 7724)
    • Creates FileSystem object to access the computer's file system (SCRIPT)
      • cscript.exe (PID: 7724)
    • Process drops a legitimate Windows executable
      • surdm-win.exe (PID: 7396)
    • Connects to an unusual port
      • surdm-win.exe (PID: 7396)
    • Reads the date of Windows installation
      • surdm-win.exe (PID: 7396)
  • INFO
    • Reads product name
      • surdm-win.exe (PID: 7396)
    • Reads the computer name
      • surdm-win.exe (PID: 7396)
    • Creates files or folders in the user directory
      • surdm-win.exe (PID: 7396)
    • Reads security settings of Internet Explorer
      • cscript.exe (PID: 7724)
      • notepad.exe (PIDs: 7204, 2620, 6476, 6952, 5704, 2564, 1708, 7308, 4604, 3388, 7572, 6892, 7596, 3464, 7632)
    • Checks supported languages
      • surdm-win.exe (PID: 7396)
    • Creates files in a temporary directory
      • surdm-win.exe (PID: 7396)
    • The sample was compiled with English language support
      • surdm-win.exe (PID: 7396)
    • Manual execution by a user
      • notepad.exe (PIDs: 2620, 7204, 6476, 6952, 2564, 5704, 1708, 7308, 4604, 3388, 6892, 7572, 7596, 3464, 7632)
    • Checks proxy server information
      • slui.exe (PID: 3988)
    • Reads the software policy settings
      • slui.exe (PID: 3988)
    • Reads Environment values
      • surdm-win.exe (PID: 7396)
    • Process checks computer location settings
      • surdm-win.exe (PID: 7396)
    • TIGHTVNC has been detected
      • surdm-win.exe (PID: 7396)
    • TEAMVIEWER has been detected
      • surdm-win.exe (PID: 7396)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:11:10 01:20:10+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.45
CodeSize: 1592832
InitializedDataSize: 4635136
UninitializedDataSize: 8644608
EntryPoint: 0x13e0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
Total processes: 161
Monitored processes: 20
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: surdm-win.exe, chromelevator.exe, cscript.exe, conhost.exe, slui.exe, and 15 instances of notepad.exe (chromelevator.exe, cscript.exe, conhost.exe and every notepad.exe instance are marked "no specs" in the graph view).

Process information

PID 1708
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Chrome\Default\Summary.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Notepad | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\notepad.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\user32.dll

PID 2564
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Firefox\9kie7cg6.default-release\Summary.txt
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 2620
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\Software - 58.txt"
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 3388
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\License.txt
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 3464
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Extensions\Extensions.txt
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 3988
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Activation Client | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID 4604
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Documents\Information.txt
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 5704
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Opera\Default\Summary.txt
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 6476
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\Crypto Files\Information.txt"
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708

PID 6892
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\BrowserSummary.txt
Path, parent process, user, company, integrity level, description, version and modules: same as PID 1708
Total events: 9 802
Read events: 9 794
Write events: 8
Delete events: 0

Modification events

All four events were written by (PID) Process: (7396) surdm-win.exe to the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
Operation: write | Name: ProxyBypass | Value: 1
Operation: write | Name: IntranetName | Value: 1
Operation: write | Name: UNCAsIntranet | Value: 1
Operation: write | Name: AutoDetect | Value: 0
Executable files: 1
Suspicious files: 19
Text files: 1
Unknown types: 0

Dropped files

All entries were dropped by PID 7396, surdm-win.exe.

Filename: C:\Users\admin\AppData\Local\Temp\his41A7.tmp (type and hashes not listed)
Filename: C:\Users\admin\AppData\Local\Temp\his41D7.tmp (type and hashes not listed)
Filename: C:\Users\admin\AppData\Local\Temp\his4208.tmp (type and hashes not listed)
Filename: C:\Users\admin\AppData\Local\Temp\his4228.tmp (type and hashes not listed)
Filename: C:\Users\admin\AppData\Local\Temp\his4186.tmp | Type: binary
  MD5: EBBC802F3BC61B4350134E595337F997
  SHA256: 845DE58DF0FF490E3F313972A4A033E37EEE98FD4E4372A83DCFAB3946ACE16C
Filename: C:\Users\admin\AppData\Local\Temp\Log.txt | Type: text
  MD5: B2ED85F8B4E64F873DA0C903B7BA5B17
  SHA256: 8785405381186A14E7A2F676B71F9BF14634CB805E71AA452B8288E38A107820
Filename: C:\Users\admin\AppData\Local\Temp\his4115.tmp | Type: binary
  MD5: 15689BCA2327BD6439BB5A321BFF1115
  SHA256: 1513329660C876E166FDE7919D705ECFA5339732849159685C59847BE92B7478
Filename: C:\Users\admin\AppData\Local\chromelevator.exe | Type: executable
  MD5: F056D1FB10370025CCD9686EC11BCB7B
  SHA256: 5260AC59E4A4F002F53FF73F37DBFD157D887743E69C6CA7C94275F26A34EA6B
Filename: C:\Users\admin\AppData\Local\Temp\his4208.tmp-shm | Type: binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Filename: C:\Users\admin\AppData\Local\Temp\his4174.tmp | Type: binary
  MD5: 983A5B37990067066CF80EDDF2426994
  SHA256: E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3
HTTP(S) requests: 22
TCP/UDP connections: 45
DNS requests: 16
Threats: 1

HTTP requests

Columns: Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

PID 4824, svchost.exe:
  GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
  POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | unknown

PID 5596, MoUsoCoreWorker.exe:
  GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
  POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
  POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown

PID 2716, RUXIMICS.exe:
  GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
  POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | US | xml | 11.0 Kb | unknown

PID 7216, SIHClient.exe:
  GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | DE | binary | 401 b | whitelisted
  GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
  GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | DE | binary | 402 b | whitelisted

Connections

Columns: IP | Domain | ASN | CN | Reputation

PID 4824, svchost.exe:
  51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  192.168.100.255:137 | (no domain, ASN or CN listed) | whitelisted

PID 2716, RUXIMICS.exe:
  51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

PID 5596, MoUsoCoreWorker.exe:
  51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  184.86.251.22:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

PID 4, System:
  192.168.100.255:138 | (no domain, ASN or CN listed) | whitelisted

PID 4824, svchost.exe:
  2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

PID 5596, MoUsoCoreWorker.exe:
  2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

PID 2716, RUXIMICS.exe:
  2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

PID 5304, svchost.exe:
  40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
www.bing.com | 184.86.251.22, 184.86.251.27 | whitelisted
google.com | 142.250.185.206 | whitelisted
crl.microsoft.com | 2.20.245.137, 2.20.245.138 | whitelisted
login.live.com | 40.126.32.134, 20.190.160.128, 20.190.160.17, 40.126.32.74, 20.190.160.20, 40.126.32.136, 20.190.160.65, 40.126.32.68 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
www.microsoft.com | 23.3.109.244 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 4.154.209.85 | whitelisted

Threats

PID | Process | Class | Message
(not listed) | (not listed) | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info