| File name: | Setup.exe |
| Full analysis: | https://app.any.run/tasks/229c797c-68b1-480b-ae05-807179508f70 |
| Verdict: | Malicious activity |
| Threats: | Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. |
| Analysis date: | June 02, 2025, 17:22:49 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 66E55F659A9082440606AE2AB1213729 |
| SHA1: | 5DB19743493AB996FFE9B1F30A8716474CA6F8A4 |
| SHA256: | A94CADD3A3D5F33B79F17D56656A0477C266FBAFB338D6B2E40CF944187E24CC |
| SSDEEP: | 49152:K/4BVjJ04Tr0nL4jBefX4scWhCtx2Ittb+QoV/2ZZRrGW6q1qoWzOW/2PwmTG5Z+:hjJ/M1aJtx3twl2Z3r/6q1qRzO+2BcZ+ |
MALICIOUS
AutoIt loader has been detected (YARA)
- Integrate.com (PID: 7368)
RHADAMANTHYS has been detected (YARA)
- OOBE-Maintenance.exe (PID: 668)
SUSPICIOUS
Starts CMD.EXE for commands execution
- Setup.exe (PID: 6040)
Executing commands from a ".bat" file
- Setup.exe (PID: 6040)
Reads security settings of Internet Explorer
- Setup.exe (PID: 6040)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 7336)
Get information on the list of running processes
- cmd.exe (PID: 7336)
Starts the AutoIt3 executable file
- cmd.exe (PID: 7336)
The executable file from the user directory is run by the CMD process
- Integrate.com (PID: 7368)
Starts application with an unusual extension
- cmd.exe (PID: 7336)
There is functionality for taking screenshot (YARA)
- Setup.exe (PID: 6040)
- Integrate.com (PID: 7368)
Executes application which crashes
- Integrate.com (PID: 7368)
- OOBE-Maintenance.exe (PID: 668)
INFO
Create files in a temporary directory
- Setup.exe (PID: 6040)
- extrac32.exe (PID: 4212)
Reads the computer name
- Setup.exe (PID: 6040)
- extrac32.exe (PID: 4212)
- Integrate.com (PID: 7368)
Checks supported languages
- Setup.exe (PID: 6040)
- extrac32.exe (PID: 4212)
- Integrate.com (PID: 7368)
Process checks computer location settings
- Setup.exe (PID: 6040)
Reads mouse settings
- Integrate.com (PID: 7368)
Manual execution by a user
- OOBE-Maintenance.exe (PID: 668)
Application launched itself
- chrome.exe (PID: 4616)
- msedge.exe (PID: 7244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:04:10 12:19:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 25600 |
| InitializedDataSize: | 431104 |
| UninitializedDataSize: | 16896 |
| EntryPoint: | 0x33e9 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
Total processes
172
Monitored processes
43
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 540 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3624 --field-trial-handle=2476,i,1987896886631049466,3879174613198813808,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 668 | "C:\WINDOWS\system32\OOBE-Maintenance.exe" | C:\Windows\System32\OOBE-Maintenance.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: OOBE-Maintenance Exit code: 3221226356 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 872 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4480 --field-trial-handle=2476,i,1987896886631049466,3879174613198813808,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1128 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2472 --field-trial-handle=2476,i,1987896886631049466,3879174613198813808,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1196 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1812 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2728 --field-trial-handle=2476,i,1987896886631049466,3879174613198813808,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1852 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Temp\chr4DA7.tmp /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Temp\chr4DA7.tmp\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffc89ba5fd8,0x7ffc89ba5fe4,0x7ffc89ba5ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2092 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3652 --field-trial-handle=1932,i,15859685733399871008,2940453248044404715,262144 --variations-seed-version /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 122.0.6261.70 Modules
| |||||||||||||||
| 2240 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=1932,i,15859685733399871008,2940453248044404715,262144 --variations-seed-version /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 122.0.6261.70 Modules
| |||||||||||||||
| 2980 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4824 --field-trial-handle=1932,i,15859685733399871008,2940453248044404715,262144 --variations-seed-version /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 122.0.6261.70 Modules
| |||||||||||||||
Total events
10 234
Read events
10 218
Write events
15
Delete events
1
Modification events
| (PID) Process: | (4616) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (4616) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (4616) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (4616) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4616) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (4616) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
| (PID) Process: | (7244) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (7244) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (7244) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (7244) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 067D5F5130952F00 | |||
Executable files
0
Suspicious files
132
Text files
74
Unknown types
96
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Argentina.avi | text | |
MD5:253391104ECFEDD5A94071EC997EDDC2 | SHA256:18CB5F9DF850673212EFF1CF33C9C5F577BBE54371A7E233FDC5FCAFD1D2C72A | |||
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Boring.avi | binary | |
MD5:4FE224ED37A05AAB68E8C771EF812925 | SHA256:79F9D6484887E7E9134BA9D3F154DEF0377B24C4E61D310A3F7DC9EC380EFF8B | |||
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Variance.avi | compressed | |
MD5:1F1372DEE04DE310675E25DDA10E4EC3 | SHA256:D8FDE234696A1E90CB589B6227E944601A7FAE208FD35E8F9D095616C9793F06 | |||
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Portable.avi | binary | |
MD5:E8C9B1BDA34B20E100017DB5C2E9ECB6 | SHA256:50C3E53E8A66EE9ED8285222FEB9EBC53D0305F6F211FC8FA2AEF3BD935A2D10 | |||
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Boost.avi | binary | |
MD5:78DE249AD41F682B6B38998F0AF7187E | SHA256:66BDCFC7A66D2D32920C90E618397B2BE977F98A15C1EDD6DD34BA68620CDCBA | |||
| 4212 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Geography | binary | |
MD5:2C97B838A95D3026F1A2A0D25336F6AD | SHA256:006D09F41F4D15A75C59347F32CC7BB6F799F280E8BA873B54948356AFE57D49 | |||
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Findlaw.avi | binary | |
MD5:4FDF152D6B333F7B1AA98E12E591436D | SHA256:8ED73C24366D9E42D9A9BB34498E9A72E07D346EBBB462A134252789F2D7E5E8 | |||
| 4212 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Agency | binary | |
MD5:DB4D3AC9B8CC280F671A06C958C06E27 | SHA256:052D30DE78B86EAA2BB53011F135549FA77976049150A36D3EB44D5DD2F18663 | |||
| 6040 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Forbes.avi | binary | |
MD5:7F19190C9120E6D63FCB2ADE3D5D58EA | SHA256:5F0C94C56CFCA4975502EDCE77B2FFE077AA3E47683EA8904C3E0E5B13CAE548 | |||
| 7336 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Argentina.avi.bat | text | |
MD5:253391104ECFEDD5A94071EC997EDDC2 | SHA256:18CB5F9DF850673212EFF1CF33C9C5F577BBE54371A7E233FDC5FCAFD1D2C72A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
48
DNS requests
41
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5408 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 142.250.186.129:443 | https://clients2.googleusercontent.com/crx/blobs/AcpJF5jcHVRgbVEms6vmE6qdKx_UoPPrgHXLFLqJ60_g48hIoz8HdxmRghg9YmmktQ_wvReJ4Zmls0_lEjFZTPWqynE9hnK76r9FpfYlK4ZsmLmNnA06hxTuvSMctgcxNzkAxlKa5cKF0Myihfg8d9NTQvFXhnGfxXDF/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_92_1_0.crx | unknown | binary | 153 Kb | whitelisted |
— | — | GET | 200 | 13.107.253.45:443 | https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable | unknown | binary | 16.0 Kb | whitelisted |
— | — | GET | 200 | 150.171.27.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1748885061&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 295 b | whitelisted |
— | — | POST | 200 | 64.233.167.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | unknown | text | 17 b | whitelisted |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=-1782104078919884918&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=0&mngd=0&installdate=1748885061&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 839 b | whitelisted |
— | — | GET | 503 | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown | html | 13.7 Kb | whitelisted |
— | — | GET | 200 | 142.250.186.46:443 | https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=122.0.2365.59&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dexternal%26uc | unknown | xml | 793 b | whitelisted |
— | — | GET | — | 150.171.27.11:443 | https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=122.0.2365.59&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 | unknown | — | — | — |
5408 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1660 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5408 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5408 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5408 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1660 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5408 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6940 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
JNmhVvWnozrOggw.JNmhVvWnozrOggw |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
time-a-g.nist.gov |
| whitelisted |
ntp.time.in.ua |
| unknown |
gbg1.ntp.se |
| unknown |
ts1.aco.net |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7368 | Integrate.com | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 6 |
— | — | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install |
— | — | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |