| File name: | _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe |
| Full analysis: | https://app.any.run/tasks/fce881d7-8601-4d52-be43-50d677392c32 |
| Verdict: | Malicious activity |
| Threats: | Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. |
| Analysis date: | October 22, 2025, 12:26:48 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | DEB15A2DB9BA01A54B0E91B36D89028C |
| SHA1: | C95C41BD489D7BC52CDEA791A58F7951F447F956 |
| SHA256: | B829B8857EDA796413908642BDA6186D9CB7DF4E5E70AFB1B68E71D0E660BBDD |
| SSDEEP: | 49152:+2+7lbVP6KHSrXCcQiLcBQle5MH0paQcFHv844JdxynZm+zoD3eL5E0H4GmjqYjm:+2+xxP6KHS7CcQ7f5MH0paQEvj4NynrD |
MALICIOUS
RHADAMANTHYS has been detected (YARA)
- OpenWith.exe (PID: 2880)
SUSPICIOUS
Get information on the list of running processes
- cmd.exe (PID: 7748)
Starts CMD.EXE for commands execution
- _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)
Executing commands from a ".bat" file
- _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 7748)
Starts the AutoIt3 executable file
- cmd.exe (PID: 7748)
Starts application with an unusual extension
- cmd.exe (PID: 7748)
The executable file from the user directory is run by the CMD process
- Carnival.scr (PID: 6188)
There is functionality for taking screenshot (YARA)
- Carnival.scr (PID: 6188)
Executes application which crashes
- Carnival.scr (PID: 2320)
- OpenWith.exe (PID: 2880)
The process checks if it is being run in the virtual environment
- OpenWith.exe (PID: 2880)
Connects to unusual port
- OpenWith.exe (PID: 2880)
INFO
Checks supported languages
- _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)
- extrac32.exe (PID: 1416)
- Carnival.scr (PID: 6188)
- Carnival.scr (PID: 2320)
Create files in a temporary directory
- _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)
- extrac32.exe (PID: 1416)
Reads the computer name
- extrac32.exe (PID: 1416)
- Carnival.scr (PID: 6188)
Reads mouse settings
- Carnival.scr (PID: 6188)
Manual execution by a user
- Carnival.scr (PID: 2320)
- OpenWith.exe (PID: 2880)
Checks proxy server information
- slui.exe (PID: 8124)
Reads the software policy settings
- slui.exe (PID: 8124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Rhadamanthys
(PID) Process(2880) OpenWith.exe
C2 (2)https://178.16.53.236:6343/gateway/pe2wcfae.isvx8
https://the-encyclopedia-of-digital-entrepreneurship-and-innovation.com/gateway/pe2wcfae.isvx8
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2059:08:08 23:27:35+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.3 |
| CodeSize: | 26624 |
| InitializedDataSize: | 1609216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x6d50 |
| OSVersion: | 10 |
| ImageVersion: | 10 |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
157
Monitored processes
16
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1416 | extrac32 /Y Christ.vsd *.* | C:\Windows\SysWOW64\extrac32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® CAB File Extract Utility Exit code: 0 Version: 5.00 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2276 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2320 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\319282\Carnival.scr | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\319282\Carnival.scr | explorer.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script (Beta) Exit code: 3221225477 Version: 3, 3, 17, 0 Modules
| |||||||||||||||
| 2384 | findstr /V "STRANGER" Threesome | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2880 | "C:\WINDOWS\system32\openwith.exe" | C:\Windows\System32\OpenWith.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 3221225512 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
Rhadamanthys(PID) Process(2880) OpenWith.exe C2 (2)https://178.16.53.236:6343/gateway/pe2wcfae.isvx8 https://the-encyclopedia-of-digital-entrepreneurship-and-innovation.com/gateway/pe2wcfae.isvx8 | |||||||||||||||
| 4412 | C:\WINDOWS\system32\WerFault.exe -u -p 2880 -s 956 | C:\Windows\System32\WerFault.exe | — | OpenWith.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5228 | C:\WINDOWS\system32\WerFault.exe -u -p 2320 -s 524 | C:\Windows\System32\WerFault.exe | — | Carnival.scr | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6188 | Carnival.scr g | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\319282\Carnival.scr | — | cmd.exe | |||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script (Beta) Exit code: 0 Version: 3, 3, 17, 0 Modules
| |||||||||||||||
| 6980 | waitfor /T 5 IPYfOIyEwakNlXuJAtZ | C:\Windows\SysWOW64\waitfor.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: waitfor - wait/send a signal over a network Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7704 | "C:\Users\admin\Desktop\_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe" | C:\Users\admin\Desktop\_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
5 123
Read events
5 123
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
19
Text files
3
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7704 | _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Specific.vsd | binary | |
MD5:8D87F83925EE040205F2A8FA8A3BDB52 | SHA256:3F4383C1B51A054340D86BAEB5BA9D82EE0E46CC4DD8A32C00E7E91CFCF8DFE0 | |||
| 7704 | _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Terminology.vsd | binary | |
MD5:E8CE0E40B4439F85BCCE6EEA6F14F468 | SHA256:1E3C51565FB171B9C020264C56275B0AD1D08A94509B228EE908C78364ACA210 | |||
| 7704 | _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Thumb.vsd | binary | |
MD5:120F55FAF6943128B2B8DD793509AE0F | SHA256:FA2BDAB6DFDEBA6FEA9F6D79B043DBD0A6C9DB9DF636DC1ACD5356776C55F333 | |||
| 7704 | _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Flavor.vsd | binary | |
MD5:82115269BA776F3AEE99B644D7F5382E | SHA256:01A51BD315AEDAC1F363ABF5E6CD91477F515D0FC3E3A06C4C5E8DB6D7D94C06 | |||
| 7704 | _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Christ.vsd | binary | |
MD5:9FCFFFF0B1472F5AE2899D65CCEFF946 | SHA256:C0B8B4D50FD07EA09841D250B61E9F8B8812F8868B40A01B3FAFECFAB5984BB8 | |||
| 1416 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Today | binary | |
MD5:09B02A032518932E22E7EA98DA78FC88 | SHA256:D2DAA58A7C4085302EE8CC83F85C0ABBEFA0AE615E7726C0AAC971DC4E816C42 | |||
| 1416 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Threesome | binary | |
MD5:89D99DF9959ADE7C6C3379748D432B54 | SHA256:2ED9809B899E39E3B27F3806B674B784EA1771D1CE2A783F9F07530BEB6C5DAF | |||
| 1416 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Composer | binary | |
MD5:F3A04F017437E5555101CD3E3EEB160D | SHA256:9CDCC27C658B6599EBC8B790AD8E58D3B24A02B007904EFECFC8415436977E7C | |||
| 1416 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Credits | binary | |
MD5:A1299E7DF3A1E7DDD3A23D8D09EBC738 | SHA256:816968D6817BD9FD9274DBC9765CB181F4AA807760804CB666BFE18139AC8B19 | |||
| 1416 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Specification | binary | |
MD5:39536B89B944E25725403A4A0CB1FEC8 | SHA256:07F928B88A43CF73CD1B69F54018F84357A9414E79596D3F3B9BF54B3FC28143 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
60
DNS requests
21
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.204.135:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=&setlang=en-US&cc=US&nohs=1&qfm=1&cp=0&cvid=d78f227ba78a4992a181fb0a7816f5a0&ig=d37d7a3c7abe4cd3b93686808713ccb0 | unknown | binary | 489 b | unknown |
— | — | GET | 200 | 2.16.204.135:443 | https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=us&setlang=en-us | unknown | binary | 609 b | unknown |
5280 | svchost.exe | GET | 200 | 162.159.142.9:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | unknown | xml | 11.2 Kb | unknown |
5280 | svchost.exe | GET | 200 | 162.159.142.9:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | unknown | xml | 11.3 Kb | unknown |
— | — | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown |
— | — | POST | 200 | 20.190.160.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.3 Kb | unknown |
— | — | POST | 200 | 40.126.32.74:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown |
— | — | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
7012 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
5596 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2564 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.16.241.206:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5280 | svchost.exe | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7088 | SearchApp.exe | 2.16.241.206:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5596 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5280 | svchost.exe | 162.159.142.9:80 | ocsp.digicert.com | CLOUDFLARENET | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
login.live.com |
| whitelisted |
google.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
arc.msn.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
BKgEvwNbDm.BKgEvwNbDm |
| unknown |
fd.api.iris.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Generic Protocol Command Decode | SURICATA HTTP Host header invalid |
— | — | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound |
— | — | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound |
— | — | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound |
— | — | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound |