File name:

_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe

Full analysis: https://app.any.run/tasks/fce881d7-8601-4d52-be43-50d677392c32
Verdict: Malicious activity
Threats:

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Malware Trends Tracker     >>>
Analysis date: October 22, 2025, 12:26:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
anti-evasion
rhadamanthys
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

DEB15A2DB9BA01A54B0E91B36D89028C

SHA1:

C95C41BD489D7BC52CDEA791A58F7951F447F956

SHA256:

B829B8857EDA796413908642BDA6186D9CB7DF4E5E70AFB1B68E71D0E660BBDD

SSDEEP:

49152:+2+7lbVP6KHSrXCcQiLcBQle5MH0paQcFHv844JdxynZm+zoD3eL5E0H4GmjqYjm:+2+xxP6KHS7CcQ7f5MH0paQEvj4NynrD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RHADAMANTHYS has been detected (YARA)

      • OpenWith.exe (PID: 2880)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)

    • Executing commands from a ".bat" file

      • _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)

    • Get information on the list of running processes

      • cmd.exe (PID: 7748)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7748)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7748)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7748)

    • The executable file from the user directory is run by the CMD process

      • Carnival.scr (PID: 6188)

    • There is functionality for taking screenshot (YARA)

      • Carnival.scr (PID: 6188)

    • Executes application which crashes

      • Carnival.scr (PID: 2320)
      • OpenWith.exe (PID: 2880)

    • The process checks if it is being run in the virtual environment

      • OpenWith.exe (PID: 2880)

    • Connects to unusual port

      • OpenWith.exe (PID: 2880)

  • INFO

    • Checks supported languages

      • _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)
      • extrac32.exe (PID: 1416)
      • Carnival.scr (PID: 6188)
      • Carnival.scr (PID: 2320)

    • Create files in a temporary directory

      • _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe (PID: 7704)
      • extrac32.exe (PID: 1416)

    • Reads the computer name

      • extrac32.exe (PID: 1416)
      • Carnival.scr (PID: 6188)

    • Reads mouse settings

      • Carnival.scr (PID: 6188)

    • Manual execution by a user

      • Carnival.scr (PID: 2320)
      • OpenWith.exe (PID: 2880)

    • Checks proxy server information

      • slui.exe (PID: 8124)

    • Reads the software policy settings

      • slui.exe (PID: 8124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Rhadamanthys

(PID) Process(2880) OpenWith.exe
C2 (2)https://178.16.53.236:6343/gateway/pe2wcfae.isvx8
https://the-encyclopedia-of-digital-entrepreneurship-and-innovation.com/gateway/pe2wcfae.isvx8
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2059:08:08 23:27:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 26624
InitializedDataSize: 1609216
UninitializedDataSize: -
EntryPoint: 0x6d50
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
16
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start _b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe no specs tapiunattend.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs extrac32.exe no specs findstr.exe no specs carnival.scr no specs carnival.scr waitfor.exe no specs #RHADAMANTHYS openwith.exe werfault.exe no specs slui.exe werfault.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1416extrac32 /Y Christ.vsd *.*C:\Windows\SysWOW64\extrac32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2276C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2320C:\Users\admin\AppData\Local\Temp\IXP000.TMP\319282\Carnival.scr C:\Users\admin\AppData\Local\Temp\IXP000.TMP\319282\Carnival.scr
explorer.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Exit code:
3221225477
Version:
3, 3, 17, 0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\319282\carnival.scr
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2384findstr /V "STRANGER" Threesome C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2880"C:\WINDOWS\system32\openwith.exe"C:\Windows\System32\OpenWith.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
3221225512
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Rhadamanthys
(PID) Process(2880) OpenWith.exe
C2 (2)https://178.16.53.236:6343/gateway/pe2wcfae.isvx8
https://the-encyclopedia-of-digital-entrepreneurship-and-innovation.com/gateway/pe2wcfae.isvx8
4412C:\WINDOWS\system32\WerFault.exe -u -p 2880 -s 956C:\Windows\System32\WerFault.exeOpenWith.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
5228C:\WINDOWS\system32\WerFault.exe -u -p 2320 -s 524C:\Windows\System32\WerFault.exeCarnival.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
6188Carnival.scr g C:\Users\admin\AppData\Local\Temp\IXP000.TMP\319282\Carnival.scrcmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Exit code:
0
Version:
3, 3, 17, 0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\319282\carnival.scr
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
6980waitfor /T 5 IPYfOIyEwakNlXuJAtZC:\Windows\SysWOW64\waitfor.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
waitfor - wait/send a signal over a network
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\waitfor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7704"C:\Users\admin\Desktop\_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe" C:\Users\admin\Desktop\_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
339
Read events
339
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
7704_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Brochures.vsdtext
MD5:E773556274FE78627B4ABB3FD048FAA1
SHA256:AE35003FE4164B1C65D7505D8B4A4D465894DFE47EDCB599186833ACC1A68226
7704_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Induced.vsdbinary
MD5:5AA018EEDA47EEB067FFCBC94968E4A2
SHA256:4DA3358F08863CC84FB9D73D79064310E69C7F53A56A3A80EEED60A3FBAD3F77
7704_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Terminology.vsdbinary
MD5:E8CE0E40B4439F85BCCE6EEA6F14F468
SHA256:1E3C51565FB171B9C020264C56275B0AD1D08A94509B228EE908C78364ACA210
7748cmd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Brochures.vsd.battext
MD5:E773556274FE78627B4ABB3FD048FAA1
SHA256:AE35003FE4164B1C65D7505D8B4A4D465894DFE47EDCB599186833ACC1A68226
7704_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Specific.vsdbinary
MD5:8D87F83925EE040205F2A8FA8A3BDB52
SHA256:3F4383C1B51A054340D86BAEB5BA9D82EE0E46CC4DD8A32C00E7E91CFCF8DFE0
7704_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Christ.vsdbinary
MD5:9FCFFFF0B1472F5AE2899D65CCEFF946
SHA256:C0B8B4D50FD07EA09841D250B61E9F8B8812F8868B40A01B3FAFECFAB5984BB8
1416extrac32.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Creditsbinary
MD5:A1299E7DF3A1E7DDD3A23D8D09EBC738
SHA256:816968D6817BD9FD9274DBC9765CB181F4AA807760804CB666BFE18139AC8B19
7704_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Thumb.vsdbinary
MD5:120F55FAF6943128B2B8DD793509AE0F
SHA256:FA2BDAB6DFDEBA6FEA9F6D79B043DBD0A6C9DB9DF636DC1ACD5356776C55F333
1416extrac32.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Besidesbinary
MD5:A5AC15CDE68D60CA86FAA610C53BD690
SHA256:636B27B5391FA73F5200D9F37BE8C17C2F4050C1A6F63D4555149FB5B84B1C09
1416extrac32.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\Forkbinary
MD5:1EE6DC3F9231919F1E4F353E2C17ED00
SHA256:73DCC5A513FE4B166B2BC777616DC91727DE6CCD016C52D488C84A9732FA64FF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
60
DNS requests
21
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.67:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
POST
200
40.126.32.68:443
https://login.live.com/RST2.srf
unknown
xml
11.2 Kb
POST
200
40.126.32.68:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
POST
200
40.126.32.74:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
POST
200
40.126.32.72:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
GET
200
20.31.169.57:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251022T122658Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=7ab2b08d02524490ac7066adad17e873&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4272746&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1663275&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
1.34 Kb
GET
200
20.31.169.57:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251022T122651Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=400adb108b404512ae996428800e21e7&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4272746&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1663275&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
3.20 Kb
5280
svchost.exe
POST
200
20.190.160.65:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
GET
200
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
29.1 Kb
7636
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7012
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
5596
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2564
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.206:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5280
svchost.exe
20.190.159.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7088
SearchApp.exe
2.16.241.206:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5596
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5280
svchost.exe
162.159.142.9:80
ocsp.digicert.com
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.16.241.206
  • 2.16.241.208
  • 2.16.241.203
  • 2.16.241.211
  • 2.16.241.207
  • 2.16.241.204
  • 2.16.241.214
  • 2.16.241.210
  • 2.16.241.205
  • 95.100.158.112
  • 23.3.89.97
  • 95.100.158.122
  • 23.3.89.90
  • 95.100.158.106
  • 95.100.158.121
  • 95.100.158.107
  • 95.100.158.115
  • 95.100.158.123
whitelisted
login.live.com
  • 20.190.159.130
  • 40.126.31.67
  • 40.126.31.2
  • 40.126.31.1
  • 20.190.159.75
  • 20.190.159.128
  • 20.190.159.71
  • 20.190.159.68
whitelisted
google.com
  • 216.58.212.142
whitelisted
ocsp.digicert.com
  • 162.159.142.9
  • 172.66.2.5
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
BKgEvwNbDm.BKgEvwNbDm
unknown
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Host header invalid
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Rhadamanthys Stage Payload HTTP Request outbound
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
_b829b8857eda796413908642bda6186d9cb7df4e5e70afb1b68e71d0e660bbdd.exe