File name: 400000.exe.mal

Full analysis: https://app.any.run/tasks/70aeb39f-927c-4719-9e26-d15b4ece6304
Verdict: Malicious activity
Threats:

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Analysis date: November 20, 2023, 17:25:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rhadamanthys
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E599617FDF20B9D45A3E5253BFA5EE23
SHA1: FA1D2003547BBE4FE6ED0BC7A7498E7C731F70CA
SHA256: F772AE542090ADE1D628A6FD61702292F73B9FE3F47B04955ECD3C4BC28920E8
SSDEEP: 6144:b4RK+At1ZnBrLpGS6xAFM6d8g7OQ7WvElxpGZYw4Vv3pB/m+BgXo3PMu:b4g/tjBr1N6xm7a76xcQvjmEvfMu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RHADAMANTHYS has been detected (SURICATA)

      • dialer.exe (PID: 3052)
    • Actions look like stealing of personal data

      • OpenWith.exe (PID: 5048)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • dialer.exe (PID: 3052)
    • Searches for installed software

      • OpenWith.exe (PID: 5048)
    • Loads DLL from Mozilla Firefox

      • OpenWith.exe (PID: 5048)
    • Connects to unusual port

      • OpenWith.exe (PID: 5048)
      • dialer.exe (PID: 3052)
  • INFO

    • Checks supported languages

      • 400000.exe.mal.exe (PID: 2344)
    • Manual execution by a user

      • OpenWith.exe (PID: 5048)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 6116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:12 13:54:33+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 5.1
CodeSize: 153088
InitializedDataSize: 336384
UninitializedDataSize: 65536
EntryPoint: 0x262a2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.9.2.0
ProductVersionNumber: 1.9.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Bloodshed Software
FileDescription: Bloodshed Pascal IDE
FileVersion: 1.9.2.0
InternalName: devpas.exe
LegalCopyright: Bloodshed Software
LegalTrademarks: Bloodshed Dev Pascal
OriginalFileName: devpas.exe
ProductName: Bloodshed Dev Pascal
ProductVersion: 1.9.1
Comments: Under the GNU General Public License
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes (in report order): start: 400000.exe.mal.exe (no specs); #RHADAMANTHYS dialer.exe; openwith.exe; cmd.exe (no specs); conhost.exe (no specs); systeminfo.exe (no specs); tiworker.exe (no specs); cmd.exe; conhost.exe (no specs); taskmgr.exe (no specs); filecoauth.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 2164
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Exit code: 0
Version: 10.0.19041.1220 (WinBuild.160101.0800)
Modules (images):
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2180
CMD: "C:\WINDOWS\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
PID: 2344
CMD: "C:\Users\admin\Desktop\400000.exe.mal.exe"
Path: C:\Users\admin\Desktop\400000.exe.mal.exe
Parent process: explorer.exe
User: admin
Company: Bloodshed Software
Integrity Level: MEDIUM
Description: Bloodshed Pascal IDE
Exit code: 0
Version: 1.9.2.0
Modules (images):
c:\users\admin\desktop\400000.exe.mal.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3052
CMD: "C:\WINDOWS\system32\dialer.exe"
Path: C:\Windows\SysWOW64\dialer.exe
Parent process: 400000.exe.mal.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Phone Dialer
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\dialer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3172
CMD: systeminfo
Path: C:\Windows\System32\systeminfo.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Displays system information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 3808
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4732
CMD: taskmgr
Path: C:\Windows\System32\Taskmgr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Manager
Exit code: 0
Version: 10.0.19041.1202 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
PID: 5048
CMD: "C:\WINDOWS\system32\openwith.exe"
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5332
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5432
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 8 428
Read events: 8 418
Write events: 9
Delete events: 1

Modification events

Process: (2164) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
Operation: write
Name: LastScavengingStarvationReport
Value: B1CA3FA5ECE2D801

Process: (2164) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 30980031

Process: (4732) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: delete value
Name: Preferences
Value:
(large binary Preferences blob omitted; the full value is in the full report)
Process: (4732) Taskmgr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
Operation: write
Name: SunJavaUpdateSched
Value: 020000000000000000000000

Process: (4732) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: write
Name: MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value: 030000002B498EF9C8B7D801

Process: (4732) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: write
Name: OneDrive
Value: 03000000A31484EEAAD7D301

Process: (4732) Taskmgr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: write
Name: SoundMan
Value: 030000009F7A12EAC6B7D801

Process: (4732) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
Operation: write
Name: Send to OneNote.lnk
Value: 030000004443A9558E3CD901

Process: (4732) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: write
Name: Skype for Desktop
Value: 03000000FD1CB01610C7D901

Process: (4732) Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: write
Name: Preferences
Value: (not included in this report extract)
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type, MD5, SHA256

PID: 2164
Process: TiWorker.exe
Filename: C:\WINDOWS\Logs\CBS\CBS.log
Type: text
MD5: 68E81D0C6102F9165283FC3BB718294A
SHA256: 11570714C739FFF30E282541EC60949742CBB84927F7ED81A447A34362BC5E95

PID: 3808
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-20.1734.3808.1.odl
Type: binary
MD5: 74F372F3C97E3E56A92643D879FFEAD7
SHA256: CAF6E1F7DE81082B584885A5F2F09067BB2B89C050CD7B4598B79430871C5955

PID: 4732
Process: Taskmgr.exe
Filename: C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Type: text
MD5: F49655F856ACB8884CC0ACE29216F511
SHA256: 7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA

PID: 3808
Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-20.1734.3808.1.aodl
Type: binary
MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 59
DNS requests: 33
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3856 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | binary | 471 b | unknown
3856 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | binary | 471 b | unknown
3856 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | unknown | binary | 471 b | unknown
2868 | svchost.exe | GET | 200 | 23.209.125.34:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown
3856 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | binary | 471 b | unknown
724 | SIHClient.exe | GET | 200 | 104.85.1.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
724 | SIHClient.exe | GET | 200 | 104.85.1.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown
3856 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | unknown | binary | 471 b | unknown
2980 | svchost.exe | GET | 200 | 23.2.228.139:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
2868 | svchost.exe | GET | 200 | 92.123.37.9:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3792 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3052 | dialer.exe | 23.152.0.240:3957 | - | ASN-QUADRANET-GLOBAL | US | unknown
5048 | OpenWith.exe | 23.152.0.240:3957 | - | ASN-QUADRANET-GLOBAL | US | unknown
2984 | OfficeClickToRun.exe | 104.208.16.90:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2984 | OfficeClickToRun.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3856 | SearchApp.exe | 88.221.24.114:443 | www.bing.com | Akamai International B.V. | NL | unknown
3856 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3856 | SearchApp.exe | 88.221.24.51:443 | r.bing.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
self.events.data.microsoft.com | 104.208.16.90 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 88.221.24.114 | whitelisted
r.bing.com | 88.221.24.51 | whitelisted
fp.msedge.net | 204.79.197.222 | whitelisted
b-ring.msedge.net | 13.107.6.254 | whitelisted
t-ring.msedge.net | 13.107.246.254 | unknown
dual-s-ring.msedge.net | 52.123.128.254 | unknown
fp-afd-nocache-ccp.azureedge.net | 13.107.246.67 | unknown
roxy.azurefd.net | 104.212.67.120 | unknown

Threats

PID | Process | Class | Message
3052 | dialer.exe | A Network Trojan was detected | STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s
3856 | SearchApp.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
3856 | SearchApp.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
8 ETPRO signatures available at the full report
No debug info