File name:

EmbrChts.exe

Full analysis: https://app.any.run/tasks/eafc76db-200e-4dc5-8b51-7a7fd84804e3
Verdict: Malicious activity
Threats:

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Malware Trends Tracker     >>>
Analysis date: October 01, 2025, 19:34:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anti-evasion
rhadamanthys
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:

B117B9540B2814D7B57CA5616A6A9A28

SHA1:

2F255F1BB24FF9EAF7FC5164EA981DC938755235

SHA256:

FE738970BE1450AD93E0D30310A81A58E553D80277D1F9B29F827F20899D5ADC

SSDEEP:

98304:uMiH3QFjcCpvn03TwkVYfwYVH1LR47rApqj8O7n1d/xqVNHjms7LQYA5Gw3tQYEo:x9vkfly2oScaKE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • EmbrChts.exe (PID: 1156)

    • RHADAMANTHYS has been detected (YARA)

      • OpenWith.exe (PID: 6200)

  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • OpenWith.exe (PID: 6200)

    • Connects to unusual port

      • OpenWith.exe (PID: 6200)

  • INFO

    • The sample compiled with english language support

      • EmbrChts.exe (PID: 1156)

    • Manual execution by a user

      • OpenWith.exe (PID: 6200)

    • Checks supported languages

      • EmbrChts.exe (PID: 1156)

    • Checks proxy server information

      • slui.exe (PID: 6760)

    • Reads the software policy settings

      • slui.exe (PID: 6760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Rhadamanthys

(PID) Process(6200) OpenWith.exe
C2 (2)https://178.16.53.236:6343/gateway/f7o3u7w7.867b7
https://openai-pidor-with-ai.com:6343/gateway/f7o3u7w7.867b7
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:05:13 11:58:22+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 185344
InitializedDataSize: 663552
UninitializedDataSize: -
EntryPoint: 0xa5f79c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 14.2.2.0
ProductVersionNumber: 14.2.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: OGRE Team
ProductName: OGRE3D
FileDescription: Object-Oriented Graphics Rendering Engine
FileVersion: 14.2.2
ProductVersion: 14.2.2
OriginalFileName: ogre3d.exe
InternalName: ogre3d
LegalCopyright: © 2000-2025 The OGRE Team
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start embrchts.exe no specs #RHADAMANTHYS openwith.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1156"C:\Users\admin\Desktop\EmbrChts.exe" C:\Users\admin\Desktop\EmbrChts.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\embrchts.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6200"C:\WINDOWS\system32\openwith.exe"C:\Windows\System32\OpenWith.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Rhadamanthys
(PID) Process(6200) OpenWith.exe
C2 (2)https://178.16.53.236:6343/gateway/f7o3u7w7.867b7
https://openai-pidor-with-ai.com:6343/gateway/f7o3u7w7.867b7
6760C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 929
Read events
3 929
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
44
TCP/UDP connections
66
DNS requests
19
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.55.110.182:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.55.110.182:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5824
RUXIMICS.exe
GET
200
23.55.110.182:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5824
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.71:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
POST
400
20.190.159.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
204 b
POST
400
40.126.31.71:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
204 b
POST
400
20.190.159.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
204 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5824
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.55.110.182:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.55.110.182:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5824
RUXIMICS.exe
23.55.110.182:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 23.55.110.182
  • 23.55.110.193
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.130
  • 20.190.160.14
  • 20.190.160.66
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.140
  • 20.190.160.4
whitelisted
cloudflare-dns.com
  • 104.16.249.249
  • 104.16.248.249
whitelisted
openai-pidor-with-ai.com
  • 2.58.56.225
  • 178.16.53.243
malicious
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Generic Protocol Command Decode
SURICATA HTTP Host header invalid
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
EmbrChts.exe