File name: 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn
Full analysis: https://app.any.run/tasks/0604fd58-e87a-455a-a4cc-db10733abd07
Verdict: Malicious activity
Analysis date: May 18, 2025, 20:37:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo, auto-reg, auto-download, delphi, lua
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 29359270B1D0A5A70A6B1B3B7B04986A
SHA1: E0557593B8C3254EE62A63BB8724DAF2E87B02D5
SHA256: 01BF247D4A50B7B30560FF0F03F64FD86C2135920193EBF1E8D53EF236E1442B
SSDEEP: 98304:5cCi2xzZ4DWWxEX+lz3MrxuKaKgfy+CYQBZA67IfY/MWUAn07Niq4/rW6VBLDrJp:wbLBTwogHme

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • icsys.icn.exe (PID: 7916)
      • explorer.exe (PID: 7976)
      • explorer.exe (PID: 5492)
      • svchost.exe (PID: 8020)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 7976)
      • svchost.exe (PID: 8020)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6800)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 1244)
      • icsys.icn.exe (PID: 7916)
      • explorer.exe (PID: 7976)
      • spoolsv.exe (PID: 7996)
    • Starts application with an unusual extension

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 1244)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6800)
    • Process drops legitimate windows executable

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6800)
    • Starts CMD.EXE for commands execution

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
    • Starts itself from another location

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • icsys.icn.exe (PID: 7916)
      • explorer.exe (PID: 7976)
      • spoolsv.exe (PID: 7996)
      • svchost.exe (PID: 8020)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7916)
      • spoolsv.exe (PID: 7996)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
    • There is functionality for communication over UDP network (YARA)

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
    • Creates or modifies Windows services

      • svchost.exe (PID: 8020)
  • INFO

    • The sample compiled with english language support

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6800)
    • Checks supported languages

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 1244)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6800)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
      • icsys.icn.exe (PID: 7916)
      • explorer.exe (PID: 7976)
      • spoolsv.exe (PID: 7996)
      • svchost.exe (PID: 8020)
      • spoolsv.exe (PID: 8040)
      • identity_helper.exe (PID: 7520)
    • Reads the computer name

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 1244)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
      • svchost.exe (PID: 8020)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • identity_helper.exe (PID: 7520)
    • Create files in a temporary directory

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 3332)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 1244)
      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6800)
      • icsys.icn.exe (PID: 7916)
      • spoolsv.exe (PID: 7996)
      • explorer.exe (PID: 7976)
      • spoolsv.exe (PID: 8040)
      • svchost.exe (PID: 8020)
    • Application launched itself

      • msedge.exe (PID: 4224)
      • msedge.exe (PID: 1184)
    • Manual execution by a user

      • msedge.exe (PID: 1184)
      • svchost.exe (PID: 7304)
      • explorer.exe (PID: 7424)
      • msedge.exe (PID: 8112)
      • OpenWith.exe (PID: 7900)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7976)
      • svchost.exe (PID: 8020)
    • Reads Environment values

      • identity_helper.exe (PID: 7520)
    • The process uses Lua

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
    • Compiled with Borland Delphi (YARA)

      • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 2692)
    • Auto-launch of the file from Downloads directory

      • msedge.exe (PID: 1184)
      • msedge.exe (PID: 8036)
      • msedge.exe (PID: 6516)
    • Reads the software policy settings

      • explorer.exe (PID: 5492)
    • Checks proxy server information

      • explorer.exe (PID: 5492)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 5492)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 1184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
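Two of the indicator families above ("Starts itself from another location" / "creates files with name similar to system file names", and "Starts application with an unusual extension", which here is the copy whose image name ends in ".exe" followed by a space) can be re-checked offline from any process listing. The following is an added example, not ANY.RUN's detection code: the process records are constructed to resemble the report's process tree, and the directories of the dropped explorer.exe / svchost.exe copies are assumed, since the report does not print them.

```python
"""Offline re-check of two indicator families from the report above:
a system-binary name (explorer.exe, svchost.exe, spoolsv.exe) launched from
outside its legitimate directory, and an image name with an unusual
extension, here ".exe" followed by a space. Added example, not ANY.RUN's code.
Process records are constructed; the dropped copies' directories are assumed."""
import ntpath
from dataclasses import dataclass

# Windows binaries that droppers like to imitate, with the directories they
# legitimately run from (lower-case, no trailing backslash).
LEGIT_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
NORMAL_EXTENSIONS = {".exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str  # full image path as the sandbox recorded it


def masquerade_findings(proc: Proc) -> list:
    """Findings for one process record; an empty list means nothing odd."""
    findings = []
    directory, name = ntpath.split(proc.image)
    stripped = name.rstrip()
    # 1. "sample.exe " is not the string "sample.exe": rules and allow-lists
    #    that key on the written extension do not see ".exe" at the end.
    if name != stripped or ntpath.splitext(stripped)[1].lower() not in NORMAL_EXTENSIONS:
        findings.append(f"pid {proc.pid}: unusual extension {name!r}")
    # 2. a well-known system binary name running from an unexpected directory
    expected = LEGIT_LOCATIONS.get(stripped.lower())
    if expected and directory.lower() not in expected:
        findings.append(f"pid {proc.pid}: {stripped.lower()} started from {directory!r}")
    return findings


def triage(procs) -> list:
    """Run the checks over a whole process list, preserving launch order."""
    return [f for p in procs for f in masquerade_findings(p)]


# Constructed records modelled on the report's process tree (paths assumed).
SAMPLE_TREE = [
    Proc(3332, r"C:\Users\admin\Desktop\sample.exe"),
    Proc(6800, r"C:\Users\admin\Desktop\sample.exe "),          # trailing space
    Proc(7916, r"C:\Users\admin\AppData\Local\Temp\icsys.icn.exe"),
    Proc(7976, r"C:\Users\admin\AppData\Local\Temp\explorer.exe"),
    Proc(8020, r"C:\Users\admin\AppData\Local\Temp\svchost.exe"),
    Proc(2104, r"C:\Windows\System32\svchost.exe"),
    Proc(5492, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_TREE):
        print(line)
```

On the constructed tree this reports three findings: the trailing-space copy (6800) and the explorer.exe / svchost.exe copies running from the Temp directory (7976, 8020); the genuine system processes (2104, 5492) and icsys.icn.exe pass the name-based checks, which is why that file still needs a hash or signature look-up.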
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
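The EXIF block above is a straight read of the PE headers, and the hashes at the top of the report are plain MD5/SHA-1/SHA-256 of the file bytes. The following is an added example, not ANY.RUN's or any tool's code, that parses those header fields with nothing but the standard library and computes the hashes. The header bytes it feeds itself are constructed to carry the values the report lists (3 sections, link timestamp 2013:04:01 07:08:22, linker 6.0, entry point 0x290c, GUI subsystem, the listed characteristics); they are not the sample's real bytes, and fields the report omits (image base, alignments, SizeOfImage, SizeOfHeaders) are assumed.

```python
"""Parse the PE fields the report's EXIF block lists and hash the file.
Added example, not ANY.RUN's code. The header built by
build_constructed_header() is constructed to match the report's values;
fields the report does not list are assumed."""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, named the way the report names them.
CHARACTERISTIC_FLAGS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows console"}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the three algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
    }


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header and the start of the optional header of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    magic, maj_link, min_link, code, idata, udata, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # Subsystem field offset in PE32
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "PEType": "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else hex(magic),
        "LinkerVersion": f"{maj_link}.{min_link}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": hex(entry),
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "ImageFileCharacteristics": [name for bit, name in CHARACTERISTIC_FLAGS if chars & bit],
    }


def build_constructed_header() -> bytes:
    """A minimal MZ/PE header carrying the report's values (constructed, not the sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    ts = int(datetime(2013, 4, 1, 7, 8, 22, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 224, 0x010F)   # i386, 3 sections, relocs/lines/syms stripped, exe, 32-bit
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHH",
        0x10B, 6, 0,                  # PE32, linker 6.0
        106496, 12288, 0, 0x290C,     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
        0x1000, 0x1000 + 106496,      # BaseOfCode, BaseOfData (assumed)
        0x400000, 0x1000, 0x200,      # ImageBase, SectionAlignment, FileAlignment (assumed)
        4, 0, 1, 0, 4, 0,             # OS 4.0, image 1.0, subsystem 4.0
        0, 0x20000, 0x400, 0,         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (assumed)
        2, 0,                         # Subsystem = Windows GUI, DllCharacteristics
    )
    return bytes(dos) + b"PE\0\0" + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    for k, v in parse_pe_header(build_constructed_header()).items():
        print(f"{k}: {v}")
```

Run against the actual file (`parse_pe_header(open(path, "rb").read())`) the dictionary should reproduce the EXIF fields above, and `file_hashes(...)["SHA256"]` should match the SHA256 at the top of the report; a mismatch in either is the quickest sign that the file on disk is not the one that was analysed.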
All screenshots are available in the full report
Total processes: 208
Monitored processes: 83
Malicious processes: 6
Suspicious processes: 2

Behavior graph (process launch order; "#JEEFO" marks processes the Jeefo detection fired on, "no specs" marks processes with no recorded indicators)

  • #JEEFO 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe, followed by three further instances launched under the same file name with a trailing space ("swisyn.exe "), the last of them with no specs
  • cmd.exe (no specs), conhost.exe (no specs)
  • msedge.exe: a long run of browser, renderer and utility instances, almost all with no specs
  • #JEEFO icsys.icn.exe
  • #JEEFO explorer.exe, spoolsv.exe, #JEEFO svchost.exe, spoolsv.exe (no specs)
  • identity_helper.exe ×2 (no specs), svchost.exe (no specs), explorer.exe (no specs)
  • openwith.exe (no specs), #JEEFO explorer.exe, openwith.exe (no specs), slui.exe
  • further msedge.exe instances (no specs)
  • 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (no specs)

Process information

Columns per entry: PID, CMD, Path, Indicators, Parent process
PID: 668
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6004 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1020
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2604 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1052
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2512 --field-trial-handle=2392,i,13815227219425111088,7279620696449805789,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1132
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7488 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument http://mrantifun.net/
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5932 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1228
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5516 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1244
CMD: c:\users\admin\desktop\2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (note the trailing space in the image name, which is what the "unusual extension" indicator refers to)
Path: C:\Users\admin\Desktop\2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe 
Parent process: 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1388
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5692 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1748
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7368 --field-trial-handle=2520,i,18399795517655541554,11203690928112556378,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 17 210
Read events: 17 084
Write events: 121
Delete events: 5

Modification events

(PID) Process: (3332) 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (4988) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000004025A
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000040250
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

(PID) Process: (2692) 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (trailing-space copy)
Key: HKEY_CURRENT_USER\SOFTWARE\Cheat Engine\Window Positions
Operation: write
Name: AdvancedOptions Position
Value: 7E010000FF0100007402000029010000

(PID) Process: (2692) 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (trailing-space copy)
Key: HKEY_CURRENT_USER\SOFTWARE\Cheat Engine\Window Positions
Operation: write
Name: frmAutoInject Position
Value: 8701000000050000AF0100004B010000

(PID) Process: (4224) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (4224) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: B10FEE4405942F00

(PID) Process: (1184) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (1184) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2
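The report's "Changes the autorun value in the registry", "Auto-launch of the file from Registry key" and "Creates or modifies Windows services" indicators are all registry-write classifications, and the modification events above are the raw material they work on (the table shows only the first ten writes, so the autorun key itself is not printed). The following is an added example, not ANY.RUN's logic, of a small classifier over events in that same shape. The SaveSetting, Cheat Engine and Edge rows mirror rows in the table; the Run-key and Services rows are assumed, because the report states those changes but does not print their keys or values.

```python
"""Classify registry write events (same fields as the report's Modification
events table) into persistence locations and known state markers.
Added example, not ANY.RUN's code. The Run-key and Services events in
CONSTRUCTED_EVENTS are assumed; the others mirror rows from the report."""
import re
from typing import NamedTuple, Optional


class RegEvent(NamedTuple):
    pid: int
    process: str
    key: str
    operation: str   # "write", "delete key", ...
    name: str
    value: str


# (pattern over the full key path, label). Matched case-insensitively.
AUTORUN_KEYS = [
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|OnceEx|Services)?$", "Run key autorun"),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", "policy Run key autorun"),
    (r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", "Winlogon autorun"),
    (r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+$", "service creation/modification"),
]
MARKER_KEYS = [
    # VB6 SaveSetting() writes here; the report shows the dropper writing LO=1.
    (r"\\VB and VBA Program Settings\\", "VB6 SaveSetting state"),
]


def classify(ev: RegEvent) -> Optional[str]:
    """Label for an interesting write, None for deletes and unremarkable keys."""
    if ev.operation.lower() not in {"write", "create key"}:
        return None
    for pattern, label in AUTORUN_KEYS + MARKER_KEYS:
        if re.search(pattern, ev.key, re.IGNORECASE):
            return label
    return None


def persistence_findings(events):
    """(label, event) pairs, in event order, for everything classify() labels."""
    return [(label, ev) for ev in events if (label := classify(ev)) is not None]


CONSTRUCTED_EVENTS = [
    # mirrors the report
    RegEvent(3332, "sample.exe", r"HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process",
             "write", "LO", "1"),
    RegEvent(2692, "sample.exe ", r"HKEY_CURRENT_USER\SOFTWARE\Cheat Engine\Window Positions",
             "write", "AdvancedOptions Position", "7E010000FF0100007402000029010000"),
    RegEvent(5492, "explorer.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000004025A",
             "delete key", "(default)", ""),
    # assumed: the report states the autorun and service changes but does not print them
    RegEvent(7976, "explorer.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "write", "explorer", r"C:\Users\admin\AppData\Local\Temp\explorer.exe"),
    RegEvent(8020, "svchost.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc",
             "write", "ImagePath", r"C:\Users\admin\AppData\Local\Temp\svchost.exe"),
    # mirrors the report: ordinary browser housekeeping
    RegEvent(1184, "msedge.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon",
             "write", "state", "2"),
]

if __name__ == "__main__":
    for label, ev in persistence_findings(CONSTRUCTED_EVENTS):
        print(f"{label}: pid {ev.pid} {ev.process} -> {ev.key}\\{ev.name} = {ev.value}")
```

The point of keeping the Services and Run patterns anchored to the end of the key path is to avoid matching the many benign writes under deeper sub-keys (Explorer\SessionInfo, Edge\StabilityMetrics and the like) that make up most of the 121 write events in this run.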
Executable files: 44
Suspicious files: 290
Text files: 70
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type | MD5 | SHA256

1244 | 2025-05-18_29359270b1d0a5a70a6b1b3b7b04986a_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (trailing-space copy) | C:\Users\admin\AppData\Local\Temp\cetrainers\CETD2B3.tmp\CET_Archive.dat | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10e215.TMP | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10e234.TMP | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State | binary | A790CAC21B9DAFD97AFB2A868A33EBB0 | FB22D4DCE36D7C226C0FB7A3EC10B755B810EB89019BD4959DD4BAB1457DDF7E
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10e244.TMP | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10e1f5.TMP | (none) | (none) | (none)
1184 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10e244.TMP | (none) | (none) | (none)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 204
DNS requests: 154
Threats: 15

HTTP requests (columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation; the Type and Size columns were empty for every row)

2104 | svchost.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
5492 | explorer.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA2LpfdFcSPbdVFa0X9jdfU%3D | unknown | whitelisted
7508 | svchost.exe | HEAD | 200 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1748130507&P2=404&P3=2&P4=Blr82VxyS81NtthcUvRJfwijjV2%2f8yysx4WEmhFU5%2fvD47ltxGaUcBYW0JeNKuf5ShlxcNjz1eUtApCHY48yhA%3d%3d | unknown | whitelisted
7508 | svchost.exe | GET | 206 | 2.16.168.202:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1748130507&P2=404&P3=2&P4=Blr82VxyS81NtthcUvRJfwijjV2%2f8yysx4WEmhFU5%2fvD47ltxGaUcBYW0JeNKuf5ShlxcNjz1eUtApCHY48yhA%3d%3d | unknown | whitelisted (four partial-content range requests to this URL)

Connections (columns: PID | Process | IP | Domain | ASN | CN | Reputation)

4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(as above) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(as above) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1184 | msedge.exe | 239.255.255.250:1900 | (none) | (none) | (none) | whitelisted
1020 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1020 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1020 | msedge.exe | 13.107.246.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.216.77.30
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.13
  • 23.216.77.25
  • 23.216.77.5
  • 23.216.77.20
  • 23.216.77.18
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
mrantifun.net
  • 104.21.96.100
  • 172.67.176.147
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
www.bing.com
  • 104.126.37.184
  • 104.126.37.171
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.176
  • 104.126.37.136
  • 104.126.37.130
  • 104.126.37.144
  • 104.126.37.131
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.206
  • 2.16.241.204
whitelisted

Threats (columns: PID | Process | Class | Message)

1020 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)  (8 hits)
(no PID) | (no process) | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
(no PID) | (no process) | Misc activity | ET INFO EXE - Served Attached HTTP
No debug info