File name:

2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/653d0022-9058-4c68-adb7-fec8e2a08877
Verdict: Malicious activity
Analysis date: April 20, 2025, 19:47:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

C09C9920D32E9FFFB71B5CBF3F7621FB

SHA1:

ECCE1D1189D022DC6305BF7FD9FB77DA4F9CC2E0

SHA256:

33CB3EA4BA95392F0CE7340825BD351E651973F45B84967E707C721B681E2DDB

SSDEEP:

98304:hcsY/srGGGGGGSnNfYU7zhiKC5U8kk/kdHPflEtLMH46qmHBHiBb+n5/Gg4BGrfZ:W3x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • launch.exe (PID: 8104)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)

    • Loads dropped or rewritten executable

      • WdExt.exe (PID: 7984)
      • FileCoAuth.exe (PID: 3268)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)

    • Executable content was dropped or overwritten

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • @AEC390.tmp.exe (PID: 7732)
      • explorer.exe (PID: 7684)
      • WdExt.exe (PID: 7984)
      • wtmps.exe (PID: 7232)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)

    • Reads security settings of Internet Explorer

      • @AEC390.tmp.exe (PID: 7732)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)

    • Starts CMD.EXE for commands execution

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)

    • Executing commands from a ".bat" file

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)

    • The executable file from the user directory is run by the CMD process

      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
      • wtmps.exe (PID: 7232)

    • Detected use of alternative data streams (AltDS)

      • mscaps.exe (PID: 7280)

    • There is functionality for taking screenshot (YARA)

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)

  • INFO

    • Create files in a temporary directory

      • explorer.exe (PID: 7684)
      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)

    • Checks supported languages

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7664)
      • @AEC390.tmp.exe (PID: 7732)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
      • wtmps.exe (PID: 7232)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)
      • launch.exe (PID: 5576)

    • Auto-launch of the file from Registry key

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • launch.exe (PID: 8104)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)

    • The sample compiled with english language support

      • explorer.exe (PID: 7684)
      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7684)

    • Reads the computer name

      • @AEC390.tmp.exe (PID: 7732)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)

    • Creates files or folders in the user directory

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
      • wtmps.exe (PID: 7232)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)
      • @AEC390.tmp.exe (PID: 7732)

    • Checks proxy server information

      • @AEC390.tmp.exe (PID: 7732)
      • slui.exe (PID: 6036)

    • Process checks computer location settings

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)

    • Manual execution by a user

      • mscaps.exe (PID: 7280)
      • launch.exe (PID: 5576)

    • Reads the software policy settings

      • slui.exe (PID: 6036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:03:05 08:37:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 2560
InitializedDataSize: 29696
UninitializedDataSize: -
EntryPoint: 0x167f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
21
Malicious processes
5
Suspicious processes
6

Behavior graph

Click at the process to see the details
start 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe no specs explorer.exe @aec390.tmp.exe 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wdext.exe cmd.exe no specs conhost.exe no specs launch.exe cmd.exe no specs conhost.exe no specs wtmps.exe rundll32.exe no specs mscaps.exe mscaps.exe launch.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2320C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
3268C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
5576"C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Nt Module Starter
Exit code:
1
Version:
6.1.7600.16385
Modules
Images
c:\users\admin\appdata\roaming\microsoft\defender\launch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
6036C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6988"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /C:\Users\admin\AppData\Local\Temp\wtmps.exeC:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe
wtmps.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\protect\setup\mscaps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7232"C:\Users\admin\AppData\Local\Temp\wtmps.exe" C:\Users\admin\AppData\Local\Temp\wtmps.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wtmps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7280"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dllC:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\protect\setup\mscaps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
7664"C:\Users\admin\Desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe" C:\Users\admin\Desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7684explorer.exeC:\Windows\SysWOW64\explorer.exe
2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
7732"C:\Users\admin\AppData\Local\Temp\@AEC390.tmp.exe" C:\Users\admin\AppData\Local\Temp\@AEC390.tmp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\@aec390.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
7 205
Read events
7 191
Write events
14
Delete events
0

Modification events

(PID) Process:(7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
04000000030000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:writeName:MRUListEx
Value:
010000000000000004000000050000000200000003000000FFFFFFFF
(PID) Process:(7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Operation:writeName:Startup
Value:
C:\Users\admin\AppData\Local\Start
(PID) Process:(7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation:writeName:Startup
Value:
C:\Users\admin\AppData\Local\Start
(PID) Process:(8104) launch.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Windows Defender Extension
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"
(PID) Process:(7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CADB000000
(PID) Process:(6988) mscaps.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:JREUpdate
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
(PID) Process:(7280) mscaps.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:JREUpdate
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
Executable files
18
Suspicious files
13
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
7684explorer.exeC:\Users\admin\AppData\Local\Temp\@AEC390.tmp.exeexecutable
MD5:F852B92D239CEB9CF58407D4C9C2BE67
SHA256:FA61AD7D4A56DF5ACBE00FBB41008988EB70834E1B4D79AA628260AD27EB68BC
7732@AEC390.tmp.exeC:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exeexecutable
MD5:F852B92D239CEB9CF58407D4C9C2BE67
SHA256:FA61AD7D4A56DF5ACBE00FBB41008988EB70834E1B4D79AA628260AD27EB68BC
7732@AEC390.tmp.exeC:\Users\admin\AppData\Roaming\Temp\mydll.dllexecutable
MD5:FC4A6145DDD1B64983E8700601C71FC6
SHA256:5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6
7732@AEC390.tmp.exeC:\Users\admin\AppData\Local\Temp\SeC7E8.tmpbinary
MD5:89CAEE39ED8414548EF2FEFEBF910D78
SHA256:8BBA704B4D71E7EBDB648D50ACA384862955AFB37929E9435093B86B65987DD4
7732@AEC390.tmp.exeC:\Users\admin\AppData\Local\Temp\SpC7E7.tmpbinary
MD5:9C01DE63009DC2E77F35628020430B90
SHA256:31BACED2DF09FCCEF5CB4FA18C130FB96543E61A9DCE025B9EBFD0BCBCAB0D96
7984WdExt.exeC:\Users\admin\AppData\Local\Temp\tmpCAC6.tmpexecutable
MD5:1FCC5B3ED6BC76D70CFA49D051E0DFF6
SHA256:B0C0C49EED934E6D2ED990913D4C71108F6104352D23F72D3EF0A3EF4074D92E
7984WdExt.exeC:\Users\admin\AppData\Roaming\Microsoft\Identities\admin\arc.dllbinary
MD5:8501E1FAEFA7B184FD627F822F53697C
SHA256:70E0437A0E6E9E00F1100EA438F95BA871EC51C55FBF2355B693F368596F605F
7732@AEC390.tmp.exeC:\Users\admin\AppData\Roaming\Temp\admin1.battext
MD5:0E287F5673F9EA057ACAFFF58FDAD2CA
SHA256:BF3118557A2B9D06F4C08A7D018939949B160E381F84810DF6C0862F16B76EAF
7984WdExt.exeC:\Users\admin\AppData\Local\Temp\tmpCA47.tmpexecutable
MD5:2D9DF706D1857434FCAA014DF70D1C66
SHA256:126593B3672E6985FE4E4903D656040E16A69264FAF91B1A416EF00565E17E7C
7732@AEC390.tmp.exeC:\Users\admin\AppData\Roaming\Temp\admin0.battext
MD5:F2D4F8A8491F3A5151B05D92F283EBEF
SHA256:CCC42E2A79C7DFE395EB6BD21CAD4D44D526C5A361953175573DB7B59BE57EBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
50
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
4988
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4988
SIHClient.exe
GET
200
23.216.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4988
SIHClient.exe
GET
200
23.216.77.37:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4988
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
13.85.23.206:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
unknown
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
4.245.163.56:443
https://slscr.update.microsoft.com/sls/ping
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4988
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 23.216.77.37
  • 23.216.77.35
  • 23.216.77.28
  • 23.216.77.20
  • 23.216.77.19
  • 23.216.77.41
  • 23.216.77.18
  • 23.216.77.38
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
windowsupdate.microsoft.com
  • 20.109.209.108
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.65
  • 20.190.160.130
  • 40.126.32.72
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.136
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader