File name:

2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/653d0022-9058-4c68-adb7-fec8e2a08877
Verdict: Malicious activity
Analysis date: April 20, 2025, 19:47:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

C09C9920D32E9FFFB71B5CBF3F7621FB

SHA1:

ECCE1D1189D022DC6305BF7FD9FB77DA4F9CC2E0

SHA256:

33CB3EA4BA95392F0CE7340825BD351E651973F45B84967E707C721B681E2DDB

SSDEEP:

98304:hcsY/srGGGGGGSnNfYU7zhiKC5U8kk/kdHPflEtLMH46qmHBHiBb+n5/Gg4BGrfZ:W3x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • launch.exe (PID: 8104)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
    • Loads dropped or rewritten executable

      • WdExt.exe (PID: 7984)
      • FileCoAuth.exe (PID: 3268)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
    • Reads security settings of Internet Explorer

      • @AEC390.tmp.exe (PID: 7732)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 7684)
      • WdExt.exe (PID: 7984)
      • wtmps.exe (PID: 7232)
      • mscaps.exe (PID: 6988)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • mscaps.exe (PID: 7280)
      • @AEC390.tmp.exe (PID: 7732)
    • Executing commands from a ".bat" file

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
    • The executable file from the user directory is run by the CMD process

      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
      • wtmps.exe (PID: 7232)
    • Starts CMD.EXE for commands execution

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
    • Detected use of alternative data streams (AltDS)

      • mscaps.exe (PID: 7280)
    • There is functionality for taking screenshot (YARA)

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
  • INFO

    • The sample compiled with english language support

      • explorer.exe (PID: 7684)
      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
    • Create files in a temporary directory

      • explorer.exe (PID: 7684)
      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)
    • Checks supported languages

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7664)
      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
      • wtmps.exe (PID: 7232)
      • mscaps.exe (PID: 6988)
      • mscaps.exe (PID: 7280)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • launch.exe (PID: 5576)
    • Checks proxy server information

      • @AEC390.tmp.exe (PID: 7732)
      • slui.exe (PID: 6036)
    • Reads the computer name

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7684)
    • Creates files or folders in the user directory

      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
      • wtmps.exe (PID: 7232)
      • mscaps.exe (PID: 6988)
      • @AEC390.tmp.exe (PID: 7732)
      • mscaps.exe (PID: 7280)
    • Process checks computer location settings

      • @AEC390.tmp.exe (PID: 7732)
      • WdExt.exe (PID: 7984)
      • launch.exe (PID: 8104)
    • Auto-launch of the file from Registry key

      • launch.exe (PID: 8104)
      • mscaps.exe (PID: 6988)
      • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (PID: 7752)
      • mscaps.exe (PID: 7280)
    • Manual execution by a user

      • mscaps.exe (PID: 7280)
      • launch.exe (PID: 5576)
    • Reads the software policy settings

      • slui.exe (PID: 6036)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:03:05 08:37:55+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 2560
InitializedDataSize: 29696
UninitializedDataSize: -
EntryPoint: 0x167f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 144
Monitored processes: 21
Malicious processes: 5
Suspicious processes: 6

Behavior graph

Process chain in the order the graph lists it (the "no specs" label is the report's own marker and is kept as-is):

  • start: 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe (no specs)
  • explorer.exe
  • @aec390.tmp.exe
  • 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wdext.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • launch.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wtmps.exe
  • rundll32.exe (no specs)
  • mscaps.exe
  • mscaps.exe
  • launch.exe (no specs)
  • filecoauth.exe (no specs)
  • slui.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty for every row below)
PID: 2320
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3268
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 5576
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Nt Module Starter
Exit code:
1
Version:
6.1.7600.16385
Modules
Images
c:\users\admin\appdata\roaming\microsoft\defender\launch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6036
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6988
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /C:\Users\admin\AppData\Local\Temp\wtmps.exe
Path: C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe
Parent process: wtmps.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\protect\setup\mscaps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7232
CMD: "C:\Users\admin\AppData\Local\Temp\wtmps.exe"
Path: C:\Users\admin\AppData\Local\Temp\wtmps.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wtmps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7280
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
Path: C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\protect\setup\mscaps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7664
CMD: "C:\Users\admin\Desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7684
CMD: explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
PID: 7732
CMD: "C:\Users\admin\AppData\Local\Temp\@AEC390.tmp.exe"
Path: C:\Users\admin\AppData\Local\Temp\@AEC390.tmp.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\@aec390.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 7 205
Read events: 7 191
Write events: 14
Delete events: 0

Modification events

Process: (7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

Process: (7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
04000000030000000E00000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

Process: (7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation: write
Name: MRUListEx
Value:
010000000000000004000000050000000200000003000000FFFFFFFF

Process: (7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Operation: write
Name: Startup
Value:
C:\Users\admin\AppData\Local\Start

Process: (7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation: write
Name: Startup
Value:
C:\Users\admin\AppData\Local\Start

Process: (8104) launch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Windows Defender Extension
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Defender\launch.exe"

Process: (7752) 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CADB000000

Process: (6988) mscaps.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: JREUpdate
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll

Process: (7280) mscaps.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: JREUpdate
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Protect\SETUP\mscaps.exe" /s /n /i:U shell32.dll
Executable files: 18
Suspicious files: 13
Text files: 6
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

7684 | explorer.exe | C:\Users\admin\AppData\Local\Temp\@AEC390.tmp.exe | executable
MD5: F852B92D239CEB9CF58407D4C9C2BE67
SHA256: FA61AD7D4A56DF5ACBE00FBB41008988EB70834E1B4D79AA628260AD27EB68BC

7684 | explorer.exe | C:\Users\admin\Desktop\2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | executable
MD5: 1135E138D6B61ECAAA7980B298F3E792
SHA256: 6BB74AB853D1B1E14855467D5C1FE1C074C93B10D776EF91EF87C7DB0C378E40

7752 | 2025-04-20_c09c9920d32e9fffb71b5cbf3f7621fb_amadey_darpapox_elex_nymaim_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Start\update.exe | executable
MD5: 1135E138D6B61ECAAA7980B298F3E792
SHA256: 6BB74AB853D1B1E14855467D5C1FE1C074C93B10D776EF91EF87C7DB0C378E40

7732 | @AEC390.tmp.exe | C:\Users\admin\AppData\Local\Temp\SpC7E7.tmp | binary
MD5: 9C01DE63009DC2E77F35628020430B90
SHA256: 31BACED2DF09FCCEF5CB4FA18C130FB96543E61A9DCE025B9EBFD0BCBCAB0D96

7732 | @AEC390.tmp.exe | C:\Users\admin\AppData\Roaming\Temp\admin1.bat | text
MD5: 0E287F5673F9EA057ACAFFF58FDAD2CA
SHA256: BF3118557A2B9D06F4C08A7D018939949B160E381F84810DF6C0862F16B76EAF

7732 | @AEC390.tmp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | executable
MD5: F852B92D239CEB9CF58407D4C9C2BE67
SHA256: FA61AD7D4A56DF5ACBE00FBB41008988EB70834E1B4D79AA628260AD27EB68BC

7984 | WdExt.exe | C:\Users\admin\AppData\Roaming\Temp\mydll.dll | executable
MD5: FC4A6145DDD1B64983E8700601C71FC6
SHA256: 5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6

7732 | @AEC390.tmp.exe | C:\Users\admin\AppData\Local\Temp\tmpC66F.tmp | executable
MD5: AE8995C59339753FC85058293C6C010E
SHA256: BB1592D43557C6A305468C437878EBACA312257F064EC602E968E58A50B86AB9

7732 | @AEC390.tmp.exe | C:\Users\admin\AppData\Local\Temp\SeC7E8.tmp | binary
MD5: 89CAEE39ED8414548EF2FEFEBF910D78
SHA256: 8BBA704B4D71E7EBDB648D50ACA384862955AFB37929E9435093B86B65987DD4

7732 | @AEC390.tmp.exe | C:\Users\admin\AppData\Roaming\Temp\mydll.dll | executable
MD5: FC4A6145DDD1B64983E8700601C71FC6
SHA256: 5D920A7A5486E7C1693334D59271F2A59A64B59A8FA87FA4BA71AACCE4CDF8A6
HTTP(S) requests: 32
TCP/UDP connections: 50
DNS requests: 18
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation ("-" where the report lists no value; the Type and Size columns are empty for every row and are omitted)

2104 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
4988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4988 | SIHClient.exe | GET | 200 | 23.216.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
4988 | SIHClient.exe | GET | 200 | 23.216.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
4988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
- | - | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report lists no value)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4988 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 23.216.77.37
  • 23.216.77.35
  • 23.216.77.28
  • 23.216.77.20
  • 23.216.77.19
  • 23.216.77.41
  • 23.216.77.18
  • 23.216.77.38
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
windowsupdate.microsoft.com
  • 20.109.209.108
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.65
  • 20.190.160.130
  • 40.126.32.72
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.136
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info