File name:

2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn

Full analysis: https://app.any.run/tasks/3e12abd8-accc-4664-95ed-1f293f985cd5
Verdict: Malicious activity
Analysis date: April 29, 2025, 16:02:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

A4365531DC5D487424DF1F321BA616F5

SHA1:

9C86E2485ED292BA904193B12976CA72A6FEC387

SHA256:

457C534E3E201208504A3CD00D3860E62EF77D7A82CF69CD5A6A0D63D473904D

SSDEEP:

49152:5cqCPjUa2DxVhJX8wZWpmDTpk2BHyU7gepwTsFIxg6f2nhzFX:5cqCjUjDnhaw+mDTpkGHXgepwYFDFX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)
      • icsys.icn.exe (PID: 5596)
      • explorer.exe (PID: 6944)
      • svchost.exe (PID: 6620)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 6944)
      • svchost.exe (PID: 6620)

    • Changes appearance of the Explorer extensions

      • explorer.exe (PID: 6944)
      • svchost.exe (PID: 6620)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 6944)
      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)
      • spoolsv.exe (PID: 4448)
      • icsys.icn.exe (PID: 5596)
      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6560)

    • Starts itself from another location

      • explorer.exe (PID: 6944)
      • spoolsv.exe (PID: 4448)
      • svchost.exe (PID: 6620)
      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)
      • icsys.icn.exe (PID: 5596)

    • The process creates files with name similar to system file names

      • spoolsv.exe (PID: 4448)
      • icsys.icn.exe (PID: 5596)

    • Creates a software uninstall entry

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6560)

    • Creates or modifies Windows services

      • svchost.exe (PID: 6620)

  • INFO

    • The sample compiled with english language support

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)
      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6560)

    • Checks supported languages

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)
      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6560)
      • explorer.exe (PID: 6944)
      • svchost.exe (PID: 6620)
      • spoolsv.exe (PID: 4448)
      • spoolsv.exe (PID: 6640)
      • icsys.icn.exe (PID: 5596)

    • Reads the computer name

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6560)
      • svchost.exe (PID: 6620)

    • Create files in a temporary directory

      • explorer.exe (PID: 6944)
      • spoolsv.exe (PID: 4448)
      • svchost.exe (PID: 6620)
      • spoolsv.exe (PID: 6640)
      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe (PID: 5008)
      • icsys.icn.exe (PID: 5596)

    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 6944)
      • svchost.exe (PID: 6620)

    • Manual execution by a user

      • explorer.exe (PID: 6344)
      • svchost.exe (PID: 1300)

    • Creates files in the program directory

      • 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  (PID: 6560)

    • Checks proxy server information

      • slui.exe (PID: 6752)

    • Reads the software policy settings

      • slui.exe (PID: 6752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
11
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #JEEFO 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  #JEEFO icsys.icn.exe #JEEFO explorer.exe spoolsv.exe #JEEFO svchost.exe spoolsv.exe no specs slui.exe explorer.exe no specs svchost.exe no specs 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1300c:\windows\resources\svchost.exe ROC:\Windows\Resources\svchost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2108"C:\Users\admin\Desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe" C:\Users\admin\Desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4448c:\windows\resources\spoolsv.exe SEC:\Windows\Resources\spoolsv.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
5008"C:\Users\admin\Desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe" C:\Users\admin\Desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
5596C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
6344c:\windows\resources\themes\explorer.exe ROC:\Windows\Resources\Themes\explorer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6560c:\users\admin\desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe  C:\Users\admin\Desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe 
2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe
User:
admin
Company:
Creative Labs Inc.
Integrity Level:
HIGH
Description:
OpenAL Installer
Exit code:
0
Version:
2, 0, 7, 0
Modules
Images
c:\users\admin\desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6620c:\windows\resources\svchost.exeC:\Windows\Resources\svchost.exe
spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
6640c:\windows\resources\spoolsv.exe PRC:\Windows\Resources\spoolsv.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
6752C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 893
Read events
3 869
Write events
20
Delete events
4

Modification events

(PID) Process:(5008) 2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(5596) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(6944) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(6944) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(6944) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(6944) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(6944) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation:writeName:ShowSuperHidden
Value:
0
(PID) Process:(6620) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(6620) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(6620) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
Executable files
16
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4448spoolsv.exeC:\Windows\Resources\svchost.exeexecutable
MD5:32490006246C9513FA20680BF5E33F0E
SHA256:403AE8C89A9DDB51062E341401C1A877B6C86158CEE34AFA9718AE1BD2A9A3B8
5596icsys.icn.exeC:\Users\admin\AppData\Local\Temp\~DF84FF2D5491D36A8A.TMPbinary
MD5:7FA7C39A5A9A1CA8D870FC63772FF884
SHA256:FF0225E31EDAF6ABF553BB565046CD1091EA1E2C0E55E1AD9AA11A0BF206FB7C
6944explorer.exeC:\Windows\Resources\spoolsv.exeexecutable
MD5:8DD115C57C76D03DB5E2131DEDE2FEC4
SHA256:82A720F964BA29C4DAD5CE362D9FD51F4A6487CD8C3FF5A3FC712B4C9356A14B
50082025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exeC:\Users\admin\AppData\Local\Temp\~DFDEFF71C65415C06B.TMPbinary
MD5:1FFC95491B29F734C01DF1B1E48DBC30
SHA256:32B5B38DC05E36C514625F86F7CBFB60B5B0AE926A9EFF541996C889CE9F9420
65602025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe C:\Windows\SysWOW64\tmpE041.tmpexecutable
MD5:694F54BD227916B89FC3EB1DB53F0685
SHA256:B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD
6640spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF02CCDA5962CED69A.TMPbinary
MD5:BE4D4AC09BD5D16485F41A48F05DABA1
SHA256:3749AF7BC39FDA96B5228852358CD428BE1FC55D3243C174E0158BB9CF6944DE
5596icsys.icn.exeC:\Windows\Resources\Themes\explorer.exeexecutable
MD5:609B1E9921FFC5651132ACD2651AA00A
SHA256:60F19555C533FD57F36808014A95315FA2C7ED591B8CA6CA5F41057F23BF44B2
50082025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exeC:\Users\admin\Desktop\2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe executable
MD5:694F54BD227916B89FC3EB1DB53F0685
SHA256:B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD
50082025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:06F47272777277061C5C0802D51F1207
SHA256:F5C72C18A0B83814C02B843FD155513D6F188D8B5FF6F916EA57B6968FCB9A35
65602025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn.exe C:\Windows\SysWOW64\wrap_oal.newexecutable
MD5:D494267BC169604FAC5E3679B9A97FED
SHA256:A4E46E6D09C4B0966824A2F6628EBF738E813672692A52A0D63D982E1030EF4F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
41
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
4180
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
4180
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted
4180
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4180
SIHClient.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4180
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4180
SIHClient.exe
52.165.164.15:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5556
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.136
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.65
  • 40.126.32.138
  • 20.190.160.66
  • 20.190.160.130
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_a4365531dc5d487424df1f321ba616f5_amadey_elex_rhadamanthys_smoke-loader_swisyn