File name:

2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/f93289de-e7e1-4d15-ba05-ae9497c6ca3d
Verdict: Malicious activity
Threats:

Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Analysis date: May 25, 2025, 20:01:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
uac
auto-reg
trojan
glupteba
auto-sch
xmrig
antivm
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

7C9D7010C348E5B5F5979A301E83FECB

SHA1:

3BD28CF8498642AECA40B9D0474FA9BB9310E31B

SHA256:

977EE7D47FE2217F30AE2AFAF597830D3F7A7B11F8E153355FC232B1ED819299

SSDEEP:

98304:I+P9M/SetmMK3ogj/06iyTAtl9HmlhArbAVbchYRLA9jCqrZ/WV7BvW+GQQtL5vA:46iyCvxXp27Lp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass User Account Control (Modify registry)

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 6516)
      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 920)
    • Executing a file with an untrusted certificate

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 6516)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5936)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • csrss.exe (PID: 1532)
      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 1096)
      • csrss.exe (PID: 5800)
      • csrss.exe (PID: 920)
      • csrss.exe (PID: 4188)
      • csrss.exe (PID: 736)
    • Bypass User Account Control (fodhelper)

      • fodhelper.exe (PID: 2564)
      • fodhelper.exe (PID: 5408)
      • fodhelper.exe (PID: 3156)
    • Modifies exclusions in Windows Defender

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
    • Glupteba is detected

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
    • Changes the autorun value in the registry

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
    • Uses Task Scheduler to autorun other applications

      • csrss.exe (PID: 1532)
  • SUSPICIOUS

    • Changes default file association

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 6516)
      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 920)
    • Starts CMD.EXE for commands execution

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 6516)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 1532)
      • csrss.exe (PID: 920)
    • Application launched itself

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5936)
      • csrss.exe (PID: 1096)
      • csrss.exe (PID: 4188)
    • The process creates files with name similar to system file names

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
    • Executable content was dropped or overwritten

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • csrss.exe (PID: 1532)
    • Starts itself from another location

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 5640)
    • Searches for installed software

      • csrss.exe (PID: 1532)
    • Windows service management via SC.EXE

      • sc.exe (PID: 1196)
      • sc.exe (PID: 4188)
    • Creates files in the driver directory

      • csrss.exe (PID: 1532)
    • Drops a system driver (possible attempt to evade defenses)

      • csrss.exe (PID: 1532)
    • There is functionality for VM detection VirtualBox (YARA)

      • csrss.exe (PID: 1532)
    • There is functionality for VM detection Parallels (YARA)

      • csrss.exe (PID: 1532)
    • There is functionality for VM detection VirtualPC (YARA)

      • csrss.exe (PID: 1532)
    • There is functionality for VM detection VMWare (YARA)

      • csrss.exe (PID: 1532)
    • Xmrig is detected

      • csrss.exe (PID: 1532)
  • INFO

    • Reads the computer name

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 6516)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5936)
      • csrss.exe (PID: 1532)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 1096)
      • csrss.exe (PID: 5800)
      • csrss.exe (PID: 920)
      • csrss.exe (PID: 4188)
      • csrss.exe (PID: 736)
    • Checks supported languages

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 6516)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5936)
      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • csrss.exe (PID: 1532)
      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 1096)
      • csrss.exe (PID: 5800)
      • csrss.exe (PID: 920)
      • csrss.exe (PID: 4188)
      • csrss.exe (PID: 736)
    • Reads security settings of Internet Explorer

      • fodhelper.exe (PID: 2564)
      • cmd.exe (PID: 1764)
      • cmd.exe (PID: 5304)
      • fodhelper.exe (PID: 5408)
      • cmd.exe (PID: 5112)
      • fodhelper.exe (PID: 3156)
    • Auto-launch of the file from Registry key

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
    • Manual execution by a user

      • csrss.exe (PID: 4724)
      • csrss.exe (PID: 920)
    • Reads the machine GUID from the registry

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • csrss.exe (PID: 1532)
    • Reads the software policy settings

      • 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe (PID: 5776)
      • slui.exe (PID: 1164)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • csrss.exe (PID: 1532)
    • The sample is compiled with English language support

      • csrss.exe (PID: 1532)
    • Detects GO elliptic curve encryption (YARA)

      • csrss.exe (PID: 1532)
    • Application based on Golang

      • csrss.exe (PID: 1532)
    • Checks proxy server information

      • slui.exe (PID: 1164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:27 16:48:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 100864
InitializedDataSize: 45733888
UninitializedDataSize: -
EntryPoint: 0x1960
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 69.0.0.0
ProductVersionNumber: 29.0.0.0
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
No data.
All screenshots are available in the full report
Total processes: 168
Monitored processes: 42
Malicious processes: 11
Suspicious processes: 6

Behavior graph

start 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe no specs cmd.exe no specs conhost.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe no specs #GLUPTEBA 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe cmd.exe no specs conhost.exe no specs netsh.exe no specs csrss.exe csrss.exe no specs cmd.exe no specs conhost.exe no specs fodhelper.exe no specs schtasks.exe no specs conhost.exe no specs fodhelper.exe no specs mountvol.exe no specs conhost.exe no specs fodhelper.exe mountvol.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs csrss.exe no specs sc.exe no specs csrss.exe csrss.exe no specs cmd.exe no specs conhost.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe csrss.exe no specs csrss.exe slui.exe svchost.exe

Process information

PID:
632
CMD:
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\WINDOWS\rss\csrss.exe" /TN csrss /F
Path:
C:\Windows\System32\schtasks.exe
Parent process:
csrss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
736
CMD:
"C:\WINDOWS\rss\csrss.exe"
Path:
C:\Windows\rss\csrss.exe
Parent process:
csrss.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
2
Modules
Images
c:\windows\rss\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
920
CMD:
"C:\WINDOWS\system32\fodhelper.exe"
Path:
C:\Windows\System32\fodhelper.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Features On Demand Helper
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fodhelper.exe
c:\windows\system32\ntdll.dll
PID:
920
CMD:
C:\WINDOWS\rss\csrss.exe
Path:
C:\Windows\rss\csrss.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\windows\rss\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
1096
CMD:
"C:\WINDOWS\rss\csrss.exe"
Path:
C:\Windows\rss\csrss.exe
Parent process:
fodhelper.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\windows\rss\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
1164
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1196
CMD:
sc sdset Winmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Path:
C:\Windows\SysWOW64\sc.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
PID:
1328
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1348
CMD:
mountvol B: /d
Path:
C:\Windows\SysWOW64\mountvol.exe
Parent process:
csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Mount Volume Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mountvol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID:
1532
CMD:
C:\WINDOWS\rss\csrss.exe /51-51
Path:
C:\Windows\rss\csrss.exe
Parent process:
2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\windows\rss\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winhttp.dll
Total events: 18 001
Read events: 17 934
Write events: 63
Delete events: 4

Modification events

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: Name
Value: FloralHill

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: Firewall
Value:

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: Defender
Value:

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: Servers
Value: https://ninhaine.com

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: UUID
Value:

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: FirstInstallDate
Value: 2377336800000000

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: ServiceVersion
Value:

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: SC
Value: 0000000000000000

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: PGDSE
Value: 0000000000000000

(PID) Process: (6516) 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation: write
Name: VC
Value: 0
Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1532
Process: csrss.exe
Filename: C:\Windows\System32\drivers\WinmonFS.sys
Type: executable
MD5: C6100C067D1E619B730BF23AB4045B17
SHA256: F632800DC961C46374DBA818B8AF17F1B770BFCB2D868E5CE10F2151B264EA26

PID: 1532
Process: csrss.exe
Filename: C:\Windows\System32\drivers\Winmon.sys
Type: executable
MD5: 69989105F151015C16A2F422F5722590
SHA256: B1C321B5E495473A401BD6E6ADFE1EC931F8247B1B2646B0E259BFF011A0958C

PID: 1532
Process: csrss.exe
Filename: C:\Windows\System32\drivers\WinmonProcessMonitor.sys
Type: executable
MD5: 29981EC427E564D715445C812FC73411
SHA256: EDFF4D28A92C7661E01CD1BCAFEC23170E8F152226B885FB8463A20D2FDC387E

PID: 5776
Process: 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe
Filename: C:\Windows\rss\csrss.exe
Type: executable
MD5: 7C9D7010C348E5B5F5979A301E83FECB
SHA256: 977EE7D47FE2217F30AE2AFAF597830D3F7A7B11F8E153355FC232B1ED819299
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 50
DNS requests: 25
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2656 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 302 | 192.168.1.2:443 | https://humisnee.com/sb.php | unknown | text | 11 b | malicious
2656 | RUXIMICS.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5776 | 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe | GET | 200 | 199.59.243.228:80 | http://survey-smiles.com/ | unknown | - | - | whitelisted
5968 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
5968 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5968 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2656 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2656 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2656 | RUXIMICS.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5776 | 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe | 185.107.56.198:443 | humisnee.com | NForce Entertainment B.V. | NL | malicious
5776 | 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe | 199.59.243.228:80 | survey-smiles.com | AMAZON-02 | US | whitelisted
5968 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 95.100.181.32
  • 95.100.181.23
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 95.101.149.131
whitelisted
humisnee.com
  • 185.107.56.198
malicious
survey-smiles.com
  • 199.59.243.228
whitelisted
ninhaine.com
unknown
2makestorage.com
unknown
nisdably.com
malicious

Threats

PID | Process | Class | Message
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
5776 | 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
5776 | 2025-05-25_7c9d7010c348e5b5f5979a301e83fecb_amadey_elex_karagany_rhadamanthys_smoke-loader.exe | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
No debug info