File name: 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader

Full analysis: https://app.any.run/tasks/72af676d-7a03-4551-b9e0-0352784222c6
Verdict: Malicious activity
Threats: Glupteba

Glupteba is a Go-based loader with information-stealing and traffic-routing (proxy) functionality. It is designed primarily to install additional malware on infected hosts, but it can do much more than that, and it is updated constantly, which makes it a family to watch.

Analysis date: April 25, 2025, 03:18:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
glupteba
loader
sinkhole
trojan
uac
auto-reg
antivm
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 2649779BBC9FE522BDCB478C3D10E869
SHA1: 63EC34CF748E18A68C3599F4B8903E0DDFF1A6E8
SHA256: 983AED9A3588545EF98AE76E4EFB75D5191C05CB7B46C1632C52141C454EE4FA
SSDEEP: 196608:j2BaQK2Pp0xGNF2xoKHy+nN91UFIxw+iv:j2RKEp0xGH2CKBnN5fw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Glupteba is detected

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Bypass User Account Control (Modify registry)

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • csrss.exe (PID: 6044)
    • Bypass User Account Control (fodhelper)

      • fodhelper.exe (PID: 7840)
      • fodhelper.exe (PID: 6644)
    • GLUPTEBA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • csrss.exe (PID: 1812)
    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • csrss.exe (PID: 1812)
    • Modifies exclusions in Windows Defender

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Changes the autorun value in the registry

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
  • SUSPICIOUS

    • Changes default file association

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • csrss.exe (PID: 6044)
    • Starts CMD.EXE for commands execution

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • csrss.exe (PID: 6044)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2196)
      • csrss.exe (PID: 1812)
    • Application launched itself

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7884)
      • csrss.exe (PID: 2148)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 456)
    • Executes application which crashes

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7884)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
      • csrss.exe (PID: 2148)
      • csrss.exe (PID: 5512)
      • csrss.exe (PID: 6044)
    • Starts itself from another location

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • The process creates files with name similar to system file names

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Executable content was dropped or overwritten

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Reads the date of Windows installation

      • csrss.exe (PID: 1812)
    • There is functionality for VM detection Parallels (YARA)

      • csrss.exe (PID: 1812)
    • There is functionality for taking screenshot (YARA)

      • csrss.exe (PID: 1812)
    • There is functionality for VM detection VirtualBox (YARA)

      • csrss.exe (PID: 1812)
  • INFO

    • Reads the software policy settings

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • csrss.exe (PID: 1812)
      • slui.exe (PID: 7456)
    • Checks supported languages

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7884)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
      • csrss.exe (PID: 1812)
      • csrss.exe (PID: 6044)
      • csrss.exe (PID: 5512)
      • csrss.exe (PID: 2148)
    • The sample is compiled with Chinese language support

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Reads the computer name

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7884)
      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
      • csrss.exe (PID: 1812)
      • csrss.exe (PID: 6044)
      • csrss.exe (PID: 2148)
      • csrss.exe (PID: 5512)
    • Reads the machine GUID from the registry

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 7452)
      • csrss.exe (PID: 1812)
    • Reads security settings of Internet Explorer

      • cmd.exe (PID: 7620)
      • fodhelper.exe (PID: 7840)
      • cmd.exe (PID: 2392)
      • fodhelper.exe (PID: 6644)
    • Auto-launch of the file from Registry key

      • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (PID: 8044)
    • Manual execution by a user

      • csrss.exe (PID: 6044)
    • Detects GO elliptic curve encryption (YARA)

      • csrss.exe (PID: 1812)
    • Checks proxy server information

      • slui.exe (PID: 7456)
    • Application based on Golang

      • csrss.exe (PID: 1812)
No malware configuration was extracted automatically. The registry writes under HKEY_CURRENT_USER\SOFTWARE\Microsoft\TestApp in the Modification events section nevertheless carry the bot's runtime configuration, including the C2 server list (Servers) and the CloudNet download URL (CloudnetFileURL).

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

TRiD's "MS Visual C++" guess is a generic heuristic and should not be trusted here: the Golang YARA hits above and the Go-http-client user agent in the Suricata alerts below identify the sample as a Go binary.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:10:02 17:41:24+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 6360576
InitializedDataSize: 4900352
UninitializedDataSize: -
EntryPoint: 0x5f8e0d
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.5.1
ProductVersionNumber: 1.1.0.1
FileFlagsMask: 0x006f
FileFlags: Pre-release, Patched
FileOS: Unknown (0x40304)
ObjectFileType: Static library
FileSubtype: 81
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Total processes: 161
Monitored processes: 30
Malicious processes: 9
Suspicious processes: 1

Behavior graph

Process nodes in the order the report draws them ("#GLUPTEBA" marks a node with a Glupteba detection, "no specs" marks a node without indicators):

  • start
  • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (#GLUPTEBA)
  • svchost.exe (#GLUPTEBA)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • fodhelper.exe (no specs)
  • fodhelper.exe (no specs)
  • fodhelper.exe
  • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe
  • 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe (#GLUPTEBA)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • werfault.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • csrss.exe (#GLUPTEBA)
  • werfault.exe (no specs)
  • csrss.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • fodhelper.exe (no specs)
  • fodhelper.exe (no specs)
  • fodhelper.exe
  • csrss.exe
  • werfault.exe (no specs)
  • csrss.exe
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • slui.exe

Process information

PID: 456
CMD: C:\WINDOWS\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
Path: C:\Windows\System32\cmd.exe
Parent process: 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 960
CMD: "C:\WINDOWS\system32\fodhelper.exe"
Path: C:\Windows\System32\fodhelper.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Features On Demand Helper
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\fodhelper.exe
c:\windows\system32\ntdll.dll

PID: 1812
CMD: C:\WINDOWS\rss\csrss.exe /6-smoke-loader
Path: C:\Windows\rss\csrss.exe
Parent process: 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules (images):
c:\windows\rss\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2096
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5512 -s 572
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: csrss.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 2148
CMD: "C:\WINDOWS\rss\csrss.exe"
Path: C:\Windows\rss\csrss.exe
Parent process: fodhelper.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION)
Modules (images):
c:\windows\rss\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2284
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 8044 -s 744
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 2392
CMD: C:\WINDOWS\Sysnative\cmd.exe /C fodhelper
Path: C:\Windows\System32\cmd.exe
Parent process: csrss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 3100
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6044 -s 628
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: csrss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 4896
CMD: fodhelper
Path: C:\Windows\System32\fodhelper.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Features On Demand Helper
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\fodhelper.exe
c:\windows\system32\ntdll.dll

Note on the fodhelper entries: PIDs 960 and 4896 are fodhelper.exe started from cmd.exe at MEDIUM integrity and exit with STATUS_ELEVATION_REQUIRED. PID 2148 is the dropped C:\Windows\rss\csrss.exe started by fodhelper.exe at HIGH integrity, which is the auto-elevation bypass succeeding; that elevated copy then exits with STATUS_PRIVILEGED_INSTRUCTION, i.e. it crashed. Both csrss.exe instances run from C:\Windows\rss, not System32, and load the WOW64 layer (a 32-bit image on a 64-bit host), consistent with the PE32 file info above.
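The process table above is enough to write host-side triage rules for the behaviour it records. The script below is an added example (not ANY.RUN's code, not the sample's): it re-types a subset of the rows as constructed records and runs four checks over them, a system-binary name running outside the system directories, a HIGH-integrity child of fodhelper.exe (the auto-elevate bypass succeeding), fodhelper.exe launched from a shell, and a netsh allow-rule whose program= path is user-writable. The rule names and the list of "system" names are this example's own choices, not ANY.RUN signature names.

```python
"""Process-tree triage rules over rows from the report's process table."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = "2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str          # the report's "Path" column
    cmdline: str        # the report's "CMD" column
    parent_image: str   # parent image name or path
    integrity: str      # MEDIUM / HIGH / SYSTEM


# Constructed from the report's process table (subset of the rows).
PROCESSES = [
    Proc(456, r"C:\Windows\System32\cmd.exe",
         r'C:\WINDOWS\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"',
         SAMPLE, "SYSTEM"),
    Proc(960, r"C:\Windows\System32\fodhelper.exe", r'"C:\WINDOWS\system32\fodhelper.exe"', "cmd.exe", "MEDIUM"),
    Proc(1812, r"C:\Windows\rss\csrss.exe", r"C:\WINDOWS\rss\csrss.exe /6-smoke-loader", SAMPLE, "SYSTEM"),
    Proc(2148, r"C:\Windows\rss\csrss.exe", r'"C:\WINDOWS\rss\csrss.exe"', "fodhelper.exe", "HIGH"),
    Proc(2196, r"C:\Windows\System32\svchost.exe",
         r"C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache", "services.exe", "SYSTEM"),
]

# Example's own list of names that legitimately only run from the system directories.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_PATH = re.compile(r"^c:\\users\\|\\appdata\\", re.IGNORECASE)
NETSH_PROGRAM = re.compile(r'program="([^"]+)"', re.IGNORECASE)


def rule_masquerade(p: Proc) -> bool:
    """A well-known system binary name running from a non-system directory."""
    return (ntpath.basename(p.image).lower() in SYSTEM_NAMES
            and ntpath.dirname(p.image).lower() not in SYSTEM_DIRS)


def rule_fodhelper_child(p: Proc) -> bool:
    """fodhelper.exe auto-elevates; a HIGH-integrity child of it is a bypass artefact."""
    return ntpath.basename(p.parent_image).lower() == "fodhelper.exe" and p.integrity.upper() == "HIGH"


def rule_fodhelper_from_shell(p: Proc) -> bool:
    """fodhelper.exe is normally launched by the Settings UI, not by a shell."""
    return (ntpath.basename(p.image).lower() == "fodhelper.exe"
            and ntpath.basename(p.parent_image).lower() in {"cmd.exe", "powershell.exe"})


def rule_firewall_allow_userland(p: Proc) -> bool:
    """netsh advfirewall allow-rule whose program= lives under a user-writable path."""
    cl = p.cmdline.lower()
    if "advfirewall firewall add rule" not in cl or "action=allow" not in cl:
        return False
    m = NETSH_PROGRAM.search(p.cmdline)
    return bool(m and USER_PATH.search(m.group(1)))


RULES = {
    "system_name_outside_system_dir": rule_masquerade,
    "fodhelper_child_high_il": rule_fodhelper_child,
    "fodhelper_from_shell": rule_fodhelper_from_shell,
    "firewall_allow_userland": rule_firewall_allow_userland,
}


def run_rules(procs):
    """Return {pid: sorted names of the rules that fired}; PIDs with no hits are omitted."""
    findings = {}
    for p in procs:
        hits = sorted(name for name, rule in RULES.items() if rule(p))
        if hits:
            findings[p.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(run_rules(PROCESSES).items()):
        print(pid, ", ".join(hits))
```

On the rows above this flags PID 456 (firewall rule for a path under AppData), PID 960 (fodhelper from cmd.exe), PID 1812 (csrss.exe outside System32) and PID 2148 (both the masquerade and the HIGH-integrity fodhelper child), and stays silent on the genuine Dnscache svchost.exe. The same rules run unchanged over Sysmon event ID 1 fields if the records are built from Image, CommandLine, ParentImage and IntegrityLevel.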
Total events: 21 382
Read events: 21 332
Write events: 48
Delete events: 2

Modification events

Process: (PID 7452) 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\TestApp
Operation: write (value name = value)
  • Name = CoolSilence
  • Firewall = (empty)
  • Defender = (empty)
  • Servers = https://weekdanys.com
  • UUID = (empty)
  • Command = 0000000000000000
  • FirstInstallDate = 25FF0A6800000000
  • CloudnetFileURL = http://donaldcity.club/cl.exe
  • ServiceVersion = (empty)
  • SC = 0000000000000000
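The TestApp values above are the bot's runtime configuration and are worth decoding rather than copying verbatim into an IOC list. The script below is an added example (not ANY.RUN's code and not the sample's): it re-types the writes as a constructed list, pulls out the C2 and download hosts, and decodes FirstInstallDate. The binary layout assumed for that value, a little-endian 64-bit Unix timestamp, is this example's assumption; the decoded time (2025-04-25 03:19:01 UTC) lands eleven seconds after the report's analysis start, which supports it. Splitting Servers on commas is also an assumption, to cope with samples that store more than one server.

```python
"""Decode the Glupteba TestApp registry configuration listed in the report."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed from the "Modification events" section: (value name, raw value as shown).
TESTAPP_WRITES = [
    ("Name", "CoolSilence"),
    ("Firewall", ""),
    ("Defender", ""),
    ("Servers", "https://weekdanys.com"),
    ("UUID", ""),
    ("Command", "0000000000000000"),
    ("FirstInstallDate", "25FF0A6800000000"),
    ("CloudnetFileURL", "http://donaldcity.club/cl.exe"),
    ("ServiceVersion", ""),
    ("SC", "0000000000000000"),
]


def decode_le_qword_hex(hexstr: str) -> int:
    """Interpret a 16-hex-digit REG_BINARY dump as a little-endian unsigned 64-bit integer."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little")


def decode_install_time(hexstr: str) -> datetime:
    """FirstInstallDate as a Unix epoch stored LE (assumption of this example)."""
    return datetime.fromtimestamp(decode_le_qword_hex(hexstr), tz=timezone.utc)


def extract_config(writes):
    """Turn the raw (name, value) writes into a small, typed IOC summary."""
    cfg = dict(writes)
    # Assumption: Servers may hold a comma-separated list; this sample stores one entry.
    servers = [s.strip() for s in cfg.get("Servers", "").split(",") if s.strip()]
    hosts = set()
    for url in servers + [cfg.get("CloudnetFileURL", "")]:
        if url:
            hosts.add(urlsplit(url).hostname)
    first_install = cfg.get("FirstInstallDate")
    return {
        "bot_name": cfg.get("Name"),
        "c2_servers": servers,
        "cloudnet_url": cfg.get("CloudnetFileURL"),
        "first_install_utc": decode_install_time(first_install) if first_install else None,
        "network_iocs": sorted(hosts),
    }


if __name__ == "__main__":
    for k, v in extract_config(TESTAPP_WRITES).items():
        print(f"{k}: {v}")
```

Command and SC are all-zero 8-byte values in this run, so they are left untouched; Firewall, Defender, UUID and ServiceVersion are empty at the time of the write, which fits a first-run registration (the /api/register POSTs in the HTTP table follow).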
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 8044
Process: 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe
Filename: C:\Windows\rss\csrss.exe
Type: executable
MD5: 2649779BBC9FE522BDCB478C3D10E869
SHA256: 983AED9A3588545EF98AE76E4EFB75D5191C05CB7B46C1632C52141C454EE4FA

The dropped file has the same MD5 and SHA256 as the submitted sample: the loader copies itself to C:\Windows\rss\csrss.exe, a system-binary name outside System32, and relaunches from there, which is what the "Starts itself from another location" and "creates files with name similar to system file names" indicators report.
HTTP(S) requests: 14
TCP/UDP connections: 28
DNS requests: 13
Threats: 27

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 52.11.240.239:443 | https://okonewacon.com/api/register | unknown | | | unknown
| | POST | 200 | 3.229.117.57:443 | https://weekdanys.com/api/register | unknown | | | unknown
| | POST | 200 | 3.229.117.57:443 | https://weekdanys.com/api/register | unknown | | | unknown
| | POST | 200 | 52.11.240.239:443 | https://okonewacon.com/api/register | unknown | | | unknown
| | POST | 200 | 52.11.240.239:443 | https://okonewacon.com/api/register | unknown | | | unknown
| | POST | 200 | 3.229.117.57:443 | https://weekdanys.com/api/register | unknown | | | unknown
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

The PID and process columns are blank for the POST rows in the source. The Connections table below attributes the TLS sessions to weekdanys.com and okonewacon.com to PIDs 7452 and 1812, so the /api/register POSTs are the loader's and the dropped csrss.exe's check-ins to the C2 servers named in the TestApp configuration and in the Suricata alerts.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
7452 | 2025-04-25_2649779bbc9fe522bdcb478c3d10e869_amadey_elex_mafia_smoke-loader.exe | 3.229.117.57:443 | weekdanys.com | AMAZON-AES | US | malicious
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1812 | csrss.exe | 3.229.117.57:443 | weekdanys.com | AMAZON-AES | US | malicious
1812 | csrss.exe | 52.11.240.239:443 | okonewacon.com | AMAZON-02 | US | unknown

DNS requests

Domain | Resolved IP(s) | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
weekdanys.com | 3.229.117.57 | malicious
okonewacon.com | 52.11.240.239 | unknown
blackempirebuild.com | (none) | unknown
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted

Threats

PID 2196, svchost.exe:
  • Malware Command and Control Activity Detected: ET MALWARE Glupteba CnC Observed in DNS Query
  • Misc activity: ET USER_AGENTS Go HTTP Client User-Agent
  • Misc activity: ET INFO Go-http-client User-Agent Observed Outbound
  • A Network Trojan was detected: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  • A Network Trojan was detected: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
  • Misc activity: ET USER_AGENTS Go HTTP Client User-Agent
  • Misc activity: ET INFO Go-http-client User-Agent Observed Outbound
  • Misc activity: ET USER_AGENTS Go HTTP Client User-Agent
  • Misc activity: ET INFO Go-http-client User-Agent Observed Outbound

PID 1812, csrss.exe:
  • Malware Command and Control Activity Detected: ET MALWARE Observed Glupteba CnC Domain (okonewacon .com in TLS SNI)

The AnubisNetworks sinkhole-cookie alerts (and the "sinkhole" tag on this task) mean at least one of the contacted domains now answers from a sinkhole rather than from the operators' infrastructure. A beacon to a sinkhole still identifies the host as infected, so these alerts should be triaged as a compromise, not dismissed because the destination is benign. The Go-http-client user-agent alerts are low-fidelity on their own (any Go program produces it) and only become meaningful together with the CnC domain and sinkhole hits.
No debug info