File name:

564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe

Full analysis: https://app.any.run/tasks/534025e0-5266-4a8b-acdb-db5133138e62
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 04, 2025, 10:30:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
neshta
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

3FB887B5886AAF9B3B5103D868C56C84

SHA1:

7385B57E89DA35B3AA2C3BBE26623C4179FC1ABC

SHA256:

564BCCC2CFBD6F6F0EC6951DFED4F68F8EAD7EA39B6777BBE512AFF6F50F28A0

SSDEEP:

49152:9Tn+S3vUaBClr1YvlQDPfQVGeSeKpHD6PBFFArtRP0hsUJbaHXmUaIw:xC/8vlGQNbKsPBQh0ZbaH23

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Actions looks like stealing of personal data

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 7800)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Mutex name with non-standard characters

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Executable content was dropped or overwritten

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 7800)

    • There is functionality for taking screenshot (YARA)

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

  • INFO

    • The sample compiled with english language support

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Checks supported languages

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)
      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7404)
      • FileCoAuth.exe (PID: 7800)

    • Process checks computer location settings

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)

    • Reads the computer name

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)
      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7404)
      • FileCoAuth.exe (PID: 7800)

    • Create files in a temporary directory

      • 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe (PID: 7360)
      • FileCoAuth.exe (PID: 7800)

    • Checks proxy server information

      • slui.exe (PID: 7912)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 7800)

    • Reads the software policy settings

      • slui.exe (PID: 7912)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 7800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (75)
.exe | InstallShield setup (12.2)
.exe | Win32 Executable Delphi generic (4)
.scr | Windows screen saver (3.7)
.dll | Win32 Dynamic Link Library (generic) (1.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe 564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7360"C:\Users\admin\Desktop\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe" C:\Users\admin\Desktop\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7404"C:\Users\admin\AppData\Local\Temp\3582-490\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe" C:\Users\admin\AppData\Local\Temp\3582-490\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet and Rlogin client
Version:
Release 0.74 (with embedded help)
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
7800"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7912C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 862
Read events
3 862
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Temp\3582-490\564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeexecutable
MD5:374FB48A959A96CE92AE0E4346763293
SHA256:F2D2638AFB528C7476C9EE8E83DDB20E686B0B05F53F2F966FD9EB962427F8AA
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
7800FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-04.1031.7800.1.odlbinary
MD5:4324FA4C2EBBC2B0FA1FB2E74D7F0D58
SHA256:9A0A63E5BBEAC2CB1121F7A90B5FABD352021D719EF18DE57C498819C6D75362
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256:3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
7800FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-04.1031.7800.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
7360564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:A747FA4161FE3C00C3FBB4BF391D4D4E
SHA256:B7BA59428AF7AE08C5BF927B57E326D5259E6ED31BD4237AA6A44378177364C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
20
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
6184
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7912
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
564bccc2cfbd6f6f0ec6951dfed4f68f8ead7ea39b6777bbe512aff6f50f28a0.exe