File name: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/0e34dd9e-36e0-421a-9b5e-4814c9106772
Verdict: Malicious activity
Analysis date: May 18, 2025, 16:09:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: EF22AE35692CF31B946BADCE338BA910
SHA1: 422DAFF373FDE63D9113DEE0434EE1E142082163
SHA256: 6EC65FF05BB5E44C583D83EA38C4C3CE47092F11FC9F1B6A5854191F22FE2580
SSDEEP: 49152:9Tu1tqo/RC8oOOWZSE5GPxX+f9m3OclL/p7X83ISuhblZaYPTE5+SYsxSfJOt0o7:x0BRC8oOOWZDgJX7plFgISuhhZaYPTq9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
    • Executing a file with an untrusted certificate

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • FileCoAuth.exe (PID: 7840)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
    • Mutex name with non-standard characters

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
    • Executable content was dropped or overwritten

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 7784)
    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 7840)
  • INFO

    • The sample compiled with English language support

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • FileCoAuth.exe (PID: 7784)
    • Creates files in a temporary directory

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • FileCoAuth.exe (PID: 7840)
    • Process checks computer location settings

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
    • Checks supported languages

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • FileCoAuth.exe (PID: 7840)
    • Reads the computer name

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • FileCoAuth.exe (PID: 7840)
    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 7840)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 7840)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Graph nodes (as extracted, edges not recoverable from the text): start; #NESHTA 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe; 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe; filecoauth.exe (no specs); filecoauth.exe (no specs); slui.exe

Process information

PID: 7456
CMD: "C:\Users\admin\Desktop\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7504
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Parent process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Update Setup
Exit code: 2147747664
Version: 1.3.23.9
Modules (images):
c:\users\admin\appdata\local\temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 7784
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 7840
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe
Parent process: FileCoAuth.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFile Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 7940
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 003
Read events: 4 003
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 77
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\npGoogleUpdate3.dll | executable
  MD5: E83B541C71965CFA1DEFF846CD6E9ECD
  SHA256: 21C2AB2A779F365BC28F6B27F294CC4DD4597AE92994CCBC5F45525520871C9A
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdateres_ca.dll | executable
  MD5: 19B992944BAFE5D07E94053B91BA0EFF
  SHA256: 1563EF017AB5E3ECA35CECFF0C03698D81133782EF1A5B38DCA1D4F550FD9447
7456 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | executable
  MD5: B31DEC7415972187AF8B957096FA4C95
  SHA256: 88D85E7359CAC1F0F7701B364ABDCE670E5016203443BA3CD900CA8BC9859023
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleCrashHandler.exe | executable
  MD5: 7E6B107120108B3A15BFECE0DE3201DB
  SHA256: 24CE5BA763482BF63F041056DA0741F1EC0D9432E8F0A7B6CBD24ADACDBC0C07
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleUpdateHelper.msi | binary
  MD5: 5B371C3304C06AE62729236F98A2DD20
  SHA256: 6083667EB7958548035DB5291C35E82580D1D37E36D59CD104315076448BD76B
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdate.dll | executable
  MD5: 0928B9C3F2193EE265AA5E9B163D96EB
  SHA256: E2044C1098602441657FCBE2661180A7D3E450B5D8ED42410010AC89F866CF45
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\psmachine_64.dll | executable
  MD5: 74D1953F791F4F07B1BADEBE96F81AE0
  SHA256: B043ABF637E4BD3AF728677DF5D0811CF02C4BA1C90C4782F2F7388CB8E8D93C
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleUpdateBroker.exe | executable
  MD5: 398F40FAE5ADA9521544393F1F67A17E
  SHA256: B72DA6C2D57B5DD63B7C687825C231E3962CE90C30A7494563E15A4276741139
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleUpdateOnDemand.exe | executable
  MD5: E093151047BBFFC0CD78D52F36490206
  SHA256: 26F997A0757E8943BF1B83E2356E35AE6856155B50C40940057433AF621BEC10
7504 | 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdateres_bg.dll | executable
  MD5: 96F9309CC9742D6ACE7E141942A4CD10
  SHA256: 213FE703E75DEE3A42A9B9FD551F51C074A96292812033838F89BBEF86998837
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4208 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
4208 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4208 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4208 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
4208 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
7224 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7940 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 23.219.150.101 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info