File name:

2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/0e34dd9e-36e0-421a-9b5e-4814c9106772
Verdict: Malicious activity
Analysis date: May 18, 2025, 16:09:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

EF22AE35692CF31B946BADCE338BA910

SHA1:

422DAFF373FDE63D9113DEE0434EE1E142082163

SHA256:

6EC65FF05BB5E44C583D83EA38C4C3CE47092F11FC9F1B6A5854191F22FE2580

SSDEEP:

49152:9Tu1tqo/RC8oOOWZSE5GPxX+f9m3OclL/p7X83ISuhblZaYPTE5+SYsxSfJOt0o7:x0BRC8oOOWZDgJX7plFgISuhhZaYPTq9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 7840)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
    • NESHTA mutex has been found

      • FileCoAuth.exe (PID: 7784)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 7784)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
    • Reads security settings of Internet Explorer

      • FileCoAuth.exe (PID: 7784)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
    • Executable content was dropped or overwritten

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
    • Mutex name with non-standard characters

      • FileCoAuth.exe (PID: 7784)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 7840)
  • INFO

    • Create files in a temporary directory

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7840)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
    • The sample compiled with english language support

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
    • Checks supported languages

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7840)
    • Reads the computer name

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7504)
      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7840)
    • Process checks computer location settings

      • 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe (PID: 7456)
      • FileCoAuth.exe (PID: 7784)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 7840)
    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 7840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
127
Monitored processes
5
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes shown in the graph (tagged #NESHTA): 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe, 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe, filecoauth.exe (no specs), filecoauth.exe (no specs), slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
7456
CMD:
"C:\Users\admin\Desktop\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe"
Path:
C:\Users\admin\Desktop\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
7504
CMD:
"C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe"
Path:
C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Parent process:
2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Update Setup
Exit code:
2147747664
Version:
1.3.23.9
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID:
7784
CMD:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process:
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
7840
CMD:
"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -Embedding
Path:
C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe
Parent process:
FileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
7940
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 003
Read events
4 003
Write events
0
Delete events
0

Modification events

No data
Executable files
77
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleUpdate.exe
Type: executable
MD5: 506708142BC63DABA64F2D3AD1DCD5BF
SHA256: 9C36A08D9E7932FF4DA7B5F24E6B42C92F28685B8ABE964C870E8D7670FD531A

PID: 7456
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Type: executable
MD5: B31DEC7415972187AF8B957096FA4C95
SHA256: 88D85E7359CAC1F0F7701B364ABDCE670E5016203443BA3CD900CA8BC9859023

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleUpdateHelper.msi
Type: binary
MD5: 5B371C3304C06AE62729236F98A2DD20
SHA256: 6083667EB7958548035DB5291C35E82580D1D37E36D59CD104315076448BD76B

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleCrashHandler.exe
Type: executable
MD5: 7E6B107120108B3A15BFECE0DE3201DB
SHA256: 24CE5BA763482BF63F041056DA0741F1EC0D9432E8F0A7B6CBD24ADACDBC0C07

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleUpdateComRegisterShell64.exe
Type: executable
MD5: 6EFC5F64258FE0D9DA3CCFA7FF4D84BD
SHA256: EA63E79B93DF7FAD11A3C0456710BFF66ACCDEAF9FEAC3AE95C22882ACD8560A

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdate.dll
Type: executable
MD5: 0928B9C3F2193EE265AA5E9B163D96EB
SHA256: E2044C1098602441657FCBE2661180A7D3E450B5D8ED42410010AC89F866CF45

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdateres_am.dll
Type: executable
MD5: 140FDDBFA008B1FCBFAD85C0F299275F
SHA256: 8CD78A9C9BC81370BEDDB9783D48EAE4E15CA44AC408624CC15C21B0170DB169

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\GoogleCrashHandler64.exe
Type: executable
MD5: 0D5CE0E5AEC3ACC7930AB955334B8533
SHA256: B9A2CA18250A170D4292EFDEC1FCEEADD7A86E8F1D66B33805379BE0E8723F8D

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdateres_ar.dll
Type: executable
MD5: 05E505FBA546536493625827F2584910
SHA256: E1A76534C135931153F02BAEF713BB47773F5181741D11530E85EB16A9DCAA93

PID: 7504
Process: 2025-05-18_ef22ae35692cf31b946badce338ba910_amadey_elex_gcleaner_neshta_rhadamanthys_smoke-loader.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMC361.tmp\goopdateres_ca.dll
Type: executable
MD5: 19B992944BAFE5D07E94053B91BA0EFF
SHA256: 1563EF017AB5E3ECA35CECFF0C03698D81133782EF1A5B38DCA1D4F550FD9447
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4208
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4208
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4208
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4208
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
4208
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7224
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7940
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info