File name: 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/72e9688b-6ece-40f9-913d-b58ce40c2236
Verdict: Malicious activity
Analysis date: May 16, 2025, 14:54:46
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: DE0F16026E70A2DE4430387FB1F91CC8
SHA1: 883C0B8796765D5A4BA1F834DFAB441DB412A808
SHA256: 7C766644BEC49ECEDBCE958082F22545BA16EDB9BBA3E24C0B1E786C0BB9B251
SSDEEP: 6144:grB9RPyvcfnWYHKgv1GlZtiyg5xAcTciQa8:IdWGv1GlZtiyg5nT9J8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
    • Connects to the CnC server

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
      • FileCoAuth.exe (PID: 7716)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
    • Process drops legitimate Windows executable

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
      • FileCoAuth.exe (PID: 7716)
    • Reads security settings of Internet Explorer

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
      • FileCoAuth.exe (PID: 7716)
    • Contacting a server suspected of hosting a CnC

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
      • FileCoAuth.exe (PID: 7716)
  • INFO

    • The sample was compiled with English language support

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
      • FileCoAuth.exe (PID: 7716)
    • Creates files in the program directory

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
    • Reads the computer name

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
    • Checks supported languages

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
    • Checks proxy server information

      • 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (PID: 7496)
      • FileCoAuth.exe (PID: 7716)
      • slui.exe (PID: 7992)
    • Reads the software policy settings

      • slui.exe (PID: 7992)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:12:14 18:33:53+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 10
CodeSize: 47104
InitializedDataSize: 446464
UninitializedDataSize: -
EntryPoint: 0x7142
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 6.0.37.0
ProductVersionNumber: 6.0.37.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Autodesk, Inc.
FileDescription: Autodesk component
FileVersion: 6.0.37.0
LegalCopyright: Copyright (c) 1982-2011 by Autodesk, Inc.
ProductVersion: 6.0.37.0
Total processes: 126
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive view in the full report)

Nodes: start → 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe → filecoauth.exe, slui.exe; a second instance of 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe (no specs)

Process information

PID: 7448
CMD: "C:\Users\admin\Desktop\2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: Autodesk, Inc.
Integrity Level: MEDIUM
Description: Autodesk component
Exit code: 3221226540
Version: 6.0.37.0
Modules (images):
c:\users\admin\desktop\2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7496
CMD: "C:\Users\admin\Desktop\2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Company: Autodesk, Inc.
Integrity Level: HIGH
Description: Autodesk component
Exit code: 1603
Version: 6.0.37.0
Modules (images):
c:\users\admin\desktop\2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7716
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 7992
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 266
Read events: 4 260
Write events: 6
Delete events: 0

Modification events

(PID) Process: (7496) 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7496) 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7496) 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7716) FileCoAuth.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7716) FileCoAuth.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7716) FileCoAuth.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 9
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\MSVCP140.dll.tmp | executable
MD5: 22711954ECB5A355C48F8A65B3C7F28C
SHA256: 70368C8BB476AA6CAF23252CA07B016CF9FD52C3F1F4248C0B959E24B830E63D

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-16.1455.7716.1.aodl | binary
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LoggingPlatform.DLL.tmp | executable
MD5: 469E4C7A4FC70B65CAABA7DB1EBBB98F
SHA256: 24F14E42D0C8CC16E093027511112CBE58838731EC5959DE5B8AA7BAAB65FA8D

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Telemetry.dll.tmp | executable
MD5: 22281EEB08276934F211D041899D4C0E
SHA256: 1B77662316A50AFBB3048D9BF9D667BDABCA089D7A29DFBAB7B1B0158AA6EDF8

7496 | 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\System\symsrv.dll | executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\UpdateRingSettings.dll.tmp | executable
MD5: B7AD18544BAD6964DC3FD6231CA0113D
SHA256: 741AD7B22DECAA54F7688E94B91B1A2209A3077FEA957D8FEA109D02DFEEE806

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\VCRUNTIME140.dll.tmp | executable
MD5: BE4C5ADE5C1F2ACF37695C0485DF1B5B
SHA256: 709D58EC6B660D60B96D5C36736BF9842AE646C37BC274AC1481ED071791B7DA

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuthLib.dll.tmp | executable
MD5: A007324BEFC0E0E89A9406A7E439DA72
SHA256: 2F07DF8E4484551EA0A735F5BCAB2717C5D5796F7061D86DB51A80EF30D9BCE0

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe.tmp | executable
MD5: E288F1AD6CEB2C17B05DF1595D7539C2
SHA256: EB3ACB752AE69A5F742C78D565430C987211D6EF88B7019499F1B77C4E3F0456

7716 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-16.1455.7716.1.odl | binary
MD5: B1EB8FEA61BA1A072EE88771AC9B9396
SHA256: A656A402BFDCCA16C87D1DD4F9FA196D77F684E31A525C18D021183F3B1AB884
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 44
DNS requests: 15
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7716 | FileCoAuth.exe | GET | 403 | 45.56.79.23:80 | http://www.aieov.com/logo.gif | unknown | malicious
7496 | 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe | GET | - | 45.56.79.23:80 | http://www.aieov.com/logo.gif | unknown | malicious
7792 | SIHClient.exe | GET | 200 | 2.16.164.96:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 2.16.164.96:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 2.16.164.96:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7792 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7496 | 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe | 45.56.79.23:80 | www.aieov.com | Linode, LLC | US | malicious
7792 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
7716 | FileCoAuth.exe | 45.56.79.23:80 | www.aieov.com | Linode, LLC | US | malicious
7792 | SIHClient.exe | 2.16.164.96:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7792 | SIHClient.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
7792 | SIHClient.exe | 13.85.23.206:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
5isohu.com
whitelisted
www.aieov.com
malicious
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID | Process | Class | Message
7496 | 2025-05-16_de0f16026e70a2de4430387fb1f91cc8_amadey_elex_floxif_rhadamanthys_smoke-loader.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7716 | FileCoAuth.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
No debug info