File name:

2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/2d10dd2a-ddec-4bdd-85f6-b0eb580cd502
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 16, 2025, 17:35:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

7346B19539A8C9F01E03DA897B226684

SHA1:

506F2C8EBF08DEF9D67FDED2297FB8A62A4CCB8C

SHA256:

118E4CB01A611B5C787505F8DE7E1CACC70DF418FA8CF3F46D64D0B7230FB34F

SSDEEP:

49152:9ToY/llfA1SdzdVEZV9O6mk6n47nZUSpeBtO0keF4l6sAl72y0Y6i40y1Z1AyO83:xoY/llfA1SdzdVEZVL6ngZUGebO0glCu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • FileCoAuth.exe (PID: 5360)
    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 2984)
      • vcredist_x86.exe (PID: 5212)
      • vcredist_x86.exe (PID: 4740)
      • vcredist_x64.exe (PID: 904)
      • vcredist_x64.exe (PID: 5156)
      • vcredist_x86.exe (PID: 5132)
      • vcredist_x86.exe (PID: 1600)
      • vcredist_x64.exe (PID: 6244)
      • vcredist_x64.exe (PID: 1660)
      • wyUpdate.exe (PID: 924)
      • QBFC13_0Installer.exe (PID: 5544)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • FileCoAuth.exe (PID: 5360)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
    • Executable content was dropped or overwritten

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 5956)
      • FileCoAuth.exe (PID: 5360)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • AutoEntry.DesktopSync.Installer.exe (PID: 1272)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 2064)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 1532)
      • vcredist_x86.exe (PID: 4740)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 5360)
      • vcredist_x86.exe (PID: 5212)
      • vcredist_x64.exe (PID: 5156)
      • vcredist_x64.exe (PID: 904)
      • vcredist_x86.exe (PID: 1600)
      • vcredist_x86.exe (PID: 5132)
      • vcredist_x64.exe (PID: 1660)
      • MSI34D0.tmp (PID: 6572)
      • TiWorker.exe (PID: 4284)
      • vcredist_x64.exe (PID: 6244)
    • Mutex name with non-standard characters

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • FileCoAuth.exe (PID: 5360)
    • Searches for installed software

      • dllhost.exe (PID: 6416)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6712)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 5360)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • AutoEntry.DesktopSync.Installer.exe (PID: 1272)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 1532)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 5360)
      • vcredist_x86.exe (PID: 4740)
      • vcredist_x86.exe (PID: 5212)
      • msiexec.exe (PID: 2384)
      • vcredist_x64.exe (PID: 904)
      • vcredist_x64.exe (PID: 5156)
      • vcredist_x86.exe (PID: 1600)
      • vcredist_x86.exe (PID: 5132)
      • vcredist_x64.exe (PID: 1660)
      • vcredist_x64.exe (PID: 6244)
      • MSI34D0.tmp (PID: 6572)
      • TiWorker.exe (PID: 4284)
    • Starts itself from another location

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 2064)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 1532)
    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 2984)
    • Process requests binary or script from the Internet

      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 1532)
    • Application launched itself

      • vcredist_x86.exe (PID: 5212)
      • vcredist_x64.exe (PID: 904)
      • vcredist_x86.exe (PID: 5132)
      • vcredist_x64.exe (PID: 6244)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 2384)
      • TiWorker.exe (PID: 4284)
  • INFO

    • Checks supported languages

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 5956)
      • AutoEntry.DesktopSync.Installer.exe (PID: 1272)
      • FileCoAuth.exe (PID: 2984)
    • Create files in a temporary directory

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 5956)
      • FileCoAuth.exe (PID: 2984)
    • Reads the computer name

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • AutoEntry.DesktopSync.Installer.exe (PID: 1272)
      • FileCoAuth.exe (PID: 2984)
    • Process checks computer location settings

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 6988)
      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • FileCoAuth.exe (PID: 5360)
    • The sample compiled with english language support

      • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe (PID: 4424)
      • FileCoAuth.exe (PID: 5360)
      • AutoEntry.DesktopSync.Installer.exe (PID: 1272)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 1532)
      • AutoEntry.Installer.Bootstrapper.VCRedist.exe (PID: 5360)
      • vcredist_x86.exe (PID: 4740)
      • vcredist_x86.exe (PID: 5212)
      • msiexec.exe (PID: 2384)
      • vcredist_x64.exe (PID: 904)
      • vcredist_x64.exe (PID: 5156)
      • vcredist_x86.exe (PID: 5132)
      • vcredist_x64.exe (PID: 1660)
      • vcredist_x64.exe (PID: 6244)
      • vcredist_x86.exe (PID: 1600)
      • MSI34D0.tmp (PID: 6572)
      • TiWorker.exe (PID: 4284)
    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 2984)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 2984)
    • Manages system restore points

      • SrTasks.exe (PID: 2692)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2384)
    • The sample compiled with chinese language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with german language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with spanish language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with french language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with Italian language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with japanese language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with russian language support

      • msiexec.exe (PID: 2384)
    • The sample compiled with korean language support

      • msiexec.exe (PID: 2384)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2384)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (85.5)
.exe | Win32 Executable Delphi generic (4.6)
.scr | Windows screen saver (4.2)
.dll | Win32 Dynamic Link Library (generic) (2.1)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 164
Monitored processes: 34
Malicious processes: 17
Suspicious processes: 6

Behavior graph

  • start
  • #NESHTA 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe
  • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe
  • 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe
  • autoentry.desktopsync.installer.exe
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)
  • filecoauth.exe (no specs)
  • filecoauth.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • autoentry.installer.isvc2012redistinstalled.exe (no specs)
  • conhost.exe (no specs)
  • autoentry.installer.bootstrapper.vcredist.exe
  • autoentry.installer.bootstrapper.vcredist.exe
  • autoentry.installer.bootstrapper.vcredist.exe
  • slui.exe
  • vcredist_x86.exe
  • vcredist_x86.exe
  • SPPSurrogate (no specs)
  • msiexec.exe
  • vcredist_x64.exe
  • vcredist_x64.exe
  • SPPSurrogate (no specs)
  • vcredist_x86.exe
  • vcredist_x86.exe
  • vcredist_x64.exe
  • vcredist_x64.exe
  • qbfc13_0installer.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msi34d0.tmp
  • tiworker.exe
  • msiexec.exe (no specs)
  • wyupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 720
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 904
CMD: "C:\ProgramData\Package Cache\1A5D93DDDBC431AB27B1DA711CD3370891542797\vcredist_x64.exe" /q /norestart
Path: C:\ProgramData\Package Cache\1A5D93DDDBC431AB27B1DA711CD3370891542797\vcredist_x64.exe
Parent process: AutoEntry.Installer.Bootstrapper.VCRedist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
Exit code:
0
Version:
11.0.61030.0
Modules
Images
c:\programdata\package cache\1a5d93dddbc431ab27b1da711cd3370891542797\vcredist_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 924
CMD: "C:\Program Files (x86)\OCREX\AutoEntry\wyUpdate.exe" /fromservice
Path: C:\Program Files (x86)\OCREX\AutoEntry\wyUpdate.exe
Parent process: msiexec.exe
User:
admin
Company:
wyDay
Integrity Level:
HIGH
Description:
wyUpdate
Version:
2.6.18.4
Modules
Images
c:\program files (x86)\ocrex\autoentry\wyupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1228
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AutoEntry.Installer.IsVC2012RedistInstalled.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1272
CMD: "C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.be\AutoEntry.DesktopSync.Installer.exe" -q -burn.elevated BurnPipe.{15C187B7-7186-4098-A3F1-BEFF588E34E5} {C65171FE-92A6-4C26-A2C1-13F293F3663C} 4424
Path: C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.be\AutoEntry.DesktopSync.Installer.exe
Parent process: 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Company:
AutoEntry
Integrity Level:
HIGH
Description:
AutoEntry Desktop Sync
Version:
2.0
Modules
Images
c:\users\admin\appdata\local\temp\{f2446f38-f0bb-42af-b00c-0fed239b60ff}\.be\autoentry.desktopsync.installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1348
CMD: MSIEXEC.EXE /i "C:\Users\admin\AppData\Local\Downloaded Installations\{BB7B4E50-E5AA-46C3-A05D-A142E52968FC}\QBFC 13.0.msi" /qn SETUPEXEDIR="C:\ProgramData\Package Cache\FA9735FD3E8DA291A35CC566EEE359114A146F59" SETUPEXENAME="QBFC13_0Installer.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: QBFC13_0Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1532
CMD: "C:\Users\admin\AppData\Local\Temp\{87183825-5A72-457B-A1D8-461991B05750}\.cr\AutoEntry.Installer.Bootstrapper.VCRedist.exe" -burn.clean.room="C:\ProgramData\Package Cache\6015E2EF4CDC4DCA22A137466ABA3C637123F2ED\AutoEntry.Installer.Bootstrapper.VCRedist.exe" -burn.filehandle.attached=568 -burn.filehandle.self=564 -burn.filehandle.self=1028 -burn.embedded BurnPipe.{AA8CDB19-9739-4A4F-8682-7F80DD34DE09} {48B3373A-C17D-4560-8319-D7EE82949D63} 1272
Path: C:\Users\admin\AppData\Local\Temp\{87183825-5A72-457B-A1D8-461991B05750}\.cr\AutoEntry.Installer.Bootstrapper.VCRedist.exe
Parent process: AutoEntry.Installer.Bootstrapper.VCRedist.exe
User:
admin
Company:
AutoEntry
Integrity Level:
HIGH
Description:
AutoEntry Desktop Sync
Exit code:
0
Version:
2.0
Modules
Images
c:\users\admin\appdata\local\temp\{87183825-5a72-457b-a1d8-461991b05750}\.cr\autoentry.installer.bootstrapper.vcredist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1600
CMD: "C:\ProgramData\Package Cache\2A07A32330D5131665378836D542478D3E7BD137\vcredist_x86.exe" /q /norestart REBOOT=ReallySuppress -burn.unelevated BurnPipe.{62CD7EF8-E8CA-4720-88F9-16DC6AC2FEBF} {D85F54AA-76DE-4AAE-8C3E-13BEF3ACF2F7} 5132
Path: C:\ProgramData\Package Cache\2A07A32330D5131665378836D542478D3E7BD137\vcredist_x86.exe
Parent process: vcredist_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
Exit code:
0
Version:
12.0.40660.0
Modules
Images
c:\programdata\package cache\2a07a32330d5131665378836d542478d3e7bd137\vcredist_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1660
CMD: "C:\ProgramData\Package Cache\261C2E77D288A513A9EB7849CF5AFCA6167D4FA2\vcredist_x64.exe" /q /norestart -burn.unelevated BurnPipe.{CB669930-C1CC-403D-9537-36BE92171803} {A1FB4C42-E7EF-446B-9DC4-94BA45A8D0C3} 6244
Path: C:\ProgramData\Package Cache\261C2E77D288A513A9EB7849CF5AFCA6167D4FA2\vcredist_x64.exe
Parent process: vcredist_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
Exit code:
0
Version:
12.0.40660.0
Modules
Images
c:\programdata\package cache\261c2e77d288a513a9eb7849cf5afca6167d4fa2\vcredist_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 67 295
Read events: 63 080
Write events: 3 759
Delete events: 456

Modification events

(PID) Process: (6416) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000018A0FCF988C6DB0110190000900B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1272) AutoEntry.DesktopSync.Installer.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
400000000000000018A0FCF988C6DB01F8040000580B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6416) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000085476AFA88C6DB0110190000900B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6416) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000085476AFA88C6DB0110190000900B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6416) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000534F37FB88C6DB011019000074170000E803000001000000000000000000000019EDEFD5AE7BFD4689918E2DC074C93600000000000000000000000000000000

(PID) Process: (6712) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:

(PID) Process: (6712) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

(PID) Process: (6712) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value:

(PID) Process: (6712) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: write
Name: Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi

(PID) Process: (6712) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: delete key
Name: (default)
Value:
Executable files: 282
Suspicious files: 306
Text files: 90
Unknown types: 1

Dropped files

PID
Process
Filename
Type
6988 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | executable
MD5: B16ACAAA861B3EB9C7AA8C0721426C3E
SHA256: CB4286F949FEC6B216482E6B270B09D2818F66A69B97DA7C7DE1EC590C9E4DF0

6416 | dllhost.exe | C:\System Volume Information\SPP\metadata-2 | -
MD5:
SHA256:

4424 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.ba\thm.wxl | xml
MD5: FC0DB4142556D3F38B0744A12F5F9D3D
SHA256: 8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019

4424 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.ba\thm.xml | xml
MD5: C29A69F34FF31FF63C3EC6B2D4F903E5
SHA256: 8D67851408A62B0F04DBAADDC588CD98499CF3630EC5DF9F7C0699F0D367F79C

4424 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.ba\logo.png | binary
MD5: 31448E49901E83F194F6C85BD7D781FA
SHA256: 39710031E317DAA9E109CB0ABBA675D751426C5C21C1E6B87D71FFD0D9D70E41

4424 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.ba\BootstrapperApplicationData.xml | binary
MD5: D48A537E55DE5906384173AF17A6B71C
SHA256: 3CF91A09FD6FC965F71743CEFD3F9D5AB00324A65D34DEDF95A95806A6CF0442

4424 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.ba\wixstdba.dll | executable
MD5: 6BA2E331E0F447AAFF0E8142DF5F7230
SHA256: 58A135101A2044D96F470E29369A8214C5C2ADD774488D73C6AE81A588582239

5360 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe | executable
MD5: 394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256: 37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23

6988 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe | executable
MD5: 0C5EC1AE9A301408AF26032B445FBB08
SHA256: 3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A

4424 | 2025-05-16_7346b19539a8c9f01e03da897b226684_black-basta_coinminer_elex_gcleaner_luca-stealer_neshta.exe | C:\Users\admin\AppData\Local\Temp\{F2446F38-F0BB-42AF-B00C-0FED239B60FF}\.be\AutoEntry.DesktopSync.Installer.exe | executable
MD5: F4D0D12CE9905DDAC267E7AE8E1DCDFE
SHA256: 90E3FD4C697DE8EB1C4FE00F16FB53DAD3EE6F966768096A3A15C8DA375D296B
HTTP(S) requests: 42
TCP/UDP connections: 85
DNS requests: 38
Threats: 6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
4688 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
1272 | AutoEntry.DesktopSync.Installer.exe | GET | 200 | 2.23.79.3:80 | http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D | unknown | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4 System
  • 192.168.100.255:138 | - | - | - | whitelisted

2104 svchost.exe
  • 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
  • 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
  • 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  • 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

6544 svchost.exe
  • 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

2104 svchost.exe
  • 23.48.23.162:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

2112 svchost.exe
  • 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

2104 svchost.exe
  • 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

3216 svchost.exe
  • 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.64
  • 20.190.160.22
  • 40.126.32.68
  • 20.190.160.128
  • 20.190.160.131
  • 20.190.160.3
  • 40.126.32.140
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
  • 2.23.246.101
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
s3-eu-west-1.amazonaws.com
whitelisted

Threats

PID
Process
Class
Message
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Misc activity | ET INFO Packed Executable Download
No debug info