File name: 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver

Full analysis: https://app.any.run/tasks/791f3350-57cc-4ba3-8996-fb972218ae30
Verdict: Malicious activity
Analysis date: May 16, 2025, 15:37:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
meshagent
rmm-tool
websocket
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 165EF6894935AA71256852DD2DCA3DA5
SHA1: 025C2091733CE80A93663E03D0F63F277852B3B8
SHA256: 55F1D68007790B33722A9176FA3984FA4C148249B10D9BD9BFBF7354FF60E6EE
SSDEEP: 98304:bdrmW4EM6E1vuMR9YQ2TNqG8VA4YriuoGCNSGPOAZVo+7:DMHD7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
      • MeshAgent.exe (PID: 4920)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
    • Reads the date of Windows installation

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
    • Application launched itself

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
    • Executable content was dropped or overwritten

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
    • Creates or modifies Windows services

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
    • Creates a software uninstall entry

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 4920)
    • MeshAgent potential remote access (YARA)

      • MeshAgent.exe (PID: 4920)
    • There is functionality for taking screenshot (YARA)

      • MeshAgent.exe (PID: 4920)
  • INFO

    • Reads the computer name

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
      • MeshAgent.exe (PID: 4920)
    • The sample compiled with english language support

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
    • Reads the machine GUID from the registry

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
      • MeshAgent.exe (PID: 4920)
    • Checks supported languages

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
      • MeshAgent.exe (PID: 4920)
    • Process checks computer location settings

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 2340)
    • Creates files in the program directory

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
      • MeshAgent.exe (PID: 4920)
    • MESHAGENT has been detected

      • 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe (PID: 5392)
      • MeshAgent.exe (PID: 4920)
    • Checks proxy server information

      • slui.exe (PID: 672)
    • Reads the software policy settings

      • slui.exe (PID: 672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:07 02:57:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2122752
InitializedDataSize: 1482240
UninitializedDataSize: -
EntryPoint: 0x1da03c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: MeshCentral Background Service Agent
FileVersion: 2025-Mar-6 21:44:07+0000
LegalCopyright: Apache 2.0 License
ProductName: MeshCentral Agent
ProductVersion: Commit: 2025-Mar-6 21:44:07+0000
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe no specs conhost.exe no specs 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe conhost.exe no specs #MESHAGENT meshagent.exe slui.exe

Process information

PID: 672
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 904
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2340
CMD: "C:\Users\admin\Desktop\2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe"
Path: C:\Users\admin\Desktop\2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: MeshCentral Background Service Agent
Exit code: 0
Version: 2025-Mar-6 21:44:07+0000
Modules
Images
c:\users\admin\desktop\2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
PID: 4452
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4920
CMD: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\Mesh Agent\MeshAgent.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: MeshCentral Background Service Agent
Version: 2025-Mar-6 21:44:07+0000
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 5392
CMD: "C:\Users\admin\Desktop\2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe" -fullinstall
Path: C:\Users\admin\Desktop\2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Parent process: 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
User: admin
Integrity Level: HIGH
Description: MeshCentral Background Service Agent
Exit code: 0
Version: 2025-Mar-6 21:44:07+0000
Modules
Images
c:\users\admin\desktop\2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 4 538
Read events: 4 518
Write events: 20
Delete events: 0

Modification events

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: _InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayName
Value: Mesh Agent

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files\Mesh Agent\MeshAgent.exe

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallDate
Value: 20250516

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallLocation
Value: C:\Program Files\Mesh Agent\

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: EstimatedSize
Value: 3399

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoModify
Value: 1

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoRepair
Value: 1

PID/Process: (5392) 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: UninstallString
Value: C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"
Executable files: 1
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID: 5392
Process: 2025-05-16_165ef6894935aa71256852dd2dca3da5_black-basta_coinminer_ryuk_sliver.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.exe
Type: executable
MD5: 165EF6894935AA71256852DD2DCA3DA5
SHA256: 55F1D68007790B33722A9176FA3984FA4C148249B10D9BD9BFBF7354FF60E6EE

PID: 4920
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\9C9A0CCD73D2820AB3082FC9675E12EA0A7650F1
Type: binary
MD5: 57E4092FAB8A9F0CDA847D525D73C0E9
SHA256: 921DD114C799AA112C01C3EC3A765C261C97851CD8B81F7B200FACEB13B837B3

PID: 4920
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CD40AE5D43DD3588DCC6661924E3FD6F04C8F808
Type: binary
MD5: B06F9169EE4161B3E2E30B9A67A4E1E9
SHA256: 5CC160ACD1119E4A16DA28FA10A7B5F75E70077FD5D69923A20ABAEFE597B802

PID: 4920
Process: MeshAgent.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.msh
Type: text
MD5: 242520E2162C0A0EC24B586B2DDFDF61
SHA256: 7D87C2EED889E4858975EF2830DDDFB19C98A2A756CA8A155A4ACAD23DA3E9F4

PID: 4920
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\E7768F0FAFE236F50A20CD1181EEC21775479583
Type: binary
MD5: 09EA9CAA997E3706C3D213BEF04A33E9
SHA256: 61F8A5A5AF434E60A69647B45207879D05947BF0906306CEE25D1915FCB0AF95

PID: 4920
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\E4C06B218D4425D397873DCDE1DEB28B1C8687D5
Type: binary
MD5: AA75BD9F04F6495D7BCE5B6595AB7475
SHA256: BE811CCF110EB9653E8CB4EC162BCA980AA07FC8330132B278CC4D6E73C08E9D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 30
DNS requests: 5
Threats: 1

HTTP requests

PID: 2104
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 2.23.246.101:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 2104
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 2.19.11.105:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 2104
Process: svchost.exe
IP: 51.104.136.2:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

IP: 51.104.136.2:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 2104
Process: svchost.exe
IP: 2.19.11.105:80
Domain: crl.microsoft.com
ASN: Elisa Oyj
CN: NL
Reputation: whitelisted

PID: 2104
Process: svchost.exe
IP: 2.23.246.101:80
Domain: www.microsoft.com
ASN: Ooredoo Q.S.C.
CN: QA
Reputation: whitelisted

PID: 2104
Process: svchost.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4920
Process: MeshAgent.exe
IP: 176.98.186.24:443
ASN: Art-telecom Ltd.
CN: RU
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4108
Process: slui.exe
IP: 20.83.72.98:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 672
Process: slui.exe
IP: 20.83.72.98:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain: google.com
IP: 142.250.185.142
Reputation: whitelisted

Domain: crl.microsoft.com
IP: 2.19.11.105, 2.19.11.120
Reputation: whitelisted

Domain: www.microsoft.com
IP: 2.23.246.101
Reputation: whitelisted

Domain: settings-win.data.microsoft.com
IP: 4.231.128.59
Reputation: whitelisted

Domain: activation-v2.sls.microsoft.com
IP: 20.83.72.98
Reputation: whitelisted

Threats

Class: Not Suspicious Traffic
Message: INFO [ANY.RUN] Websocket Upgrade Request
No debug info