File name:

2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta

Full analysis: https://app.any.run/tasks/43eadd42-09b9-4d13-a732-04048d234dd8
Verdict: Malicious activity
Analysis date: May 17, 2025, 03:51:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

F5A2C0C465A92A2D2B721609F2A544C1

SHA1:

7C08FB8EA9E1F29D52C0FAE1021A3197DE3A132E

SHA256:

6DDD5F9F09E1A60870DEFC4DACF4149D86DDBBBEEC2FC34B36930826451D6461

SSDEEP:

49152:wB21KnHdA7H1gcRuqMMoATHjZmz3ru+zG76GGUr1kXTpnfpZAivaFzkziIJxS:021Kn9AxRRzMM5HjZmz7zzNGGUpQVT9U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7768)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 7828)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7768)

    • Mutex name with non-standard characters

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7768)

    • Executable content was dropped or overwritten

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7768)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 7768)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 7828)

  • INFO

    • Create files in a temporary directory

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7828)

    • Checks supported languages

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7464)
      • FileCoAuth.exe (PID: 7828)

    • Process checks computer location settings

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7768)

    • Reads the computer name

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7828)

    • The sample compiled with english language support

      • 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe (PID: 7420)
      • FileCoAuth.exe (PID: 7768)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 7828)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 7828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x8178
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe 2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe no specs filecoauth.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7420"C:\Users\admin\Desktop\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe" C:\Users\admin\Desktop\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7464"C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe
User:
admin
Company:
The Chromium Authors
Integrity Level:
MEDIUM
Description:
Octium
Exit code:
0
Version:
136.0.7103.49
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
7768C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7828"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
8048C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 987
Read events
3 987
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmpbinary
MD5:C738303F21CE595EB088178D4C64CF1C
SHA256:5FD938734D7A38D0050D8F399D0B4798268E09E0FA817701889EE44D41AFEFDB
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeexecutable
MD5:B10DB74BCEC4468636BCB2338CC4D1E6
SHA256:9866ED399A29B1B8DFE8745A91784E81CF4B3DC0246DC413709C41ED867F33C7
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:5AD18D4DCE1261D22EEE787EF3ACA521
SHA256:6675AC4E0DC6A36D3F684EE9B2FB17D597989E2CB7C28955A5530E7800D2C505
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:94E1E168BEE17E7F56089D3092646594
SHA256:1916FB8FD06CAF423A4B9EE94AAC6E54A9A7C23051C8052DA958024A4235AEBC
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:DA208322FA12146ECCAFB2CBED567F21
SHA256:09BB93A4C010AF9F607006EFA76D5D3A7435864A513BEF9AF0FFA665A3B18440
7828FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-17.0352.7828.1.odlbinary
MD5:C5D8EF69D172410292242DE93553CDF8
SHA256:1BAC63A91F63ABDB62C516BF21595DB0EB76EC2D7FA22A1DAAFF8ED0974CC402
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:717773EA512935FF43DB2A240F73F065
SHA256:FC72BC56F7EEEC39433F09B3756B7664F90575FDA38B037DFA70CBC666A4C80E
7768FileCoAuth.exeC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeexecutable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
7828FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-17.0352.7828.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
74202025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:62B17C396323A05211FCB806947C9A73
SHA256:ADD9754D24558AD5692521CFE97E9F1E71144F41E4E99D984BEE71F697D25F55
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
39
DNS requests
19
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7880
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7880
SIHClient.exe
52.165.164.15:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.73
  • 40.126.31.131
  • 20.190.159.2
  • 20.190.159.130
  • 20.190.159.131
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_f5a2c0c465a92a2d2b721609f2a544c1_black-basta_elex_gcleaner_hijackloader_neshta