File name:

2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver

Full analysis: https://app.any.run/tasks/89c9d56a-cdd6-40a6-9bcc-c02a2d521fe2
Verdict: Malicious activity
Analysis date: April 27, 2025, 05:38:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
meshagent
rmm-tool
websocket
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: F2FDE0642DF7B56B019253E7F8B49A3A
SHA1: 58EF1C4D05A27215C1E2EBAF15D3C6637F48C6DD
SHA256: 833D64D4D7C07FAFEA76A9EDA497DC12AE232CCB86A48B2420201A35129DFB52
SSDEEP: 98304:x/NkRdEtqLdOvOSWHO2mSxzbOep2irTPj/:v+dJ/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
      • MeshAgent.exe (PID: 1196)
  • SUSPICIOUS

    • Uses WMIC.EXE to obtain operating system information

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Reads the date of Windows installation

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Reads security settings of Internet Explorer

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Application launched itself

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Executable content was dropped or overwritten

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 1196)
    • Creates or modifies Windows services

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
    • Creates a software uninstall entry

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
  • INFO

    • Reads the machine GUID from the registry

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • MeshAgent.exe (PID: 1196)
    • The sample compiled with english language support

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
    • Reads the computer name

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
      • MeshAgent.exe (PID: 1196)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5556)
    • Checks supported languages

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
      • MeshAgent.exe (PID: 1196)
    • Process checks computer location settings

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Creates files in the program directory

      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
      • MeshAgent.exe (PID: 1196)
    • MESHAGENT has been detected

      • MeshAgent.exe (PID: 1196)
      • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (PID: 6148)
      • MeshAgent.exe (PID: 1196)
    • Checks proxy server information

      • slui.exe (PID: 6372)
    • Reads the software policy settings

      • slui.exe (PID: 6372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2022:12:09 20:12:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2122240
InitializedDataSize: 1475072
UninitializedDataSize: -
EntryPoint: 0x1d9d8c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: MeshCentral Background Service Agent
FileVersion: 2022-Dec-2 11:42:16-0800
LegalCopyright: Apache 2.0 License
ProductName: MeshCentral Agent
ProductVersion: Commit: 2022-Dec-2 11:42:16-0800
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order displayed:
  • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
  • conhost.exe (no specs)
  • meshagent.exe
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1196
CMD: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\Mesh Agent\MeshAgent.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
MeshCentral Background Service Agent
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll
PID: 5556
CMD: wmic os get oslanguage /FORMAT:LIST
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 6036
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6148
CMD: "C:\Users\admin\Desktop\2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe" -fullinstall
Path: C:\Users\admin\Desktop\2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Parent process: 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Integrity Level:
HIGH
Description:
MeshCentral Background Service Agent
Exit code:
0
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\users\admin\desktop\2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6372
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6656
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7020
CMD: "C:\Users\admin\Desktop\2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe"
Path: C:\Users\admin\Desktop\2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MeshCentral Background Service Agent
Exit code:
0
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\users\admin\desktop\2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7144
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 659
Read events: 4 640
Write events: 19
Delete events: 0

Modification events

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files\Mesh Agent\MeshAgent.exe

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallLocation
Value: C:\Program Files\Mesh Agent\

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: EstimatedSize
Value: 3481

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoModify
Value: 1

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoRepair
Value: 1

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: UninstallString
Value: C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayVersion
Value: 2022-12-02 19:42:16.000+00:00

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: _InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

(PID) Process: (6148) 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayName
Value: Mesh Agent
Executable files: 1
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1196 | MeshAgent.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DD2A4E3AD5801D9A8EB1AA49CB7A4A7E0F0A604A | binary
MD5: 79CC6185188E2153DF1E3082F87CF250
SHA256: 3126D958C2A2317F05A9A79152A85CD517DF12281F5DF2FDA487D97A344F1CFC

1196 | MeshAgent.exe | C:\Program Files\Mesh Agent\MeshAgent.msh | text
MD5: FA16752F2D3CFDF1E06BA20E3D985ECC
SHA256: CA223B3968749E2CA4288A654B840F2CC319EEA3F3E8286E6F6E65379233A068

6148 | 2025-04-27_f2fde0642df7b56b019253e7f8b49a3a_black-basta_coinminer_ryuk_sliver.exe | C:\Program Files\Mesh Agent\MeshAgent.exe | executable
MD5: F2FDE0642DF7B56B019253E7F8B49A3A
SHA256: 833D64D4D7C07FAFEA76A9EDA497DC12AE232CCB86A48B2420201A35129DFB52

1196 | MeshAgent.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\439A483C4F2165FDFE20697B78DB16300EC6E2E1 | binary
MD5: 996D9FF27514C4CB180A65093932F9A4
SHA256: E83BBD090B7F86A3EF4FE336C8B857A1EABFB6D62B705BD038E1C4E2B0A2E129

1196 | MeshAgent.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\16CDB75C4551FFA6AFB3849B93F42EBEFA4E33AF | binary
MD5: 67AA794AA1A819FFAEC394CD80C9316D
SHA256: 639D966789636F10452C7651721C640A66374A2A2D2A2A230AE15BA76CAB7D10

1196 | MeshAgent.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A8CA20268826023234A3C97718A1DCA7A9C06F0F | binary
MD5: 6E3D979ACEB0E928649A88D98CD38B21
SHA256: 7958E0712575AA16242AEF1F4C7E36F190038871C0A9E191285AD756E8D63C25
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 27
DNS requests: 5
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1852 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 101 | 195.82.147.22:443 | https://195.82.147.22/agent.ashx | unknown | - | - | -
1852 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 101 | 195.82.147.22:443 | https://195.82.147.22/agent.ashx | unknown | - | - | -
- | - | GET | 101 | 195.82.147.22:443 | https://195.82.147.22/agent.ashx | unknown | - | - | -
- | - | GET | 101 | 195.82.147.22:443 | https://195.82.147.22/agent.ashx | unknown | - | - | -
- | - | GET | 101 | 195.82.147.22:443 | https://195.82.147.22/agent.ashx | unknown | - | - | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1852 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1852 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1852 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1196 | MeshAgent.exe | 195.82.147.22:443 | - | Dreamtorrent Corp | RU | unknown
5776 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6372 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.9, 2.16.164.49, 2.16.164.72 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
No debug info