File name:

2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/12e12114-8650-41c9-8cb0-2b668904bdd1
Verdict: Malicious activity
Analysis date: June 21, 2025, 16:33:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

199376B8B39A438CD443BACA5F984E3E

SHA1:

82FAEE82F7FB461A0749BEAEF55D4DC146F845C5

SHA256:

A0CA55E45215FFC391161DCA6565AF8BD8F798B40B0F328562DEB48EA41763EA

SSDEEP:

24576:95FD8JkzPTDIwTBS3ISGIwShHqs3U33AWOx+n:9TD8kzPTZTBS3ISGIwShHq7AWOx+n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Reads the date of Windows installation

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Mutex name with non-standard characters

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Executable content was dropped or overwritten

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Starts a Microsoft application from unusual location

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 5712)

  • INFO

    • Checks supported languages

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Reads the computer name

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Checks proxy server information

      • slui.exe (PID: 6292)

    • Reads the software policy settings

      • slui.exe (PID: 6292)

    • Create files in a temporary directory

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)

    • Process checks computer location settings

      • 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe (PID: 7080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NESHTA 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
5712"C:\Users\admin\AppData\Local\Temp\3582-490\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection DLP Command Line Utility
Exit code:
3221225781
Version:
4.18.25040.2 (82640e7cfde5ee75f6010c8d2c06272146d2bb6b)
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6292C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6548\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7080"C:\Users\admin\Desktop\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe" C:\Users\admin\Desktop\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
6 841
Read events
6 833
Write events
8
Delete events
0

Modification events

(PID) Process:(7080) 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(7080) 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(7080) 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(7080) 2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
7
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exe
MD5:
SHA256:
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmpbinary
MD5:F199CFE7B46D06AE65379FD1281141C2
SHA256:4DF1D2B1F5DA23EF6168DBFCA53F92892A0285F3F1F47053FC3A6FC3814AE8F8
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:A747FA4161FE3C00C3FBB4BF391D4D4E
SHA256:B7BA59428AF7AE08C5BF927B57E326D5259E6ED31BD4237AA6A44378177364C1
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
70802025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256:3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2792
RUXIMICS.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2792
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2792
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2792
RUXIMICS.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
2792
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.3
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_199376b8b39a438cd443baca5f984e3e_black-basta_cobalt-strike_elex_gcleaner_luca-stealer_neshta