File name:

2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver

Full analysis: https://app.any.run/tasks/88b85778-9e73-416a-9c50-9102be278e75
Verdict: Malicious activity
Analysis date: May 17, 2025, 07:36:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
meshagent
rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

9EF0626B1B079FC25AA155FC5720FFF0

SHA1:

8EA637AB75BAAE4629DFC152348D5B98E80DD225

SHA256:

A943C86D636E69C902ECB8F0AC464A613D37BED83A0D82B4FB523D24C773E8C5

SSDEEP:

98304:WdrmW4EM6E1vuMR9YQ2TNqG8VApYA3uoGCNSGPOAZVoH7:OM267

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the date of Windows installation

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Application launched itself

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Executable content was dropped or overwritten

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
    • Reads security settings of Internet Explorer

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Creates or modifies Windows services

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
    • Creates a software uninstall entry

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 5064)
    • MeshAgent potential remote access (YARA)

      • MeshAgent.exe (PID: 5064)
  • INFO

    • Reads the computer name

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
      • MeshAgent.exe (PID: 5064)
    • Checks supported languages

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
      • MeshAgent.exe (PID: 5064)
    • The sample compiled with english language support

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
    • Process checks computer location settings

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 7020)
    • Creates files in the program directory

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
      • MeshAgent.exe (PID: 5064)
    • MESHAGENT has been detected

      • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (PID: 4608)
      • MeshAgent.exe (PID: 5064)
      • MeshAgent.exe (PID: 5064)
    • Checks proxy server information

      • slui.exe (PID: 6080)
    • Reads the software policy settings

      • slui.exe (PID: 6080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:26 03:09:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2122752
InitializedDataSize: 1300992
UninitializedDataSize: -
EntryPoint: 0x1da03c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 10.0.22621.1
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: Host Process for Windows Services
FileVersion: 10.0.22621.1
InternalName: wcsvc
OriginalFileName: svc.exe
ProductName: Security Center
ProductVersion: 10.0.22621.1
LegalCopyright: Microsoft Corporation. All rights reserved
No data.
All screenshots are available in the full report
Total processes
131
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

  • start
  • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe (no specs)
  • conhost.exe (no specs)
  • 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
  • conhost.exe (no specs)
  • #MESHAGENT meshagent.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4608
CMD: "C:\Users\admin\Desktop\2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe" -fullinstall
Path: C:\Users\admin\Desktop\2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Parent process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.22621.1
Modules
Images
c:\users\admin\desktop\2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 5064
CMD: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\Mesh Agent\MeshAgent.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22621.1
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6080
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6816
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7020
CMD: "C:\Users\admin\Desktop\2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe"
Path: C:\Users\admin\Desktop\2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.22621.1
Modules
Images
c:\users\admin\desktop\2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
4 448
Read events
4 431
Write events
17
Delete events
0

Modification events

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: _InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayName
Value: Mesh Agent

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files\Mesh Agent\MeshAgent.exe

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallDate
Value: 20250517

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallLocation
Value: C:\Program Files\Mesh Agent\

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: EstimatedSize
Value: 3406

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoModify
Value: 1

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoRepair
Value: 1

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: UninstallString
Value: C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"
Executable files
1
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID: 5064
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3669D6A4EB7237BDCF2C670BD4EB3400FA404A1A
Type: binary
MD5: AA1BBD5C5CAE7A38E1EB13B6B4185C45
SHA256: EB69C50C250A55BFD9335B2A690D5DCE627DE4880D542F01532DC08E98C3450A

PID: 5064
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\8C26056FE9E854F3EFC41082DD1AE010336F242F
Type: binary
MD5: 2B7BB2FF251A5AF25AE4A769299791CE
SHA256: 2E1AA8ED4B4275008F310DD9EEF81E4EBC25A2E5691F5DF0CB06D59D8E08BEA7

PID: 5064
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7BBA3D9E98A0261A16B0A82BFA94E428CD12428F
Type: binary
MD5: 034E43A3468BC988F630F9674F814D4A
SHA256: 4DDF8E61260E9581E98FAF8A32B6E92AE5FEAB92793EF69B163D425421777822

PID: 4608
Process: 2025-05-17_9ef0626b1b079fc25aa155fc5720fff0_black-basta_coinminer_ryuk_sliver.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.exe
Type: executable
MD5: 9EF0626B1B079FC25AA155FC5720FFF0
SHA256: A943C86D636E69C902ECB8F0AC464A613D37BED83A0D82B4FB523D24C773E8C5

PID: 5064
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\BABF3923A78C600E1D21B4E2B7A8011E5B394893
Type: binary
MD5: 8F7C348DF5882159EA61B8FF6FEE9588
SHA256: 6FAED4DA4FE922DB93C38AE22DF1A6EB5E50D1D765D00570F74179423E7F2BBD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
47
DNS requests
14
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5204 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
5204 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5204 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5204 | SIHClient.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5204 | SIHClient.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5204 | SIHClient.exe | 13.85.23.206:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
496 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.114
  • 2.16.164.99
  • 2.16.164.89
  • 2.16.164.83
  • 2.16.164.81
  • 2.16.164.18
  • 2.16.164.40
  • 2.16.164.10
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.66
  • 20.190.160.22
  • 20.190.160.131
  • 20.190.160.20
  • 20.190.160.3
  • 20.190.160.5
  • 20.190.160.128
whitelisted

Threats

No threats detected
No debug info