File name:

2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk

Full analysis: https://app.any.run/tasks/9061358e-67df-4843-8138-2b8667f39430
Verdict: Malicious activity
Analysis date: May 17, 2025, 10:34:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
meshagent
rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

B9ADED03C958EB34AC4C9189AF95DF98

SHA1:

EDAED34C85559FA757D4377A11BAE4554F99B910

SHA256:

CE034B8BDDEF619772F9D33DCA5EBC42B863BFB2F62CF32B2542808E370C1ACE

SSDEEP:

98304:QdrmW4EM6E1vuMR9YQ2TNqG8VA4YriuoGCNSGPOAZVo+f:UMHDf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes as Windows Service

      • MeshAgent.exe (PID: 1020)
    • Reads security settings of Internet Explorer

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
    • Reads the date of Windows installation

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
    • Application launched itself

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
    • Executable content was dropped or overwritten

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
    • Creates or modifies Windows services

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
    • Creates a software uninstall entry

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
  • INFO

    • Reads the computer name

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
      • MeshAgent.exe (PID: 1020)
      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
    • MESHAGENT has been detected

      • MeshAgent.exe (PID: 1020)
      • MeshAgent.exe (PID: 1020)
      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
    • Creates files in the program directory

      • MeshAgent.exe (PID: 1020)
      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
    • The sample compiled with english language support

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
    • Checks supported languages

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 5176)
      • MeshAgent.exe (PID: 1020)
    • Process checks computer location settings

      • 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID: 1324)
    • Reads the software policy settings

      • slui.exe (PID: 2984)
    • Checks proxy server information

      • slui.exe (PID: 2984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:07 02:57:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2122752
InitializedDataSize: 1482240
UninitializedDataSize: -
EntryPoint: 0x1da03c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: MeshCentral Background Service Agent
FileVersion: 2025-Mar-6 21:44:07+0000
LegalCopyright: Apache 2.0 License
ProductName: MeshCentral Agent
ProductVersion: Commit: 2025-Mar-6 21:44:07+0000
No data.
All screenshots are available in the full report
Total processes
131
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Process tree, assembled from the parent processes listed under Process information ("no specs" is the report's own node label; the two conhost.exe instances are matched to their parents by integrity level, MEDIUM to PID 1324 and HIGH to PID 5176):

explorer.exe
  └ 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe (PID 1324, no specs)
      ├ conhost.exe (PID 1180, no specs)
      └ 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe -fullinstall (PID 5176)
          └ conhost.exe (PID 5072, no specs)
services.exe
  └ MeshAgent.exe (PID 1020)
svchost.exe
  └ slui.exe (PID 2984)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1020
CMD: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\Mesh Agent\MeshAgent.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
MeshCentral Background Service Agent
Version:
2025-Mar-6 21:44:07+0000
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ucrtbase.dll
PID: 1180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1324
CMD: "C:\Users\admin\Desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe"
Path: C:\Users\admin\Desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MeshCentral Background Service Agent
Exit code:
0
Version:
2025-Mar-6 21:44:07+0000
Modules
Images
c:\users\admin\desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
PID: 2984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5176
CMD: "C:\Users\admin\Desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe" -fullinstall
Path: C:\Users\admin\Desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
Parent process: 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
User:
admin
Integrity Level:
HIGH
Description:
MeshCentral Background Service Agent
Exit code:
0
Version:
2025-Mar-6 21:44:07+0000
Modules
Images
c:\users\admin\desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
Total events
4 469
Read events
4 449
Write events
20
Delete events
0

Modification events

(PID) Process: (5176) 2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
  write _InstalledBy = S-1-5-21-1693682860-607145093-2874071422-1001
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
  write DisplayName = Mesh Agent
  write DisplayIcon = C:\Program Files\Mesh Agent\MeshAgent.exe
  write InstallDate = 20250517
  write InstallLocation = C:\Program Files\Mesh Agent\
  write EstimatedSize = 3390
  write NoModify = 1
  write NoRepair = 1
  write UninstallString = C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"
  write DisplayVersion = 2025-03-06 21:44:07.000+00:00
Executable files
1
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID 1020 (MeshAgent.exe), binary:
  C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0BECDE0F4477C6BF61F57A77C8EA52081BC1BCEF
  MD5: 04786F16D4B39576D4B32032FF3435BB
  SHA256: F7BBD3DA236D387ECAD19CF46B43A32EAD97B315A2C36E1AF7FAAC351196CCBF
PID 5176 (2025-05-17_b9aded03c958eb34ac4c9189af95df98_black-basta_coinminer_ryuk.exe), executable:
  C:\Program Files\Mesh Agent\MeshAgent.exe
  MD5: B9ADED03C958EB34AC4C9189AF95DF98
  SHA256: CE034B8BDDEF619772F9D33DCA5EBC42B863BFB2F62CF32B2542808E370C1ACE
PID 1020 (MeshAgent.exe), binary:
  C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\282BB04D8230E42B2B3B2A145281F43C5472E4CD
  MD5: 63C864E8E6CA63E85CD79A1D6BE72EFB
  SHA256: ECF9FA13BF073F35784720CE4A108C9A4477C4AD1548D3FC516065512EBA2CF0
PID 1020 (MeshAgent.exe), text:
  C:\Program Files\Mesh Agent\MeshAgent.msh
  MD5: 8008AD1827D290A6A29F8BBB9C661B35
  SHA256: 5AC7CFAA38B6EDF7B0FBE9306D42D500632A5F1BD937D6B8B6B932A454335385
PID 1020 (MeshAgent.exe), binary:
  C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FCCC0E4B0E0459661AC6E5E6CD1C8837A180C002
  MD5: 62A2018A09B541B9E2A22A8E91641C3A
  SHA256: E1163A91D4813F3A81F84A9FED792E6C4452423134ADEAC869BD1D5159EE9195
PID 1020 (MeshAgent.exe), binary:
  C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\607D79BE537CA82D10DD79185641954781E4701B
  MD5: BCADD3A8D383A2069AB1E211C0180242
  SHA256: 7F4067E4B3A8A546142DAA32AB1FCEAEDEB2005EE2D81D8CED67EEC3C9A75186
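The dropped MeshAgent.exe carries the same MD5 as the submitted sample, so the installer simply copies itself into C:\Program Files\Mesh Agent\ and then writes MeshAgent.msh beside it. That .msh file is the agent's configuration and names the MeshCentral server the agent will call back to, which is the first thing to establish when triaging an RMM install that nobody sanctioned. The report records only the file's hashes, not its contents, so the following is an added example (not code from ANY.RUN or the MeshCentral project) that parses such a file offline. The key=value layout and the MeshServer, MeshID, ServerID, MeshName and MeshType keys are those the MeshCentral agent installer writes; the server host name, group name and identifier values in SAMPLE_MSH are constructed for the example, and the 96-hex-character length check reflects the SHA-384 identifiers the agent uses.

```python
"""Extract the MeshCentral server and identifiers from a MeshAgent.msh file.

Added example, not code from ANY.RUN or the MeshCentral project. SAMPLE_MSH is
constructed: the layout and key names follow what the agent installer writes,
the host name, group name and ID values are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample with the shape of a real MeshAgent.msh (CRLF line ends).
SAMPLE_MSH = (
    "MeshName=Workstations\r\n"
    "MeshType=2\r\n"
    "MeshID=0x" + "A1B2C3D4" * 12 + "\r\n"   # 0x + 96 hex chars (SHA-384)
    "ServerID=" + "F0E1D2C3" * 12 + "\r\n"   # 96 hex chars (SHA-384)
    "MeshServer=wss://mesh.example-rmm.net:443/agent.ashx\r\n"
)

HEX96 = re.compile(r"^[0-9A-F]{96}$", re.IGNORECASE)
DEFAULT_PORTS = {"wss": 443, "ws": 80}


@dataclass
class MshConfig:
    server_url: Optional[str] = None
    server_host: Optional[str] = None
    server_port: Optional[int] = None
    mesh_name: Optional[str] = None
    mesh_type: Optional[int] = None
    mesh_id: Optional[str] = None
    server_id: Optional[str] = None
    raw: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)


def parse_msh(text: str) -> MshConfig:
    """Parse key=value lines into an MshConfig, keeping every key in .raw.

    Key lookup is case-insensitive as a tolerance choice of this parser, not a
    documented property of the file format.
    """
    cfg = MshConfig()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg.raw[key.strip()] = value.strip()
    lower = {k.lower(): v for k, v in cfg.raw.items()}

    cfg.mesh_name = lower.get("meshname")
    if "meshtype" in lower:
        try:
            cfg.mesh_type = int(lower["meshtype"])
        except ValueError:
            cfg.warnings.append("MeshType is not an integer")

    cfg.mesh_id = lower.get("meshid")
    if cfg.mesh_id is not None:
        body = cfg.mesh_id[2:] if cfg.mesh_id.lower().startswith("0x") else cfg.mesh_id
        if not HEX96.match(body):
            cfg.warnings.append("MeshID is not 0x followed by 96 hex characters")

    cfg.server_id = lower.get("serverid")
    if cfg.server_id is not None and not HEX96.match(cfg.server_id):
        cfg.warnings.append("ServerID is not 96 hex characters")

    cfg.server_url = lower.get("meshserver")
    if cfg.server_url is None:
        cfg.warnings.append("no MeshServer line: agent has no server to connect to")
    else:
        u = urlparse(cfg.server_url)
        if u.scheme not in DEFAULT_PORTS or not u.hostname:
            cfg.warnings.append(f"MeshServer is not a ws/wss URL: {cfg.server_url}")
        else:
            cfg.server_host = u.hostname
            cfg.server_port = u.port or DEFAULT_PORTS[u.scheme]
    return cfg


def iocs(cfg: MshConfig) -> List[str]:
    """Flatten the parsed config into strings for a hunt query or blocklist."""
    out: List[str] = []
    if cfg.server_host:
        out.append(f"domain:{cfg.server_host}")
        out.append(f"url:{cfg.server_url}")
    if cfg.server_id:
        out.append(f"meshcentral-serverid:{cfg.server_id.upper()}")
    if cfg.mesh_id:
        out.append(f"meshcentral-meshid:{cfg.mesh_id}")
    return out


if __name__ == "__main__":
    parsed = parse_msh(SAMPLE_MSH)
    print(f"server: {parsed.server_host}:{parsed.server_port} ({parsed.server_url})")
    print(f"group:  {parsed.mesh_name} (type {parsed.mesh_type})")
    for w in parsed.warnings:
        print("warning:", w)
    for ioc in iocs(parsed):
        print(ioc)
```

Point it at the real file from the host (or a copy pulled from a sandbox run) instead of SAMPLE_MSH; the MeshServer host is what to check against the organisation's approved RMM servers, and a missing or non-websocket MeshServer line is itself worth a warning because the agent cannot work without one.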
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
41
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2148
SIHClient.exe
GET
200
23.216.77.23:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
23.216.77.23:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
23.216.77.23:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
2148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1020
MeshAgent.exe
239.255.255.235:16989
unknown
2148
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2148
SIHClient.exe
23.216.77.23:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2148
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2148
SIHClient.exe
20.3.187.198:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
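The chain this report records is the one an endpoint detection for an unapproved MeshAgent install should key on: a binary whose PE description is "MeshCentral Background Service Agent" run from the user's Desktop, its relaunch with -fullinstall at HIGH integrity, the service and uninstall keys written under Mesh Agent, MeshAgent.exe started by services.exe with --installedByUser, and the send to 239.255.255.235:16989, the multicast group and port the MeshCentral agent uses for local-network discovery. The block below is an added example, not ANY.RUN's or MeshCentral's code. EVENTS is a constructed Sysmon-style rendering of this report's events, with field names modelled on Sysmon's ProcessCreate, RegistryEvent and NetworkConnect records; the rule names are made up for the example.

```python
"""Flag the MeshAgent installation chain seen in this report in endpoint telemetry.

Added example, not code from ANY.RUN or the MeshCentral project. EVENTS is a
constructed, Sysmon-style rendering of the report's process, registry and
network events; rule names are invented.
"""
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\admin\Desktop\2025-05-17_b9aded03c958eb34ac4c9189af95df98"
          r"_black-basta_coinminer_ryuk.exe")
AGENT = r"C:\Program Files\Mesh Agent\MeshAgent.exe"
MESH_DESC = "MeshCentral Background Service Agent"
MESH_KEYS = (r"\Services\Mesh Agent", r"\CurrentVersion\Uninstall\Mesh Agent")
MESH_DISCOVERY = ("239.255.255.235", 16989)   # agent multicast discovery

# Constructed events mirroring the report (PIDs and paths as listed above).
EVENTS: List[Dict] = [
    {"type": "ProcessCreate", "pid": 1324, "image": SAMPLE, "cmd": f'"{SAMPLE}"',
     "parent": r"C:\Windows\explorer.exe", "description": MESH_DESC, "integrity": "Medium"},
    {"type": "ProcessCreate", "pid": 5176, "image": SAMPLE, "cmd": f'"{SAMPLE}" -fullinstall',
     "parent": SAMPLE, "description": MESH_DESC, "integrity": "High"},
    {"type": "RegistryEvent", "pid": 5176, "image": SAMPLE,
     "target": r"HKLM\SYSTEM\ControlSet001\Services\Mesh Agent\_InstalledBy",
     "details": "S-1-5-21-1693682860-607145093-2874071422-1001"},
    {"type": "RegistryEvent", "pid": 5176, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent\UninstallString",
     "details": r'C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"'},
    {"type": "ProcessCreate", "pid": 1020, "image": AGENT,
     "cmd": f'"{AGENT}" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"',
     "parent": r"C:\Windows\System32\services.exe", "description": MESH_DESC, "integrity": "System"},
    {"type": "NetworkConnect", "pid": 1020, "image": AGENT, "protocol": "udp",
     "dst_ip": "239.255.255.235", "dst_port": 16989},
    # Benign noise from the same run that must not fire.
    {"type": "ProcessCreate", "pid": 2984, "image": r"C:\Windows\System32\slui.exe",
     "cmd": r"C:\WINDOWS\System32\slui.exe -Embedding", "parent": r"C:\Windows\System32\svchost.exe",
     "description": "Windows Activation Client", "integrity": "Medium"},
]

Finding = Tuple[str, int, str]   # (rule, pid, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Finding]:
    """Run the five rules over the events and return (rule, pid, detail) tuples."""
    findings: List[Finding] = []
    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            img, cmd = e["image"], e["cmd"].lower()
            # 1. MeshCentral agent binary executed from a user profile path:
            #    the installer run, whatever the file has been renamed to.
            if e.get("description") == MESH_DESC and img.lower().startswith("c:\\users\\"):
                findings.append(("meshagent_binary_user_path", e["pid"], img))
            # 2. The install step: relaunch with -fullinstall (elevated in the report).
            if "-fullinstall" in cmd:
                findings.append(("meshagent_fullinstall", e["pid"], e["cmd"]))
            # 3. The installed agent started by the SCM, carrying the installing user's SID.
            if basename(e["parent"]) == "services.exe" and "--installedbyuser=" in cmd:
                findings.append(("meshagent_service_start", e["pid"], e["cmd"]))
        elif kind == "RegistryEvent":
            # 4. Service definition or Add/Remove Programs entry for "Mesh Agent".
            target = e["target"].lower()
            if any(k.lower() in target for k in MESH_KEYS):
                findings.append(("meshagent_registry_install", e["pid"], e["target"]))
        elif kind == "NetworkConnect":
            # 5. Agent multicast discovery on the local segment.
            if e.get("protocol") == "udp" and (e["dst_ip"], e["dst_port"]) == MESH_DISCOVERY:
                findings.append(("meshagent_multicast_discovery", e["pid"],
                                 f"{e['dst_ip']}:{e['dst_port']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Every one of these rules also fires on a sanctioned MeshCentral deployment, so they surface an install for review rather than prove malice; the decision rests on whether the server in MeshAgent.msh is the organisation's own RMM. Nothing in this report ties the binary to the families named in the submitted file name: the PE version info, the dropped files and the signatures are all those of the MeshCentral agent, and the Threats section below is empty.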

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.216.77.23
  • 23.216.77.10
  • 23.216.77.5
  • 23.216.77.25
  • 23.216.77.21
  • 23.216.77.18
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
login.live.com
  • 20.190.160.67
  • 40.126.32.76
  • 20.190.160.131
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.20
  • 20.190.160.17
  • 20.190.160.128
whitelisted

Threats

No threats detected
No debug info