File name:

2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/94f447cd-8e37-4583-bdff-a5cdd791d116
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 05, 2025, 05:06:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

454BFA64548EB9973672CE3E3E5DD225

SHA1:

2AE971288F40EBB062990A19ED10916E1E302BEB

SHA256:

D9D7822E8484B533F9676D892FBB29CC4AF53D0D992E611938E451964427C6C7

SSDEEP:

24576:X5FFggkHLWqnivnuhHqaEVYS6IiXm7rxZgccJNqZLN92:XT+gkHLWqnivnuhHqvVYS/iXwrxZgccF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • FileCoAuth.exe (PID: 8144)

    • Actions looks like stealing of personal data

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 6620)

    • Changes the autorun value in the registry

      • AacSetup.exe (PID: 7848)

  • SUSPICIOUS

    • Mutex name with non-standard characters

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • FileCoAuth.exe (PID: 8144)

    • Reads security settings of Internet Explorer

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • FileCoAuth.exe (PID: 8144)

    • Executable content was dropped or overwritten

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7620)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • FileCoAuth.exe (PID: 8144)
      • AacSetup.exe (PID: 7848)

    • Starts itself from another location

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7620)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)

    • Searches for installed software

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • dllhost.exe (PID: 7896)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 8144)

    • There is functionality for taking screenshot (YARA)

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)

    • Executes as Windows Service

      • VSSVC.exe (PID: 7940)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 6620)

    • Creates a software uninstall entry

      • AacSetup.exe (PID: 7848)

  • INFO

    • Create files in a temporary directory

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7620)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • FileCoAuth.exe (PID: 6620)

    • Reads the computer name

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • AacSetup.exe (PID: 7848)
      • FileCoAuth.exe (PID: 6620)

    • Checks supported languages

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7620)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • AacSetup.exe (PID: 7848)
      • FileCoAuth.exe (PID: 6620)

    • Process checks computer location settings

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7572)
      • FileCoAuth.exe (PID: 8144)
      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)

    • The sample compiled with english language support

      • 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe (PID: 7644)
      • FileCoAuth.exe (PID: 8144)

    • Manages system restore points

      • SrTasks.exe (PID: 5720)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 6620)

    • Creates files in the program directory

      • AacSetup.exe (PID: 7848)

    • Checks proxy server information

      • slui.exe (PID: 7276)

    • Reads the software policy settings

      • slui.exe (PID: 7276)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (58.7)
.scr | Windows screen saver (17.8)
.dll | Win32 Dynamic Link Library (generic) (8.9)
.exe | Win32 Executable (generic) (6.1)
.exe | Win16/32 Executable Delphi generic (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
11
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe 2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe aacsetup.exe SPPSurrogate no specs vssvc.exe no specs filecoauth.exe no specs filecoauth.exe no specs srtasks.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3888\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5720C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6620"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7276C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7572"C:\Users\admin\Desktop\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe" C:\Users\admin\Desktop\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7620"C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
User:
admin
Company:
KINGSTON COMPONENTS INC.
Integrity Level:
MEDIUM
Description:
Kingston AURA DRAM Component
Exit code:
1
Version:
1.1.36
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7644"C:\Users\admin\AppData\Local\Temp\{3449E0B0-3EFA-474C-B810-E6904340227F}\.cr\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe" -burn.filehandle.attached=580 -burn.filehandle.self=576 C:\Users\admin\AppData\Local\Temp\{3449E0B0-3EFA-474C-B810-E6904340227F}\.cr\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
User:
admin
Company:
KINGSTON COMPONENTS INC.
Integrity Level:
MEDIUM
Description:
Kingston AURA DRAM Component
Exit code:
1
Version:
1.1.36
Modules
Images
c:\users\admin\appdata\local\temp\{3449e0b0-3efa-474c-b810-e6904340227f}\.cr\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7848"C:\Users\admin\AppData\Local\Temp\{3C8EDDC1-223E-4173-A47D-068AF5DB6EA5}\.be\AacSetup.exe" -q -burn.elevated BurnPipe.{4BBC9D22-F8BC-4955-A39F-218AE0CB918A} {85EBFBEC-1678-442A-B8FE-F9B80CA56108} 7644C:\Users\admin\AppData\Local\Temp\{3C8EDDC1-223E-4173-A47D-068AF5DB6EA5}\.be\AacSetup.exe
2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exe
User:
admin
Company:
KINGSTON COMPONENTS INC.
Integrity Level:
HIGH
Description:
Kingston AURA DRAM Component
Exit code:
1
Version:
1.1.36
Modules
Images
c:\users\admin\appdata\local\temp\{3c8eddc1-223e-4173-a47d-068af5db6ea5}\.be\aacsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7896C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
7940C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 097
Read events
5 876
Write events
196
Delete events
25

Modification events

(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000AA7D8081E8A5DB01D81E0000F01E0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7848) AacSetup.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000AA7D8081E8A5DB01A81E0000AC1E0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000003BFB0582E8A5DB01D81E0000F01E0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000C05F0882E8A5DB01D81E0000F01E0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000081C30A82E8A5DB01D81E0000F01E0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
48000000000000002E8C0F82E8A5DB01D81E0000F01E0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7896) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000055F58182E8A5DB01D81E00005C1F0000E80300000100000000000000000000003F569A28EFB8AB4D9393CF676A947AE600000000000000000000000000000000
(PID) Process:(7940) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000364C9082E8A5DB01041F0000201F0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7940) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
Executable files
14
Suspicious files
7
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7896dllhost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
75722025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeexecutable
MD5:6D902770A1A701DFCB543950DEFF5EE7
SHA256:EE8A15396E16DE2763AFB473675CFD157212DA10AE05CBF395BDD645C514DC8C
76442025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\{3C8EDDC1-223E-4173-A47D-068AF5DB6EA5}\.ba\wixstdba.dllexecutable
MD5:FE7E0BD53F52E6630473C31299A49FDD
SHA256:2BEA14D70943A42D344E09B7C9DE5562FA7E109946E1C615DD584DA30D06CC80
76442025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\{3C8EDDC1-223E-4173-A47D-068AF5DB6EA5}\.ba\thm.wxlxml
MD5:FC0DB4142556D3F38B0744A12F5F9D3D
SHA256:8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019
75722025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:D026B9E26E841107E83D949D47FBCDAA
SHA256:BC57899EE48A674A87E03E5842B55AAE59A8BFEA5986C89FB41340C48D3F55BF
76442025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\{3C8EDDC1-223E-4173-A47D-068AF5DB6EA5}\.ba\logo.pngimage
MD5:80DF19F22C1D266C06ACE7C8B9831762
SHA256:E8E37845754F62B6426CE39CBDA1DB032856BD551E6D39BBACA06AA7C44625C4
76202025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\{3449E0B0-3EFA-474C-B810-E6904340227F}\.cr\2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeexecutable
MD5:6D902770A1A701DFCB543950DEFF5EE7
SHA256:EE8A15396E16DE2763AFB473675CFD157212DA10AE05CBF395BDD645C514DC8C
75722025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:029161B0086AB656157D9679726C9034
SHA256:B332CEDC5388345D7A5AA286C812886469807386889670CC619363857A869006
75722025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:BED5120A499CD5999A33D90455A4797F
SHA256:17E0420B42CE3EC312BDAF1D77A2EDDF931C359272E41802E7009CD06D60B809
75722025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:10E3FA799346836C2AA528107AC84830
SHA256:18012C021928250314264F758F1356D968423439FD7A4FFAA8CDBA540ECF924E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
60
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
1348
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1348
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1348
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1348
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1348
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1348
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
40.69.42.241:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
20.198.162.78:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1348
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1348
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.128
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.64
  • 40.126.31.128
  • 40.126.31.1
  • 20.190.159.0
whitelisted
client.wns.windows.com
  • 20.198.162.78
  • 20.7.1.246
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-05_454bfa64548eb9973672ce3e3e5dd225_black-basta_coinminer_hijackloader_luca-stealer_neshta