File name: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/37a926d0-af6e-4c8f-a220-d9e1828de4f4
Verdict: Malicious activity
Analysis date: May 19, 2025, 04:26:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: D2D5969987D6DD3BB3EBF8AFA6ED71C7
SHA1: 447689C137BCA8119F737FAB3CA6714BB1296940
SHA256: F94A9A927A03744027ECA3CBBD6F2C4D894AA356088148648322F7FBCD06DFA1
SSDEEP: 49152:wBXXUfcEtly0CrLU3FhlG1+QQ5G1+3jjAdJu81+nQ5yPJWo2+mQ5Rnig:0XXUkEby0igB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • NESHTA mutex has been found

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • Reads security settings of Internet Explorer

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • Starts a Microsoft application from unusual location

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • Mutex name with non-standard characters

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 2852)
  • INFO

    • Reads the computer name

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 6048)
    • Create files in a temporary directory

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • Checks supported languages

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 6048)
    • Process checks computer location settings

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • The sample compiled with english language support

      • FileCoAuth.exe (PID: 2852)
    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 6048)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 6048)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (75)
.exe | InstallShield setup (12.2)
.exe | Win32 Executable Delphi generic (4)
.scr | Windows screen saver (3.7)
.dll | Win32 Dynamic Link Library (generic) (1.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x8178
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
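The EXIF fields above are what a header parser reads from the first few hundred bytes of the file. The following Python script is an added example, not part of the ANY.RUN report: it parses those fields with the standard library only and flags the two Delphi fingerprints behind the TRiD verdict, the fixed link timestamp 0x2A425E19 (1992-06-19 22:22:17 UTC, which the Delphi linker writes in place of a build time) and linker version 2.25. The `build_sample_pe()` helper constructs a header-only stand-in carrying the values listed above so the script runs offline; it contains no code and is not the sample.

```python
"""PE32 header triage: reproduces the EXIF/TRiD fields of the report and flags
the Borland/Delphi fingerprints. Standard library only, runs offline.
Added example, not part of the ANY.RUN report."""
import struct
from datetime import datetime, timezone

# The Delphi linker writes this constant into TimeDateStamp instead of the
# real build time; it decodes to 1992-06-19 22:22:17 UTC.
DELPHI_TIMESTAMP = 0x2A425E19
DELPHI_LINKER_VERSION = (2, 25)

IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0080: "Bytes reversed lo",
    0x0100: "32-bit",
    0x2000: "DLL",
    0x8000: "Bytes reversed hi",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def triage_pe(data: bytes) -> dict:
    """Parse the DOS header pointer, the COFF header and the PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     _opt_size, chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic, maj_link, min_link, code_size, init_size,
     uninit_size, entry) = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header (magic 0x%X)" % magic)
    (maj_os, min_os, maj_img, min_img,
     maj_sub, min_sub) = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    notes = []
    if timestamp == DELPHI_TIMESTAMP:
        notes.append("TimeDateStamp is the fixed Delphi constant, not a build time")
    if (maj_link, min_link) == DELPHI_LINKER_VERSION:
        notes.append("linker version 2.25 matches the Borland Delphi linker")
    return {
        "machine": "Intel 386 or later" if machine == 0x14C else "0x%X" % machine,
        "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": [name for bit, name in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit],
        "linker_version": "%d.%d" % (maj_link, min_link),
        "code_size": code_size,
        "initialized_data_size": init_size,
        "uninitialized_data_size": uninit_size,
        "entry_point": entry,
        "os_version": "%d.%d" % (maj_os, min_os),
        "image_version": "%d.%d" % (maj_img, min_img),
        "subsystem_version": "%d.%d" % (maj_sub, min_sub),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "likely_delphi": len(notes) == 2,
        "notes": notes,
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 carrying the values the report lists for the
    sample (8 sections, linker 2.25, entry point 0x8178, GUI subsystem).
    Stand-in for this example only; it holds no code and is not the malware."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after the DOS header
    chars = 0x0002 | 0x0004 | 0x0008 | 0x0080 | 0x0100 | 0x8000
    coff = struct.pack("<HHIIIHH", 0x14C, 8, DELPHI_TIMESTAMP, 0, 0, 96, chars)
    opt = bytearray(96)                               # PE32 optional header without data directories
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 2, 25, 29696, 10752, 0, 0x8178)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)
    struct.pack_into("<H", opt, 68, 2)                # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage_pe(data).items():
        print("%-25s %s" % (key, value))
```

Run it with a file path to triage a real binary, or with no argument to run it against the constructed stand-in. The practical consequence of the Delphi constant is that the TimeStamp field says nothing about when this sample was built; the 1992 date in the EXIF block is the linker constant, not evidence of an old binary.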
Total processes: 127
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 2

Behavior graph (process tree; parent processes as given in the process table below)

explorer.exe
  2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe  (PID 2516, C:\Users\admin\Desktop\)  #NESHTA
    2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe  (PID 5256, C:\Users\admin\AppData\Local\Temp\3582-490\, no specs)
svchost.exe
  FileCoAuth.exe  (PID 2852, C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\, no specs)
    FileCoAuth.exe  (PID 6048, C:\Users\admin\AppData\Local\Temp\3582-490\, no specs)
  slui.exe  (C:\Windows\System32\, no specs)

How to read the tree: Neshta is a Delphi file infector that prepends itself to other executables. When an infected file runs, the infector writes the original program to %TEMP%\3582-490\ and launches it from there, so every infected process spawns a same-named child from that directory. The Desktop sample (2516) does this for its own host (5256), and FileCoAuth.exe, which 2516 overwrote in the OneDrive folder (see Dropped files), does the same when COM activation starts it with -Embedding under svchost.exe (2852, then 6048). slui.exe is the Windows Activation Client, started by svchost.exe and not by the sample.

Process information

PID 2516
  CMD: "C:\Users\admin\Desktop\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe"
  Path: C:\Users\admin\Desktop\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 2852
  CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
  Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
  Parent process: svchost.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll

PID 5256
  CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe"
  Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  Parent process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  User: admin
  Company: Microsoft Corporation
  Description: Microsoft Application Error Reporting
  Version: 16.0.4266.1001
  Integrity level: MEDIUM
  Exit code: 1
  Modules (images):
    c:\users\admin\appdata\local\temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
  Note: the Company, Description and Version fields come from the version resource of the file carved out to Temp\3582-490, i.e. the clean host program (Microsoft Application Error Reporting) that the infector was wrapped around, not from the infector itself. The dw.log this process writes to %TEMP% (see Dropped files) is that host's own log; the Desktop copy (2516) carries no version resource.

PID 5256 (the report lists the same PID for slui.exe as for the staged sample above)
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows Activation Client
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 6048
  CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -Embedding
  Path: C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe
  Parent process: FileCoAuth.exe
  User: admin
  Company: Microsoft Corporation
  Description: Microsoft OneDriveFile Co-Authoring Executable
  Version: 19.043.0304.0013
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll
Total events: 3 991
Read events: 3 991
Write events: 0
Delete events: 0
Modification events: No data

Files: executable 9, suspicious 2, text 2, unknown types 0

Dropped files (PID | Process; then filename, type and hashes)

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (executable)
  MD5: 385BD5A50D6BC90D7447063C4C03537D
  SHA256: B38AD8B5179E7C8FE851EB690B50B5CF0B33CB74A2F00B9B44DFF6A92333DF47

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exe (executable)
  MD5: A0E43479D1867D37DEEB902F304FA839
  SHA256: F93DB31E4EAA82563820FD1F810A3FE4DE61FF37AF96483C6EDEAF21CD057A45

5256 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Temp\dw.log (text)
  MD5: 418747C2175F003E0A93D70117FB98D3
  SHA256: 942E66C9A0766B19D66F4E5616039AD59F8B9BB7464AE86FAAD5124DD4288746

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Temp\tmp5023.tmp (text)
  MD5: 24EA40392BF4EDF741B2300021582B78
  SHA256: A7F9FF077F35E22A6F12FDAA38E07D11F691FB68175B74294D2667FB7B3D15B1

6048 | FileCoAuth.exe
  C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-19.0427.6048.1.odl (binary)
  MD5: D314262260496F3DD954034BBC965570
  SHA256: B76430111990910E374B07920516F20B1E99CE2E3766834E539BB9B6154D5334

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe (executable)
  MD5: CF77ED970673C28AD85D5DF631DF05B0
  SHA256: A83AEB23EC4E2BD55CEEF15485FA843A34D2B4B7722E241A5ACFC79EC751E581

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe (executable)
  MD5: A44F073E9F2D2AC6EE35CBAB8F9CF778
  SHA256: FEDF696861864F350C47C017D4DAEA900A0507953EE2AE95A6A144486E354B37

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe (executable)
  MD5: D107892A4685AC898DA78786BCA591D7
  SHA256: 5790B04F9033AF3C4B7C8FB948B7DE0CBF4308915C11AAD6A37C924D73FA5FF8

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe (executable)
  MD5: 83ADBC92F28E10801DC961F86654A25A
  SHA256: DA724B8FCEE57E386E48C626953CCC95047A9F74C59B18C5D75CBCE5283A0F4D

2516 | 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
  C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (executable)
  MD5: CA51AC79C8F5F6812BC2EB3171C88AD2
  SHA256: 38B754AC0B9E8976A45DBB4C4CB858A82EB78A458D92ADE883FA65748176BA83
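The process and dropped-file tables above contain the two behavioural tells the sandbox flagged ("Starts a Microsoft application from unusual location" and "Executable content was dropped or overwritten"). The following Python is an added example, not anything from the ANY.RUN report or a detection product: it turns those tells into two rules and runs them over event records reconstructed from the tables. The records and their field names (`pid`, `image`, `parent_pid`, `path`, `ftype`) are this script's own constructed schema, not a Sysmon or ANY.RUN format; the PIDs of explorer.exe and svchost.exe are not given in the report and are left as None, and slui.exe is given the PID 5352 from the Connections table because the process table lists it under the staged sample's PID.

```python
"""Two detection rules for the Neshta file-infector pattern, run over process
and file-write records reconstructed from the report's tables.
Added example, not part of the ANY.RUN report. Constructed schema."""
import ntpath

# Neshta carves the clean host program out of an infected file into this
# directory and runs it from there (path taken from the report).
STAGING_DIR = "\\appdata\\local\\temp\\3582-490\\"

SAMPLE = ("2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_"
          "elex_gcleaner_hawkeye_luca-stealer_neshta.exe")
ONEDRIVE = "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\"
TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\"

# Constructed process records from the report's process table.
PROCESSES = [
    {"pid": 2516, "image": "C:\\Users\\admin\\Desktop\\" + SAMPLE, "parent_pid": None},            # parent explorer.exe
    {"pid": 2852, "image": ONEDRIVE + "19.043.0304.0013\\FileCoAuth.exe", "parent_pid": None},   # parent svchost.exe
    {"pid": 5256, "image": TEMP + "3582-490\\" + SAMPLE, "parent_pid": 2516},
    {"pid": 6048, "image": TEMP + "3582-490\\FileCoAuth.exe", "parent_pid": 2852},
    {"pid": 5352, "image": "C:\\Windows\\System32\\slui.exe", "parent_pid": None},               # parent svchost.exe
]

# Constructed file-write records from the report's dropped-files table.
FILE_WRITES = [
    {"pid": 2516, "path": TEMP + "3582-490\\" + SAMPLE, "ftype": "executable"},
    {"pid": 2516, "path": ONEDRIVE + "19.043.0304.0013\\FileSyncHelper.exe", "ftype": "executable"},
    {"pid": 5256, "path": TEMP + "dw.log", "ftype": "text"},
    {"pid": 2516, "path": TEMP + "tmp5023.tmp", "ftype": "text"},
    {"pid": 6048, "path": ONEDRIVE + "logs\\Common\\FileCoAuth-2025-05-19.0427.6048.1.odl", "ftype": "binary"},
    {"pid": 2516, "path": ONEDRIVE + "OneDrive.exe", "ftype": "executable"},
    {"pid": 2516, "path": ONEDRIVE + "19.043.0304.0013\\FileCoAuth.exe", "ftype": "executable"},
    {"pid": 2516, "path": ONEDRIVE + "19.043.0304.0013\\FileSyncConfig.exe", "ftype": "executable"},
    {"pid": 2516, "path": "C:\\ProgramData\\Adobe\\ARM\\S\\388\\AdobeARMHelper.exe", "ftype": "executable"},
    {"pid": 2516, "path": ONEDRIVE + "OneDriveStandaloneUpdater.exe", "ftype": "executable"},
]


def _base(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def _dir(path):
    """Case-folded directory of a Windows path."""
    return ntpath.dirname(path).lower()


def detect_staged_host_launch(processes):
    """Rule 1: a process running from the 3582-490 staging directory, or a
    process whose image has the same file name as its parent's image but sits
    in a different directory (the infector handing off to the carved-out host)."""
    by_pid = {p["pid"]: p for p in processes}
    alerts = []
    for p in processes:
        image = p["image"].lower()
        if STAGING_DIR in image:
            alerts.append((p["pid"], "runs from Neshta staging directory " + STAGING_DIR))
        parent = by_pid.get(p["parent_pid"])
        if parent and _base(parent["image"]) == _base(image) and _dir(parent["image"]) != _dir(image):
            alerts.append((p["pid"], "same-name relaunch of parent pid %d from another directory" % parent["pid"]))
    return alerts


def detect_pe_writes(processes, writes):
    """Rule 2: executable content written outside the writer's own directory.
    A same-name write into the staging directory is the host being carved out;
    any other foreign PE write is the infector overwriting another program."""
    by_pid = {p["pid"]: p for p in processes}
    alerts = []
    for w in writes:
        if w["ftype"] != "executable":
            continue
        writer = by_pid[w["pid"]]
        if _dir(w["path"]) == _dir(writer["image"]):
            continue
        if _base(w["path"]) == _base(writer["image"]) and STAGING_DIR in w["path"].lower():
            alerts.append((w["pid"], "host carved out", w["path"]))
        else:
            alerts.append((w["pid"], "PE written into foreign directory", w["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_host_launch(PROCESSES) + detect_pe_writes(PROCESSES, FILE_WRITES):
        print(alert)
```

Against these records rule 1 fires twice for each of PIDs 5256 and 6048 (both conditions hold), and rule 2 attributes all seven executable writes to PID 2516: one staging write of its own host and six PE overwrites in the OneDrive and Adobe ARM directories. The staging path is the cheap, specific indicator; the same-name relaunch condition still catches the hand-off if the directory name changes. Before acting on rule 2 in production, allowlist updaters that legitimately rewrite program directories.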
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests (PID | Process | Method | HTTP code | IP | URL | CN | Reputation; Type and Size are not given in the report)

4220 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4220 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections (PID | Process | IP | Domain | ASN | CN | Reputation; empty fields are not given in the report)

4 | System | 192.168.100.255:137 | | | | whitelisted
(not given) | (not given) | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4220 | RUXIMICS.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4220 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4220 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5352 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5256 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

All listed connections belong to System, RUXIMICS.exe and slui.exe (NetBIOS broadcasts, Microsoft CRL downloads and Windows activation); none is attributed to the sample or to FileCoAuth.exe, which is consistent with a file infector that spreads locally rather than a downloader or stealer.

DNS requests (Domain | IP | Reputation)

google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected