File name: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/1fb3f05b-fc44-49a5-8a31-e39f92c813c2
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 29, 2025, 02:45:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 2500B971ABFAFE504B882FA29D5E9415
SHA1: FA60A6D4D1EA3F2927BAFF5BECB3AE511B9970E7
SHA256: 0DE5E6C982EAB096BD84EFA0724F49713ACBE556375E7D40DFA959AB6B869A1C
SSDEEP: 196608:T8BhBiCWMG+A7q/TevfCnCPiwE1MUQ881mwU/ki6/9Ruikhj:TQvWJzq/KvfCnCPifQ6wU/j6R9+j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • RANSOMWARE has been detected

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • Deletes shadow copies

      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 7624)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 7624)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
    • Executable content was dropped or overwritten

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
    • Application launched itself

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
      • cmd.exe (PID: 7624)
    • Loads Python modules

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • Process drops python dynamic module

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
    • Process drops legitimate windows executable

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
    • Starts CMD.EXE for commands execution

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
      • cmd.exe (PID: 7624)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7724)
  • INFO

    • Checks supported languages

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • Reads the computer name

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
    • The sample compiled with english language support

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
    • Create files in a temporary directory

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7564)
      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • Reads the machine GUID from the registry

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • Creates files in the program directory

      • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (PID: 7588)
    • Manual execution by a user

      • OpenWith.exe (PID: 3176)
      • notepad.exe (PID: 7208)
      • OpenWith.exe (PID: 6800)
      • OpenWith.exe (PID: 904)
      • OpenWith.exe (PID: 6036)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7836)
      • notepad.exe (PID: 7208)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6800)
      • OpenWith.exe (PID: 3176)
      • OpenWith.exe (PID: 904)
      • OpenWith.exe (PID: 6036)
    • Checks proxy server information

      • slui.exe (PID: 4120)
    • Reads the software policy settings

      • slui.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:27 13:44:09+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
17
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes shown in the behavior graph:
  • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (start)
  • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe (THREAT)
  • cmd.exe
  • conhost.exe
  • cmd.exe
  • vssadmin.exe
  • vssvc.exe
  • wmic.exe
  • bcdedit.exe
  • bcdedit.exe
  • notepad.exe
  • openwith.exe
  • openwith.exe
  • openwith.exe
  • openwith.exe
  • slui.exe
  • 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 904
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\restaurantsimple.png.x1Ekr9qbxA
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3176
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\desktop.ini.x1Ekr9qbxA
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4120
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6036
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\seniorminister.png.x1Ekr9qbxA
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6800
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\sitechildren.png.x1Ekr9qbxA
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7208
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Downloads\README.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7460
CMD: "C:\Users\admin\Desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
PID: 7564
CMD: "C:\Users\admin\Desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7588
CMD: "C:\Users\admin\Desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Parent process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7624
CMD: C:\WINDOWS\system32\cmd.exe /c "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
Path: C:\Windows\System32\cmd.exe
Parent process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
6 457
Read events
6 423
Write events
16
Delete events
18

Modification events

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value:

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: write
Name: Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: delete key
Name: (default)
Value:

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: write
Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation: delete key
Name: (default)
Value:

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation: write
Name: Element
Value: \EFI\Boot\Loader.efi

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation: delete key
Name: (default)
Value:

(PID) Process: (8008) bcdedit.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation: delete key
Name: (default)
Value:
Executable files
81
Suspicious files
50
Text files
111
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\PIL\_imaging.cp313-win_amd64.pyd
Type: executable
MD5: A487E7AD30ED2DE466A8590A24D745E7
SHA256: 31621E7BB62091C2AA80CAC5F5C929132AF3EC568A061680564DC073F2630357

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\PIL\_webp.cp313-win_amd64.pyd
Type: executable
MD5: DC1EB999BCF2D899D471B0A69D9BD5F5
SHA256: A3CC7904DB99ECD04251770CA451D29A0AACC7719C5634585B750EFF76B08696

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\VCRUNTIME140.dll
Type: executable
MD5: 32DA96115C9D783A0769312C0482A62D
SHA256: 8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\Pythonwin\mfc140u.dll
Type: executable
MD5: 84B82C149B450D3C8E0D06F09A416B5D
SHA256: 1EC2A31A1302E720C799BAD2FD90CF3457C6B2A375C4B41FAEFEE1A91D92F3E0

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\PIL\_imagingcms.cp313-win_amd64.pyd
Type: executable
MD5: 9E1C5CC1597928921DC88652279FD297
SHA256: B02A8C0342C51CFEB9BF8A79C79744E791A14F4A21A1A8B4046A7171D4620629

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\PIL\_imagingft.cp313-win_amd64.pyd
Type: executable
MD5: 7C4535BCE5A9CCA4E8CCAF301577E411
SHA256: 00CAB5720F58B1CCCC7200CC84942139F286CAA7CA7FF2D04628159AE44EA419

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\PIL\_imagingmath.cp313-win_amd64.pyd
Type: executable
MD5: EEEBAB827CC3CD51B5D8457E64347BCF
SHA256: 70B431DC693846D430F88A4626966D959E5A6C793508470E8351FF2730939A48

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\PIL\_imagingtk.cp313-win_amd64.pyd
Type: executable
MD5: 2CC0C18F26989042CDAD77EFE3CCF3FB
SHA256: A3183192C1CDC7B2D8331B6B78EED6826A0A0594FE45B06FD0E9809414AD6A53

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\Pythonwin\win32ui.pyd
Type: executable
MD5: 809745E4202DEEEBAA46CBBA752BAEB0
SHA256: 3DB5F9C15C327B7F29880010F11EEFF291CA13CF6E2C987F36AFFEEFBC989E66

PID: 7564
Process: 2025-04-29_2500b971abfafe504b882fa29d5e9415_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI75642\_ctypes.pyd
Type: executable
MD5: 29873384E13B0A78EE9857604161514B
SHA256: 3CC8500A958CC125809B0467930EBCCE88A09DCC0CEDD7A45FACF3E332F7DB33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
51
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
unknown
6244
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6244
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6244
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6244
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.66
  • 40.126.32.140
  • 20.190.160.4
  • 20.190.160.22
  • 40.126.32.72
  • 20.190.160.67
  • 40.126.32.134
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

No threats detected
No debug info