File name:

2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/9f4d317d-9027-4793-b203-a4ce84f486f4
Verdict: Malicious activity
Analysis date: May 16, 2025, 14:18:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
uac
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

A3F40BFC154F591F7C46E51DDA44CC02

SHA1:

130BCCFD4F31D73FEECD97146D5D0BF0A7F681F7

SHA256:

4F51533A6D23F90BAA75CC5CD8E88AB837504A0309D537F1C4FD077381AF0760

SSDEEP:

786432:aw/YPyc7sg0oA9DM5pqfY1jh/Z8Pg6jI1OqoOBKhe7:aoY9r0DDApqQ1JERqoOBKo7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 736)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 5380)
    • Changes Windows Defender settings

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • Changes the autorun value in the registry

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • Adds path to the Windows Defender exclusion list

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
  • SUSPICIOUS

    • Process drops python dynamic module

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • Executable content was dropped or overwritten

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • Process drops legitimate windows executable

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • The process drops C-runtime libraries

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
    • Application launched itself

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
    • Loads Python modules

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • The process checks if it is being run in the virtual environment

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • Starts CMD.EXE for commands execution

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 6068)
    • Changes default file association

      • reg.exe (PID: 736)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 5200)
    • Found strings related to reading or modifying Windows Defender settings

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6800)
    • Script adds exclusion path to Windows Defender

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • Executing commands from a ".bat" file

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • Starts POWERSHELL.EXE for commands execution

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
    • The executable file from the user directory is run by the CMD process

      • test.exe (PID: 672)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5436)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5436)
  • INFO

    • Reads the computer name

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
      • test.exe (PID: 672)
    • Checks supported languages

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • Create files in a temporary directory

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • The sample compiled with english language support

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
      • test.exe (PID: 672)
    • PyInstaller has been detected (YARA)

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 7020)
      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6668)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 5380)
    • Checks proxy server information

      • slui.exe (PID: 2656)
    • Reads the software policy settings

      • slui.exe (PID: 2656)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1020)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1020)
    • Auto-launch of the file from Registry key

      • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (PID: 6108)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:15 15:24:25+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes
152
Monitored processes
32
Malicious processes
7
Suspicious processes
3

Behavior graph

Process nodes, in launch order (the report marks nodes without recorded indicators as "no specs"):

  • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
  • slui.exe
  • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wevtutil.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • computerdefaults.exe (no specs)
  • computerdefaults.exe (no specs)
  • computerdefaults.exe
  • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wevtutil.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • attrib.exe (no specs)
  • test.exe
  • taskkill.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: "test.exe"
Path: C:\Users\admin\test\test.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\test\test.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 736
CMD: reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 924
CMD: reg delete hkcu\Software\Classes\ms-settings /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1020
CMD: powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\admin\test\""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1056
CMD: C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
Path: C:\Windows\System32\cmd.exe
Parent process: 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2096
CMD: C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe" /f"
Path: C:\Windows\System32\cmd.exe
Parent process: 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2656
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2984
CMD: attrib +s +h .
Path: C:\Windows\System32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 3028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
16 383
Read events
16 369
Write events
10
Delete events
4

Modification events

(PID) Process: (736) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: write
Name: DelegateExecute
Value:

(PID) Process: (5380) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (5380) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5380) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5380) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (924) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: delete key
Name: (default)
Value:

(PID) Process: (924) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation: delete key
Name: (default)
Value:

(PID) Process: (924) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell
Operation: delete key
Name: (default)
Value:

(PID) Process: (924) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings
Operation: delete key
Name: (default)
Value:

(PID) Process: (6108) 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation: write
Name: Speaker Configuration
Value: 4
Executable files
826
Suspicious files
11
Text files
2 609
Unknown types
0

Dropped files

Columns: PID | Process | Filename | Type

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_ctr.pyd | executable
MD5: 205813E2A7337905BF8FD09C6B56D30F
SHA256: 2DD71F105376628D281F37D5BD3487F223F00FF84EED363275D2A39FDD6114E7

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_arc2.pyd | executable
MD5: 74B8B5B84C81699A11E2D2AF30B6539B
SHA256: D7E724BEC8F595372EF82CB6B845DCF3E8EB32A35318AC16642C202A151C9AE0

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_pkcs1_decode.pyd | executable
MD5: 40BBEB0A0004DA7C1D173A8B01F669BA
SHA256: BDC54983CDCD5CC00FD1432B5DFEC3F7866832D77A80CA15B01785210E5E68FC

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_aes.pyd | executable
MD5: CC580305B81F362B37898289DE7BA6EB
SHA256: 95584A40C4B159181527EECC33D430076724E9F759927256AD8CDBEE7EED83ED

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_aesni.pyd | executable
MD5: CCC471CE16915649E73E4D30D2E7506E
SHA256: BB0006EE0AC5CB1E902303E14E77F5E014C680E3E66A99F46F01FAE18C2BC9DA

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_des.pyd | executable
MD5: 3FF58B379F4ECCA80F01518682E0DF12
SHA256: 010A3E3A28AD3ACDE268D38C60249200B567B97253E12956034E4DDE5660C092

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_cfb.pyd | executable
MD5: 6DC1ED1C175F73EE167BD647070115CF
SHA256: 6DA9E4451AFFD5D4067CC0AFA16F7D42FCD1F65ADC8F8996AB93548D7959020F

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_des3.pyd | executable
MD5: 55165ADEBA56F23747D7BA4134ACEB05
SHA256: E9D1213C50CED33EAF33E4314F9E0D4A95AC310274E6A90DE9F4E11E50242C63

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Hash\_BLAKE2s.pyd | executable
MD5: 297435D2BF3AE553E09640726E74DC8F
SHA256: 00DB5DE612DA79971B3A98CCEE023282DFEEFAB2D5BF3AE47C11DAB4D676E71E

7020 | 2025-05-16_a3f40bfc154f591f7c46e51dda44cc02_black-basta_cobalt-strike_satacom.exe | C:\Users\admin\AppData\Local\Temp\_MEI70202\Crypto\Cipher\_raw_ecb.pyd | executable
MD5: 232B26E8164D8B1981257D521D43CE0D
SHA256: F73011CE1D77C87819F3C96B0A32A18BF700562EE41AE1C2726423ABE17812E6
HTTP(S) requests
8
TCP/UDP connections
42
DNS requests
13
Threats
0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

7148 | SIHClient.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
192.168.100.255:138 | whitelisted
172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7148 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7148 | SIHClient.exe | 23.216.77.29:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7148 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7148 | SIHClient.exe | 52.165.164.15:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5216 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.216.77.29
  • 23.216.77.28
  • 23.216.77.15
  • 23.216.77.42
  • 23.216.77.8
  • 23.216.77.31
  • 23.216.77.35
  • 23.216.77.38
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.130
  • 40.126.31.0
  • 20.190.159.0
  • 40.126.31.129
  • 40.126.31.1
  • 20.190.159.4
whitelisted

Threats

No threats detected
No debug info