File name:

2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/07992026-de87-4cc1-a848-7033042914a1
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 02:04:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
evasion
stealer
exela
discord
screenshot
pyinstaller
ims-api
generic
discordgrabber
susp-powershell
growtopia
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

A5A04C9F4F8B732506107AB1ACF93EE1

SHA1:

F85D4262695D331CDEA478B0A11C11B3B270386A

SHA256:

7A672195838F7C3161FAE8D47389B1547DDAE34705FABD43EDA974C83697AF66

SSDEEP:

196608:caawvfk1wE1MU2881mw3P/kiPNAnL5oo:Rrvfk1f26w//jlAVb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Steals credentials from Web Browsers

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 6028)
      • net.exe (PID: 5956)
      • cmd.exe (PID: 5984)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 7388)
      • cmd.exe (PID: 5984)
      • net.exe (PID: 7524)
      • net.exe (PID: 1164)

    • ExelaStealer has been detected

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7020)

    • GROWTOPIA has been detected (YARA)

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6872)

    • DISCORDGRABBER has been detected (YARA)

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)

    • Executable content was dropped or overwritten

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)
      • csc.exe (PID: 5328)

    • Process drops python dynamic module

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)

    • The process drops C-runtime libraries

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)

    • Application launched itself

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • cmd.exe (PID: 1452)
      • cmd.exe (PID: 7232)

    • Loads Python modules

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 7892)

    • Get information on the list of running processes

      • cmd.exe (PID: 5868)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)
      • cmd.exe (PID: 7936)
      • cmd.exe (PID: 7256)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 5984)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 664)
      • cmd.exe (PID: 7000)
      • cmd.exe (PID: 7380)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6028)
      • WMIC.exe (PID: 7148)
      • WMIC.exe (PID: 8124)

    • Starts CMD.EXE for commands execution

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)
      • cmd.exe (PID: 1452)
      • cmd.exe (PID: 7232)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7884)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 8108)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 1196)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 7020)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5064)

    • Executes JavaScript directly as a command

      • cmd.exe (PID: 4620)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7864)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 5984)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 5984)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 7376)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 5984)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 5984)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 5984)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 5984)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 5984)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 5984)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7020)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7020)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5328)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 6872)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7020)

    • Multiple wallet extension IDs have been found

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Windows service management via SC.EXE

      • sc.exe (PID: 1804)

  • INFO

    • Checks supported languages

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)
      • chcp.com (PID: 2096)
      • chcp.com (PID: 728)
      • csc.exe (PID: 5328)
      • cvtres.exe (PID: 8132)

    • Reads the computer name

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Create files in a temporary directory

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)
      • csc.exe (PID: 5328)
      • cvtres.exe (PID: 8132)

    • The sample compiled with english language support

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7476)
      • WMIC.exe (PID: 6028)
      • WMIC.exe (PID: 8108)
      • WMIC.exe (PID: 8116)
      • WMIC.exe (PID: 7472)
      • WMIC.exe (PID: 5892)
      • WMIC.exe (PID: 7148)
      • WMIC.exe (PID: 8124)

    • Creates files or folders in the user directory

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 680)

    • Changes the display of characters in the console

      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 6808)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7764)

    • PyInstaller has been detected (YARA)

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7688)
      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Reads the time zone

      • net1.exe (PID: 7364)
      • net1.exe (PID: 3132)

    • Checks operating system version

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 5328)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 2504)

    • Application based on Rust

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Attempting to use instant messaging service

      • 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe (PID: 7736)

    • Reads the software policy settings

      • slui.exe (PID: 8108)

    • Checks proxy server information

      • slui.exe (PID: 8108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(7736) 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Discord-Webhook-Tokens (1)1372173143208366190/TDnT2f0uBwLAEVLK10TXwhfwLquKKsBitHEvTirhjunWPoIndiTC-6lFCsQS6beNAQay
Discord-Info-Links
1372173143208366190/TDnT2f0uBwLAEVLK10TXwhfwLquKKsBitHEvTirhjunWPoIndiTC-6lFCsQS6beNAQay
Get Webhook Infohttps://discord.com/api/webhooks/1372173143208366190/TDnT2f0uBwLAEVLK10TXwhfwLquKKsBitHEvTirhjunWPoIndiTC-6lFCsQS6beNAQay
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:14 15:02:45+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 146432
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
214
Monitored processes
88
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe #EXELASTEALER 2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs mshta.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs chcp.com no specs chcp.com no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs svchost.exe tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
664C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"C:\Windows\System32\cmd.exe2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
680mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
728chcpC:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
920attrib +h +s "C:\Users\admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe"C:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1164net user administrator C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1180C:\WINDOWS\system32\cmd.exe /c "tasklist"C:\Windows\System32\cmd.exe2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1196cmd.exe /c chcpC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1240systeminfo C:\Windows\System32\systeminfo.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1452C:\WINDOWS\system32\cmd.exe /c "cmd.exe /c chcp"C:\Windows\System32\cmd.exe2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
27 325
Read events
27 320
Write events
5
Delete events
0

Modification events

(PID) Process:(680) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(680) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(8080) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31180496
(PID) Process:(8080) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
350584286
(PID) Process:(680) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
40
Suspicious files
20
Text files
32
Unknown types
0

Dropped files

PID
Process
Filename
Type
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_ctypes.pydexecutable
MD5:29873384E13B0A78EE9857604161514B
SHA256:3CC8500A958CC125809B0467930EBCCE88A09DCC0CEDD7A45FACF3E332F7DB33
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\VCRUNTIME140.dllexecutable
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_overlapped.pydexecutable
MD5:363409FBACB1867F2CE45E3C6922DDB4
SHA256:F154AC9D5CA0646D18F6197C0406F7541B6E0752B2D82A330036C1E39D3A49E7
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\aiohttp\_http_writer.cp313-win_amd64.pydexecutable
MD5:3EAD5784285EDA9417377A93205FCEEC
SHA256:19A16EA9A86AAB9293B80C59B88229C712CB8CDE96D843F539A13FE9EC8D43A7
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_bz2.pydexecutable
MD5:684D656AADA9F7D74F5A5BDCF16D0EDB
SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_decimal.pydexecutable
MD5:21FCB8E3D4310346A5DC1A216E7E23CA
SHA256:9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_cffi_backend.cp313-win_amd64.pydexecutable
MD5:5CBA92E7C00D09A55F5CBADC8D16CD26
SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_socket.pydexecutable
MD5:566CB4D39B700C19DBD7175BD4F2B649
SHA256:77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_ssl.pydexecutable
MD5:689F1ABAC772C9E4C2D3BAD3758CB398
SHA256:D3A89AA7E4A1DF1151632A8A5CAF338C4DDDB674EC093BFDBC122ADC9DB28A97
76882025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI76882\_lzma.pydexecutable
MD5:D63E2E743EA103626D33B3C1D882F419
SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
26
DNS requests
6
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
GET
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
GET
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1912
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
4
System
192.168.100.255:137
whitelisted
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
162.159.135.232:443
discord.com
CLOUDFLARENET
whitelisted
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
162.159.137.232:443
discord.com
CLOUDFLARENET
whitelisted
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
162.159.136.232:443
discord.com
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
discord.com
  • 162.159.135.232
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.138.232
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7736
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_a5a04c9f4f8b732506107ab1acf93ee1_black-basta_cobalt-strike_satacom