File name: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/3b32f18c-7236-44e3-afbf-4275d07301d3
Verdict: Malicious activity
Analysis date: July 07, 2025, 01:56:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: m0yv
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: C410B2BA6E2DAAE0C77BEBDA8BB6CA13
SHA1: 7937642E0253AEB18BD63A15D20B114BEFA2CE93
SHA256: 8EEF5B9A4C6403CCBFB4978B207FF1E68EE0EF49C013565BB3BFDD537221DB11
SSDEEP: 98304:7IQ107UrNbRzObvVwzr3NuDOM6lEfrp+o7WSYGqjx+dZII643SOpjVAHn3tF:j10WVuoRR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • armsvc.exe (PID: 4764)
      • FlashPlayerUpdateService.exe (PID: 2388)
      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • alg.exe (PID: 5252)
      • AppVClient.exe (PID: 6980)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4012)
      • MicrosoftEdgeUpdate.exe (PID: 7004)
      • GameInputSvc.exe (PID: 4520)
      • GameInputSvc.exe (PID: 1036)
      • elevation_service.exe (PID: 3844)
      • updater.exe (PID: 5992)
      • updater.exe (PID: 1136)
      • updater.exe (PID: 2804)
      • updater.exe (PID: 6304)
      • elevation_service.exe (PID: 1480)
      • updater.exe (PID: 5352)
      • updater.exe (PID: 7004)
      • maintenanceservice.exe (PID: 2612)
      • msdtc.exe (PID: 5424)
      • perfhost.exe (PID: 4844)
      • PerceptionSimulationService.exe (PID: 4232)
      • PSEXESVC.exe (PID: 7188)
      • Locator.exe (PID: 7224)
      • SensorDataService.exe (PID: 7252)
      • snmptrap.exe (PID: 7312)
      • Spectrum.exe (PID: 7352)
      • ssh-agent.exe (PID: 7416)
      • SearchIndexer.exe (PID: 7996)
      • TieringEngineService.exe (PID: 7536)
      • AgentService.exe (PID: 7620)
      • vds.exe (PID: 7660)
      • VSSVC.exe (PID: 7720)
      • wbengine.exe (PID: 7796)
      • WmiApSrv.exe (PID: 7868)
      • FXSSVC.exe (PID: 5116)
    • M0YV has been detected (YARA)

      • armsvc.exe (PID: 4764)
      • alg.exe (PID: 5252)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4012)
      • snmptrap.exe (PID: 7312)
      • GameInputSvc.exe (PID: 4520)
      • GameInputSvc.exe (PID: 1036)
      • elevation_service.exe (PID: 3844)
      • elevation_service.exe (PID: 1480)
      • msdtc.exe (PID: 5424)
      • PerceptionSimulationService.exe (PID: 4232)
      • perfhost.exe (PID: 4844)
      • PSEXESVC.exe (PID: 7188)
      • ssh-agent.exe (PID: 7416)
      • Locator.exe (PID: 7224)
      • Spectrum.exe (PID: 7352)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • armsvc.exe (PID: 4764)
    • Starts a Microsoft application from unusual location

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5264)
      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
    • Executes as Windows Service

      • armsvc.exe (PID: 4764)
      • FlashPlayerUpdateService.exe (PID: 2388)
      • alg.exe (PID: 5252)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4012)
      • AppVClient.exe (PID: 6980)
      • MicrosoftEdgeUpdate.exe (PID: 7004)
      • FXSSVC.exe (PID: 5116)
      • GameInputSvc.exe (PID: 4520)
      • updater.exe (PID: 5992)
      • updater.exe (PID: 5352)
      • maintenanceservice.exe (PID: 2612)
      • msdtc.exe (PID: 5424)
      • PerceptionSimulationService.exe (PID: 4232)
      • perfhost.exe (PID: 4844)
      • PSEXESVC.exe (PID: 7188)
      • Locator.exe (PID: 7224)
      • snmptrap.exe (PID: 7312)
      • SensorDataService.exe (PID: 7252)
      • Spectrum.exe (PID: 7352)
      • ssh-agent.exe (PID: 7416)
      • TieringEngineService.exe (PID: 7536)
      • AgentService.exe (PID: 7620)
      • vds.exe (PID: 7660)
      • VSSVC.exe (PID: 7720)
      • wbengine.exe (PID: 7796)
      • WmiApSrv.exe (PID: 7868)
    • Reads security settings of Internet Explorer

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
    • Executable content was dropped or overwritten

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • armsvc.exe (PID: 4764)
    • Application launched itself

      • GameInputSvc.exe (PID: 4520)
      • updater.exe (PID: 5992)
      • updater.exe (PID: 2804)
      • updater.exe (PID: 5352)
  • INFO

    • Checks supported languages

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • armsvc.exe (PID: 4764)
      • FlashPlayerUpdateService.exe (PID: 2388)
      • MicrosoftEdgeUpdate.exe (PID: 7004)
      • elevation_service.exe (PID: 3844)
      • updater.exe (PID: 1136)
      • updater.exe (PID: 5992)
      • updater.exe (PID: 2804)
      • elevation_service.exe (PID: 1480)
      • maintenanceservice.exe (PID: 2612)
      • updater.exe (PID: 5352)
      • updater.exe (PID: 6304)
      • updater.exe (PID: 7004)
      • PSEXESVC.exe (PID: 7188)
      • ssh-agent.exe (PID: 7416)
    • Creates files or folders in the user directory

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
    • The sample compiled with English language support

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • armsvc.exe (PID: 4764)
    • Creates files in the program directory

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • FXSSVC.exe (PID: 5116)
      • maintenanceservice.exe (PID: 2612)
      • SearchIndexer.exe (PID: 7996)
    • Reads the machine GUID from the registry

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
    • Reads the computer name

      • armsvc.exe (PID: 4764)
      • FlashPlayerUpdateService.exe (PID: 2388)
      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • MicrosoftEdgeUpdate.exe (PID: 7004)
      • elevation_service.exe (PID: 3844)
      • updater.exe (PID: 5992)
      • updater.exe (PID: 1136)
      • updater.exe (PID: 2804)
      • updater.exe (PID: 6304)
      • elevation_service.exe (PID: 1480)
      • updater.exe (PID: 7004)
      • maintenanceservice.exe (PID: 2612)
      • updater.exe (PID: 5352)
      • PSEXESVC.exe (PID: 7188)
      • ssh-agent.exe (PID: 7416)
    • Checks proxy server information

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
      • slui.exe (PID: 4960)
    • Reads Environment values

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
    • Creates files in a temporary directory

      • 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4500)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 1036)
      • slui.exe (PID: 4960)
    • Executes as Windows Service

      • elevation_service.exe (PID: 3844)
      • elevation_service.exe (PID: 1480)
      • SearchIndexer.exe (PID: 7996)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 5992)
      • updater.exe (PID: 2804)
      • updater.exe (PID: 5352)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 5424)
    • Reads the time zone

      • TieringEngineService.exe (PID: 7536)
    • The sample compiled with Bulgarian language support

      • armsvc.exe (PID: 4764)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 4032)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2058:02:23 10:25:42+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 2661888
InitializedDataSize: 963584
UninitializedDataSize: -
EntryPoint: 0xc5f40
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 25.105.601.2
ProductVersionNumber: 25.105.601.2
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft OneDriveFileSyncHelper
InternalName: Microsoft OneDrive
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: FileSyncHelper.exe
ProductName: Microsoft OneDrive
FileVersion: 25.105.0601.0002
ProductVersion: 25.105.0601.0002
SpecialBuild: b/build/f8ec8b9e-1a16-2bbb-dde9-b191243bfeeb
Total processes: 177
Monitored processes: 40
Malicious processes: 35
Suspicious processes: 0


Process information

PID: 1036
CMD: "C:\WINDOWS\System32\GameInputSvc.exe" Global\GameInputSession_1
Path: C:\Windows\System32\GameInputSvc.exe
Parent process: GameInputSvc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: GameInput Host Service
Version: 0.2309.19041.4046
Modules (Images):
  • c:\windows\system32\gameinputsvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\wintrust.dll

PID: 1136
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2fc,0x300,0x304,0x2f8,0x308,0x8bc460,0x8bc46c,0x8bc478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (Images):
  • c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 1480
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\elevation_service.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\elevation_service.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (Images):
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\elevation_service.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\crypt32.dll

PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll

PID: 2388
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe
Integrity Level: SYSTEM
Description: Adobe® Flash® Player Update Service 32.0 r0
Exit code: 0
Version: 32,0,0,465
Modules (Images):
  • c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\user32.dll
  • c:\windows\syswow64\win32u.dll

PID: 2612
CMD: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Parent process: services.exe
User: SYSTEM
Company: Mozilla Foundation
Integrity Level: SYSTEM
Exit code: 0
Version: 136.0
Modules (Images):
  • c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\shlwapi.dll

PID: 2804
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (Images):
  • c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 3756
CMD: "C:\WINDOWS\system32\SearchFilterHost.exe" 0 1016 1020 1032 8192 1028 1000
Path: C:\Windows\System32\SearchFilterHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Search Filter Host
Version: 7.0.19041.3758 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\searchfilterhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3844
CMD: "C:\Program Files\Google\Chrome\Application\133.0.6943.127\elevation_service.exe"
Path: C:\Program Files\Google\Chrome\Application\133.0.6943.127\elevation_service.exe
Parent process: services.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Chrome
Version: 133.0.6943.127
Modules (Images):
  • c:\program files\google\chrome\application\133.0.6943.127\elevation_service.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\oleaut32.dll

PID: 4012
CMD: C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Path: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft (R) Diagnostics Hub Standard Collector
Version: 11.00.19041.3930 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\sechost.dll

Total events: 16 277
Read events: 16 199
Write events: 54
Delete events: 24

Modification events

(PID) Process: (4764) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 1531812

(PID) Process: (5116) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Operation: write
Name: RedirectionGuard
Value: 1

(PID) Process: (5116) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Password
Value: 00

(PID) Process: (5116) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: delete value
Name: Password
Value: (empty)

(PID) Process: (5116) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Server
Value: (empty)

(PID) Process: (5116) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: From
Value: (empty)

(PID) Process: (5116) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: User
Value: (empty)

(PID) Process: (7352) Spectrum.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PerceptionSimulationExtensions
Operation: write
Name: DeviceId
Value: {01B75792-12D8-42D2-B153-E3B1060BD803}

(PID) Process: (7416) ssh-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\Agent
Operation: write
Name: ProcessID
Value: 7416

(PID) Process: (7620) AgentService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Subsystem\VirtualRegistry
Operation: write
Name: PassThroughPaths
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies

Executable files: 141
Suspicious files: 10
Text files: 4
Unknown types: 0

Dropped files

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\FileSyncHelper-2025-07-07.0156.4500.1.aodl
Type: binary
MD5: C43F02A34A05E704A1463D04E21A3352
SHA256: E5662D4AB0573B00E007E90D2C1728FDCD393086D06424FFD678C510B713EF29

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Windows\System32\alg.exe
Type: executable
MD5: 9CF8893E5A2F2821F4337BEEAD3299F4
SHA256: 53A4ED598296DE50398BB37FF0FADA8CCB2D48B2293DE7A25D2282596BACFAAD

PID: 4764 | Process: armsvc.exe
Filename: C:\Windows\System32\AppVClient.exe
Type: executable
MD5: FE6202F444101DF11117E3DD285BA457
SHA256: FCD2E2F813892DC5B731CB8500BFE5F84CBE9C87E92ABA100BAE99A1896367CF

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Type: executable
MD5: AFF513B097531034099A9D575FC4277D
SHA256: 566EAF2CB882792E815F3D429349803A947F664E9368CB2FA576BC15310BDC04

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\.ses
Type: text
MD5: 2D106BB594646C37D52E408527ADDE7B
SHA256: 985FD6CBB8049760D1592E3291BEA86BCF96F4D64182B6337CA4DC60FF98619D

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\FileSyncHelper-2025-07-07.0156.4500.1.odl
Type: binary
MD5: C43F02A34A05E704A1463D04E21A3352
SHA256: E5662D4AB0573B00E007E90D2C1728FDCD393086D06424FFD678C510B713EF29

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin
Type: binary
MD5: FE037908AE296FFB7D3138488E868F1C
SHA256: 686C4963E084A3A90579F806A8A300FA7CD1C8C422F8017D93957D05EEB9D56D

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\standaloneUpdaterTelemetryCache.otc-journal
Type: binary
MD5: 4823C081A234437E6645042238E35B76
SHA256: 1BF91FC2B9B47B77CDD3CF85F27A01D813A760AA31526DAD8D55A67778A2F40B

PID: 4500 | Process: 2025-07-07_c410b2ba6e2daae0c77bebda8bb6ca13_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\standaloneUpdaterTelemetryCache.otc-shm
Type: binary
MD5: 0247291CCE92523F7FBB683A5460ECA6
SHA256: 0B0D36856D969BE06CAF64A90773808AEC34050395E5A7F7261DCD7EC43F6CD2

PID: 4764 | Process: armsvc.exe
Filename: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Type: executable
MD5: 4D3A2BEAD8A669F183D0DD5C292FC060
SHA256: 3186E2EE8BF417A1083D8C98F3A94E6E4C3504FEEAB287BE24C1661DBA596E4B

HTTP(S) requests: 92
TCP/UDP connections: 98
DNS requests: 70
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1936 | RUXIMICS.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1936 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4764 | armsvc.exe | POST | 200 | 50.16.27.236:80 | http://ssbzmoy.biz/mpfi | unknown | unknown
4764 | armsvc.exe | POST | 200 | 44.244.22.128:80 | http://pywolwnvd.biz/nlomquv | unknown | malicious
4764 | armsvc.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/pdxjty | unknown | malicious
4764 | armsvc.exe | POST | 200 | 44.244.22.128:80 | http://cvgrf.biz/e | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1936 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
1936 | RUXIMICS.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1936 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.181.156 | whitelisted
pywolwnvd.biz | 44.244.22.128 | malicious
ssbzmoy.biz | 50.16.27.236 | unknown
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
cvgrf.biz | 44.244.22.128 | malicious
npukfztj.biz | 3.229.117.57 | malicious
przvgke.biz | 172.233.219.49, 172.237.146.8, 172.233.219.123, 172.237.146.38, 172.237.146.25, 172.237.146.49, 172.233.219.78 | unknown
zlenh.biz | - | unknown

Threats

PID | Process | Class | Message
2200 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
4764 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
4764 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
No debug info