File name:

2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe

Full analysis: https://app.any.run/tasks/1de245c5-e697-4592-8e9f-0873c4f8ed81
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer malware category includes various types of programs, each focusing on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 01, 2025, 01:30:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
stealer
pyinstaller
ims-api
generic
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

2CDDFEBDD21637E9A8CB648BB07B957D

SHA1:

C8F52918533E82CDD2F024E7A7A20DC40EF61664

SHA256:

A23CF8B280D40A233D90ABE06FC72D1E674B59593DCE47395260CCA3513C4180

SSDEEP:

196608:ZzohBiCWMG+A7q/TC9fE55ztawQb30881mwKuzN1QW90aAqlp:WvWJzq/e9fQ5ztazk6wKuzN1QWB/T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Actions look like stealing of personal data

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
  • SUSPICIOUS

    • Process drops legitimate Windows executable

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • The process drops C-runtime libraries

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Application launched itself

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Process drops Python dynamic module

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Executable content was dropped or overwritten

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Loads Python modules

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Starts POWERSHELL.EXE for command execution

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • There is functionality for taking screenshots (YARA)

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Gets CPU ID (POWERSHELL)

      • powershell.exe (PID: 6900)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
  • INFO

    • Checks supported languages

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Reads the computer name

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • The sample is compiled with English language support

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Creates files in a temporary directory

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Checks proxy server information

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
      • slui.exe (PID: 3624)
    • Reads the machine GUID from the registry

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • PyInstaller has been detected (YARA)

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Application based on Rust

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Reads the software policy settings

      • slui.exe (PID: 3624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (4020) 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Discord-Webhook-Tokens (1): 1399428048696381461/qJUa1ZpZnDxoykLDKxosgQ_dFBehl6TVrS8FiWmF9yF6qxKwhso9m_849scJE275okTv
Discord-Info-Links: 1399428048696381461/qJUa1ZpZnDxoykLDKxosgQ_dFBehl6TVrS8FiWmF9yF6qxKwhso9m_849scJE275okTv
Get Webhook Info: https://discord.com/api/webhooks/1399428048696381461/qJUa1ZpZnDxoykLDKxosgQ_dFBehl6TVrS8FiWmF9yF6qxKwhso9m_849scJE275okTv
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:28 16:42:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3624
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3932
CMD: powershell -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4020
CMD: "C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4232
CMD: powershell -Command "(Get-WmiObject -Class Win32_BIOS).SerialNumber"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4444
CMD: powershell -Command "(Get-WmiObject -Class Win32_BaseBoard).SerialNumber"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4520
CMD: powershell -Command "(Get-WmiObject -Class Win32_BIOS).OEMStringArray"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
PID: 5468
CMD: "C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 35 783
Read events: 35 783
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 92
Suspicious files: 3
Text files: 40
Unknown types: 2

Dropped files

PID
Process
Filename
Type
PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_ctr.pyd
Type: executable
MD5: C22F3989DD44FCB927F0E9B2DFE7805D
SHA256: 6BFE4C4637D81D815051B357C0593D9351D9409D28BFB3D87D2FAF89E46C9A30

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_des3.pyd
Type: executable
MD5: 7B0BCE99E559C6868CC43FB9C3F921D9
SHA256: 8EA8CFD1D8714343EADF340C060DDBAE685438A6B986CDD07282ED4663B7DA6E

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_aes.pyd
Type: executable
MD5: 4C869A3047220F0B344536CA22B2987E
SHA256: 78B51FCB81E97CD3B0EFB48237DA9EBF57D796D8E5DCBFC5E213A8E23EFAB054

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_aesni.pyd
Type: executable
MD5: 0B2596C23BD2792FA5CDB304417DD36D
SHA256: 2369F44274DC7F03B5F37D77F39BA77EC9146CF53170CB4E9EFC2001197C698F

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_pkcs1_decode.pyd
Type: executable
MD5: 0900E8E081214B321E38C80670BE196E
SHA256: 5ACAE29721A43D32B2602D32BF8CC9F4224191F886894CBB0BC0A4407C4D16FE

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_Salsa20.pyd
Type: executable
MD5: 73D2494C8BCD6738B2767FE7819DF72A
SHA256: 93ECBA417C3E6E0C44DFD0D86D2A04474E0DDDCA5C7835E4802E6139C0A732D4

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_cfb.pyd
Type: executable
MD5: 8C2022FC051E9DC0279A2FE507E54837
SHA256: 574A60FECD3B3D738F42B870C63BEDF8E00C013921EB0BBA708F9F77240A23C0

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_arc2.pyd
Type: executable
MD5: 85F63E63DF3607939B73A8DFD6E97378
SHA256: EA0D32C15FFF0FB6FC91F4878DB501C8B92B52A3B09BA73AA53EC0C86BD81AE9

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_ARC4.pyd
Type: executable
MD5: 41851AA1DD56679C1F5EC9853B9CC616
SHA256: 0E17085905FA32E6C16DC6E40F1D8348BFCFAC838B879E6D54D8640B40B39445

PID: 5468
Process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\_raw_cast.pyd
Type: executable
MD5: 85EF185BC09402AB82F26D77119A8C94
SHA256: DBB5559743D3474D557811366F2B24E4C8CE134D254FDA8F1BFEDE5187F12292
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 30
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4020 | 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/None | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 23.3.109.244
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
api.ipify.org
  • 104.26.12.205
  • 172.67.74.152
  • 104.26.13.205
shared
ip-api.com
  • 208.95.112.1
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.75.242.210
whitelisted
store4.gofile.io
  • 31.14.70.245
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.128.233
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.135.232
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted

Threats

No threats detected
No debug info