File name:

2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe

Full analysis: https://app.any.run/tasks/1de245c5-e697-4592-8e9f-0873c4f8ed81
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 01, 2025, 01:30:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
stealer
pyinstaller
ims-api
generic
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

2CDDFEBDD21637E9A8CB648BB07B957D

SHA1:

C8F52918533E82CDD2F024E7A7A20DC40EF61664

SHA256:

A23CF8B280D40A233D90ABE06FC72D1E674B59593DCE47395260CCA3513C4180

SSDEEP:

196608:ZzohBiCWMG+A7q/TC9fE55ztawQb30881mwKuzN1QW90aAqlp:WvWJzq/e9fQ5ztazk6wKuzN1QWB/T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Actions look like stealing of personal data

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • The process drops C-runtime libraries

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Process drops legitimate Windows executable

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Process drops Python dynamic module

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Application launched itself

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Loads Python modules

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • There is functionality for taking screenshot (YARA)

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Starts POWERSHELL.EXE for command execution

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Gets CPU ID (POWERSHELL)

      • powershell.exe (PID: 6900)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
  • INFO

    • Checks supported languages

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Reads the computer name

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • The sample was compiled with English language support

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
    • Creates files in a temporary directory

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Checks proxy server information

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
      • slui.exe (PID: 3624)
    • Reads the machine GUID from the registry

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • PyInstaller has been detected (YARA)

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5468)
      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Application based on Rust

      • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4020)
    • Reads the software policy settings

      • slui.exe (PID: 3624)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report

ims-api

(PID) Process(4020) 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Discord-Webhook-Tokens (1):
1399428048696381461/qJUa1ZpZnDxoykLDKxosgQ_dFBehl6TVrS8FiWmF9yF6qxKwhso9m_849scJE275okTv
Discord-Info-Links:
1399428048696381461/qJUa1ZpZnDxoykLDKxosgQ_dFBehl6TVrS8FiWmF9yF6qxKwhso9m_849scJE275okTv
Get Webhook Info: https://discord.com/api/webhooks/1399428048696381461/qJUa1ZpZnDxoykLDKxosgQ_dFBehl6TVrS8FiWmF9yF6qxKwhso9m_849scJE275okTv
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:28 16:42:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
15
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes shown in the graph, in order:
  • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  • 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  • powershell.exe (no specs) and conhost.exe (no specs), six such pairs
  • slui.exe

Process information

PID: 2728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3624
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3932
CMD: powershell -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4020
CMD: "C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Indicators: ims-api (Discord webhook token; listed in the ims-api section above)
PID: 4232
CMD: powershell -Command "(Get-WmiObject -Class Win32_BIOS).SerialNumber"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4444
CMD: powershell -Command "(Get-WmiObject -Class Win32_BaseBoard).SerialNumber"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4520
CMD: powershell -Command "(Get-WmiObject -Class Win32_BIOS).OEMStringArray"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
PID: 5468
CMD: "C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
35 783
Read events
35 783
Write events
0
Delete events
0

Modification events

No data
Executable files
92
Suspicious files
3
Text files
40
Unknown types
2

Dropped files

All ten files below were dropped by PID 5468 (2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe) into C:\Users\admin\AppData\Local\Temp\_MEI54682\Cryptodome\Cipher\

Filename | Type | MD5 | SHA256
_raw_aesni.pyd | executable | 0B2596C23BD2792FA5CDB304417DD36D | 2369F44274DC7F03B5F37D77F39BA77EC9146CF53170CB4E9EFC2001197C698F
_raw_ofb.pyd | executable | 6C34645D200C996F4D43B566AC3FCE08 | 15595179178E351C8E24F83147B654BDFFEA76D82B2DB79528BA6479D5638B50
_raw_eksblowfish.pyd | executable | 1A6B2B8D0ED65C54C609815445D6C45B | 3800ED2BEAB7F9C33337A8E9C7B14CCBDC17D538DE8EF35E2B179F9A77F927F4
_raw_des3.pyd | executable | 7B0BCE99E559C6868CC43FB9C3F921D9 | 8EA8CFD1D8714343EADF340C060DDBAE685438A6B986CDD07282ED4663B7DA6E
_Salsa20.pyd | executable | 73D2494C8BCD6738B2767FE7819DF72A | 93ECBA417C3E6E0C44DFD0D86D2A04474E0DDDCA5C7835E4802E6139C0A732D4
_ARC4.pyd | executable | 41851AA1DD56679C1F5EC9853B9CC616 | 0E17085905FA32E6C16DC6E40F1D8348BFCFAC838B879E6D54D8640B40B39445
_raw_aes.pyd | executable | 4C869A3047220F0B344536CA22B2987E | 78B51FCB81E97CD3B0EFB48237DA9EBF57D796D8E5DCBFC5E213A8E23EFAB054
_raw_ecb.pyd | executable | FC23D10DB102260CED6D1B0A82E83017 | 633CB61F67986877CDB10E6D2FCD19B29B8F1880FAFBE17E6CE3CF3DF3E64952
_raw_cast.pyd | executable | 85EF185BC09402AB82F26D77119A8C94 | DBB5559743D3474D557811366F2B24E4C8CE134D254FDA8F1BFEDE5187F12292
_raw_des.pyd | executable | 53F7B88C994A12109A43169E16D9FEA0 | 89446AFF1D4833DCFCF3EB6F4392900CD095F656FA621928D69C589477DF772A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
30
DNS requests
11
Threats
0

HTTP requests

Rows without a PID/Process value are requests for which the report shows no originating process.

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
4020 | 2025-08-01_2cddfebdd21637e9a8cb648bb07b957d_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/None | US | binary | 58 b | whitelisted
- | - | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted

Connections

Rows without a PID/Process value are connections for which the report shows no originating process; broadcast connections carry no domain, ASN or CN.

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 23.3.109.244
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
api.ipify.org
  • 104.26.12.205
  • 172.67.74.152
  • 104.26.13.205
shared
ip-api.com
  • 208.95.112.1
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.75.242.210
whitelisted
store4.gofile.io
  • 31.14.70.245
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.128.233
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.135.232
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted

Threats

No threats detected
No debug info