File name: 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe

Full analysis: https://app.any.run/tasks/bda28f12-c417-495b-bfea-8618551e07b7
Verdict: Malicious activity
Analysis date: July 08, 2025, 17:59:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: m0yv
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 298DD0EA20E5F471357884DFF787FBBC
SHA1: 19595AC83713B11FD3643648294D7B2E1B4EAB29
SHA256: A70AC5724602DF1E625433F5F80FA0E238C44172CC44BB7A9F1E6E784FF12A4C
SSDEEP: 49152:nyYS07uxr8T8XqJdE4aVgcU+NpX2dM+Vc+J+WO3N2EvybNV6dANU:nfJ5SvU+fX27VFvEHA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • AppVClient.exe (PID: 3644)
      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
      • armsvc.exe (PID: 4088)
      • FlashPlayerUpdateService.exe (PID: 1480)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 3720)
      • MicrosoftEdgeUpdate.exe (PID: 4500)
      • GameInputSvc.exe (PID: 632)
      • GameInputSvc.exe (PID: 3608)
      • FXSSVC.exe (PID: 620)
      • updater.exe (PID: 1204)
      • updater.exe (PID: 3740)
      • updater.exe (PID: 6716)
      • alg.exe (PID: 3940)
      • elevation_service.exe (PID: 6772)
      • updater.exe (PID: 4832)
      • updater.exe (PID: 4820)
      • maintenanceservice.exe (PID: 2696)
      • msdtc.exe (PID: 6236)
      • PerceptionSimulationService.exe (PID: 1068)
      • perfhost.exe (PID: 6768)
      • PSEXESVC.exe (PID: 1976)
      • snmptrap.exe (PID: 1564)
      • Locator.exe (PID: 6256)
      • SensorDataService.exe (PID: 4748)
      • Spectrum.exe (PID: 7192)
      • ssh-agent.exe (PID: 7252)
      • TieringEngineService.exe (PID: 7340)
      • AgentService.exe (PID: 7412)
      • vds.exe (PID: 7464)
      • VSSVC.exe (PID: 7508)
      • wbengine.exe (PID: 7576)
      • WmiApSrv.exe (PID: 7632)
      • SearchIndexer.exe (PID: 7724)
      • updater.exe (PID: 320)
    • M0YV has been detected (YARA)

      • armsvc.exe (PID: 4088)
      • alg.exe (PID: 3940)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 3720)
      • GameInputSvc.exe (PID: 632)
      • elevation_service.exe (PID: 6772)
      • msdtc.exe (PID: 6236)
      • GameInputSvc.exe (PID: 3608)
      • PerceptionSimulationService.exe (PID: 1068)
      • perfhost.exe (PID: 6768)
      • PSEXESVC.exe (PID: 1976)
      • Locator.exe (PID: 6256)
      • snmptrap.exe (PID: 1564)
      • Spectrum.exe (PID: 7192)
      • ssh-agent.exe (PID: 7252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
      • armsvc.exe (PID: 4088)
    • Executes as Windows Service

      • armsvc.exe (PID: 4088)
      • FlashPlayerUpdateService.exe (PID: 1480)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 3720)
      • MicrosoftEdgeUpdate.exe (PID: 4500)
      • GameInputSvc.exe (PID: 632)
      • FXSSVC.exe (PID: 620)
      • updater.exe (PID: 1204)
      • AppVClient.exe (PID: 3644)
      • alg.exe (PID: 3940)
      • updater.exe (PID: 4832)
      • maintenanceservice.exe (PID: 2696)
      • msdtc.exe (PID: 6236)
      • PerceptionSimulationService.exe (PID: 1068)
      • perfhost.exe (PID: 6768)
      • PSEXESVC.exe (PID: 1976)
      • Locator.exe (PID: 6256)
      • Spectrum.exe (PID: 7192)
      • snmptrap.exe (PID: 1564)
      • SensorDataService.exe (PID: 4748)
      • ssh-agent.exe (PID: 7252)
      • TieringEngineService.exe (PID: 7340)
      • AgentService.exe (PID: 7412)
      • vds.exe (PID: 7464)
      • wbengine.exe (PID: 7576)
      • WmiApSrv.exe (PID: 7632)
      • VSSVC.exe (PID: 7508)
    • Application launched itself

      • GameInputSvc.exe (PID: 632)
      • updater.exe (PID: 1204)
      • updater.exe (PID: 6716)
      • updater.exe (PID: 4832)
    • Process drops legitimate windows executable

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
      • armsvc.exe (PID: 4088)
  • INFO

    • Checks supported languages

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
      • armsvc.exe (PID: 4088)
      • FlashPlayerUpdateService.exe (PID: 1480)
      • MicrosoftEdgeUpdate.exe (PID: 4500)
      • updater.exe (PID: 1204)
      • updater.exe (PID: 3740)
      • updater.exe (PID: 6716)
      • updater.exe (PID: 320)
      • updater.exe (PID: 4832)
      • updater.exe (PID: 4820)
      • maintenanceservice.exe (PID: 2696)
      • PSEXESVC.exe (PID: 1976)
      • ssh-agent.exe (PID: 7252)
      • elevation_service.exe (PID: 6772)
    • The sample compiled with russian language support

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
    • Creates files or folders in the user directory

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
    • Reads the computer name

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
      • armsvc.exe (PID: 4088)
      • MicrosoftEdgeUpdate.exe (PID: 4500)
      • updater.exe (PID: 1204)
      • updater.exe (PID: 3740)
      • updater.exe (PID: 6716)
      • updater.exe (PID: 320)
      • FlashPlayerUpdateService.exe (PID: 1480)
      • elevation_service.exe (PID: 6772)
      • updater.exe (PID: 4832)
      • updater.exe (PID: 4820)
      • maintenanceservice.exe (PID: 2696)
      • PSEXESVC.exe (PID: 1976)
      • ssh-agent.exe (PID: 7252)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 620)
      • maintenanceservice.exe (PID: 2696)
      • SearchIndexer.exe (PID: 7724)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 3608)
      • slui.exe (PID: 1740)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 1204)
      • updater.exe (PID: 6716)
      • updater.exe (PID: 4832)
    • Executes as Windows Service

      • elevation_service.exe (PID: 6772)
      • SearchIndexer.exe (PID: 7724)
    • The sample compiled with english language support

      • 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe (PID: 7064)
      • armsvc.exe (PID: 4088)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 6236)
    • Reads the time zone

      • TieringEngineService.exe (PID: 7340)
    • The sample compiled with bulgarian language support

      • armsvc.exe (PID: 4088)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 856)
    • Checks proxy server information

      • slui.exe (PID: 1740)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2022:08:08 10:51:59+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 108544
InitializedDataSize: 65536
UninitializedDataSize: -
EntryPoint: 0x4f00
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: ROSTPAY LTD
FileDescription: Driver install
FileVersion: 1.0.0.0
InternalName: Installer.exe
LegalCopyright: © ROSTPAY LTD. All rights reserved.
OriginalFileName: Installer.exe
ProductName: DriverHub
ProductVersion: 1.3.2.1453
Total processes: 175
Monitored processes: 39
Malicious processes: 34
Suspicious processes: 0

Behavior graph

start 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe armsvc.exe flashplayerupdateservice.exe no specs alg.exe no specs appvclient.exe no specs diagnosticshub.standardcollector.service.exe no specs microsoftedgeupdate.exe no specs fxssvc.exe no specs gameinputsvc.exe no specs gameinputsvc.exe no specs updater.exe no specs updater.exe no specs updater.exe no specs updater.exe no specs elevation_service.exe no specs updater.exe no specs updater.exe no specs maintenanceservice.exe no specs msdtc.exe no specs perceptionsimulationservice.exe no specs perfhost.exe no specs psexesvc.exe no specs locator.exe no specs sensordataservice.exe no specs snmptrap.exe no specs spectrum.exe no specs ssh-agent.exe no specs tieringengineservice.exe no specs agentservice.exe no specs vds.exe no specs vssvc.exe no specs wbengine.exe no specs wmiapsrv.exe no specs searchindexer.exe no specs svchost.exe slui.exe searchprotocolhost.exe no specs searchfilterhost.exe no specs 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe no specs

Process information

PID: 320
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2fc,0x300,0x304,0x2f8,0x308,0x8bc460,0x8bc46c,0x8bc478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 620
CMD: C:\WINDOWS\system32\fxssvc.exe
Path: C:\Windows\System32\FXSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Fax Service
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\fxssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll

PID: 632
CMD: C:\WINDOWS\System32\GameInputSvc.exe
Path: C:\Windows\System32\GameInputSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: GameInput Host Service
Version: 0.2309.19041.4046
Modules (images):
c:\windows\system32\gameinputsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll

PID: 724
CMD: "C:\Users\admin\Desktop\2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe
Parent process: explorer.exe
User: admin
Company: ROSTPAY LTD
Integrity Level: MEDIUM
Description: Driver install
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe
c:\windows\system32\ntdll.dll

PID: 856
CMD: "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\tquery.dll

PID: 1068
CMD: C:\WINDOWS\system32\PerceptionSimulation\PerceptionSimulationService.exe
Path: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Perception Simulation Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1204
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --system --windows-service --service=update-internal
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: services.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 1480
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe
Integrity Level: SYSTEM
Description: Adobe® Flash® Player Update Service 32.0 r0
Exit code: 0
Version: 32,0,0,465
Modules (images):
c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 1564
CMD: C:\WINDOWS\System32\snmptrap.exe
Path: C:\Windows\System32\snmptrap.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: SNMP Trap
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\snmptrap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

PID: 1740
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 15 912
Read events: 15 834
Write events: 54
Delete events: 24

Modification events

(PID) Process | Key | Operation | Name | Value
(620) FXSSVC.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax | write | RedirectionGuard | 1
(620) FXSSVC.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | write | Password | 00
(620) FXSSVC.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | delete value | Password |
(620) FXSSVC.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | write | Server |
(620) FXSSVC.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | write | From |
(620) FXSSVC.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | write | User |
(4088) armsvc.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM | write | iLastSvcSuccess | 1532796
(7192) Spectrum.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PerceptionSimulationExtensions | write | DeviceId | {E1C130A5-D812-434F-B6E4-AD177C1B13A0}
(7192) Spectrum.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Spectrum | write | HeadCenterOfRotationFloat3 | 000000000AD7A3BD0AD7A33D
(7252) ssh-agent.exe | HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\Agent | write | ProcessID | 7252
Executable files: 141
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Windows\System32\alg.exe | executable
MD5: ED0BEE4898986D1FFF7617E1DC42AAA3
SHA256: BD004860B41E593AB3A760972A20558496760600B709B148FA27D4698DD9DE5A
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: C2FEACB17E9529DD4CC290C13628F475
SHA256: E2820B3485ACC0DA3F11061AF7622674609EAB2297E1A71684817EE114A14830
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | executable
MD5: D87F6E3931E6870F1DA73D7870C26E75
SHA256: 5E22CD47AA26E32E97606D1C566C2CEA23C03CB4AA3640290560385F3708E530
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Windows\System32\GameInputSvc.exe | executable
MD5: 65A09EE99A591B8EC9ABBF2352A49526
SHA256: 50B4D6B1DBB451CB03AD6A39E325CE9E2549297FB0F106B82A4D6510AABA6990
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Windows\System32\FXSSVC.exe | executable
MD5: 7A4DCCEE69C690C5372F130806D036DD
SHA256: A8864F95002A5E7D9F15BF01CA186A43E1BBE9740ADA6BB6EEE6B83AA20D34F8
3740 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
MD5: 332F8B2877CE0C235B9B17E4A3DCB47D
SHA256: 251AF05176B2FADDF4A16C28FE9DFA37ACA6D905A47F8DD48FF0EBBB3BA66191
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.127\elevation_service.exe | executable
MD5: F2D1B126A3E77CD9FC16E7B30F863981
SHA256: FE116930323EE924AE42C7F495DB370468DE8AF01C6D31E239C8016E171D7199
4088 | armsvc.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: E0F544FC286FC5654A99FF982E984BF3
SHA256: 419CB65464B7AFD2BE379E638CA0AAF151477209BE06F6972E5756CFBAF145DD
7064 | 2025-07-08_298dd0ea20e5f471357884dff787fbbc_black-basta_cobalt-strike_satacom_vidar.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | executable
MD5: E673AB9F3A87EEC264985203361650D2
SHA256: 83C7E546060F426AC700BBED9A20F684F214D0D8495D62C74E91F6A6BA471FF7
4088 | armsvc.exe | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | executable
MD5: E7EB9CAC9E80741874FE1134946BBA23
SHA256: 8247291B69F2236B575E00EA6E90DB11E43E44A325ECA6CFBB0B48CEE20543BD
HTTP(S) requests: 89
TCP/UDP connections: 95
DNS requests: 67
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3980 | RUXIMICS.exe | GET | 200 | 23.216.77.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3980 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4088 | armsvc.exe | POST | 200 | 44.244.22.128:80 | http://pywolwnvd.biz/yswnktdiufod | unknown | | | malicious
4088 | armsvc.exe | POST | 200 | 44.244.22.128:80 | http://cvgrf.biz/wme | unknown | | | malicious
4088 | armsvc.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/lhgulmavaxto | unknown | | | malicious
4088 | armsvc.exe | POST | 200 | 172.237.146.38:80 | http://przvgke.biz/dsudrgt | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3980 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.43:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.43:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3980 | RUXIMICS.exe | 23.216.77.43:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 23.216.77.43, 23.216.77.31, 23.216.77.5, 23.216.77.37, 23.216.77.42, 23.216.77.28, 23.216.77.38, 23.216.77.35, 23.216.77.29, 2.18.121.139, 2.18.121.147 | whitelisted
www.microsoft.com | 23.35.229.160, 95.100.102.101 | whitelisted
pywolwnvd.biz | 44.244.22.128 | malicious
ssbzmoy.biz | 50.16.27.236 | unknown
cvgrf.biz | 44.244.22.128 | malicious
npukfztj.biz | 3.229.117.57 | malicious
przvgke.biz | 172.237.146.38, 172.237.146.8, 172.233.219.78, 172.237.146.25, 172.233.219.49, 172.233.219.123 | unknown
zlenh.biz | | unknown

Threats

PID | Process | Class | Message
2200 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
4088 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
4088 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
No debug info