File name:

2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/80f133a5-cbbd-4f21-a72c-80d82b43d986
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 10:51:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
sheetrat
rat
auto-sch
auto-reg
api-base64
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

09B6AC77217C3642CA1105794238E88C

SHA1:

D370A59DBE646574E35B3FA7D9C68077F1735F02

SHA256:

B3CDE0EA1003B8F5C7660B966F329C7D047861059F79FE4F0F59AA86D68AA0B1

SSDEEP:

98304:9xb2fC/emyBMyB3vqeLnc1ZaDPHUFK/uXbQx2Uc9XLDbenkuA83wpYp2twXLM4ZQ:mOKVCTyMNUfF4939W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • INST.exe (PID: 856)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7052)
      • cmd.exe (PID: 496)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 6656)
      • cmd.exe (PID: 536)
      • cmd.exe (PID: 2064)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 7012)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 3968)
      • cmd.exe (PID: 6248)
      • cmd.exe (PID: 5640)
      • cmd.exe (PID: 456)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 6436)
      • cmd.exe (PID: 6148)
      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 5968)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 5056)
      • cmd.exe (PID: 5960)
      • cmd.exe (PID: 4436)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 1328)
      • cmd.exe (PID: 4464)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 6068)
      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 5172)
      • cmd.exe (PID: 788)
      • cmd.exe (PID: 4868)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 132)
      • cmd.exe (PID: 2564)
      • cmd.exe (PID: 6828)
      • cmd.exe (PID: 2240)

    • SHEETRAT mutex has been found

      • INST.exe (PID: 856)
      • xdwdQuicken.exe (PID: 6828)
      • xdwdQuicken.exe (PID: 5452)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 1228)

    • Changes the AppInit_DLLs value (autorun option)

      • INST.exe (PID: 856)

    • Changes the login/logoff helper path in the registry

      • INST.exe (PID: 856)

  • SUSPICIOUS

    • Process drops python dynamic module

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)

    • Executable content was dropped or overwritten

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)
      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)
      • INST.exe (PID: 856)

    • Process drops legitimate windows executable

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)

    • The process drops C-runtime libraries

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)

    • Application launched itself

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)
      • INST.exe (PID: 6300)

    • Loads Python modules

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)

    • Starts CMD.EXE for commands execution

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)
      • INST.exe (PID: 856)
      • xdwdQuicken.exe (PID: 4188)
      • xdwdDaVinci Resolve.exe (PID: 1568)
      • xdwdQuicken.exe (PID: 5452)
      • xdwdQuicken.exe (PID: 6828)

    • The executable file from the user directory is run by the CMD process

      • INST.exe (PID: 6300)

    • Reads security settings of Internet Explorer

      • INST.exe (PID: 6300)

    • Reads the date of Windows installation

      • INST.exe (PID: 6300)

    • Connects to unusual port

      • INST.exe (PID: 856)

    • The process executes via Task Scheduler

      • xdwdQuicken.exe (PID: 6828)
      • xdwdQuicken.exe (PID: 5452)

  • INFO

    • Create files in a temporary directory

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)
      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)

    • Checks supported languages

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)
      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)
      • INST.exe (PID: 6300)
      • INST.exe (PID: 856)
      • xdwdQuicken.exe (PID: 4188)
      • xdwdDaVinci Resolve.exe (PID: 1568)
      • xdwdQuicken.exe (PID: 6828)
      • xdwdQuicken.exe (PID: 5452)

    • Reads the computer name

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)
      • INST.exe (PID: 6300)
      • INST.exe (PID: 856)
      • xdwdQuicken.exe (PID: 4188)
      • xdwdDaVinci Resolve.exe (PID: 1568)
      • xdwdQuicken.exe (PID: 6828)
      • xdwdQuicken.exe (PID: 5452)

    • The sample compiled with english language support

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)

    • Reads the machine GUID from the registry

      • INST.exe (PID: 6300)
      • INST.exe (PID: 856)

    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)

    • PyInstaller has been detected (YARA)

      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5124)
      • 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe (PID: 5280)

    • Process checks computer location settings

      • INST.exe (PID: 6300)

    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 7052)
      • cmd.exe (PID: 6656)
      • cmd.exe (PID: 496)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 3968)
      • cmd.exe (PID: 536)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 7012)
      • cmd.exe (PID: 2064)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 6248)
      • cmd.exe (PID: 6148)
      • cmd.exe (PID: 5640)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 456)
      • cmd.exe (PID: 6436)
      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 5968)
      • cmd.exe (PID: 5056)
      • cmd.exe (PID: 4436)
      • cmd.exe (PID: 5960)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 1328)
      • cmd.exe (PID: 4464)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 6068)
      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 4868)
      • cmd.exe (PID: 5172)
      • cmd.exe (PID: 788)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 132)
      • cmd.exe (PID: 2564)
      • cmd.exe (PID: 6828)
      • cmd.exe (PID: 2240)

    • Auto-launch of the file from Registry key

      • INST.exe (PID: 856)

    • Manual execution by a user

      • xdwdQuicken.exe (PID: 4188)
      • xdwdDaVinci Resolve.exe (PID: 1568)

    • Reads the software policy settings

      • slui.exe (PID: 1228)

    • Checks proxy server information

      • slui.exe (PID: 1228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:12 06:58:38+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 178688
InitializedDataSize: 153600
UninitializedDataSize: -
EntryPoint: 0xc380
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
268
Monitored processes
145
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe conhost.exe no specs 2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe cmd.exe no specs cmd.exe no specs inst.exe no specs #SHEETRAT inst.exe cmd.exe conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs xdwdquicken.exe no specs svchost.exe xdwddavinci resolve.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs #SHEETRAT xdwdquicken.exe no specs slui.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs #SHEETRAT xdwdquicken.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
132"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Camtasia" /tr "C:\WINDOWS\xdwdQuicken.exe" /RL HIGHEST & exitC:\Windows\System32\cmd.exeINST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
456"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Camtasia" /tr "C:\WINDOWS\xdwdQuicken.exe" /RL HIGHEST & exitC:\Windows\System32\cmd.exeINST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
496C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\INST.exeC:\Windows\System32\cmd.exe2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
496"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Camtasia" /tr "C:\WINDOWS\xdwdQuicken.exe" /RL HIGHEST & exitC:\Windows\System32\cmd.exeINST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
536"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Avast Antivirus Upgrade" /tr "C:\Users\admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exitC:\Windows\System32\cmd.exeINST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728SchTaSKs /create /f /sc minute /mo -1 /tn "Camtasia" /tr "C:\WINDOWS\xdwdQuicken.exe" /RL HIGHEST C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
732SchTaSKs /create /f /sc minute /mo -1 /tn "Camtasia" /tr "C:\WINDOWS\xdwdQuicken.exe" /RL HIGHEST C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
7 242
Read events
7 236
Write events
6
Delete events
0

Modification events

(PID) Process:(6300) INST.exeKey:HKEY_CURRENT_USER\SOFTWARE
Operation:writeName:hwid
Value:
MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=
(PID) Process:(856) INST.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation:writeName:AppInit_DLLs
Value:
C:\WINDOWS\xdwd.dll
(PID) Process:(856) INST.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation:writeName:LoadAppInit_DLLs
Value:
1
(PID) Process:(856) INST.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Operation:writeName:RequireSignedAppInit_DLLs
Value:
0
(PID) Process:(856) INST.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:Userinit
Value:
C:\Windows\System32\userinit.exe,C:\WINDOWS\xdwdQuicken.exe
(PID) Process:(856) INST.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:System32
Value:
C:\Users\admin\Videos\xdwdDaVinci Resolve.exe
Executable files
57
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\_hashlib.pydexecutable
MD5:CF4120BAD9A7F77993DD7A95568D83D7
SHA256:14765E83996FE6D50AEDC11BB41D7C427A3E846A6A6293A4A46F7EA7E3F14148
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\_bz2.pydexecutable
MD5:057325E89B4DB46E6B18A52D1A691CAA
SHA256:5BA872CAA7FCEE0F4FB81C6E0201CEED9BD92A3624F16828DD316144D292A869
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\_lzma.pydexecutable
MD5:3E73BC69EFB418E76D38BE5857A77027
SHA256:6F48E7EBA363CB67F3465A6C91B5872454B44FC30B82710DFA4A4489270CE95C
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\_decimal.pydexecutable
MD5:F465C15E7BACEAC920DC58A5FB922C1C
SHA256:F4A486A0CA6A53659159A404614C7E7EDCCB6BFBCDEB844F6CEE544436A826CB
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:226A5983AE2CBBF0C1BDA85D65948ABC
SHA256:591358EB4D1531E9563EE0813E4301C552CE364C912CE684D16576EABF195DC3
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\_socket.pydexecutable
MD5:69C4A9A654CF6D1684B73A431949B333
SHA256:8DAEFAFF53E6956F5AEA5279A7C71F17D8C63E2B0D54031C3B9E82FCB0FB84DB
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:8F8EB9CB9E78E3A611BC8ACAEC4399CB
SHA256:1BD81DFD19204B44662510D9054852FB77C9F25C1088D647881C9B976CC16818
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:9F746F4F7D845F063FEA3C37DCEBC27C
SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5
SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8
51242025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI51242\api-ms-win-core-fibers-l1-1-1.dllexecutable
MD5:050A30A687E7A2FA6F086A0DB89AA131
SHA256:FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
60
DNS requests
16
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5260
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.4
  • 20.190.160.2
  • 40.126.32.133
  • 20.190.160.128
  • 40.126.32.136
  • 40.126.32.74
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
relations-hiring.gl.at.ply.gg
  • 147.185.221.28
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_09b6ac77217c3642ca1105794238e88c_black-basta_cobalt-strike_satacom