File name:

25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe

Full analysis: https://app.any.run/tasks/90f64330-728a-4ce3-be31-06723ee3fa18
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: October 03, 2025, 17:31:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 10 sections
MD5:

0DCB8B2DFD1F769EECB77DABCB47EB14

SHA1:

1331BE65E2CB9F29810AC0C94605E0A069D4BB39

SHA256:

25E89FE9B7A662BD7D2B4E4632C27877911DAF32A05748423C3A82FBF9B6D787

SSDEEP:

49152:qbDR3EU3TZ7O66466UU6+TX83/DS+6Or0cN1g0ooPoO3i:tQbG/DS+6Or0e9oOy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

    • COBALTSTRIKE has been detected (YARA)

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

  • SUSPICIOUS

    • Working with threads in the GNU C Compiler (GCC) libraries related mutex has been found

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

    • Reads security settings of Internet Explorer

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

    • Connects to unusual port

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

  • INFO

    • Checks proxy server information

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)
      • slui.exe (PID: 2840)

    • Checks supported languages

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

    • Reads the computer name

      • 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe (PID: 6384)

    • Reads the software policy settings

      • slui.exe (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(6384) 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe
C2113.44.44.242:8777/MQfY
HeadersUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:10:01 12:16:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.24
CodeSize: 491008
InitializedDataSize: 1288704
UninitializedDataSize: 6144
EntryPoint: 0x14d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2840C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6384"C:\Users\admin\Desktop\25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe" C:\Users\admin\Desktop\25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
CobalStrike
(PID) Process(6384) 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe
C2113.44.44.242:8777/MQfY
HeadersUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)
Total events
4 007
Read events
3 999
Write events
8
Delete events
0

Modification events

(PID) Process:(6384) 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6384) 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6384) 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6384) 25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
20
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
4.154.209.85:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
unknown
POST
500
4.154.209.85:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6016
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7656
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6384
25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe
113.44.44.242:8777
CN
unknown
6016
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5948
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7036
slui.exe
4.154.209.85:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2840
slui.exe
4.154.209.85:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
activation-v2.sls.microsoft.com
  • 4.154.209.85
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
25e89fe9b7a662bd7d2b4e4632c27877911daf32a05748423c3a82fbf9b6d787.exe