File name:

3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe

Full analysis: https://app.any.run/tasks/5f75d5c5-a623-4395-95fa-4068254f44a3
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 22:20:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

AA8B75B290C1FA73E00DD91DBAB13F27

SHA1:

6FD3C021980CC00360E211F83F2E0C14A02DD5F4

SHA256:

3E53DAC6FF6DF102B3D056CFA5F08F9DF434171ADD4E8FAD6BB1CF57B56E72E0

SSDEEP:

192:FQauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnffmS4uEZfptL7GbUaYnCrUR1p7g5:hWXGaNp+QWAClYRH0n7GbUanrUPYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (SURICATA)

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • Connects to the CnC server

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • COBALTSTRIKE has been detected (YARA)

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • Connects to unusual port

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • Contacting a server suspected of hosting an CnC

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

  • INFO

    • Reads the computer name

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • Checks proxy server information

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • Checks supported languages

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)

    • Reads the machine GUID from the registry

      • 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe (PID: 5376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(5376) 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
C28.130.132.210:7777/Rpc
HeadersAccept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.34
CodeSize: 8704
InitializedDataSize: 18432
UninitializedDataSize: 2560
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4756C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5364"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5376"C:\Users\admin\AppData\Local\Temp\3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe" C:\Users\admin\AppData\Local\Temp\3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
CobalStrike
(PID) Process(5376) 3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
C28.130.132.210:7777/Rpc
HeadersAccept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Total events
529
Read events
529
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
25
DNS requests
13
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
GET
200
8.130.132.210:7777
http://8.130.132.210:7777/Rpc
unknown
unknown
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
GET
200
8.130.132.210:7777
http://8.130.132.210:7777/login/?wa=LGfyWnHTBGLBLLMfWl_i3d-C-Hv0Nm4asosXaTu01o3IT3AbTITyBJzHNECd2l3d5hC-McSzkGZL754I3XoyQDrAEuI33BdGgOr8Sz1SKgcs5H1KHl54F2POcWENyuOdhdsq7uzn4twlIWwmpBWyGViduvt59-hruer9JJaKqu4&path=/calendar
unknown
unknown
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2692
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2692
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
GET
200
8.130.132.210:7777
http://8.130.132.210:7777/login/?wa=LGfyWnHTBGLBLLMfWl_i3d-C-Hv0Nm4asosXaTu01o3IT3AbTITyBJzHNECd2l3d5hC-McSzkGZL754I3XoyQDrAEuI33BdGgOr8Sz1SKgcs5H1KHl54F2POcWENyuOdhdsq7uzn4twlIWwmpBWyGViduvt59-hruer9JJaKqu4&path=/calendar
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
8.130.132.210:7777
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.66
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.132
  • 40.126.32.133
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
A Network Trojan was detected
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
Malware Command and Control Activity Detected
ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
Malware Command and Control Activity Detected
ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2
5376
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe
Malware Command and Control Activity Detected
ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3e53dac6ff6df102b3d056cfa5f08f9df434171add4e8fad6bb1cf57b56e72e0.exe