File name:

15219ED1CA4F2613CCB74EBC27B571C1.exe

Full analysis: https://app.any.run/tasks/73af7a34-3125-4193-9c0e-8f7e2ad4f24c
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 13:24:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

15219ED1CA4F2613CCB74EBC27B571C1

SHA1:

232D7FFC1F874317377A57E52F710FE5748CD767

SHA256:

755B9E89416A664F52A0DFEE6DE54687F15AE900A7317763B0A4144996724F6A

SSDEEP:

6144:tqi8gTOpTkAk0H3j6I7E60SpR5i5UlMfd1jRoqN1196vCMYqOtBiUzcKAk3IBggR:t8NeAki3j6GJr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)

    • Connects to unusual port

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)

  • INFO

    • Checks supported languages

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)

    • Checks proxy server information

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)
      • slui.exe (PID: 3956)

    • Reads the machine GUID from the registry

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)

    • Reads the computer name

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)

    • Reads the software policy settings

      • 15219ED1CA4F2613CCB74EBC27B571C1.exe (PID: 7636)
      • slui.exe (PID: 3956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(7636) 15219ED1CA4F2613CCB74EBC27B571C1.exe
C2 (1)103.171.35.26/dot.gif
BeaconTypeHTTPS
Port9443
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYwABfVZCivHbnjZUO+BO81zPg D/iC2oPyKTKg/ktH1Zbz3KyDsPWnMof9juyAfTGI73mxgqkNUk3MwtLRfIqw+cle DaWzp4gE2tnKy9qy4dqKpTA6yNxxtvSYH3EW3YQb7BsYeNZclmAmezp4zgRUwqyd V21a6CYhEsjH2IeQ7wIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubcc4ba01c076d925ce1fc333d59ba83db
ProcInject_AllocationMethodVirtualAllocEx
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.34
CodeSize: 8704
InitializedDataSize: 294912
UninitializedDataSize: 2560
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE 15219ed1ca4f2613ccb74ebc27b571c1.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3956C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7636"C:\Users\admin\Desktop\15219ED1CA4F2613CCB74EBC27B571C1.exe" C:\Users\admin\Desktop\15219ED1CA4F2613CCB74EBC27B571C1.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\15219ed1ca4f2613ccb74ebc27b571c1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
CobalStrike
(PID) Process(7636) 15219ED1CA4F2613CCB74EBC27B571C1.exe
C2 (1)103.171.35.26/dot.gif
BeaconTypeHTTPS
Port9443
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYwABfVZCivHbnjZUO+BO81zPg D/iC2oPyKTKg/ktH1Zbz3KyDsPWnMof9juyAfTGI73mxgqkNUk3MwtLRfIqw+cle DaWzp4gE2tnKy9qy4dqKpTA6yNxxtvSYH3EW3YQb7BsYeNZclmAmezp4zgRUwqyd V21a6CYhEsjH2IeQ7wIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubcc4ba01c076d925ce1fc333d59ba83db
ProcInject_AllocationMethodVirtualAllocEx
Total events
6 757
Read events
6 754
Write events
3
Delete events
0

Modification events

(PID) Process:(7636) 15219ED1CA4F2613CCB74EBC27B571C1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7636) 15219ED1CA4F2613CCB74EBC27B571C1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7636) 15219ED1CA4F2613CCB74EBC27B571C1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
69
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7636
15219ED1CA4F2613CCB74EBC27B571C1.exe
103.171.35.26:9443
VH Global Limited
HK
malicious
4
System
192.168.100.255:137
whitelisted
7892
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.128
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.23
  • 20.190.159.131
  • 40.126.31.73
  • 20.190.159.129
whitelisted
google.com
  • 172.217.17.110
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 2.18.121.147
  • 2.18.121.139
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
15219ED1CA4F2613CCB74EBC27B571C1.exe