File name: 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa

Full analysis: https://app.any.run/tasks/3877bf37-54f6-411f-ae92-d167a518bee1
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra, but cracked versions are widely adopted by threat actors, who use it as their C2 framework of choice for targeted attacks.

Analysis date: May 15, 2025, 11:43:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 8AE73211301778E5B2135A58F3F6F47D
SHA1: 9A2B46ECB2481DA4E80BB194A5AFB3B4284E0B24
SHA256: 8312FC843C1E70468A144A5DEE36D0964D44B57076276FE10226BEF4F89162FA
SSDEEP: 98304:c1T2Q688IsdJE8slJ7CxPy9xolFZgHkjmroIaAZhhRb4bBafg5j+6KnrUjxiZwlS:xbTyYAwn3yoeZKI+kld3o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
  • SUSPICIOUS

    • Process drops a Python dynamic module

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • Executable content was dropped or overwritten

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • The process drops C-runtime libraries

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • Process drops legitimate windows executable

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • Application launched itself

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • Loads Python modules

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Starts CMD.EXE for command execution

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 7752)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 7848)
      • cmd.exe (PID: 7216)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 7956)
    • The process checks whether it is being run in a virtual environment

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7188)
    • There is functionality for taking screenshots (YARA)

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Reads security settings of Internet Explorer

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Connects to unusual port

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
  • INFO

    • Reads the computer name

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Creates files in a temporary directory

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • Checks supported languages

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • The sample was compiled with English language support

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7804)
      • WMIC.exe (PID: 7908)
      • WMIC.exe (PID: 8012)
      • WMIC.exe (PID: 4784)
    • Checks proxy server information

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
      • slui.exe (PID: 1628)
    • PyInstaller has been detected (YARA)

      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7560)
      • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe (PID: 7604)
    • Reads the software policy settings

      • slui.exe (PID: 1628)

CobaltStrike

PID 7604: 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe
C2: 47.109.177.97:1111/fNTU
Headers: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:15 09:50:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 147
Monitored processes: 24
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes in the graph, in the order listed:

  • start
  • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe
  • 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe #COBALTSTRIKE
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • find.exe (no specs)
  • slui.exe

Process information

PID | CMD | Path | Indicators | Parent process

PID 1244 | CMD: reg query HKLM\SOFTWARE\VMware, Inc.\VMware Tools | Path: C:\Windows\System32\reg.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 1628 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 2656 | CMD: find /c /v "" | Path: C:\Windows\System32\find.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID 4784 | CMD: wmic diskdrive get caption | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ucrtbase.dll
PID 6488 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6620 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6652 | CMD: C:\WINDOWS\system32\cmd.exe /c "reg query HKLM\SOFTWARE\VMware, Inc.\VMware Tools" | Path: C:\Windows\System32\cmd.exe | Parent: 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID 6964 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 7148 | CMD: reg query HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | Path: C:\Windows\System32\reg.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 7188 | CMD: C:\WINDOWS\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions" | Path: C:\Windows\System32\cmd.exe | Parent: 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events: 4 772
Read events: 4 772
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 109
Suspicious files: 1
Text files: 19
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_pkcs1_decode.pyd | executable
MD5:C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA256:8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_ARC4.pyd | executable
MD5:BCD8CAAF9342AB891BB1D8DD45EF0098
SHA256:78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_Salsa20.pyd | executable
MD5:F19CB847E567A31FAB97435536C7B783
SHA256:1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_raw_arc2.pyd | executable
MD5:F14E1AA2590D621BE8C10321B2C43132
SHA256:FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_raw_aes.pyd | executable
MD5:0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA256:6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_raw_blowfish.pyd | executable
MD5:B127CAE435AEB8A2A37D2A1BC1C27282
SHA256:538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_chacha20.pyd | executable
MD5:DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA256:68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_raw_cfb.pyd | executable
MD5:899895C0ED6830C4C9A3328CC7DF95B6
SHA256:18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_raw_ecb.pyd | executable
MD5:80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA256:5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
7560 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | C:\Users\admin\AppData\Local\Temp\_MEI75602\Crypto\Cipher\_raw_ocb.pyd | executable
MD5:78AEF441C9152A17DD4DC40C7CC9DF69
SHA256:56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
HTTP(S) requests: 2
TCP/UDP connections: 28
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7604 | 8312fc843c1e70468a144a5dee36d0964d44b57076276fe10226bef4f89162fa.exe | 47.109.177.97:1111 | - | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
7308 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1628 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
dns.msftncsi.com | 131.107.255.255 | whitelisted

Threats

No threats detected
No debug info