File name:

Slawd-sleep1sec.exe

Full analysis: https://app.any.run/tasks/9ba2ddd7-4d2d-4d22-97f6-422fa503909a
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 15:58:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
rust
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

A40F6E0F17D53EFD522B1DA4455ED460

SHA1:

E5207A04DFFE4DF3E65D89E39A7D71D9575B77F8

SHA256:

A665DC3D0E8890B660D9084AAB04EAC00FD970EBA9AFBBFFE925E2482246F325

SSDEEP:

6144:mJXeSV4dpYP6LEBfIqUvBRvfgAgOOxt57e:mJXeSV4dpYP6LsfIBvBOAjot57e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • Slawd-sleep1sec.exe (PID: 6988)

    • COBALTSTRIKE has been detected (SURICATA)

      • Slawd-sleep1sec.exe (PID: 6988)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Slawd-sleep1sec.exe (PID: 6988)

  • INFO

    • Checks supported languages

      • Slawd-sleep1sec.exe (PID: 6988)

    • Reads the computer name

      • Slawd-sleep1sec.exe (PID: 6988)

    • Checks proxy server information

      • Slawd-sleep1sec.exe (PID: 6988)
      • slui.exe (PID: 3272)

    • Create files in a temporary directory

      • Slawd-sleep1sec.exe (PID: 6988)

    • Reads the machine GUID from the registry

      • Slawd-sleep1sec.exe (PID: 6988)

    • Application based on Rust

      • Slawd-sleep1sec.exe (PID: 6988)

    • Reads the software policy settings

      • slui.exe (PID: 3272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(6988) Slawd-sleep1sec.exe
C2 (1)192.168.40.131/match
BeaconTypeHTTP
Port80
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCurHEYGtPWAJ5pJwkNWztnzHft rgCerc+/2MVvSL6xpYVZKSDmqojoiKPuDJjiTM0Z3zTS720ZjEtCUiJeruKZHuQH oiRvrqy/9BrFAf5gnspLbVBVNbUEGfsLvbgAWkMlwEM9fKOEyUPDhuanXqgdGZLr aBNp4XfslcAiX0EJ/wIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark100000
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MASP)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub04e0a11be59147a8d73d2b3e9fea832c
ProcInject_AllocationMethodVirtualAllocEx
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:07 14:01:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 128512
InitializedDataSize: 4852736
UninitializedDataSize: -
EntryPoint: 0x1df54
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE slawd-sleep1sec.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3272C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6988"C:\Users\admin\Desktop\Slawd-sleep1sec.exe" C:\Users\admin\Desktop\Slawd-sleep1sec.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\slawd-sleep1sec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
CobalStrike
(PID) Process(6988) Slawd-sleep1sec.exe
C2 (1)192.168.40.131/match
BeaconTypeHTTP
Port80
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCurHEYGtPWAJ5pJwkNWztnzHft rgCerc+/2MVvSL6xpYVZKSDmqojoiKPuDJjiTM0Z3zTS720ZjEtCUiJeruKZHuQH oiRvrqy/9BrFAf5gnspLbVBVNbUEGfsLvbgAWkMlwEM9fKOEyUPDhuanXqgdGZLr aBNp4XfslcAiX0EJ/wIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark100000
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MASP)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub04e0a11be59147a8d73d2b3e9fea832c
ProcInject_AllocationMethodVirtualAllocEx
Total events
3 831
Read events
3 831
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
51
DNS requests
18
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6988
Slawd-sleep1sec.exe
GET
104.16.133.229:80
http://cloudflare.com/cdn-cgi/trace/
unknown
whitelisted
5960
SIHClient.exe
GET
200
23.216.77.15:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5960
SIHClient.exe
GET
200
23.216.77.15:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5960
SIHClient.exe
GET
200
23.216.77.15:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
4.245.163.56:443
https://slscr.update.microsoft.com/sls/ping
unknown
GET
200
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
23.9 Kb
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6988
Slawd-sleep1sec.exe
104.40.149.189:123
time.windows.com
whitelisted
6544
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6988
Slawd-sleep1sec.exe
104.16.133.229:80
cloudflare.com
CLOUDFLARENET
whitelisted
6988
Slawd-sleep1sec.exe
192.168.40.131:80
unknown
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
time.windows.com
  • 104.40.149.189
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.129
  • 40.126.31.131
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.128
  • 40.126.31.2
whitelisted
cloudflare.com
  • 104.16.133.229
  • 104.16.132.229
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
  • 4.245.163.56
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.216.77.15
  • 23.216.77.17
  • 23.216.77.19
  • 23.216.77.16
  • 23.216.77.12
  • 23.216.77.21
  • 23.216.77.13
  • 23.216.77.7
  • 23.216.77.18
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Slawd-sleep1sec.exe