File name:

2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/e5f86048-af4b-42aa-9e4a-01b77711864f
Verdict: Malicious activity
Analysis date: April 29, 2025, 18:51:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
rust
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

FAB6AD8AD8AFD49199D3D5346F0CBD99

SHA1:

57BB44FBBCD765064961E7EDDCAEC5F49140B702

SHA256:

BBC4F49BD024CE23F952A1644451D68F80445E52E24E90FF448E5B9D2C1D7C0D

SSDEEP:

98304:B8WUp3P3b13Ob0EPGkxaqxGEA3Pu2N2qI81u/POuLr+Erc7IFYn/DLw/DBW0616b:STXJpOCQX6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1276)
      • powershell.exe (PID: 6744)
    • Changes powershell execution policy (Bypass)

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • XORed URL has been found (YARA)

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6744)
    • Adds path to the Windows Defender exclusion list

      • ReleaseDirect.exe (PID: 6576)
    • Changes Windows Defender settings

      • ReleaseDirect.exe (PID: 6576)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • Uses WMIC.EXE to obtain data on processes

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • Executable content was dropped or overwritten

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • ReleaseDirect.exe (PID: 6576)
    • The process hides Powershell's copyright startup banner

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • Starts process via Powershell

      • powershell.exe (PID: 1276)
      • powershell.exe (PID: 6744)
    • The process bypasses the loading of PowerShell profile settings

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • Starts POWERSHELL.EXE for commands execution

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • ReleaseDirect.exe (PID: 6576)
    • Uses NSLOOKUP.EXE to check DNS info

      • ReleaseDirect.exe (PID: 6576)
      • LearnLead.exe (PID: 6744)
    • Script adds exclusion path to Windows Defender

      • ReleaseDirect.exe (PID: 6576)
    • The process executes via Task Scheduler

      • LearnLead.exe (PID: 6744)
    • Executes as Windows Service

      • wsc_proxy.exe (PID: 5400)
    • Connects to unusual port

      • dllhost.exe (PID: 496)
    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 496)
    • Executes application which crashes

      • wsc_proxy.exe (PID: 5400)
  • INFO

    • Checks supported languages

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 1616)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • ReleaseDirect.exe (PID: 6576)
      • LearnLead.exe (PID: 6744)
      • wsc_proxy.exe (PID: 5400)
    • Checks proxy server information

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • dllhost.exe (PID: 496)
      • slui.exe (PID: 1348)
    • Reads the computer name

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 1616)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • ReleaseDirect.exe (PID: 6576)
      • wsc_proxy.exe (PID: 5400)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6708)
      • WMIC.exe (PID: 6028)
      • dllhost.exe (PID: 496)
    • The sample compiled with english language support

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
    • Creates files in the program directory

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
      • MIdCXYueaYVjpwb.exe (PID: 1616)
      • MIdCXYueaYVjpwb.exe (PID: 4208)
      • wsc_proxy.exe (PID: 5400)
      • dllhost.exe (PID: 496)
    • Application based on Rust

      • 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe (PID: 2852)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • ReleaseDirect.exe (PID: 6576)
      • LearnLead.exe (PID: 6744)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2644)
    • Application based on Golang

      • ReleaseDirect.exe (PID: 6576)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2644)
    • Reads the machine GUID from the registry

      • wsc_proxy.exe (PID: 5400)
    • Reads the software policy settings

      • slui.exe (PID: 1348)
    • Reads CPU info

      • wsc_proxy.exe (PID: 5400)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

xor-url

Process (PID 2852): 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
Decrypted-URLs (3):
  • http://code.jquery.com/
  • http://wan.baidu.com/gift
  • http://xueshu.baidu.com
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:27 16:05:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 2279424
InitializedDataSize: 22918656
UninitializedDataSize: -
EntryPoint: 0x212828
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.1.0.0
ProductVersionNumber: 0.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: Copyright © 2023
ProductVersion: 0.1.0
FileVersion: 0.1.0
ProductName: Application Setup
FileDescription: Application Setup
No data.
All screenshots are available in the full report
Total processes
161
Monitored processes
31
Malicious processes
2
Suspicious processes
1

Behavior graph

start #XOR-URL 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs midcxyueayvjpwb.exe no specs powershell.exe no specs conhost.exe no specs midcxyueayvjpwb.exe conhost.exe no specs releasedirect.exe nslookup.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs learnlead.exe no specs nslookup.exe conhost.exe no specs dllhost.exe no specs svchost.exe Virtual Factory for MaintenanceUI no specs dllhost.exe dllhost.exe no specs dllhost.exe no specs wsc_proxy.exe werfault.exe no specs Virtual Factory for MaintenanceUI no specs slui.exe 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 496 | CMD: "C:\Users\admin\Desktop\2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe" | Path: C:\Users\admin\Desktop\2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Application Setup
Exit code:
3221226540
Version:
0.1.0
Modules
Images
c:\users\admin\desktop\2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
PID: 496 | CMD: /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552} | Path: C:\Windows\SysWOW64\dllhost.exe | Parent process: ReleaseDirect.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 680 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: MIdCXYueaYVjpwb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 728 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 928 | CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{A6BFEA43-501F-456F-A845-983D3AD7B8F0} | Path: C:\Windows\System32\dllhost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1228 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1276 | CMD: "powershell" -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "Start-Process -NoNewWindow -Wait -FilePath \"C:\Program Files (x86)\BrokerAdminister\MIdCXYueaYVjpwb.exe\" -ArgumentList @(\"x\",'\"C:\Program Files (x86)\BrokerAdminister\InspireInvestigatorJubilant\"', '\"-p9)=88wzYxSImproveProtectorCreative\"', '-o\"C:\Program Files (x86)\BrokerAdminister\"', \"-y\")" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1276 | CMD: /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552} | Path: C:\Windows\SysWOW64\dllhost.exe | Parent process: ReleaseDirect.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 1324 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1348 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
32 385
Read events
31 329
Write events
27
Delete events
1 029

Modification events

Process: (2148) dllhost.exe | Key: HKEY_CURRENT_USER\WEByte\Setup
Operation: delete value | Name: kpi
Value:
Process: (6576) ReleaseDirect.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast
Operation: write | Name: ProgramFolder
Value:
C:\Windows
Process: (496) dllhost.exe | Key: HKEY_CURRENT_USER\WEByte\Setup
Operation: write | Name: MarkTime
Value:
2025-04-29 18:52
Process: (5400) wsc_proxy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\properties
Operation: write | Name: UseRegistry
Value:
1
Process: (5400) wsc_proxy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast\Wsc
Operation: write | Name: IWscASStatus
Value:
Windows 安全中心
Process: (5400) wsc_proxy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast\Wsc
Operation: write | Name: IWscAVStatus4
Value:
Windows 安全中心
Process: (2332) WerFault.exe | Key: \REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile
Operation: write | Name: WritePermissionsCheck
Value:
1
Process: (2332) WerFault.exe | Key: \REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key | Name: (default)
Value:
Process: (2332) WerFault.exe | Key: \REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile\wsc_proxy.exe|16071c0161cb698e
Operation: write | Name: ProgramId
Value:
0006b6aa4fee73eab365f3bda034d8ea1e0e00000904
Process: (2332) WerFault.exe | Key: \REGISTRY\A\{283fd4da-e520-1ae2-47e6-12e835c77cc8}\Root\InventoryApplicationFile\wsc_proxy.exe|16071c0161cb698e
Operation: write | Name: FileId
Value:
0000ff2d55a844c1fd37b3841cefa7e2d21de5fa8bac
Executable files
20
Suspicious files
12
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6744 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kf4nepno.tjd.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 1276 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gjfqbmei.r1r.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 2852 | Process: 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe | Filename: C:\Program Files (x86)\BrokerAdminister\InspireInvestigatorJubilant | Type: compressed
MD5: A47FC9FF96285807EBAFB754D8F47DCD
SHA256: 91161956EDF08F76352D77582416FF4940DA5FBA212563E05D8CFC97BD195199
PID: 1276 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: DEDC4C6EF77BA56159C7A83BFB6101F8
SHA256: DDF6D79DC2091E3AB3F3879A300B8DB8199647FDA4B2DFC216789BAB223A2C8A
PID: 2852 | Process: 2025-04-29_fab6ad8ad8afd49199d3d5346f0cbd99_akira_cobalt-strike_satacom.exe | Filename: C:\Program Files (x86)\BrokerAdminister\MIdCXYueaYVjpwb.exe | Type: executable
MD5: E877ED2D9463E6729DB5768F23640AA4
SHA256: 2E2E69B6E3DA6D3BB46207D1393D6253E96ECB7DD1C4D6A41EC41A55F1516549
PID: 1616 | Process: MIdCXYueaYVjpwb.exe | Filename: C:\Program Files (x86)\BrokerAdminister\InfluenceBackerAstute | Type: compressed
MD5: 622C52C222A5835FC8653C85CA5439DF
SHA256: E94BF30D4A9982C84365D979DCCF844DB22524BE822C26E3AA1F58AABE0744B5
PID: 6744 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rw3ytz0t.qzw.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4208 | Process: MIdCXYueaYVjpwb.exe | Filename: C:\Program Files (x86)\BrokerAdminister\2_LearnLead.exe | Type: executable
MD5: D6F14C7A678C49C841C3C3D805FD6573
SHA256: 0BFD82D554A7A8A32BE3D9A0914071B375E1F827DEF85410E36690BADDF867CC
PID: 4208 | Process: MIdCXYueaYVjpwb.exe | Filename: C:\Program Files (x86)\BrokerAdminister\2_WipeHumble.xml | Type: text
MD5: 66C2F2B7C82C90ED649CA54ACA141773
SHA256: 894977B93AB4FDEB9179329672ACA2860D57A70F52B90CF7E69D1513D4D8CAC7
PID: 4208 | Process: MIdCXYueaYVjpwb.exe | Filename: C:\Program Files (x86)\BrokerAdminister\2_ReleaseDirect.exe | Type: executable
MD5: 17E91366D47747E4BC057CE3AC756F2F
SHA256: 994ADE4418FBE04B5B36C8822C2C83A993E3ABF9E39251BFEC8B6FB97166BFEF
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
34
TCP/UDP connections
54
DNS requests
69
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
2984
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
2984
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2984
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/sls/ping
unknown
2984
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1616
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1616
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
40.126.29.7:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
40.126.29.7:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.158
  • 23.48.23.164
  • 23.48.23.169
  • 23.48.23.159
  • 23.48.23.147
  • 23.48.23.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.29.7
  • 40.126.29.13
  • 20.190.157.11
  • 40.126.29.5
  • 40.126.29.12
  • 20.190.157.12
  • 20.190.157.9
  • 20.190.157.13
whitelisted
wan.baidu.com
  • 110.242.69.67
  • 110.242.69.7
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
2.100.168.192.in-addr.arpa
whitelisted
jiankang.baidu.com
  • 2.16.10.163
  • 2.16.10.183
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Process
Message
wsc_proxy.exe
[2025-04-29 18:52:02.303] [error ] [crashguard ] [ 5400: 5436] [E9669F: 103] Dump path 'C:\ProgramData\Avast Software\Avast\log' does not exist. Directory should be already created.