File name:

ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe

Full analysis: https://app.any.run/tasks/df26c7d6-093f-4749-9af0-7f7abca72342
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: August 01, 2025, 03:32:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
MD5:

3EC9655402026ED87A5B440F6CBF5439

SHA1:

1B790428886E0F912AD8EB2039BDD880E9C07179

SHA256:

CCD8BBE7E7753CBEC4DE55A9F1A949332FEDB4A08677F7A41D0AF77ECFD88485

SSDEEP:

3072:Bxd5JNE/zp9X3OFUYAjvWhfFJmC+qtm+oFYt7ysBkNT+agtBi9hmuIIIII33TTT/:bE/d9ESqTtyFYtFBkNT6Bi9hlR0RQjD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)

    • Connects to unusual port

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)

  • INFO

    • Reads the computer name

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)

    • Checks supported languages

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)

    • Checks proxy server information

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)
      • slui.exe (PID: 700)

    • Reads the machine GUID from the registry

      • ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe (PID: 2976)

    • Reads the software policy settings

      • slui.exe (PID: 700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(2976) ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe
C2 (1)59.110.81.93/activity
BeaconTypeHTTP
Port12121
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBkIuSPVnJvBF/opluas15MxvK Zg4DVSFhhJ089jIcKOB+FbiSexGZYT+nuRJJi6Hg8rrh8G9FTiYiG0GE0Ry8Fci8 Yykd5neAe1w7u9VAAAFcXCQBNoq3uD2nd5cN6XWzL61yDcl1W93PzgznYOnhuPvE AU+S//z/WrIiBqNidwIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTod7a9ca15a07f82bfd3b63020da38aa16
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark391144938
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubb50b86d735412685eb6044ad8d01781c
ProcInject_AllocationMethodVirtualAllocEx
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.3)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.34
CodeSize: 7168
InitializedDataSize: 290304
UninitializedDataSize: 1536
EntryPoint: 0x14a0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
700C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2976"C:\Users\admin\Desktop\ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe" C:\Users\admin\Desktop\ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
CobalStrike
(PID) Process(2976) ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe
C2 (1)59.110.81.93/activity
BeaconTypeHTTP
Port12121
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBkIuSPVnJvBF/opluas15MxvK Zg4DVSFhhJ089jIcKOB+FbiSexGZYT+nuRJJi6Hg8rrh8G9FTiYiG0GE0Ry8Fci8 Yykd5neAe1w7u9VAAAFcXCQBNoq3uD2nd5cN6XWzL61yDcl1W93PzgznYOnhuPvE AU+S//z/WrIiBqNidwIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTod7a9ca15a07f82bfd3b63020da38aa16
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark391144938
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubb50b86d735412685eb6044ad8d01781c
ProcInject_AllocationMethodVirtualAllocEx
Total events
3 935
Read events
3 935
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
50
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3092
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.32.138:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.160.131:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.160.4:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.160.65:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
4080
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3092
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3092
RUXIMICS.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.14
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.5
  • 40.126.32.136
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.74
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 13.89.179.11
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ccd8bbe7e7753cbec4de55a9f1a949332fedb4a08677f7a41d0af77ecfd88485.exe