File name:

dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe

Full analysis: https://app.any.run/tasks/36d8d836-28cf-4582-87b9-b558e44d9ee9
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: March 05, 2026, 05:24:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

F75D0E36B52AE18653E35C7F5C41BCA6

SHA1:

E9CA91B1DEAB302D68B1CE5DC0A96C5FD68D0B92

SHA256:

DD4417BB37F61E39C0AA69FA3CA3972E33460BB344E2CFA90F3A0B569BAD5AD3

SSDEEP:

192:mauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnTh3xeptL7GbUaYnCrUR1p7gJTD:BWXGaNp+QWAClYRen7GbUanrUPYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe (PID: 8108)

  • SUSPICIOUS

    • Connects to SSH

      • dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe (PID: 8108)

  • INFO

    • Checks proxy server information

      • dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe (PID: 8108)
      • slui.exe (PID: 8824)

    • Reads the computer name

      • dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe (PID: 8108)

    • Checks supported languages

      • dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe (PID: 8108)

    • Reads security settings of Internet Explorer

      • dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe (PID: 8108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(8108) dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
C2 (1)192.238.192.11:22/sJKU
Options
HeadersUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.34
CodeSize: 8704
InitializedDataSize: 18432
UninitializedDataSize: 2560
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
8108"C:\Users\admin\Desktop\dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe" C:\Users\admin\Desktop\dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
CobalStrike
(PID) Process(8108) dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
C2 (1)192.238.192.11:22/sJKU
Options
HeadersUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
8824C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 843
Read events
3 843
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
30
DNS requests
10
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
unknown
whitelisted
3348
RUXIMICS.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5900
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3348
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5900
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5900
svchost.exe
GET
200
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
unknown
5.70 Kb
whitelisted
2872
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
binary
512 b
whitelisted
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
3348
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5900
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.86.251.22:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3348
RUXIMICS.exe
2.16.164.120:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6768
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5900
svchost.exe
2.16.164.120:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
3348
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 184.86.251.22
  • 184.86.251.19
  • 184.86.251.27
whitelisted
google.com
  • 142.251.127.101
  • 142.251.127.100
  • 142.251.127.139
  • 142.251.127.113
  • 142.251.127.138
  • 142.251.127.102
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
self.events.data.microsoft.com
  • 20.42.65.85
whitelisted

Threats

PID
Process
Class
Message
6768
MoUsoCoreWorker.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8108
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
8108
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
8108
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
8108
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
8108
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
8108
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dd4417bb37f61e39c0aa69fa3ca3972e33460bb344e2cfa90f3a0b569bad5ad3.exe