File name: 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8

Full analysis: https://app.any.run/tasks/8ca7ed30-89d8-48e9-8ad7-e56fcc0867df
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra. Cracked versions of it are widely adopted by bad actors, who use it as their C2 framework of choice for targeted attacks.

Analysis date: March 25, 2025, 03:20:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5: 438AC89D50568022B844C3EED61536A1
SHA1: A76CB58FE5634D51E36B83171EC5E9C6F0E42FDF
SHA256: 27ABD7D5B735F27F9A51B8B79EEF4D9EDE2AF348E83A7C5136948893D2CEB6A8
SSDEEP: 384:98tIO7Yv8Wq2anWI/YWc17p8aXs+wZab3iH:qWnan1YWs8Us+wZab3C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • COBALTSTRIKE has been detected (YARA)
      • 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe (PID: 7632)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe (PID: 7632)
    • Executes application which crashes
      • 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe (PID: 7632)
  • INFO
    • Reads the computer name
      • 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe (PID: 7632)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 8096)
    • Checks supported languages
      • 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe (PID: 7632)
    • Checks proxy server information
      • 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe (PID: 7632)
      • slui.exe (PID: 7224)
    • Reads the software policy settings
      • slui.exe (PID: 7224)

Cobalt Strike configuration

Process (PID 7632): 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe
C2: 192.168.1.150:9999/UTmG
Headers: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:25 01:46:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 7168
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x1f80
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
Total processes: 128
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → #COBALTSTRIKE 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe → conhost.exe (no specs), werfault.exe (no specs), slui.exe

Process information

PID: 7224
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
PID: 7632
CMD: "C:\Users\admin\Desktop\27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe"
Path: C:\Users\admin\Desktop\27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; consistent with the WerFault.exe crash report below)
Modules (images):
  • c:\users\admin\desktop\27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll
PID: 7640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 8096
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7632 -s 1124
Path: C:\Windows\System32\WerFault.exe
Parent process: 27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\cryptsp.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\oleaut32.dll
Total events: 5 478
Read events: 5 478
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

  • PID 8096, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_27abd7d5b735f27f_e416678e4cd3d19593e7ca011be23c97f64829_7eddb340_cf1600ea-87ae-45e7-b3a2-0759a435af58\Report.wer
    Type: –
    MD5: –
    SHA256: –
  • PID 8096, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E3E.tmp.dmp
    Type: binary
    MD5: A08B1854A0661C52A4A6E019D271351C
    SHA256: 5CDF9624DAFD534991FB510FB5271C0B2163294959A3F647ACAD228775BFACA2
  • PID 8096, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2A.tmp.WERInternalMetadata.xml
    Type: binary
    MD5: FBE6EEA7DF4EAE5D8A7DC7EA689704EC
    SHA256: 69FAB9D5E02B7C7296BCB4DB534F1E6BD04C28F67F5C1AEFFBEBE1C18B65B2A7
  • PID 8096, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F5A.tmp.xml
    Type: xml
    MD5: 4A942730375DB78A7B72DCD74A59DF32
    SHA256: 6CC5AD1AED0F8044CD3D5D836137BC9B8EB0516E285B36AABCB03674C12AC838
  • PID 8096, WerFault.exe: C:\Users\admin\AppData\Local\CrashDumps\27abd7d5b735f27f9a51b8b79eef4d9ede2af348e83a7c5136948893d2ceb6a8.exe.7632.dmp
    Type: binary
    MD5: 23E476C7D75F122B6E89C2916044CF61
    SHA256: 55802FCAD8DFA4C4B035AAC6B82000CCB8CD8050177560C7B321432449097DDE
HTTP(S) requests: 3
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | – | –
– | – | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
– | – | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | – | – | – | unknown
– | – | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | – | – | – | unknown
– | – | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
– | – | 192.168.100.77:49748 | – | – | – | unknown
2104 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
7424 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

  • settings-win.data.microsoft.com (reputation: unknown)
    • 4.231.128.59
    • 40.127.240.158
    • 51.104.136.2
  • google.com (reputation: unknown)
    • 142.250.185.174
  • crl.microsoft.com (reputation: unknown)
    • 23.53.40.176
    • 23.53.40.178
  • activation-v2.sls.microsoft.com (reputation: unknown)
    • 40.91.76.224
    • 20.83.72.98

Threats: No threats detected