File name:	6a6c8a4e59adea74921297fcc45fcf788af610bc5a637b60d21a677669a46755
Full analysis:	https://app.any.run/tasks/ad66bfcf-fc9d-4802-91c7-16b70745c008
Verdict:	Malicious activity
Threats:	Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 20:59:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	cobaltstrike
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:	AD8429F1BA7719D4F29F3433FFB95FA7
SHA1:	AF2DD741E2B9CC59ED850DE3ED408DF2400FBE03
SHA256:	6A6C8A4E59ADEA74921297FCC45FCF788AF610BC5A637B60D21A677669A46755
SSDEEP:	192:OauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnVKqpLptL7GbUaYnCrUR1p7gJTD:pWXGaNp+QWAClYRwiLn7GbUanrUPYD

.exe	\|	Win64 Executable (generic) (87.2)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.34
CodeSize:	8704
InitializedDataSize:	18432
UninitializedDataSize:	2560
EntryPoint:	0x14c0
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI

PID	Process	Filename		Type
1740	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6a6c8a4e59adea74_e9389e16dfd48ec971768136fad8754b9692b5_1bce1676_ffd8987b-8555-4e55-aae0-909ed4f51432\Report.wer		—
		MD5:—	SHA256:—
1740	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE080.tmp.dmp		binary
		MD5:E30873B6831602D07201A8225F370A4F	SHA256:829E6D45F09D80120481530B1DF5EADA1D71AFB0D32DCBDFAC7879DAC17EE766
1740	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE11D.tmp.WERInternalMetadata.xml		xml
		MD5:AA4C4FEBD2A8BA4F3BDDADECD61D1479	SHA256:34B124D4BDA8067DCA0BD0105BA208F2D3965887DBE19CDB6D3FEDB6EE374A2B
1740	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\6a6c8a4e59adea74921297fcc45fcf788af610bc5a637b60d21a677669a46755.exe.3876.dmp		binary
		MD5:A0A1893AA965FC7858E3BE926E63CA25	SHA256:1F0C1A016762A083E984A41D069CD79628EA22C4106F4D82A6653AEB9C502EFF
1740	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE13D.tmp.xml		xml
		MD5:4C729E7964EC4D0F58C52A299A20B814	SHA256:5A771E20DF0D2CB25EFE1BF624C756B8F3BB1980E5227BE5C8FCCE85A864A559

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
880	RUXIMICS.exe	GET	200	23.48.23.159:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.159:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
244	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
880	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
880	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
244	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	92.123.104.26:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	192.168.100.49:49679	—	—	—	unknown
880	RUXIMICS.exe	23.48.23.159:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.159:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
880	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
www.bing.com	92.123.104.26 92.123.104.25 92.123.104.14 92.123.104.28 92.123.104.5 92.123.104.11 92.123.104.8 92.123.104.10 92.123.104.23	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.48.23.159 23.48.23.140 23.48.23.158 23.48.23.177 23.48.23.141 23.48.23.178 23.48.23.191 23.48.23.134 23.48.23.135	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
watson.events.data.microsoft.com	20.42.65.92	whitelisted
self.events.data.microsoft.com	20.50.73.13	whitelisted

General Info

6a6c8a4e59adea74921297fcc45fcf788af610bc5a637b60d21a677669a46755

AD8429F1BA7719D4F29F3433FFB95FA7

AF2DD741E2B9CC59ED850DE3ED408DF2400FBE03

6A6C8A4E59ADEA74921297FCC45FCF788AF610BC5A637B60D21A677669A46755

192:OauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnVKqpLptL7GbUaYnCrUR1p7gJTD:pWXGaNp+QWAClYRwiLn7GbUanrUPYD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

COBALTSTRIKE has been detected (YARA)

SUSPICIOUS

Executes application which crashes

Reads security settings of Internet Explorer

INFO

Reads the computer name

Checks proxy server information

Reads the software policy settings

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings