File name:

f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9

Full analysis: https://app.any.run/tasks/fea2f7a6-3eaa-470c-9ae7-6ecee9821e96
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 14:27:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

2EBFF82217D45035FB94F186048A53B1

SHA1:

57C43FD2334BFA22DFE3360DA3111A268476737B

SHA256:

F4BC0FD36A8A3E2E11AE39FA4991B74EA92CF86B2C25CFF02A76FD3B0018C6A9

SSDEEP:

192:bJkwn8tIO7Yv8WqPq4jju24jjLAemNsd4fYuIAP69DhhYFV6hJUXq1+dye67f1i/:p8tIO7Yv8WqS4QuIAP6iYaXs+west3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe (PID: 2088)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe (PID: 2088)

    • Executes application which crashes

      • f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe (PID: 2088)

  • INFO

    • Checks supported languages

      • f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe (PID: 2088)

    • Checks proxy server information

      • f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe (PID: 2088)
      • slui.exe (PID: 2384)

    • Reads the computer name

      • f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe (PID: 2088)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5776)

    • Reads the software policy settings

      • slui.exe (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(2088) f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe
C2192.168.1.150:9999/UTmG
HeadersUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:24 12:21:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 7680
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x2060
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe conhost.exe no specs werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2088"C:\Users\admin\Desktop\f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe" C:\Users\admin\Desktop\f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\wininet.dll
CobalStrike
(PID) Process(2088) f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe
C2192.168.1.150:9999/UTmG
HeadersUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)
2384C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4408\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exef4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5776C:\WINDOWS\system32\WerFault.exe -u -p 2088 -s 580C:\Windows\System32\WerFault.exef4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
5 478
Read events
5 478
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
5776WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_f4bc0fd36a8a3e2e_dbf0f0c2ae22de8b0511fc0be5f522c2c9a7878_fce48952_dfc7dd51-3d8d-4dbc-ac9d-256e2faf8584\Report.wer
MD5:
SHA256:
5776WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER4768.tmp.xmlxml
MD5:2B88D7F2B3231D5FB20558A4723B60B3
SHA256:B1FBBB4A43A0B7E1F15D233DA570C44E6403B02A80934BB51F3C7D401D142CB3
5776WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9.exe.2088.dmpbinary
MD5:E6F48623F1AE665BB051697EBC934CD2
SHA256:7CF3F9DC9C62C15F534064A04F6079A31A24BE0D8B50F69A95A517CF6C85722B
5776WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER469B.tmp.dmpbinary
MD5:F9AC64B4A13B6A34C25FA409A1CD8153
SHA256:11C4674C74620AF40BB1E1A5B3D444BF1DF4A4F371914F836B79AB9ED3C0D37A
5776WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER4748.tmp.WERInternalMetadata.xmlbinary
MD5:A0F2EFC1755C88D96B56BD198EAD092F
SHA256:EC3CF7EBA7086D1382548F16AFAAE579D97A163BA9840D571A1838BFAC6DC453
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.62:49748
unknown
2104
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3268
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2384
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f4bc0fd36a8a3e2e11ae39fa4991b74ea92cf86b2c25cff02a76fd3b0018c6a9