File name:

Lee.6B4k4ja1.exe.part.exe

Full analysis: https://app.any.run/tasks/ca5d224b-4cd6-4f34-808c-8c9c94227339
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: November 20, 2024, 12:40:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
backdoor
cobaltstrike
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

A7FCB5EC6DFEF33922B57A9FB7251743

SHA1:

95CAF01828C0E39528E02309081AC752BB6624B6

SHA256:

FE3848B53BF6701306CB0FA9618527DBAD319A882D2D1307F8693F005C61C772

SSDEEP:

12288:9CZFmWfphayzyJZMxF2PfVln2he6KZYd63vPb1yBEft6sgIxUP5i:9CZoyphayzyJZMxF2PfVln2xKZYd63vx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

    • COBALTSTRIKE has been detected (SURICATA)

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

    • Access to an unwanted program domain was detected

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

    • Connects to unusual port

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

  • INFO

    • Reads the machine GUID from the registry

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

    • Reads the computer name

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

    • Checks supported languages

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)

    • Checks proxy server information

      • Lee.6B4k4ja1.exe.part.exe (PID: 5124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:06:09 00:17:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.22
CodeSize: 8704
InitializedDataSize: 278528
UninitializedDataSize: 3072
EntryPoint: 0x14b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE lee.6b4k4ja1.exe.part.exe

Process information

PID
CMD
Path
Indicators
Parent process
5124"C:\Users\admin\Desktop\Lee.6B4k4ja1.exe.part.exe" C:\Users\admin\Desktop\Lee.6B4k4ja1.exe.part.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\lee.6b4k4ja1.exe.part.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
357
Read events
357
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
23
DNS requests
7
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5124
Lee.6B4k4ja1.exe.part.exe
GET
200
101.133.156.69:7001
http://101.133.156.69:7001/fwlink
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4932
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5124
Lee.6B4k4ja1.exe.part.exe
GET
200
101.133.156.69:7001
http://101.133.156.69:7001/fwlink
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5572
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4932
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5572
RUXIMICS.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5124
Lee.6B4k4ja1.exe.part.exe
GET
200
101.133.156.69:7001
http://101.133.156.69:7001/fwlink
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5572
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4932
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5124
Lee.6B4k4ja1.exe.part.exe
101.133.156.69:7001
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious
4932
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5572
RUXIMICS.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4932
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
self.events.data.microsoft.com
  • 20.42.73.27
whitelisted

Threats

PID
Process
Class
Message
5124
Lee.6B4k4ja1.exe.part.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP Fun Web Products Spyware User-Agent (FunWebProducts)
5124
Lee.6B4k4ja1.exe.part.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
5124
Lee.6B4k4ja1.exe.part.exe
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
5124
Lee.6B4k4ja1.exe.part.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
5124
Lee.6B4k4ja1.exe.part.exe
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
5124
Lee.6B4k4ja1.exe.part.exe
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
5124
Lee.6B4k4ja1.exe.part.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Lee.6B4k4ja1.exe.part.exe