File name:	2a46cb0bcaddf532d54171c0466e6fe92d4fb3ecd7cd9e1bc70160dbb1952d53.exe
Full analysis:	https://app.any.run/tasks/8059f785-0aca-43c1-a0fe-6bb235dc57c6
Verdict:	Malicious activity
Threats:	Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 16:25:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader cobaltstrike
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	6DC9EEAA01A79D8CA32CB76308DB82C1
SHA1:	95DD4407F1E33C9569196A7DC1A1C7A2EDBDF4C7
SHA256:	2A46CB0BCADDF532D54171C0466E6FE92D4FB3ECD7CD9E1BC70160DBB1952D53
SSDEEP:	49152:Q/4cQIiElP/DTtUQlzmwuz8YrtYKAx/9M0oryIOJXoeOjRyt44IrXhdvF3GB2oPd:Q/iYl3DCazmwuxC53oTjRyS4gNoZ/jT

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:07:23 23:08:14+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	1407488
InitializedDataSize:	1076736
UninitializedDataSize:	-
EntryPoint:	0x13997c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	109.0.0.0
ProductVersionNumber:	109.0.0.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Chromium Embedded Framework (CEF) Dynamic Link Library
FileVersion:	109.0.0-5414-shared-texture.2727+gc81f89b+chromium-109.0.5414.120
InternalName:	libcef
LegalCopyright:	Copyright (C) 2024 The Chromium Embedded Framework Authors
OriginalFileName:	libcef.dll
ProductName:	Chromium Embedded Framework (CEF) Dynamic Link Library
ProductVersion:	109.0.0-5414-shared-texture.2727+gc81f89b+chromium-109.0.5414.120

PID	Process	Filename		Type
5416	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_logi_crashpad_ha_dee239711d4e1fa6ad923cb16c633f90e99d95_f91a3427_cecc6e32-9d6a-49d2-a5e8-393a55b81005\Report.wer		—
		MD5:—	SHA256:—
4008	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_logi_crashpad_ha_dee239711d4e1fa6ad923cb16c633f90e99d95_f91a3427_e122cb6c-2051-4899-8270-14089598f96f\Report.wer		—
		MD5:—	SHA256:—
1164	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_logi_crashpad_ha_dee239711d4e1fa6ad923cb16c633f90e99d95_f91a3427_2b2509a1-95d8-4748-a7b6-44e1ca2c5c2d\Report.wer		—
		MD5:—	SHA256:—
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_logi_crashpad_ha_dee239711d4e1fa6ad923cb16c633f90e99d95_f91a3427_54c2d76c-c3aa-463c-ad89-3ef8444da227\Report.wer		—
		MD5:—	SHA256:—
3140	2a46cb0bcaddf532d54171c0466e6fe92d4fb3ecd7cd9e1bc70160dbb1952d53.exe	C:\LGHUB\system_tray\logi_crashpad_handler.exe		executable
		MD5:6DC9EEAA01A79D8CA32CB76308DB82C1	SHA256:2A46CB0BCADDF532D54171C0466E6FE92D4FB3ECD7CD9E1BC70160DBB1952D53
5776	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_logi_crashpad_ha_dee239711d4e1fa6ad923cb16c633f90e99d95_f91a3427_caa33963-fb72-4e1d-ad6d-d3c40b16e8ac\Report.wer		—
		MD5:—	SHA256:—
5416	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9EA.tmp.WERInternalMetadata.xml		binary
		MD5:F8BA9931D2B111AD8AF6F78917AFD979	SHA256:9F261B15CF1AB0D68B26E9BE8DB2897A4E32EFABA1209BAD430B5A8223936399
4008	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD85.tmp.xml		xml
		MD5:CCBF4E21D761F0BA2ED112263952CB06	SHA256:E841235AB39C0DCE502E680D5D0F974215A4836DAD400DA1471E79DB21A6F52B
4008	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\logi_crashpad_handler.exe(1).1188.dmp		binary
		MD5:138DDB6824B61F65944BE0B8E00F3D86	SHA256:3DEA284003A1A64DDA6368CE9450E9BDFCDF5F6277C8BFD8C85BDA791F8629B1
5416	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8D0.tmp.dmp		binary
		MD5:588C295EFE1DD7AC79A3D59FE638AFE2	SHA256:1771C75D9E5101FB3F9935F93808923FD33377EC7400A41E2F44BC6345C328A5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1188	logi_crashpad_handler.exe	GET	200	154.204.35.241:80	http://www.baidu.com/js/PromotionBanner.Main.min.js	unknown	—	—	whitelisted
1188	logi_crashpad_handler.exe	GET	404	103.235.46.102:80	http://www.baidu.com/js/PromotionBanner.Main.min.js	unknown	—	—	whitelisted
6388	SIHClient.exe	GET	200	23.216.77.38:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6388	SIHClient.exe	GET	200	23.216.77.38:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6388	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6388	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
1188	logi_crashpad_handler.exe	GET	200	154.204.35.241:80	http://www.baidu.com/js/PromotionBanner.Main.min.js	unknown	—	—	whitelisted
1188	logi_crashpad_handler.exe	GET	200	154.204.35.241:80	http://www.baidu.com/js/PromotionBanner.Main.min.js	unknown	—	—	whitelisted
6388	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
1188	logi_crashpad_handler.exe	GET	200	154.204.35.241:80	http://www.baidu.com/js/PromotionBanner.Main.min.js	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1188	logi_crashpad_handler.exe	154.204.35.241:80	—	SonderCloud Limited	HK	malicious
1188	logi_crashpad_handler.exe	103.235.46.102:80	www.baidu.com	Beijing Baidu Netcom Science and Technology Co., Ltd.	HK	whitelisted
6388	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6388	SIHClient.exe	23.216.77.38:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6388	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6388	SIHClient.exe	52.165.164.15:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
www.baidu.com	103.235.46.102 103.235.46.115	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
crl.microsoft.com	23.216.77.38 23.216.77.17 23.216.77.16 23.216.77.21 23.216.77.25 23.216.77.35 23.216.77.18 23.216.77.20 23.216.77.26	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted

General Info

2a46cb0bcaddf532d54171c0466e6fe92d4fb3ecd7cd9e1bc70160dbb1952d53.exe

6DC9EEAA01A79D8CA32CB76308DB82C1

95DD4407F1E33C9569196A7DC1A1C7A2EDBDF4C7

2A46CB0BCADDF532D54171C0466E6FE92D4FB3ECD7CD9E1BC70160DBB1952D53

49152:Q/4cQIiElP/DTtUQlzmwuz8YrtYKAx/9M0oryIOJXoeOjRyt44IrXhdvF3GB2oPd:Q/iYl3DCazmwuxC53oTjRyS4gNoZ/jT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

COBALTSTRIKE has been detected (YARA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Process requests binary or script from the Internet

Executes application which crashes

Starts itself from another location

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads Microsoft Outlook installation path

INFO

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Reads the software policy settings

Malware configuration

CobalStrike

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

CobalStrike

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings