| File name: | loader.exe |
| Full analysis: | https://app.any.run/tasks/da369be5-e95b-4378-95c1-c273280443dd |
| Verdict: | Malicious activity |
| Analysis date: | June 21, 2025, 18:07:59 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 7 sections |
| MD5: | 064A57945C5391A77C7464D3410CED6B |
| SHA1: | 7F1D197795A31010AFAB1E661871E9254F3828FD |
| SHA256: | 1947B6109D861BFD5998A55CDD3A87CB36417797AB94985F199EABCADBB785C9 |
| SSDEEP: | 98304:J/0Cirbvag2KOXUJGHna2v0k+kzK/7ueSnKHdJPxl8duesHGHI6jdoRpl89a/ylG:QTeRi/BqynosD |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process drops C-runtime libraries
- loader.exe (PID: 2952)
Process drops legitimate windows executable
- loader.exe (PID: 2952)
Executable content was dropped or overwritten
- loader.exe (PID: 2952)
Process drops python dynamic module
- loader.exe (PID: 2952)
Application launched itself
- loader.exe (PID: 2952)
Loads Python modules
- loader.exe (PID: 5712)
INFO
Reads the computer name
- loader.exe (PID: 2952)
Checks supported languages
- loader.exe (PID: 2952)
- loader.exe (PID: 5712)
The sample compiled with english language support
- loader.exe (PID: 2952)
Create files in a temporary directory
- loader.exe (PID: 2952)
Reads the software policy settings
- slui.exe (PID: 1472)
Checks proxy server information
- slui.exe (PID: 1472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:06:21 18:04:17+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 178688 |
| InitializedDataSize: | 153600 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc380 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
137
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1472 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2404 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | loader.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2952 | "C:\Users\admin\Desktop\loader.exe" | C:\Users\admin\Desktop\loader.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 5712 | "C:\Users\admin\Desktop\loader.exe" | C:\Users\admin\Desktop\loader.exe | — | loader.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
Total events
3 645
Read events
3 645
Write events
0
Delete events
0
Modification events
Executable files
51
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-errorhandling-l1-1-0.dll | executable | |
MD5:A538B281F8E84CECDAC507C73A43D744 | SHA256:45AFAF08D1CD7E43AC5DED47ED5FD708B86E835A9470C81E8130ED6955B84DB8 | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\_decimal.pyd | executable | |
MD5:D47E6ACF09EAD5774D5B471AB3AB96FF | SHA256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-datetime-l1-1-0.dll | executable | |
MD5:1DC5B99C16502D75DD924EEDA562461C | SHA256:4E08856FF5203592C27F943F5586D2214B7C5DACDE1B1EF75C2316590AB788C9 | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-console-l1-1-0.dll | executable | |
MD5:1BEBD9B65ED18B680F7E39BEF09FE6CE | SHA256:E756F6970905657CF73ECB3F57BAE55A67BE29AFA75AE4D16046B0F7229708EB | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-debug-l1-1-0.dll | executable | |
MD5:7DC2026ABEDAA10841EAE4129EF1A9AE | SHA256:E83D5E5EB772070999F34A214EBFFCF0A6068EBC1C4B4F1991188448F323808D | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-fibers-l1-1-0.dll | executable | |
MD5:824A1932C5C58891152AE1DE02EEF652 | SHA256:3082B0E09DFAC27233B6DF097EE0C9A45D395ADEADC0026B157106424EA98389 | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-file-l1-2-0.dll | executable | |
MD5:8AD4771E23185CB7672F71EC16C580CF | SHA256:B153FF5D667C8297776F21C5F440CFF28C3E3A5B1F748FD4700306E1FB283ED8 | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\api-ms-win-core-file-l1-1-0.dll | executable | |
MD5:BCC620DCC9A3A9DFD38663A971B7044B | SHA256:F73000652CA7CA7468CA6134663C99CBAF7BD97740BDBDD5D1E1E23CCFD5DB75 | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\_lzma.pyd | executable | |
MD5:337B0E65A856568778E25660F77BC80A | SHA256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A | |||
| 2952 | loader.exe | C:\Users\admin\AppData\Local\Temp\_MEI29522\VCRUNTIME140.dll | executable | |
MD5:F12681A472B9DD04A812E16096514974 | SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
42
DNS requests
18
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 184.24.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3964 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.159.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
— | — | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
— | — | POST | 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3964 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 184.24.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 184.24.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3964 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |