Malware analysis Loader.exe Malicious activity | ANY.RUN

Add for printing

File name:	Loader.exe
Full analysis:	https://app.any.run/tasks/19fd0b94-0145-498e-943c-dbc667393e41
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 27, 2024, 19:24:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	themida discord exfiltration stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	95F249E7F8AAFE595B5EF65A379169B7
SHA1:	CF7910CB9D0A6BBCCA60374C24C03DC68AFFF62C
SHA256:	1D46459322962266ED47129484D2C0DC5CCBA0B95C7FEB79115E5D79900314B8
SSDEEP:	196608:Qh5JEv53+SJTj2q05EHF1wxKw0UqLGulUf:QhEB3JJv2q0WSE/dGuc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Loader.exe (PID: 4024)
- Creates a writable file in the system directory
  - Loader.exe (PID: 4024)
- Scans artifacts that could help determine the target
  - Loader.exe (PID: 4024)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Loader.exe (PID: 4024)
- Reads the BIOS version
  - Loader.exe (PID: 4024)
- Drops a system driver (possible attempt to evade defenses)
  - Loader.exe (PID: 4024)
- Creates files in the driver directory
  - Loader.exe (PID: 4024)
- Executable content was dropped or overwritten
  - Loader.exe (PID: 4024)
- Reads the date of Windows installation
  - Loader.exe (PID: 4024)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2012)
  - cmd.exe (PID: 880)
  - cmd.exe (PID: 640)
  - cmd.exe (PID: 5820)
- Creates file in the systems drive root
  - Loader.exe (PID: 4024)
- Checks Windows Trust Settings
  - Loader.exe (PID: 4024)
- Starts CMD.EXE for commands execution
  - Loader.exe (PID: 4024)
- The process connected to a server suspected of theft
  - Loader.exe (PID: 4024)
INFO
- Process checks whether UAC notifications are on
  - Loader.exe (PID: 4024)
- Checks supported languages
  - Loader.exe (PID: 4024)
- Reads the computer name
  - Loader.exe (PID: 4024)
- Checks proxy server information
  - Loader.exe (PID: 4024)
- Process checks computer location settings
  - Loader.exe (PID: 4024)
- Themida protector has been detected
  - Loader.exe (PID: 4024)
- Reads the machine GUID from the registry
  - Loader.exe (PID: 4024)
- Reads the software policy settings
  - Loader.exe (PID: 4024)
- Creates files or folders in the user directory
  - Loader.exe (PID: 4024)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:06:27 09:29:36+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	8666112
InitializedDataSize:	3179008
UninitializedDataSize:	-
EntryPoint:	0x189b058
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

640

"C:\Windows\System32\cmd.exe" /C sc start windowsproc

C:\Windows\System32\cmd.exe

—

Loader.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

880

"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\System32\cmd.exe

—

Loader.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

880

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

Loader.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

960

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1020

"C:\Users\admin\AppData\Local\Temp\Loader.exe"

C:\Users\admin\AppData\Local\Temp\Loader.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\loader.exe
c:\windows\system32\ntdll.dll

1272

sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1760

sc start windowsproc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1848

sc start windowsproc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

2012

"C:\Windows\System32\cmd.exe" /C sc start windowsproc

C:\Windows\System32\cmd.exe

—

Loader.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

3976

find /i /v "md5"

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

Add for printing

Total events

3 168

Read events

3 154

Write events

Delete events

Modification events


(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4024) Loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5792) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION
(PID) Process:	(5792) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION
(PID) Process:	(5792) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4024	Loader.exe	\Device\Harddisk0\DR0		—
		MD5:—	SHA256:—
4024	Loader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464		binary
		MD5:721106D7181A9FF119EEDE56F87D0413	SHA256:F3C214942F78290CEB5088729A272567FE379CAE9A9F500DA21AF99406D3BCA7
4024	Loader.exe	C:\Windows\System32\drivers\winhb.sys		executable
		MD5:607FA999176AFF89978996E3A9CB27E3	SHA256:EE1700AF169ADAB64827080F604E9818CDD7D4672E7D66DA137F00681E4E0C38
4024	Loader.exe	C:\test.jpg		image
		MD5:71E311EDC901A0FC17E7B1C537AE4F08	SHA256:02B4A34B61B799B92740B8546E189A29FBEC26C9AE18476B1FABE132D7513E07
4024	Loader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:B0D2E465A754C99ED19CB3A2CBC5979E	SHA256:3C8C3BFD056DF20236ECE3A092470137991C9C627FB6F67A91BE016A206CFE1D
4024	Loader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:4D74EF49EC59E1C1E59C58766B4B5F21	SHA256:1334EFD75E10A8E074A2DCF2091A5B85D57AE1FE578B7FD4808D04B7875ECDA4
4024	Loader.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464		der
		MD5:8202A1CD02E7D69597995CABBE881A12	SHA256:58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4024	Loader.exe	GET	200	172.217.18.3:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	unknown
1544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
768	lsass.exe	GET	200	69.192.161.44:80	http://x2.c.lencr.org/	unknown	—	—	unknown
4024	Loader.exe	GET	200	172.217.18.3:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D	unknown	—	—	unknown
768	lsass.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	unknown	—	—	unknown
3040	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
768	lsass.exe	GET	200	172.217.18.3:80	http://c.pki.goog/r/r4.crl	unknown	—	—	unknown
5980	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5980	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
3848	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
4656	SearchApp.exe	92.123.104.17:443	r.bing.com	Akamai International B.V.	DE	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5980	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3516	RUXIMICS.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2060	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4024	Loader.exe	104.21.14.14:443	www.simpletoolz.fun	CLOUDFLARENET	—	unknown
4024	Loader.exe	172.217.18.3:80	ocsp.pki.goog	GOOGLE	US	whitelisted
1544	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

DNS requests

Domain	IP	Reputation
r.bing.com	92.123.104.17 92.123.104.20 92.123.104.16 92.123.104.18 92.123.104.30 92.123.104.31 92.123.104.19 92.123.104.24 92.123.104.29	whitelisted
www.simpletoolz.fun	104.21.14.14 172.67.133.190	unknown
download.simpletoolz.fun	104.21.14.14 172.67.133.190	unknown
ocsp.pki.goog	172.217.18.3	whitelisted
login.live.com	20.190.160.14 40.126.32.133 40.126.32.134 40.126.32.76 40.126.32.74 40.126.32.68 20.190.160.20 40.126.32.140	whitelisted
keyauth.win	172.67.72.57 104.26.1.5 104.26.0.5	malicious
x2.c.lencr.org	69.192.161.44	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
self.events.data.microsoft.com	20.189.173.26	whitelisted
discord.com	162.159.137.232 162.159.135.232 162.159.128.233 162.159.136.232 162.159.138.232	whitelisted

Threats

PID	Process	Class	Message
2168	svchost.exe	Potentially Bad Traffic	ET INFO Fake Game Cheat Related Domain in DNS Lookup (keyauth .win)
4024	Loader.exe	Potentially Bad Traffic	ET INFO Fake Game Cheat Related Domain (keyauth .win) in TLS SNI
2168	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4024	Loader.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
4024	Loader.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
4024	Loader.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord

Add for printing

No debug info

General Info

Loader.exe

95F249E7F8AAFE595B5EF65A379169B7

CF7910CB9D0A6BBCCA60374C24C03DC68AFFF62C

1D46459322962266ED47129484D2C0DC5CCBA0B95C7FEB79115E5D79900314B8

196608:Qh5JEv53+SJTj2q05EHF1wxKw0UqLGulUf:QhEB3JJv2q0WSE/dGuc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

Scans artifacts that could help determine the target

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the BIOS version

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Executable content was dropped or overwritten

Reads the date of Windows installation

Starts SC.EXE for service management

Creates file in the systems drive root

Checks Windows Trust Settings

Starts CMD.EXE for commands execution

The process connected to a server suspected of theft

INFO

Process checks whether UAC notifications are on

Checks supported languages

Reads the computer name

Checks proxy server information

Process checks computer location settings

Themida protector has been detected

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings