| File name: | loader.exe |
| Full analysis: | https://app.any.run/tasks/25767df3-9402-4a94-8d0f-199658bac38d |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 06, 2025, 18:15:50 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | F866D0D2DCDF7843642D8984D00FC937 |
| SHA1: | 15DB950B60DC56B1A4B040B29A1C3B9E6AC1B239 |
| SHA256: | 3F791C60419A32C215AD1ADB2A551909BFFBC430B77439E318891B25CF5F8144 |
| SSDEEP: | 3072:9flxvXGBvkTnMX0BFS9uDr4cLkByhLVf1t5bH:xlxvX4vJX0zS8DrIByxtpH |
MALICIOUS
Application was injected by another process
- svchost.exe (PID: 4248)
- svchost.exe (PID: 4204)
- ctfmon.exe (PID: 4468)
- explorer.exe (PID: 4772)
- RuntimeBroker.exe (PID: 5448)
- svchost.exe (PID: 5048)
- SearchApp.exe (PID: 5328)
- RuntimeBroker.exe (PID: 4376)
- dllhost.exe (PID: 5604)
- RuntimeBroker.exe (PID: 5224)
- UserOOBEBroker.exe (PID: 5936)
- ApplicationFrameHost.exe (PID: 5096)
- firefox.exe (PID: 5904)
- dllhost.exe (PID: 2484)
- svchost.exe (PID: 6984)
- default-browser-agent.exe (PID: 6128)
- RuntimeBroker.exe (PID: 7092)
- firefox.exe (PID: 5900)
- TextInputHost.exe (PID: 2772)
- StartMenuExperienceHost.exe (PID: 5160)
- sihost.exe (PID: 4180)
Vulnerable driver has been detected
- mapper.exe (PID: 2348)
Runs injected code in another process
- slui.exe (PID: 7588)
- winupd.exe (PID: 4648)
SUSPICIOUS
Reads security settings of Internet Explorer
- loader.exe (PID: 6612)
- StartMenuExperienceHost.exe (PID: 5160)
- winupd.exe (PID: 4648)
Reads the date of Windows installation
- loader.exe (PID: 6612)
Executable content was dropped or overwritten
- loader.exe (PID: 6612)
- TextInputHost.exe (PID: 2772)
- winupd.exe (PID: 4648)
- StartMenuExperienceHost.exe (PID: 5160)
- mapper.exe (PID: 2348)
Drops a system driver (possible attempt to evade defenses)
- winupd.exe (PID: 4648)
Creates or modifies Windows services
- mapper.exe (PID: 2348)
Starts CMD.EXE for commands execution
- mapper.exe (PID: 2348)
Starts itself from another location
- loader.exe (PID: 6612)
INFO
Reads the computer name
- loader.exe (PID: 6612)
- winupd.exe (PID: 4648)
Reads the machine GUID from the registry
- loader.exe (PID: 6612)
- winupd.exe (PID: 4648)
- StartMenuExperienceHost.exe (PID: 5160)
- TextInputHost.exe (PID: 2772)
Checks proxy server information
- loader.exe (PID: 6612)
- StartMenuExperienceHost.exe (PID: 5160)
- winupd.exe (PID: 4648)
- TextInputHost.exe (PID: 2772)
- slui.exe (PID: 7588)
Checks supported languages
- loader.exe (PID: 6612)
- mapper.exe (PID: 2348)
- winupd.exe (PID: 4648)
Reads the software policy settings
- loader.exe (PID: 6612)
- TextInputHost.exe (PID: 2772)
- winupd.exe (PID: 4648)
- StartMenuExperienceHost.exe (PID: 5160)
- slui.exe (PID: 7588)
Creates files or folders in the user directory
- loader.exe (PID: 6612)
- TextInputHost.exe (PID: 2772)
- StartMenuExperienceHost.exe (PID: 5160)
- winupd.exe (PID: 4648)
Process checks computer location settings
- loader.exe (PID: 6612)
Create files in a temporary directory
- loader.exe (PID: 6612)
- mapper.exe (PID: 2348)
The sample compiled with english language support
- mapper.exe (PID: 2348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:06 11:11:44+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 9216 |
| InitializedDataSize: | 88576 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x226c |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
142
Monitored processes
28
Malicious processes
21
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1472 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | mapper.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2348 | "C:\WINDOWS\system32\mapper.exe" "C:\WINDOWS\system32\ghost.sys" | C:\Windows\System32\mapper.exe | winupd.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 2484 | C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} | C:\Windows\System32\dllhost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2772 | "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Version: 123.26505.0.0 Modules
| |||||||||||||||
| 3888 | "C:\Users\admin\Desktop\loader.exe" | C:\Users\admin\Desktop\loader.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 4180 | sihost.exe | C:\Windows\System32\sihost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Shell Infrastructure Host Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4204 | C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4248 | C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4376 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Runtime Broker Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4468 | "ctfmon.exe" | C:\Windows\System32\ctfmon.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: CTF Loader Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
24 538
Read events
24 512
Write events
25
Delete events
1
Modification events
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content |
| Operation: | write | Name: | CacheVersion |
Value: 1 | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content |
| Operation: | write | Name: | CacheLimit |
Value: 51200 | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies |
| Operation: | write | Name: | CacheVersion |
Value: 1 | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies |
| Operation: | write | Name: | CacheLimit |
Value: 1 | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History |
| Operation: | write | Name: | CacheVersion |
Value: 1 | |||
| (PID) Process: | (5160) StartMenuExperienceHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History |
| Operation: | write | Name: | CacheLimit |
Value: 1 | |||
| (PID) Process: | (2772) TextInputHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
Executable files
11
Suspicious files
4
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.bin | binary | |
MD5:9C5B8DB6410704CD9BADB267BA8FECD1 | SHA256:F94C3077089A0CCBA345322AB9498A8AF59C291B58861769D49A5D1C7B12FF3E | |||
| 6612 | loader.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\spread[1].dll | executable | |
MD5:A1A7B820B083BC1AE01F6AA094D5A296 | SHA256:74578DF785DDF3743BDFE111B5B615F704E973D58F3C7AED2BD8D3836087555B | |||
| 4648 | winupd.exe | C:\Windows\System32\mapper.exe | executable | |
MD5:0F06B86EE5CBEFB966315EBBB1574468 | SHA256:105E3F35565C4E514F0D32B5BCFFD96B4E3094D007C3CFD76F3A21E5A2382A0F | |||
| 6612 | loader.exe | C:\Windows\System32\spread.dll | executable | |
MD5:A1A7B820B083BC1AE01F6AA094D5A296 | SHA256:74578DF785DDF3743BDFE111B5B615F704E973D58F3C7AED2BD8D3836087555B | |||
| 4648 | winupd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mapper[1].exe | executable | |
MD5:0F06B86EE5CBEFB966315EBBB1574468 | SHA256:105E3F35565C4E514F0D32B5BCFFD96B4E3094D007C3CFD76F3A21E5A2382A0F | |||
| 2772 | TextInputHost.exe | C:\Users\admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\winupd.exe | executable | |
MD5:8D5F3A8AAA974201DFBA81E796389C61 | SHA256:30DC15D3D5E14872F04883E203B2388CDBB996E832F9B37C3D73FAE20CD15729 | |||
| 5160 | StartMenuExperienceHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\winupd.exe | executable | |
MD5:8D5F3A8AAA974201DFBA81E796389C61 | SHA256:30DC15D3D5E14872F04883E203B2388CDBB996E832F9B37C3D73FAE20CD15729 | |||
| 2348 | mapper.exe | C:\Users\admin\AppData\Local\Temp\dDtgdXqVxhINYUbnODKHoNqLmrb | executable | |
MD5:1898CEDA3247213C084F43637EF163B3 | SHA256:4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B | |||
| 4648 | winupd.exe | C:\Windows\System32\ghost.sys | executable | |
MD5:8DE1440DA98277C6D4DCC3AAEC8FA73E | SHA256:6B29E26AD4DBE7A76681A7214627E6AA19E6131EDA6DFC0BD38AF93FB8443074 | |||
| 4648 | winupd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\ghost[1].sys | executable | |
MD5:8DE1440DA98277C6D4DCC3AAEC8FA73E | SHA256:6B29E26AD4DBE7A76681A7214627E6AA19E6131EDA6DFC0BD38AF93FB8443074 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
148
TCP/UDP connections
58
DNS requests
22
Threats
36
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 104.21.57.147:443 | https://cdn.starlab.sh/uploads/winupd.exe | unknown | executable | 104 Kb | — |
— | — | GET | 200 | 104.21.57.147:443 | https://cdn.starlab.sh/uploads/ghost.sys | unknown | executable | 7.00 Kb | — |
— | — | GET | 200 | 172.67.146.164:443 | https://cdn.starlab.sh/uploads/winupd.exe | unknown | executable | 104 Kb | — |
— | — | GET | 200 | 172.67.146.164:443 | https://cdn.starlab.sh/uploads/winupd.exe | unknown | executable | 104 Kb | — |
— | — | GET | 200 | 104.21.57.147:443 | https://cdn.starlab.sh/uploads/spread.dll | unknown | executable | 48.0 Kb | — |
1268 | svchost.exe | GET | 200 | 23.216.77.5:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.5:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6356 | RUXIMICS.exe | GET | 200 | 23.216.77.5:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6356 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6612 | loader.exe | 104.21.57.147:443 | cdn.starlab.sh | CLOUDFLARENET | — | unknown |
1268 | svchost.exe | 23.216.77.5:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.216.77.5:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6356 | RUXIMICS.exe | 23.216.77.5:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
cdn.starlab.sh |
| unknown |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET INFO Observed UA-CPU Header |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO EXE - Served Inline HTTP |
— | — | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
— | — | Misc activity | ET HUNTING Suspicious Windows Executable WriteProcessMemory |
— | — | Misc activity | ET HUNTING Suspicious Windows Executable CreateRemoteThread |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Misc activity | ET INFO EXE - Served Inline HTTP |