File name:

LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe

Full analysis: https://app.any.run/tasks/f7b86dad-1b6e-4396-bcfe-e55a96525412
Verdict: Malicious activity
Analysis date: May 22, 2025, 17:16:54
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

422892E2E35043CC2219606F9FA3D855

SHA1:

2FB4970F33E55DF52AEDEADF48CDC896E9589B0E

SHA256:

4DA86B047E5F05ACCD66484032B6EAB439A359EA6BE0560F538843620C338CE7

SSDEEP:

98304:GswnWCZtNTdtQCuiQXkbFeVHgccnjfff58S5RESHkN5Yo+LzVHPAVG2CP3ew4k/J:GX2vEuVuPP/O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes application which crashes

      • LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe (PID: 1640)

    • Reads the Internet Settings

      • WerFault.exe (PID: 2200)

  • INFO

    • Creates files or folders in the user directory

      • LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe (PID: 1640)
      • WerFault.exe (PID: 2200)

    • Checks supported languages

      • LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe (PID: 1640)

    • Checks proxy server information

      • WerFault.exe (PID: 2200)

    • Reads the computer name

      • LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe (PID: 1640)

    • Reads the software policy settings

      • WerFault.exe (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:18 05:08:29+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 2116608
InitializedDataSize: 3629568
UninitializedDataSize: -
EntryPoint: 0xf077c4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start logicalloader-j3i2kzsy9trlizdsrdfuze1dd2djyw.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
1640"C:\Users\admin\Desktop\LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe" C:\Users\admin\Desktop\LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\logicalloader-j3i2kzsy9trlizdsrdfuze1dd2djyw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2200C:\Windows\system32\WerFault.exe -u -p 1640 -s 1652C:\Windows\System32\WerFault.exe
LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.22000.348 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
6 064
Read events
6 060
Write events
4
Delete events
0

Modification events

(PID) Process:(2200) WerFault.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
Operation:writeName:00188011688DA068
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB0100000066BCA8D214FA3A4FA3554A1C2C3F24480000000002000000000010660000000100002000000092E29708BD061819FD6BE6D89EDD6D93FA1D931604DD96A7D8A2D56ECD0B02A1000000000E8000000002000020000000996BD9064855BF1F04A58E21B3D434A8BD0D7D604AF6D394A95ABF8A3C2FD5528000000039CD8CE0188152DFB152DAFE6D94C65C7AEB610F183F6E1A9604FEE07A1CE7534AA97DE1C7371A120B42CBD99B203BF28C233B34F93127FD3999001E8414087D87E80BF630294D614C4C26E5AAF6AFBE87F77207F05F46F93AB8BC3BCD69878D9E1F184B18762AD58B3F4DABA55A9A83AF2B1F00A786D3AECBF58EAC3DED61354000000010E9F3DF54BD44CF5F3EEC86A8CD047DCFF4A3B2F54DC701C5A13E0836C48534F3634AF29AED83F3946BE0A3AE6E27D213517545390FED709DF865E8415E6580
(PID) Process:(2200) WerFault.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:DeviceTicket
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB0100000066BCA8D214FA3A4FA3554A1C2C3F24480000000002000000000010660000000100002000000087DAD7CC9D216F334739BF152267C64CA74D00D138444B44D970D95A3112D270000000000E8000000002000020000000299EA522EEC02330D840FF5F9716F22B5EF637B02F375CC6B810C9E726FD6B9D700A00001CBA17AA93184E534C7587E995BEBD35721F5642A62CF26A7E7F00A467B63370AD51CD0FB6F43F857463E306D9CF0B9F467CC0897951D37E93F8A84938FF1775320D75B0282570E2EA0F31768F22123C5C3E97D21C7F1984A21AD0D413A8371CC58C9A6A0627B1FF8A4CA564A0679E7AEC7FA0B893120E878CB7A783D7A71256333269380171740AAF935665735D7EFAEF2C0956E5186C8017397F00591D17CD8F63E64D92FE82FCCA3F764ABBF53BFC0F65B1CE9FE5B0569D276BE5342D549B40EAA5FD532C7E34C49B78FE5CF8BF317A63AC0EF5F9BCD72B8F49DF2A4B6D4339731170202D2EBBCFA4CB857927647541BF9FFC9779F02395848AEE772451C4B6402FAB5CE6B8D1216C62289833983FF4BDA05A9C56688FA9C1E0DB5BA7C6D789E51E12B40CD879C1B8B9294DB30481EE1C24F4591EA7FA2F2E6E064C352744294E17A751F52DCC18E8C2A5DDFDF361D54BBB3DAF0005A04B7B054FC3F04B6B93954505E524850336D6B7A5102D7F43ED67949D100E8754E5B0982E25E979EA2CAD5765F4189825EF0359D1C1A45BFBE5A40B3725D5288AD115A332CF1DD81EA5923C62BEE0C9798BB29D5BF731B27E555080DA13482D848DDC50D40149AFB280A95DEDE61B4D95F6CC032BC0D2A62C0E4DBD2A430DF61F43D73A78FED6D0D70DA74B9D35F5FFBC21E9B501B4878B6D163222AFCA86BECD722FAE0324B7AF1981E9B6FB93372B174C352F986D75371739B4820A2482E4FBA190CD52ECA83F8ECEDD62030123DCB5775808A07599DC5D81F18005D28692E3BE17449E43BCF15A07CCFCC186ECB84DB647AE1587D8695244C77E861EDAC9AD0F3646AA94410737A9E6290A70BD003E90975440D4FD423B0E3BB5471964D7833DA61EF4910C6ECB42BA097DA79ADADC953AC7F3323C3ADE7CFAAED5D3E3ECFC49E6955C63635C4448937990BC037DB14B01BBF8AF09271FAB6EE1AC2BFBA48A7A504C0A9F9811FFF3ACE5E940867258D7BC7FC820FFA34143CED795673199DD12598C549E4854D17C73926464F46FFDDF36FA60F5514B315FC6C24EAC5E52C36583110EDEDA24E8DBDDABB6DE27B507C39A5C5891526188289A45EDAE613CC3CDF613196C63498454B94C4FA0F33B811EB963307EC5C442D020E0CC2E0DD4CDE66AD37BA6BDFCE9E932409FDFDD311DCD05E2DB92E6598CDF3F9CFB4EE78046B56A2335D73DEB5AD1EB154DE25A881602CAC178BB4E425ACE908F6FCF652F8B18D5E74B0A54D716AE524D35D4EC67FE40789F994BFC773FC0EBC8DF4F60C7BB173E24865930119BC6A0138522D425A6E2EDD7E8B4D6A9331F27101F5BA6AD82ADCC9DF2F85CAF82BB44B157420A1279BC7A50E4D2E2A96CCB32664D659D4DAA457C5A85434CA9FA4DDA1946678C12F4AE66714B994D7909A1B22C1D2983682EC68BFD4EE213AF1122362E7653BB37C90669929D5FA5E1D8ADEC3F1665113DD609A068C981ECC05EFF3CB1F763056C7B7294029EE1A71C3FA3C9743CCDF0C649E75CD80334BE629F38B674447F55BED9071FFE518DD61990F5E205C16EA835FCE0B19FF88D5BD936DF36796139F62E3D94B11BA8CC0D59EBBAD0AE2A2F1284A6778F0EC93D976669748ECE3D5F224A530C8ABFB231C233D051644A84CA194B75AF0AD9F8A3B9661863AD722D8FB697D1EDBCC67BA8C81E4BCA7DE50A14C34DDA948727483A32606EABABC292E2196EF393084DE29B4F4CCE2A559653401E53170A6A9E2300C6F51428699EE950083DA787CA69E5B389C9599CE48CC7ACA461578CB807DD20424E210C1D7F3CC0C72E3278BE086BE45C7CE7314B419229D002FC7DCF542BA433EF6739A51C1E9EFBB68F518882252C80017C0480C4C335DD3ACEC4E975A408190A755906F4AA9AF9269C5FEA62B61C49D292E9CB16FEC411175588C231EC657693674560A885AC6E6222EAE8B74F2CA431DD4CEE8831DFCA0596ABC845AC359B2DBFEF0CC20858CD4C49132E4CE2A46B0FF8E80E0992C4E3D3B8F8384B13CC64A15470773CCDE262DEFF492EDAD129F3B2079E120B2944930A8792C79E51BDADBE27A9FE818FED6B075389085935707B32F5A186BC683DA12774467903A7A1D5445C77088259040DC8268C9D11EDBA96C9B97A7E2A2E1E057578610F87885509FC371413A3DD10779CAFA5E14FECFC6D81F1E1A476E3E7FB08B292EAB8C66F552D9E768F628000C3F5634D2F160392C92C29DF5FB3CA3117D61EAEAEA8D58183083A0520CC2AC5D46E89695A4499CD75CA1D4241491605D14AD1706F306272F889574B9EB2F31A8706DAFB73ACE313587B53B27043835ED7630D3311FF5BD0E6074E257D88B5E83096B6ECE9892AF3ABB7509D2EFA2B232DE329F7708A7A394648AAE6A35C81F2673D6175CD3892FA4A1E493F97B42EECCA895074FA52C3918617C64C3CD0E0D5BDA641347CE5D8B915C7F042DFFF34F8B73565A360005E3AAFC5984BA63A4C42B6ACC04A44428A8BE3C046CAE4630B8C540D0D611442BFE5A1A4D12230A0A7B43184984D2DE4591E6404CF63AC8F5B9EB4DCFC5796B103120A36B572E83403127617729AB17D32DA799F7FA5557FF320E44E1F9C52A23BED1E24E857D02B19DD3EAE39AE303752076DAE2EC7E319D10EAAA01E3950E1F2FD8F8DE621A08A9BB94C3F29CF6520285B54AFBCB43403EC6BA40BBDE92C9811741FBBBFAE21C612BD81CC599DB3F3031F8886BED4D66D52E1D83646C332B7B118B2BAD094F297AB1FE187A66641C6880A5F3F7C5EA05666DE502100FF52936C502E7E83C5B8CC3487C1A1B7F0D3E0B6B615292383AF4F02F5D0FA9ADB83D3E0A8BA7E25FB50DE2096CB77DD2F9C84886AE8E6EC109D225895D43D58793D5E6E66423BEE62C9F30CECC72750E3E80D961E44A07C497B2BCFF0DF956ED7261B069D295DB22D102B784B7BBBF046E16328854E76830E0A59A919C988DD204D0D49204DA91A4B9D5EC85D070EF61A783B30E9CEEEDFF50B8AB48C756378EE6A50A9B75D7E275EEEAD31CBC01FBA80E38E0108931B9052DAB6B343567909F02AB25805E1FA7AF5F2672629BF5A2F1A73A949B2DC3364BA24E0A1C52607EA463E6006AC894423C7088E85720668359FFF064D66DAA7EB5F0F4381CEE6A417B5CEFDA4E0DFE6D1F57A72891F5C3AB8005BC85810F56A28975FFDBC57E679070B75FC7D758D05DE565BED8B0ECE861BFE7E7C43B84DF871D39F7E003942B574B6ABCA5BCFF8B1588999904C9ECF7E5FAA85B430816BC209C20B89A6582BB596721D449C68439D8051911E78A3314D04CC55AE0FBDC9A016AF3F4A7E041A4059B8D9E188569F846F2D79F27B91FCCC2B3E31603160A9040AD77CB8B81ACDAAC5D4468103AD44BD6A8D6D023B33EC5CE0FF655E68D4E5BA85A8BD5F0D5B75060F214F54BF274B5BE65CFB668385697EA80BEEC1A9425689D4E2AABF0A9728B1B332BB0FEB499335D6E2E63EB891983C654C688D346D1E99C9D475FE9073A5618E093CED8906B3DD2BE176C89288B105A0E1474ED9B465C6B57C3AE7D71CE0C753C5D555CD90ABF58AEA852026C1F3C30C53A967461EDA096CD4B5119ACE71444331E172C02B77F53890E5752F0801C893E92048D5F9A3F86C0887223BEF94F00829D703FC4BB173AC2F5ED392741FF8A1ABF49D44F2507691D5D4390AE2BE8049FCCDC272289EA27B89612811C387B706B86681000F60F252E9A6099AEFD69B8CCB9B035FAB90FC4A8DB5900B71C0545815BC2324290EE16040000000F8FF344F4D7E88C43E31348BB3B29C302E994A2F04F11587663A1AF8A6CC20C395C6339BB4646700E41743B05A8C1BAC52CC03EDB81D7CCDC9AC676525D2D66D
(PID) Process:(2200) WerFault.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:DeviceId
Value:
00188011688DA068
(PID) Process:(2200) WerFault.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:ApplicationFlags
Value:
1
Executable files
0
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2200WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LogicalLoader-j3_51ffc83ecf7a9e54dba77dd6fc29ea7df4aaa6dd_16b427cf_cd819c00-45ad-4e89-9b83-9ff0e473c893\Report.wer
MD5:
SHA256:
2200WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER.3d003aeb-f936-467b-90e8-8909e311bbb7.tmp.xmlxml
MD5:C26A05C08DFA29C42D498B75B295191A
SHA256:0433B20DF6B36BA2356C33831D332D845E0E3E6AC41330A90834517E360E53AF
2200WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER.768d3ea7-4a7c-4b1a-a105-c38fa5a5e033.tmp.WERInternalMetadata.xmlxml
MD5:B832DB04747D53F8D6C5E6E9D4123ACA
SHA256:2B911B771BF53B61EBE7EE218A37FA0B293AD26E00E3B6662F02302263E99953
2200WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER.401a4810-ad02-44fd-a022-51d42779d81f.tmp.dmpbinary
MD5:6428ACD8D0CC97E51D8CCCD17232649A
SHA256:AF6957F940EF1AD334A90B6DB2C9B7980384855973E299CDCFF45CC4F3184B30
2200WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe.1640.dmpbinary
MD5:8703C88CA87946F813B92C3620625917
SHA256:09F9CB6109BAC6A0996FC11031991B691CF9946558A06EAF06E18AB3E6102E77
1640LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exeC:\Users\admin\AppData\Local\LogicalRL\Loader\LogicalLoader-1747934225.logtext
MD5:7E11658142F76C995EA8F8D47E7556EB
SHA256:42F3577A78DEE0720ACE0A203362C52B9A689CDF13CCEFD1AC82FFDEE68CB63A
1640LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exeC:\Users\admin\AppData\Local\LogicalRL\Loader\Config.jsonbinary
MD5:98FBD33E76DE25A0D0889F0001A2F8D7
SHA256:742FB116D21D1BFC11CC1CAF02019AAE43E86604A193928B6C7BB4A612314CDC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
19
DNS requests
11
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.18.64.212:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
5340
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?950a680a463b6661
unknown
whitelisted
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
172.205.25.163:443
https://checkappexec.microsoft.com/windows/shell/actions
unknown
binary
182 b
whitelisted
POST
200
40.126.31.67:443
https://login.live.com/RST2.srf
unknown
whitelisted
HEAD
200
23.197.142.186:443
https://fs.microsoft.com/fs/windows/config.json
unknown
GET
200
23.197.142.186:443
https://fs.microsoft.com/fs/windows/config.json
unknown
binary
55 b
whitelisted
2768
svchost.exe
GET
200
2.22.50.112:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e631054164025918
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.18.64.212:80
Administracion Nacional de Telecomunicaciones
UY
unknown
5340
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5340
MoUsoCoreWorker.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
3640
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1640
LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe
66.33.60.193:443
api.logicalrl.com
COGECO-PEER1
US
unknown
2744
smartscreen.exe
48.209.162.134:443
checkappexec.microsoft.com
US
whitelisted
2200
WerFault.exe
20.42.65.92:443
umwatson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4120
svchost.exe
104.102.63.189:443
fs.microsoft.com
AKAMAI-AS
US
whitelisted
2768
svchost.exe
2.22.50.112:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
  • 2.22.50.112
  • 2.22.50.118
  • 2.22.50.132
  • 2.22.50.131
  • 2.22.50.102
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.133
  • 20.190.160.66
  • 20.190.160.4
  • 40.126.32.72
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.3
  • 20.190.160.65
whitelisted
api.logicalrl.com
  • 66.33.60.193
  • 76.76.21.22
unknown
checkappexec.microsoft.com
  • 48.209.162.134
whitelisted
umwatson.events.data.microsoft.com
  • 20.42.65.92
whitelisted
fs.microsoft.com
  • 104.102.63.189
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
A Network Trojan was detected
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LogicalLoader-j3I2kzSy9trlIZdsrdFuze1DD2DJYw.exe