File name:	loader.exe
Full analysis:	https://app.any.run/tasks/8367a236-bbb7-4a4f-9502-392737b75af1
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 20:35:59
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	miner winring0x64-sys vuln-driver silentcryptominer xor-url generic xmrig upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	E68E90150A7C7988436F9814416F50B4
SHA1:	C3074D438EE2659A35B8F5D5DE068CC311B5EC99
SHA256:	70A0F07A778BD5AD82FA219A7B73A94175BEC448203E1A8A162C93FCA4549668
SSDEEP:	98304:97fPLz0iAdC9b3JehbMyQHogZpazLMwOeUOBvnj11t21Qa/2dl2l9Fni17MFlres:lfTVGOciyQHppiMwOeUIp+2bcLd7A9sx

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:05:04 05:00:13+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	41984
InitializedDataSize:	5447168
UninitializedDataSize:	-
EntryPoint:	0x1140
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(7768) CTRUpdater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1

PID	Process	Filename		Type
7616	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lydopebn.b5u.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7836	loader.exe	C:\ProgramData\Microsoft\Windows\CTRUpdater.exe		executable
		MD5:E68E90150A7C7988436F9814416F50B4	SHA256:70A0F07A778BD5AD82FA219A7B73A94175BEC448203E1A8A162C93FCA4549668
7616	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5g3ujrhd.10k.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7656	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_auumybsy.guo.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7656	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_5fytjhcj.fl0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5176	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ctyzwtgz.scx.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7656	powershell.exe	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:0EBF36AC46D6166BB4DC893DF9A9D7C7	SHA256:3DF2187BCE69FC832B2470932CFBAB2731DDBB6BE40F3C3DBCEAA0A293FA8246
7768	CTRUpdater.exe	C:\Windows\Temp\fgbwbbpyxnsz.sys		executable
		MD5:0C0195C48B6B8582FA6F6373032118DA	SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
7656	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_evg1rwhn.5iv.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7656	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_gu3imcir.m4x.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.48.23.158:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	23.48.23.177:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	23.48.23.177:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
8096	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
2136	dialer.exe	POST	200	23.94.13.29:80	http://softwarebreakers.info/api/endpoint.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	23.48.23.158:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
8096	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
crl.microsoft.com	23.48.23.158 23.48.23.194 23.48.23.146 23.48.23.138 23.48.23.145 23.48.23.191 23.48.23.147 23.48.23.159 23.48.23.150 23.48.23.177 23.48.23.161 23.48.23.166 23.48.23.156 23.48.23.164 23.48.23.173 23.48.23.153	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
login.live.com	20.190.160.130 20.190.160.4 20.190.160.66 20.190.160.22 40.126.32.68 20.190.160.64 20.190.160.5 40.126.32.140 40.126.31.71 20.190.159.130 40.126.31.0 20.190.159.4 20.190.159.64 20.190.159.128 20.190.159.71 40.126.31.69	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
xmr-us-east1.nanopool.org	51.222.106.253 51.222.12.201 51.222.200.133 51.79.71.77	whitelisted
softwarebreakers.info	23.94.13.29	malicious

PID	Process	Class	Message
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query to Coin Mining Domain (nanopool .org)
2136	dialer.exe	Crypto Currency Mining Activity Detected	ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
2136	dialer.exe	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
2136	dialer.exe	Crypto Currency Mining Activity Detected	MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel
2136	dialer.exe	Crypto Currency Mining Activity Detected	ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
2136	dialer.exe	A Network Trojan was detected	ET MALWARE SilentCryptoMiner Agent Config Inbound
2136	dialer.exe	Crypto Currency Mining Activity Detected	MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel

General Info

loader.exe

E68E90150A7C7988436F9814416F50B4

C3074D438EE2659A35B8F5D5DE068CC311B5EC99

70A0F07A778BD5AD82FA219A7B73A94175BEC448203E1A8A162C93FCA4549668

98304:97fPLz0iAdC9b3JehbMyQHogZpazLMwOeUOBvnj11t21Qa/2dl2l9Fni17MFlres:lfTVGOciyQHppiMwOeUIp+2bcLd7A9sx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes Windows Defender settings

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

Vulnerable driver has been detected

MINER has been detected (SURICATA)

XMRIG has been detected (YARA)

Connects to the CnC server

SILENTCRYPTOMINER has been detected (SURICATA)

XORed URL has been found (YARA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Manipulates environment variables

Script adds exclusion path to Windows Defender

Script adds exclusion extension to Windows Defender

Starts CMD.EXE for commands execution

Stops a currently running service

Process uninstalls Windows update

Executable content was dropped or overwritten

Starts SC.EXE for service management

Uses powercfg.exe to modify the power settings

Creates a new Windows service

Windows service management via SC.EXE

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Potential Corporate Privacy Violation

Connects to unusual port

Crypto Currency Mining Activity Detected

INFO

Checks supported languages

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Creates files in the program directory

The sample compiled with japanese language support

UPX packer has been detected

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules