File name:	loader.exe
Full analysis:	https://app.any.run/tasks/502699d1-53fc-4f17-bd8b-34f74c5c7912
Verdict:	Malicious activity
Analysis date:	May 17, 2025, 11:31:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-sch auto generic crypto-regex
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 20 sections
MD5:	A9A67BC3C3B3B1D85F2C6F126B7604A5
SHA1:	A9E922E78403466F9B3C1D3C176CDA22AE433190
SHA256:	81997543956E55BE841EB355689D94756B835A44ED083D57C8B61DF05D762974
SSDEEP:	98304:RBObFJfAFxipQm+dqogLNLyDkehnbSyfcLfU07rk4mOzO0cfXujZKhL6ncXq7b8U:LQ2eV3McQmCG

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:04:30 22:39:34+00:00
ImageFileCharacteristics:	Executable, No line numbers, Large address aware
PEType:	PE32+
LinkerVersion:	2.41
CodeSize:	762880
InitializedDataSize:	10038272
UninitializedDataSize:	3584
EntryPoint:	0x10ed
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e73-85a9-11eb-90a8-9a9b76358421}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e72-85a9-11eb-90a8-9a9b76358421}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2f5c5e71-85a9-11eb-90a8-9a9b76358421}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5492) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4944) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${c6a388c9-afd3-47e2-a46b-29cb43ad4323}$start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
Operation:	write	Name:	Data
Value: 02000000B9E91C421FC7DB0100000000434201000A0A00D0140CCA3200CB8C0A0212267B00410039003400310034003200440039002D0032003100350030002D0034003600380037002D0038003600390033002D003100450036003200320036003500390039003900430031007D000012267B00390033004600380044003900390046002D0036003500300041002D0034003100330035002D0038004200340043002D003200460046004100410041003300450046004600340039007D0000E22C01010000
(PID) Process:	(4944) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{34b3eefc-b775-e6f0-facf-1bebee810f98}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 01000000CC8AD4411FC7DB01
(PID) Process:	(4944) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(4944) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(4944) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles
Operation:	write	Name:	Completed
Value: 1

PID	Process	Filename		Type
5176	vlc.exe	C:\Users\admin\AppData\Roaming\vlcapp\libwinpthread-1.dll		executable
		MD5:808A2BA82312143CDCF7A42CBFA3E13D	SHA256:D1E9581D6464427D0A15EBD5AE9199328AAB33CB119D122B57809659C065CDCA
5176	vlc.exe	C:\Users\admin\AppData\Roaming\vlcapp\vlc.exe		executable
		MD5:F9538485432D3EC640F89096BA2D4D00	SHA256:5D695D8A0BB1D919CC77A2AA2488A61797BFA065238160278EE458120630AAF9
5124	loader.exe	C:\ProgramData\XyleShield\libvlccore.dll		executable
		MD5:1F76B1DF2D1F1B0C02C864A3ACAF04AB	SHA256:4FE971455D80831056DB2363354EA252113BDCB42C64F5E9E9602FD067DA214F
5124	loader.exe	C:\ProgramData\XyleShield\libstdc++-6.dll		executable
		MD5:5D9253EEAC70FCF559278B4BC8286E04	SHA256:975B3727A607C8B06157537FF80C08BC9640891DDEA6510D368CF807B3339345
5124	loader.exe	C:\ProgramData\XyleShield\libcrypto-3-x64.dll		executable
		MD5:13C723D5668B0FAF2039238FA04D9634	SHA256:0761F0D83514334E9278D9BADDF06239F8E780DA3A28E35880C050EABEC87CD2
5124	loader.exe	C:\ProgramData\XyleShield\libwinpthread-1.dll		executable
		MD5:808A2BA82312143CDCF7A42CBFA3E13D	SHA256:D1E9581D6464427D0A15EBD5AE9199328AAB33CB119D122B57809659C065CDCA
5176	vlc.exe	C:\Users\admin\AppData\Roaming\vlcapp\libstdc++-6.dll		executable
		MD5:5D9253EEAC70FCF559278B4BC8286E04	SHA256:975B3727A607C8B06157537FF80C08BC9640891DDEA6510D368CF807B3339345
5176	vlc.exe	C:\Users\admin\AppData\Roaming\vlcapp\libvlccore.dll		executable
		MD5:1F76B1DF2D1F1B0C02C864A3ACAF04AB	SHA256:4FE971455D80831056DB2363354EA252113BDCB42C64F5E9E9602FD067DA214F
4976	TiWorker.exe	C:\Windows\Logs\CBS\CBS.log		text
		MD5:1EF58544373E5FE2E67DBDC51024884F	SHA256:AE7E09CFC1227828708047021E03A505598BFEEE33EFAC14C33DEE6FA332FE9E
5176	vlc.exe	C:\Users\admin\AppData\Roaming\vlcapp\libcrypto-3-x64.dll		executable
		MD5:13C723D5668B0FAF2039238FA04D9634	SHA256:0761F0D83514334E9278D9BADDF06239F8E780DA3A28E35880C050EABEC87CD2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6332	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
6332	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.66:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6796	SearchApp.exe	2.23.227.215:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
6332	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
6332	SIHClient.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
6332	SIHClient.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.142	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.66 40.126.32.68 40.126.32.138 20.190.160.14 40.126.32.72 20.190.160.64 20.190.160.132 40.126.32.140 20.190.159.0 40.126.31.71 40.126.31.1 20.190.159.4 20.190.159.64 40.126.31.73 20.190.159.131 20.190.159.130	whitelisted
www.bing.com	2.23.227.215 2.23.227.208	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

loader.exe

A9A67BC3C3B3B1D85F2C6F126B7604A5

A9E922E78403466F9B3C1D3C176CDA22AE433190

81997543956E55BE841EB355689D94756B835A44ED083D57C8B61DF05D762974

98304:RBObFJfAFxipQm+dqogLNLyDkehnbSyfcLfU07rk4mOzO0cfXujZKhL6ncXq7b8U:LQ2eV3McQmCG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

Uses Task Scheduler to autorun other applications

Runs injected code in another process

Application was injected by another process

SUSPICIOUS

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Found regular expressions for crypto-addresses (YARA)

INFO

Creates files in the program directory

Reads the computer name

Checks supported languages

Process checks computer location settings

The sample compiled with english language support

Creates files or folders in the user directory

Uses Task Scheduler to autorun other applications (AUTOMATE)

Manual execution by a user

Reads the software policy settings

Checks proxy server information

Reads the machine GUID from the registry

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings