File name: Loader.exe
Full analysis: https://app.any.run/tasks/ed662388-85c8-40ed-b82a-97464e1511af
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 03, 2024, 14:47:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: A21FBA3705B1379C2F87C731C5E41E19
SHA1: 6410AC722DB0DB576EDA9BDBBA3113DA8DD7DACC
SHA256: 8A3E71F32E9A9CF25217C6E6A9B200CA2735D55E13884E4D78BFBB1B313F2411
SSDEEP: 98304:F1UA7qGRplv9iAv7Q3B2dPMDSfBBmfNTs/SlR3iLlycfNyoB4agFxjE68t+6b:/c8t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Uses TASKKILL.EXE to kill security tools

      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 5888)
      • cmd.exe (PID: 2368)
    • Starts NET.EXE for service management

      • net.exe (PID: 6356)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 3376)
      • net.exe (PID: 6476)
  • SUSPICIOUS

    • Hides command output

      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 3376)
      • cmd.exe (PID: 6428)
      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 568)
      • cmd.exe (PID: 5888)
      • cmd.exe (PID: 1840)
      • cmd.exe (PID: 3112)
      • cmd.exe (PID: 6508)
      • cmd.exe (PID: 3316)
      • cmd.exe (PID: 6268)
      • cmd.exe (PID: 6356)
      • cmd.exe (PID: 6164)
      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 5140)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 5796)
      • cmd.exe (PID: 4440)
      • cmd.exe (PID: 6112)
      • cmd.exe (PID: 6912)
      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 3028)
    • Starts CMD.EXE for commands execution

      • Loader.exe (PID: 6884)
    • Reads security settings of Internet Explorer

      • Loader.exe (PID: 6884)
    • Checks Windows Trust Settings

      • Loader.exe (PID: 6884)
    • Executable content was dropped or overwritten

      • Loader.exe (PID: 6884)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 568)
      • cmd.exe (PID: 6428)
      • cmd.exe (PID: 5140)
      • cmd.exe (PID: 1840)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3316)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 3112)
      • cmd.exe (PID: 6356)
      • cmd.exe (PID: 6268)
      • cmd.exe (PID: 6508)
      • cmd.exe (PID: 5796)
      • cmd.exe (PID: 4440)
      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 6164)
      • cmd.exe (PID: 6112)
      • cmd.exe (PID: 6912)
  • INFO

    • Checks supported languages

      • Loader.exe (PID: 6884)
      • mode.com (PID: 2628)
    • Reads the computer name

      • Loader.exe (PID: 6884)
    • Checks proxy server information

      • Loader.exe (PID: 6884)
    • Reads the machine GUID from the registry

      • Loader.exe (PID: 6884)
    • Reads the software policy settings

      • Loader.exe (PID: 6884)
    • Creates files or folders in the user directory

      • Loader.exe (PID: 6884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:27 08:22:09+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 2471936
InitializedDataSize: 1005568
UninitializedDataSize: -
EntryPoint: 0x21a314
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 185
Monitored processes: 64
Malicious processes: 1
Suspicious processes: 6

Behavior graph (interactive in the full report): the tree starts at loader.exe and fans out into conhost.exe, mode.com and a long run of cmd.exe children, each of which launches taskkill.exe, sc.exe, or net.exe/net1.exe; an svchost.exe node and a second loader.exe instance also appear. Nodes marked "no specs" in the graph carry no indicators of their own.

Process information

PID 568 | cmd.exe | Parent: Loader.exe
CMD: C:\WINDOWS\system32\cmd.exe /c sc stop npf >nul 2>&1
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 1060 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID 568 | taskkill.exe | Parent: cmd.exe
CMD: taskkill /FI "IMAGENAME eq ProcessHacker*" /IM * /F /T
Path: C:\Windows\System32\taskkill.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Terminates Processes | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll

PID 876 | cmd.exe | Parent: Loader.exe
CMD: C:\WINDOWS\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll

PID 1064 | cmd.exe | Parent: Loader.exe
CMD: C:\WINDOWS\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 1060 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID 1064 | taskkill.exe | Parent: cmd.exe
CMD: taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
Path: C:\Windows\System32\taskkill.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Terminates Processes | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll

PID 1116 | cmd.exe | Parent: Loader.exe
CMD: C:\WINDOWS\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID 1840 | cmd.exe | Parent: Loader.exe
CMD: C:\WINDOWS\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 1060 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID 1944 | taskkill.exe | Parent: cmd.exe
CMD: taskkill /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T
Path: C:\Windows\System32\taskkill.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Terminates Processes | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll

PID 2068 | conhost.exe | Parent: Loader.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID 2256 | svchost.exe | Parent: services.exe
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
User: NETWORK SERVICE | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Host Process for Windows Services | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (c:\windows\system32\): svchost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, ucrtbase.dll, combase.dll, kernel.appcore.dll

Exit code 1060 on the sc stop wrappers is ERROR_SERVICE_DOES_NOT_EXIST: none of npf (the WinPcap/Npcap packet-capture driver), KProcessHacker1 (Process Hacker's kernel driver) or HTTPDebuggerPro (HTTP Debugger Pro's driver) was installed on the guest, so those commands were no-ops here. taskkill with an /FI filter exits 0 whether or not anything matched, so its exit codes say nothing about what was actually terminated. Every command is wrapped in cmd.exe /c with output redirected to nul (the "Hides command output" signature), and the whole tree runs at HIGH integrity, i.e. elevated, which is what later permits a write into C:\Windows\System32\downlevel.
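The process table above is the kind of evidence a detection should key on: many short-lived cmd.exe children of one parent, each running taskkill with an IMAGENAME filter or sc stop against an analysis tool, all with output sent to nul. The script below is an added example, not part of the ANY.RUN report or of the sample; it takes Sysmon-style process-creation events, walks each event up to its root ancestor, and scores the tree. The tool prefixes and driver names are copied from the commands in the report; the event list, the child PIDs 9001-9003 and the benign "sc stop Spooler" tree are constructed.

```python
"""Detect the analysis-tool kill pattern from this report in process-creation events.

Added example, not part of the ANY.RUN report. Tool and driver names come from the
taskkill / sc stop commands in the process table; the events below are constructed.
"""
import re
from collections import defaultdict

# Image-name prefixes and service names taken from the report's commands.
ANALYSIS_TOOL_PREFIXES = {"processhacker", "rawshark", "httpdebugger", "httpdebuggerui"}
ANALYSIS_DRIVERS = {"npf", "kprocesshacker1", "httpdebuggerpro"}

# taskkill /FI "IMAGENAME eq <prefix>*": capture the filter value minus the wildcard.
TASKKILL_FILTER = re.compile(r'/FI\s+"IMAGENAME\s+eq\s+([^"*]+)\*?"', re.IGNORECASE)
FORCE_FLAG = re.compile(r"\s/F\b", re.IGNORECASE)         # matches /F, not /FI
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
NUL_REDIRECT = re.compile(r">\s*nul\b", re.IGNORECASE)    # ">nul 2>&1" hides output


def analyze(events):
    """Group events by root ancestor and score each tree.

    events: dicts with pid, ppid, image, cmdline (Sysmon Event ID 1 style).
    Returns {root_pid: {image, killed_tools, stopped_drivers, hidden_output, verdict}}.
    """
    by_pid = {e["pid"]: e for e in events}

    def root(pid):
        while by_pid[pid]["ppid"] in by_pid:   # climb until the parent is unknown
            pid = by_pid[pid]["ppid"]
        return pid

    trees = defaultdict(lambda: {"killed_tools": set(), "stopped_drivers": set(), "hidden_output": 0})
    for e in events:
        t = trees[root(e["pid"])]
        cmd = e["cmdline"]
        m = TASKKILL_FILTER.search(cmd)
        if m and FORCE_FLAG.search(cmd):
            name = m.group(1).strip().lower()
            if name in ANALYSIS_TOOL_PREFIXES:
                t["killed_tools"].add(name)
        m = SC_STOP.search(cmd)
        if m and m.group(1).lower() in ANALYSIS_DRIVERS:
            t["stopped_drivers"].add(m.group(1).lower())
        if NUL_REDIRECT.search(cmd):
            t["hidden_output"] += 1

    result = {}
    for pid, t in trees.items():
        targets = len(t["killed_tools"]) + len(t["stopped_drivers"])
        result[pid] = {
            "image": by_pid[pid]["image"],
            "killed_tools": sorted(t["killed_tools"]),
            "stopped_drivers": sorted(t["stopped_drivers"]),
            "hidden_output": t["hidden_output"],
            # two or more distinct analysis targets from one tree is the kill-list pattern
            "verdict": "anti-analysis" if targets >= 2 else "none",
        }
    return result


# Constructed events; command lines mirror the report, PIDs 9001-9003 and 7000/7100 are made up.
LOADER = r"C:\Users\admin\Desktop\Loader.exe"
CMD = r"C:\Windows\System32\cmd.exe"
TASKKILL = r"C:\Windows\System32\taskkill.exe"
SAMPLE_EVENTS = [
    {"pid": 6884, "ppid": 4000, "image": LOADER, "cmdline": LOADER},
    {"pid": 568, "ppid": 6884, "image": CMD,
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c sc stop npf >nul 2>&1"},
    {"pid": 9003, "ppid": 568, "image": TASKKILL,
     "cmdline": r'taskkill /FI "IMAGENAME eq ProcessHacker*" /IM * /F /T'},
    {"pid": 1064, "ppid": 6884, "image": CMD,
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1"},
    {"pid": 9001, "ppid": 1064, "image": TASKKILL,
     "cmdline": r'taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T'},
    {"pid": 1116, "ppid": 6884, "image": CMD,
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1'},
    {"pid": 9002, "ppid": 1116, "image": TASKKILL,
     "cmdline": r'taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T'},
    # Benign admin activity in a separate tree: one sc stop of a real service, no kill list.
    {"pid": 7000, "ppid": 7100, "image": CMD, "cmdline": r"cmd.exe /c sc stop Spooler"},
]

if __name__ == "__main__":
    for root_pid, summary in analyze(SAMPLE_EVENTS).items():
        print(root_pid, summary)
```

Per-tree aggregation matters more than the individual command: a single `sc stop` or `taskkill /F` is routine administration, while several distinct analysis targets under one root within seconds is not. In production the prefix and driver sets would be extended well beyond the four tools and three drivers this sample happened to target.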
Total events: 7 803
Read events: 7 792
Write events: 11
Delete events: 0

Modification events

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value:

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (6884) Loader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

These ZoneMap and CachePrefix writes are the standard registry side effect of a process initializing WinINet for the first time, not a deliberate configuration change. Together with the vgtdep[1].dll copy under INetCache\IE (the WinINet cache) in the dropped-files list, they show the loader fetched its payload through WinINet rather than its own socket code.
Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 6884 | Loader.exe | C:\Users\admin\Desktop\Loader.exe | executable
MD5: A21FBA3705B1379C2F87C731C5E41E19 | SHA256: 8A3E71F32E9A9CF25217C6E6A9B200CA2735D55E13884E4D78BFBB1B313F2411

PID 6884 | Loader.exe | C:\Users\admin\Desktop\Sirius.exe | executable
MD5: A21FBA3705B1379C2F87C731C5E41E19 | SHA256: 8A3E71F32E9A9CF25217C6E6A9B200CA2735D55E13884E4D78BFBB1B313F2411

PID 6884 | Loader.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\vgtdep[1].dll | executable
MD5: 73670CC8FDD253AD6461380A0BB4CC23 | SHA256: E1F971B175F8B39ACB2F52B188F5D352884489868428D8F0E5FB5A7A5EEB5B99

PID 6884 | Loader.exe | C:\Windows\System32\downlevel\api-ms-win-code-com-2-4-3.dll | executable
MD5: 73670CC8FDD253AD6461380A0BB4CC23 | SHA256: E1F971B175F8B39ACB2F52B188F5D352884489868428D8F0E5FB5A7A5EEB5B99

Sirius.exe is a byte-identical copy of the submitted sample (same MD5 and SHA256), and the sample's own path appears with its original hash. The vgtdep[1].dll entry is the WinINet cache copy of the DLL fetched from https://files.catbox.moe/vgtdep.dll (see HTTP requests); the same file is then written to C:\Windows\System32\downlevel under a name patterned after the api-ms-win-* API-set forwarder DLLs that legitimately live in that directory. That write only succeeds because the sample runs elevated (HIGH integrity), so a hunt for non-Microsoft-signed api-ms-win-*.dll files under System32\downlevel is a cheap host-side check for this behaviour.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 16
DNS requests: 6
Threats: 7

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size
GET | 200 | 108.181.20.37:443 | https://files.catbox.moe/vgtdep.dll | unknown | executable | 16.0 Kb
POST | 200 | 104.26.0.5:443 | https://keyauth.win/api/1.0/ | unknown | text | 864 b

The GET retrieves the 16 KB DLL that appears in the dropped-files list as vgtdep[1].dll and api-ms-win-code-com-2-4-3.dll. https://keyauth.win/api/1.0/ is the KeyAuth licensing API, so the POST is consistent with a license or session check before the payload is used. URLs and sizes are visible here only because the sandbox decrypts TLS; a network sensor without TLS interception sees just the DNS names and the TLS SNI, which is what the ET signatures below match on.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 192.168.100.255:138 | | | | whitelisted
1356 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6192 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6884 | Loader.exe | 108.181.20.37:443 | files.catbox.moe | TELUS Communications | CA | malicious
6884 | Loader.exe | 104.26.1.5:443 | keyauth.win | CLOUDFLARENET | US | malicious
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1356 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.74.206 | whitelisted
files.catbox.moe | 108.181.20.37 | malicious
keyauth.win | 104.26.1.5, 172.67.72.57, 104.26.0.5 | malicious
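The file hashes in the dropped-files section and the domains and addresses in the Connections and DNS sections are the indicators a responder would carry into telemetry. The script below is an added example, not part of the ANY.RUN report, that runs those indicators over Sysmon-style file-create, DNS-query and network-connect events, and adds two behavioural checks drawn from the same sections: a process writing a byte-identical copy of itself (Loader.exe to Sirius.exe) and a non-Windows process writing an api-ms-win-*.dll into System32\downlevel. Hashes, domains and IPs are copied from the report; the event records, the "writer outside C:\Windows" heuristic and the TrustedInstaller row are constructed for illustration.

```python
"""IOC sweep over constructed Sysmon-style events using the indicators in this report.

Added example, not part of the ANY.RUN report. Hashes, domains and IPs are copied from
the report; the events, the non-Windows-writer heuristic and the TrustedInstaller row
are constructed.
"""
import fnmatch

LOADER_SHA256 = "8a3e71f32e9a9cf25217c6e6a9b200ca2735d55e13884e4d78bfbb1b313f2411"
DLL_SHA256 = "e1f971b175f8b39acb2f52b188f5d352884489868428d8f0e5fb5a7a5eeb5b99"
IOC_SHA256 = {
    LOADER_SHA256: "Loader.exe / Sirius.exe",
    DLL_SHA256: "vgtdep.dll / api-ms-win-code-com-2-4-3.dll",
}
IOC_DOMAINS = {"files.catbox.moe", "keyauth.win"}
IOC_IPS = {"108.181.20.37", "104.26.0.5", "104.26.1.5", "172.67.72.57"}

# Heuristic (assumption, not from the report): API-set forwarders under System32\downlevel
# are written by Windows servicing, so any writer outside C:\Windows is suspect.
APISET_GLOB = r"c:\windows\system32\downlevel\api-ms-win-*.dll"
WINDOWS_DIR = "c:\\windows\\"


def norm_domain(name):
    """Lower-case and drop the trailing dot that DNS logs often keep."""
    return name.rstrip(".").lower()


def domain_hit(name):
    """True for an IOC domain or any subdomain of one (not for look-alikes)."""
    name = norm_domain(name)
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def norm_ip(endpoint):
    """'1.2.3.4:443' -> '1.2.3.4'; bare IPv4 and IPv6 literals are returned unchanged."""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint


def sweep(events):
    """Return (rule, pid, detail) tuples for every event that matches an indicator."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "file_create":
            target = e["target"].lower()
            digest = e["sha256"].lower()
            if digest in IOC_SHA256:
                findings.append(("hash_match", e["pid"], f"{e['target']} = {IOC_SHA256[digest]}"))
            if digest == e["image_sha256"].lower():   # process wrote a copy of itself
                findings.append(("self_copy", e["pid"], f"{e['image']} -> {e['target']}"))
            if fnmatch.fnmatchcase(target, APISET_GLOB) and not e["image"].lower().startswith(WINDOWS_DIR):
                findings.append(("apiset_masquerade", e["pid"], f"{e['image']} wrote {e['target']}"))
        elif kind == "dns_query" and domain_hit(e["query"]):
            findings.append(("ioc_domain", e["pid"], norm_domain(e["query"])))
        elif kind == "network_connect" and norm_ip(e["dst"]) in IOC_IPS:
            findings.append(("ioc_ip", e["pid"], e["dst"]))
    return findings


# Constructed events modelled on the report; the TrustedInstaller row is a benign control.
LOADER = r"C:\Users\admin\Desktop\Loader.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 6884, "image": LOADER, "image_sha256": LOADER_SHA256,
     "target": r"C:\Users\admin\Desktop\Sirius.exe", "sha256": LOADER_SHA256},
    {"type": "file_create", "pid": 6884, "image": LOADER, "image_sha256": LOADER_SHA256,
     "target": r"C:\Windows\System32\downlevel\api-ms-win-code-com-2-4-3.dll", "sha256": DLL_SHA256},
    {"type": "file_create", "pid": 1200, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "image_sha256": "00" * 32,
     "target": r"C:\Windows\System32\downlevel\api-ms-win-core-com-l1-1-0.dll", "sha256": "11" * 32},
    {"type": "dns_query", "pid": 2256, "query": "keyauth.win."},
    {"type": "dns_query", "pid": 2256, "query": "settings-win.data.microsoft.com"},
    {"type": "network_connect", "pid": 6884, "dst": "108.181.20.37:443"},
    {"type": "network_connect", "pid": 1356, "dst": "51.104.136.2:443"},
]

if __name__ == "__main__":
    for rule, pid, detail in sweep(SAMPLE_EVENTS):
        print(f"{rule:<18} pid={pid:<5} {detail}")
```

Hash and address matches age quickly (catbox.moe and the Cloudflare-fronted keyauth.win addresses are shared infrastructure), so the two behavioural rules are the durable part: a self-copy to a new name and a user-land process planting an api-ms-win-* DLL in System32\downlevel do not depend on this sample's hashes at all.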

Threats

PID | Process | Class | Message
6884 | Loader.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
2256 | svchost.exe | Potentially Bad Traffic | ET INFO Fake Game Cheat Related Domain in DNS Lookup (keyauth .win)
6884 | Loader.exe | Potentially Bad Traffic | ET INFO Fake Game Cheat Related Domain (keyauth .win) in TLS SNI
 | | Misc activity | ET INFO Packed Executable Download
 | | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
 | | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
1 ETPRO signatures available at the full report

The DNS-lookup alert is attributed to svchost.exe PID 2256 (the "-k NetworkService -p -s Dnscache" instance in the process list) because on Windows 10 the DNS Client service resolves names on behalf of every process; to tie the keyauth.win lookup back to Loader.exe, pivot on the TLS SNI alert for PID 6884 or on Sysmon DNS events (Event ID 22), which record the querying process. The IsDebuggerPresent alert is a content match on the PE transferred over HTTP, not an observation of runtime anti-debugging.
Process | Message
Loader.exe | Security