File name:	asdasdsadasdsadasdsad.exe
Full analysis:	https://app.any.run/tasks/56fc04b2-3275-4e89-af25-889e0cdeceb3
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 27, 2025, 00:58:35
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github arch-exec loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 8 sections
MD5:	0827AFB3895B5D15A56921FAED4E514E
SHA1:	A63219862FC051FB97D6AE2E7C8C42A9ED9CD866
SHA256:	9A42FF00294BCA618D76DC7DC79CE3BE2BE6E0ED65459280663F9047B5694657
SSDEEP:	49152:hmKm0EzJjugNclApph5OYz5nPymo+Uyz3YQakvsYnwVdvkMj+ye5PPw67ZFrPROD:hmKDEVCYyARzYSvsYgfO/NnpEW1

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:05:27 00:54:48+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	1225728
InitializedDataSize:	838656
UninitializedDataSize:	386560
EntryPoint:	0x60f78
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	asdasdsadasdsadasdsad
FileDescription:	asdasdsadasdsadasdsad
FileVersion:	1.0.0.0
InternalName:	asdasdsadasdsadasdsad.dll
LegalCopyright:
OriginalFileName:	asdasdsadasdsadasdsad.dll
ProductName:	asdasdsadasdsadasdsad
ProductVersion:	1.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7640) ExampleFile.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ExampleFile_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
7416	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c267.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7416	powershell.exe	C:\Users\admin\AppData\Local\Temp\ExampleFile.zip		compressed
		MD5:45E5F7AB1360EC404A6FA7BDDBF951A6	SHA256:D93EDA47E2B25200E48123001F13EB1A838AC4DE5A3A19423546DF63522E5CCA
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\NordInstallerLauncher-20250527.log		text
		MD5:1E0F1D76940FBA7F7F983A2518693A4A	SHA256:0C0C1C723DF18BB9476C4809A4D65F6109A0A59EFD0A2D388BE77693CC61B12C
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\0a316e9b-7860-46e9-b019-c52acb7b05f2\NordInstaller.exe		executable
		MD5:FBC7FB9DF225DDFFC75057103BA378D6	SHA256:8D7ED45041EEB9078C7EF0DFA13F55A4B57462C8C49B791B38F89DEE11501D5C
7416	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cgzooydo.2gs.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\0a316e9b-7860-46e9-b019-c52acb7b05f2\1.3.3.0\NordSecurity.LibMoose.Core.dll		executable
		MD5:F70C9A8D94CE716CA78B4A9FFECA338D	SHA256:982C47E848DE88C97D231B42B6EC8DCCA3B7C4F77E5AC1EB68490278318FF811
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\0a316e9b-7860-46e9-b019-c52acb7b05f2\1.3.3.0\Microsoft.Bcl.AsyncInterfaces.dll		executable
		MD5:5F017844C92A4251D979BBF2B753420D	SHA256:66D8CB4B472F053ED89BDB4CEA6DE87318D1AF1360A905DB8F6812AC0C48E20F
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\0a316e9b-7860-46e9-b019-c52acb7b05f2\1.3.3.0\Bugsnag.dll		executable
		MD5:BC6EB5971A9E56BECAC195AF9802DA83	SHA256:9E0A89690E81DFE6EB4305BBF36B42A352E8BE0C1B188C3EA503E62BBBC58841
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\0a316e9b-7860-46e9-b019-c52acb7b05f2\Nord.Common.dll		executable
		MD5:110B2B5B0653014965F03FA653E69B09	SHA256:29425BF8FC92F38E1871A13F44C4D5B8D02889A38D4DCDB683626F4D51C07DFF
7640	ExampleFile.exe	C:\Users\admin\AppData\Local\Temp\0a316e9b-7860-46e9-b019-c52acb7b05f2\1.3.3.0\nudler.dll		executable
		MD5:F983FFB3C1D6B9A391AC8BE91F6A49DD	SHA256:C01826268CC2A7C2B1F475CF5F42BAD6E8BBCF492196D8AA2194492B578211DF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.4:443	https://github.com/Phnxss/example/raw/refs/heads/main/ExampleFile.zip	unknown	—	—	—
2104	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.2:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	GET	200	140.82.121.4:443	https://raw.githubusercontent.com/Phnxss/example/refs/heads/main/ExampleFile.zip	unknown	compressed	5.91 Mb	whitelisted
—	—	POST	400	20.190.159.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.159.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.31.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.31.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	200	172.67.180.146:443	https://applytics.nordvpn.com/app-events	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7416	powershell.exe	140.82.121.4:443	github.com	GITHUB	US	whitelisted
6544	svchost.exe	20.190.159.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7416	powershell.exe	185.199.110.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 20.73.194.208	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178 2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
github.com	140.82.121.4	whitelisted
login.live.com	20.190.159.129 40.126.31.69 40.126.31.131 40.126.31.128 40.126.31.1 20.190.159.4 40.126.31.73 20.190.159.131	whitelisted
raw.githubusercontent.com	185.199.110.133 185.199.108.133 185.199.111.133 185.199.109.133	whitelisted
applytics.nordvpn.com	104.21.67.201 172.67.180.146	unknown
ocsp.globalsign.com	104.18.20.226 104.18.21.226	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

asdasdsadasdsadasdsad.exe

0827AFB3895B5D15A56921FAED4E514E

A63219862FC051FB97D6AE2E7C8C42A9ED9CD866

9A42FF00294BCA618D76DC7DC79CE3BE2BE6E0ED65459280663F9047B5694657

49152:hmKm0EzJjugNclApph5OYz5nPymo+Uyz3YQakvsYnwVdvkMj+ye5PPw67ZFrPROD:hmKDEVCYyARzYSvsYgfO/NnpEW1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

SUSPICIOUS

Reads security settings of Internet Explorer

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Reads the date of Windows installation

The process bypasses the loading of PowerShell profile settings

Executable content was dropped or overwritten

Gets file extension (POWERSHELL)

The process creates files with name similar to system file names

Process drops legitimate windows executable

Adds/modifies Windows certificates

Command gets lists installed versions of .NET Runtime on the system

Starts CMD.EXE for commands execution

Reads the Windows owner or organization settings

Searches for installed software

INFO

Reads the computer name

Process checks computer location settings

Checks supported languages

Disables trace logs

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Create files in a temporary directory

Reads Environment values

Creates files in the program directory

Manual execution by a user

Reads the machine GUID from the registry

The sample compiled with english language support

Reads the software policy settings

Creates files or folders in the user directory

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity