File name: loader.exe
Full analysis: https://app.any.run/tasks/90735ac4-a3ac-4113-af54-ded480788f55
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 09, 2025, 09:55:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sinkhole
m0yv
stealer
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 12 sections
MD5: 89E72E7B505E4B2DFCEC1399BB670762
SHA1: BB8FF890DE75F6FE98EC37005F5A6666CEBF2EBD
SHA256: CC6BE9BE83C5125545564B606915E2FDC71F870975340DC7181800A4E59C0326
SSDEEP: 98304:BoMQNDF3vVN2k71AHzFTI+h6a+fP0aIzuzN7b9O+eZHoAZjoZwnKUdO7zz5avxzb:I3xzDrREujBExmS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • loader.exe (PID: 904)
      • FlashPlayerUpdateService.exe (PID: 6644)
      • AppVClient.exe (PID: 3096)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 1660)
      • elevation_service.exe (PID: 7184)
      • elevation_service.exe (PID: 7436)
      • maintenanceservice.exe (PID: 7588)
      • PerceptionSimulationService.exe (PID: 7772)
      • perfhost.exe (PID: 7852)
      • PSEXESVC.exe (PID: 7936)
      • Spectrum.exe (PID: 8084)
      • ssh-agent.exe (PID: 8144)
    • M0YV has been detected (YARA)

      • DiagnosticsHub.StandardCollector.Service.exe (PID: 1660)
      • loader.exe (PID: 904)
      • armsvc.exe (PID: 4784)
      • alg.exe (PID: 6480)
    • Request for a sinkholed resource

      • loader.exe (PID: 904)
    • Actions looks like stealing of personal data

      • DiagnosticsHub.StandardCollector.Service.exe (PID: 1660)
  • SUSPICIOUS

    • Executes as Windows Service

      • armsvc.exe (PID: 4784)
      • FlashPlayerUpdateService.exe (PID: 6644)
      • alg.exe (PID: 6480)
      • AppVClient.exe (PID: 3096)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 1660)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • FXSSVC.exe (PID: 6456)
      • GameInputSvc.exe (PID: 5892)
      • GoogleUpdate.exe (PID: 7240)
      • maintenanceservice.exe (PID: 7588)
      • msdtc.exe (PID: 7688)
      • PSEXESVC.exe (PID: 7936)
      • perfhost.exe (PID: 7852)
      • Locator.exe (PID: 7976)
      • snmptrap.exe (PID: 8048)
      • SensorDataService.exe (PID: 8008)
      • Spectrum.exe (PID: 8084)
      • PerceptionSimulationService.exe (PID: 7772)
      • ssh-agent.exe (PID: 8144)
      • VSSVC.exe (PID: 7244)
      • AgentService.exe (PID: 7352)
      • vds.exe (PID: 7364)
      • TieringEngineService.exe (PID: 2384)
      • wbengine.exe (PID: 7644)
      • WmiApSrv.exe (PID: 7476)
      • MicrosoftEdgeUpdate.exe (PID: 8528)
      • GoogleUpdate.exe (PID: 5360)
    • Reads the BIOS version

      • loader.exe (PID: 904)
    • Executable content was dropped or overwritten

      • loader.exe (PID: 904)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 1660)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeUpdate.exe (PID: 6272)
      • GameInputSvc.exe (PID: 5892)
      • GoogleUpdate.exe (PID: 7240)
      • GoogleUpdate.exe (PID: 7356)
      • MicrosoftEdgeUpdate.exe (PID: 8528)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5680)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7280)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7312)
      • MicrosoftEdgeUpdate.exe (PID: 6324)
    • Process drops legitimate windows executable

      • loader.exe (PID: 904)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 7616)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 7616)
  • INFO

    • Checks supported languages

      • loader.exe (PID: 904)
      • armsvc.exe (PID: 4784)
      • FlashPlayerUpdateService.exe (PID: 6644)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5680)
      • MicrosoftEdgeUpdate.exe (PID: 6272)
      • MicrosoftEdgeUpdate.exe (PID: 6324)
      • elevation_service.exe (PID: 7184)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7280)
      • GoogleUpdate.exe (PID: 7240)
      • GoogleUpdate.exe (PID: 7356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7312)
      • elevation_service.exe (PID: 7436)
      • MicrosoftEdgeUpdate.exe (PID: 7428)
      • GoogleCrashHandler.exe (PID: 7420)
      • GoogleUpdate.exe (PID: 7544)
      • GoogleCrashHandler64.exe (PID: 7476)
      • maintenanceservice.exe (PID: 7588)
      • GoogleUpdate.exe (PID: 7400)
      • PSEXESVC.exe (PID: 7936)
      • ssh-agent.exe (PID: 8144)
      • MicrosoftEdgeUpdate.exe (PID: 8528)
      • GoogleUpdate.exe (PID: 5360)
      • MicrosoftEdgeUpdate.exe (PID: 8660)
    • Reads the computer name

      • loader.exe (PID: 904)
      • armsvc.exe (PID: 4784)
      • FlashPlayerUpdateService.exe (PID: 6644)
      • MicrosoftEdgeUpdate.exe (PID: 6272)
      • MicrosoftEdgeUpdate.exe (PID: 6324)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5680)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7280)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7312)
      • GoogleUpdate.exe (PID: 7240)
      • elevation_service.exe (PID: 7184)
      • GoogleUpdate.exe (PID: 7356)
      • GoogleUpdate.exe (PID: 7400)
      • MicrosoftEdgeUpdate.exe (PID: 7428)
      • elevation_service.exe (PID: 7436)
      • GoogleCrashHandler.exe (PID: 7420)
      • GoogleCrashHandler64.exe (PID: 7476)
      • GoogleUpdate.exe (PID: 7544)
      • maintenanceservice.exe (PID: 7588)
      • PSEXESVC.exe (PID: 7936)
      • ssh-agent.exe (PID: 8144)
      • MicrosoftEdgeUpdate.exe (PID: 8528)
      • MicrosoftEdgeUpdate.exe (PID: 8660)
      • GoogleUpdate.exe (PID: 5360)
    • Creates files or folders in the user directory

      • loader.exe (PID: 904)
      • GoogleUpdate.exe (PID: 7400)
    • Process checks whether UAC notifications are on

      • loader.exe (PID: 904)
    • Checks proxy server information

      • loader.exe (PID: 904)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 6456)
      • GoogleUpdate.exe (PID: 7240)
      • GoogleUpdate.exe (PID: 7356)
      • GoogleUpdate.exe (PID: 7400)
      • maintenanceservice.exe (PID: 7588)
      • GoogleUpdate.exe (PID: 7544)
      • SearchIndexer.exe (PID: 7416)
      • GoogleUpdate.exe (PID: 5360)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 4040)
      • GoogleUpdate.exe (PID: 7400)
      • MicrosoftEdgeUpdate.exe (PID: 8660)
      • MicrosoftEdgeUpdate.exe (PID: 8528)
      • GoogleUpdate.exe (PID: 5360)
    • Executes as Windows Service

      • elevation_service.exe (PID: 7184)
      • elevation_service.exe (PID: 7436)
      • SearchIndexer.exe (PID: 7416)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 7688)
    • The sample compiled with english language support

      • loader.exe (PID: 904)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 1660)
    • Reads the time zone

      • TieringEngineService.exe (PID: 2384)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 8660)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 1240)
    • Create files in a temporary directory

      • svchost.exe (PID: 7616)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:08 17:30:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 2444800
InitializedDataSize: 296960
UninitializedDataSize: -
EntryPoint: 0x8e4058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 184
Monitored processes: 53
Malicious processes: 15
Suspicious processes: 3

Behavior graph

start #M0YV loader.exe conhost.exe no specs #M0YV armsvc.exe no specs #M0YV flashplayerupdateservice.exe no specs #M0YV alg.exe no specs #M0YV appvclient.exe no specs #M0YV diagnosticshub.standardcollector.service.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs fxssvc.exe no specs microsoftedgeupdatecomregistershell64.exe no specs gameinputsvc.exe no specs gameinputsvc.exe no specs #M0YV elevation_service.exe no specs googleupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs googleupdate.exe no specs googleupdate.exe googlecrashhandler.exe no specs microsoftedgeupdate.exe no specs #M0YV elevation_service.exe no specs googlecrashhandler64.exe no specs googleupdate.exe no specs #M0YV maintenanceservice.exe no specs msdtc.exe no specs #M0YV perceptionsimulationservice.exe no specs #M0YV perfhost.exe no specs #M0YV psexesvc.exe no specs locator.exe no specs sensordataservice.exe no specs snmptrap.exe no specs #M0YV spectrum.exe no specs #M0YV ssh-agent.exe no specs svchost.exe tieringengineservice.exe no specs agentservice.exe no specs vds.exe no specs vssvc.exe no specs wbengine.exe no specs wmiapsrv.exe no specs searchindexer.exe no specs sppextcomobj.exe no specs slui.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe Delivery Optimization User no specs googleupdate.exe svchost.exe searchprotocolhost.exe no specs searchfilterhost.exe no specs loader.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID:
668
CMD:
"C:\WINDOWS\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Path:
C:\Windows\System32\SearchFilterHost.exe
Parent process:
SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Version:
7.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
904
CMD:
"C:\Users\admin\AppData\Local\Temp\loader.exe"
Path:
C:\Users\admin\AppData\Local\Temp\loader.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
1240
CMD:
"C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path:
C:\Windows\System32\SearchProtocolHost.exe
Parent process:
SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\tquery.dll
c:\windows\system32\combase.dll
PID:
1660
CMD:
C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Path:
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft (R) Diagnostics Hub Standard Collector
Version:
11.00.19041.3930 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sechost.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2384
CMD:
C:\WINDOWS\system32\TieringEngineService.exe
Path:
C:\Windows\System32\TieringEngineService.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Storage Tiers Management
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tieringengineservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3096
CMD:
C:\WINDOWS\system32\AppVClient.exe
Path:
C:\Windows\System32\AppVClient.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Application Virtualization Client Service
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\appvclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp_win.dll
PID:
4040
CMD:
"C:\WINDOWS\System32\GameInputSvc.exe" Global\GameInputSession_5
Path:
C:\Windows\System32\GameInputSvc.exe
Parent process:
GameInputSvc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
GameInput Host Service
Version:
0.2309.19041.4046
Modules
Images
c:\windows\system32\gameinputsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
PID:
4120
CMD:
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
Path:
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.147.37
Modules
Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
4784
CMD:
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Path:
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Adobe Inc.
Integrity Level:
SYSTEM
Description:
Acrobat Update Service
Version:
1.824.460.1042
Modules
Images
c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events: 16 717
Read events: 14 809
Write events: 1 852
Delete events: 56

Modification events

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}\InprocHandler32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{491B3F26-48E7-4BF4-9079-EEAC5D81371F}\InProcServer32
Operation: write
Name: ThreadingModel
Value: Both

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
Operation: delete key
Name: (default)
Value:

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}
Operation: delete key
Name: (default)
Value:

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
Operation: delete key
Name: (default)
Value:

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}
Operation: delete key
Name: (default)
Value:

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}\InprocHandler32
Operation: delete key
Name: (default)
Value:

(PID) Process: (6324) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25D72A6A-8A84-4E25-886B-02FD23A7A104}
Operation: delete key
Name: (default)
Value:
Executable files: 146
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

904 | loader.exe | C:\Windows\System32\FXSSVC.exe | executable
MD5: DAD479FB33229D795709031D98875CB8
SHA256: 1BDCD531DBDAA01C16A4D38E017974F8FF2649216465E9794F1CB4F63929997F

904 | loader.exe | C:\Windows\System32\GameInputSvc.exe | executable
MD5: D90D7E7E4458B9B2A0ECD70D3FCB3303
SHA256: 7BE2755668E7CB1A140949A2EF7EF990B8D72CD7BCDC9C023F9C34932C22AD4E

904 | loader.exe | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | executable
MD5: 52D6EBACC8AA07D02FA0C5A1407BD3AA
SHA256: 18396641AFD30D31949DB8EDD10E23B6DAA52560AB963C77C027C91CE3CEDB8C

904 | loader.exe | C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe | executable
MD5: E9CABF6AE3553EDC067FBB686017F717
SHA256: 48788F88D5620B439F59ED00F6FBD345AE92AC0A2F41159DCA3A05067C9BB0FD

4120 | MicrosoftEdgeUpdate.exe | C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log | binary
MD5: 97B55B812DFB5E9BF926522873A647D4
SHA256: 3C17893DB8E4E354407174BA0F88D54081745F91B5872CB62E9DF307004582A2

904 | loader.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | executable
MD5: B904AD10CB1CACDF32FCE10173ED081B
SHA256: ABD809DE149DDA9157C0EDECAFE28D4F87276E2967A6400428A66A224B0658FD

6644 | FlashPlayerUpdateService.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 669DB7069BCD46E2D1985207949A4D23
SHA256: C93AAB39FF73EE7BCED1F0FC562074853F028497F2C36170B38C367A0B25A626

904 | loader.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: DCA9A6FF31FF1EB558AA6378EFCC3FFC
SHA256: 6D750F8F6E41730A2F86DA643DE3EAB0467FA89074900FF591B8462510894DFE

3096 | AppVClient.exe | C:\Windows\System32\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 0CCB2EE792B7C15D90DA9EFCF062589D
SHA256: 6A48DB8FF4774C0CC7E71EA5B0B490F24D7C34B8127BF8D09CA8F903251F079D

904 | loader.exe | C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | executable
MD5: 6B6135AF6830574B1C2F52321AE2EEB2
SHA256: 4AAB30E8AF419F08C20472932F0983E55936CF6E68856DF5118087DFBF6B0364
HTTP(S) requests: 214
TCP/UDP connections: 49
DNS requests: 41
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
904 | loader.exe | POST | 200 | 52.11.240.239:80 | http://pywolwnvd.biz/xbnaul | unknown | malicious
1660 | DiagnosticsHub.StandardCollector.Service.exe | POST | 200 | 52.11.240.239:80 | http://pywolwnvd.biz/iflfpdyfwvt | unknown | malicious
- | - | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1660 | DiagnosticsHub.StandardCollector.Service.exe | POST | 200 | 13.213.51.196:80 | http://ssbzmoy.biz/pwa | unknown | unknown
904 | loader.exe | POST | 200 | 52.11.240.239:80 | http://cvgrf.biz/wnrdp | unknown | malicious
904 | loader.exe | POST | 200 | 13.213.51.196:80 | http://ssbzmoy.biz/iflfpdyfwvt | unknown | malicious
904 | loader.exe | GET | 200 | 199.59.243.228:80 | http://ww7.przvgke.biz/lyppxoq?usid=17&utid=38057269446 | unknown | malicious
904 | loader.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/hu | unknown | malicious
904 | loader.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/lyppxoq | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
- | - | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
904 | loader.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
904 | loader.exe | 13.213.51.196:80 | ssbzmoy.biz | AMAZON-02 | SG | malicious
1660 | DiagnosticsHub.StandardCollector.Service.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
1660 | DiagnosticsHub.StandardCollector.Service.exe | 13.213.51.196:80 | ssbzmoy.biz | AMAZON-02 | SG | malicious
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
pywolwnvd.biz
  • 52.11.240.239
malicious
ssbzmoy.biz
  • 13.213.51.196
malicious
cvgrf.biz
  • 52.11.240.239
malicious
npukfztj.biz
  • 3.229.117.57
malicious
przvgke.biz
  • 72.52.178.23
unknown
ww7.przvgke.biz
  • 199.59.243.228
malicious
clients2.google.com
  • 142.250.184.206
whitelisted

Threats

PID | Process | Class | Message

904 | loader.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
904 | loader.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
904 | loader.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
904 | loader.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
904 | loader.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
904 | loader.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
7616 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7616 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
No debug info