File name:

winloader.exe

Full analysis: https://app.any.run/tasks/097cedf6-aebb-4840-b1de-4597276e6137
Verdict: Malicious activity
Analysis date: April 16, 2025, 15:22:48
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

8A51F8A35A1A36351BC2D0969CA67198

SHA1:

B33692F6F33E7F1BDC7078C388ADDFB07FE0CC6A

SHA256:

D5AE000E067BE55E9F27597A0F2C97C75480D5AC05E7A4701937EE777FB7DD79

SSDEEP:

196608:ZgK8l2TaMk2TyYpNUfkGrCKvr493VhDCsS7ub:SK97TyYNUfkGOKj4lVdCT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • winloader.exe (PID: 1616)

    • Process drops python dynamic module

      • winloader.exe (PID: 1616)

    • The process drops C-runtime libraries

      • winloader.exe (PID: 1616)

    • Application launched itself

      • winloader.exe (PID: 1616)

    • Executable content was dropped or overwritten

      • winloader.exe (PID: 1616)
      • winloader.exe (PID: 3412)

    • Loads Python modules

      • winloader.exe (PID: 3412)

    • There is functionality for taking screenshot (YARA)

      • winloader.exe (PID: 1616)

  • INFO

    • The sample compiled with english language support

      • winloader.exe (PID: 1616)

    • Reads the computer name

      • winloader.exe (PID: 1616)
      • winloader.exe (PID: 3412)

    • Checks supported languages

      • winloader.exe (PID: 1616)
      • winloader.exe (PID: 3412)

    • Create files in a temporary directory

      • winloader.exe (PID: 1616)

    • PyInstaller has been detected (YARA)

      • winloader.exe (PID: 1616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:16 11:50:27+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winloader.exe winloader.exe winloader.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1616"C:\Users\admin\Desktop\winloader.exe" C:\Users\admin\Desktop\winloader.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\winloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3412"C:\Users\admin\Desktop\winloader.exe" C:\Users\admin\Desktop\winloader.exe
winloader.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\winloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4376"C:\Users\admin\Desktop\winloader.exe" C:\Users\admin\Desktop\winloader.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\winloader.exe
c:\windows\system32\ntdll.dll
Total events
489
Read events
489
Write events
0
Delete events
0

Modification events

No data
Executable files
251
Suspicious files
3
Text files
924
Unknown types
0

Dropped files

PID
Process
Filename
Type
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_socket.pydexecutable
MD5:69C4A9A654CF6D1684B73A431949B333
SHA256:8DAEFAFF53E6956F5AEA5279A7C71F17D8C63E2B0D54031C3B9E82FCB0FB84DB
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_asyncio.pydexecutable
MD5:70DEC3CE00E5CAF45246736B53EA3AD0
SHA256:8CEF0CD8333F88A9F9E52FA0D151B5F661D452EFBCFC507DC28A46259B82596C
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_multiprocessing.pydexecutable
MD5:24AEE7D83525CB43AD02FD3116B28274
SHA256:3262EC7496D397C0B6BFB2F745516E9E225BD9246F78518852C61D559AA89485
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_queue.pydexecutable
MD5:59C05030E47BDE800AD937CCB98802D8
SHA256:E4956834DF819C1758D17C1C42A152306F7C0EA7B457CA24CE2F6466A6CB1CAA
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_tcl_data\encoding\big5.enctext
MD5:41A874778111CC218BD421CF9C795EC2
SHA256:AD1ED201B69855BFD353BF969DFC55576DA35A963ABF1BF7FC6D8B5142A61A61
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\VCRUNTIME140_1.dllexecutable
MD5:68156F41AE9A04D89BB6625A5CD222D4
SHA256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\VCRUNTIME140.dllexecutable
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_decimal.pydexecutable
MD5:F465C15E7BACEAC920DC58A5FB922C1C
SHA256:F4A486A0CA6A53659159A404614C7E7EDCCB6BFBCDEB844F6CEE544436A826CB
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_ctypes.pydexecutable
MD5:2185849BC0423F6641EE30804F475478
SHA256:199CD8D7DB743C316771EF7BBF414BA9A9CDAE1F974E90DA6103563B2023538D
1616winloader.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_bz2.pydexecutable
MD5:057325E89B4DB46E6B18A52D1A691CAA
SHA256:5BA872CAA7FCEE0F4FB81C6E0201CEED9BD92A3624F16828DD316144D292A869
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
18
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1352
svchost.exe
GET
200
23.53.40.146:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
1072
smartscreen.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ecc20a4edd2e69b
unknown
whitelisted
HEAD
200
23.197.142.186:443
https://fs.microsoft.com/fs/windows/config.json
unknown
2768
svchost.exe
GET
200
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a373b5c2c52739f9
unknown
whitelisted
2768
svchost.exe
GET
200
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cd93d97035913c62
unknown
whitelisted
2768
svchost.exe
GET
200
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9a78fd978e6e7371
unknown
whitelisted
2768
svchost.exe
GET
200
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?b05648a3364df18d
unknown
whitelisted
POST
200
4.231.66.184:443
https://checkappexec.microsoft.com/windows/shell/actions
unknown
binary
182 b
whitelisted
POST
200
40.126.31.128:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.128:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1352
svchost.exe
23.53.40.146:80
Akamai International B.V.
DE
unknown
1072
smartscreen.exe
20.93.72.182:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1072
smartscreen.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
2356
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2776
svchost.exe
52.168.117.168:443
v10.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
5312
svchost.exe
23.197.142.186:443
fs.microsoft.com
Akamai International B.V.
US
whitelisted
2768
svchost.exe
23.50.131.216:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
2988
OfficeClickToRun.exe
51.116.253.168:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
checkappexec.microsoft.com
  • 20.93.72.182
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.216
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.1
  • 20.190.159.23
  • 20.190.159.130
  • 20.190.159.68
  • 40.126.31.130
  • 40.126.31.2
whitelisted
v10.events.data.microsoft.com
  • 52.168.117.168
whitelisted
fs.microsoft.com
  • 23.197.142.186
whitelisted
self.events.data.microsoft.com
  • 51.116.253.168
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1352
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
winloader.exe