File name:

NewLoader.exe

Full analysis: https://app.any.run/tasks/28db971f-0aa2-453a-9e6a-9335c9544fba
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: March 09, 2025, 17:23:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
stealer
evasion
exela
discord
screenshot
pyinstaller
susp-powershell
discordgrabber
generic
ims-api
growtopia
upx
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

20D337BC0AD31F6784F790ECB791F0DD

SHA1:

A92B6B99B85D133E11601258868C5EFA5245C72C

SHA256:

E24FA4839AB85A00292E8E422220565A19A4D2AEA246CE40288B67319776243A

SSDEEP:

98304:u1T2Q6lX9O4zNM//n1WaxV5U60oNek9JKd+gEKQfOeW/OKeJqQKHH7bmY90GpJNF:HWDEmZxth+XyY6YWoq45+e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 7724)

    • Actions looks like stealing of personal data

      • NewLoader.exe (PID: 6036)

    • Steals credentials from Web Browsers

      • NewLoader.exe (PID: 6036)

    • ExelaStealer has been detected

      • NewLoader.exe (PID: 6036)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 3888)
      • net.exe (PID: 7196)
      • net.exe (PID: 7552)
      • cmd.exe (PID: 7264)

    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 7264)
      • net.exe (PID: 4408)
      • net.exe (PID: 660)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7204)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 632)

    • DISCORDGRABBER has been detected (YARA)

      • NewLoader.exe (PID: 6036)

    • GROWTOPIA has been detected (YARA)

      • NewLoader.exe (PID: 6036)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)

    • Process drops legitimate windows executable

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)

    • Process drops python dynamic module

      • NewLoader.exe (PID: 4776)

    • Application launched itself

      • NewLoader.exe (PID: 4776)
      • cmd.exe (PID: 6040)
      • cmd.exe (PID: 6540)

    • The process drops C-runtime libraries

      • NewLoader.exe (PID: 4776)

    • Get information on the list of running processes

      • cmd.exe (PID: 4452)
      • NewLoader.exe (PID: 6036)
      • cmd.exe (PID: 7364)
      • cmd.exe (PID: 7752)
      • cmd.exe (PID: 1760)
      • cmd.exe (PID: 7264)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 5392)

    • Loads Python modules

      • NewLoader.exe (PID: 6036)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 5332)
      • cmd.exe (PID: 7216)

    • Starts CMD.EXE for commands execution

      • NewLoader.exe (PID: 6036)
      • cmd.exe (PID: 6040)
      • cmd.exe (PID: 6540)

    • Executable content was dropped or overwritten

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)
      • csc.exe (PID: 4756)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7484)
      • WMIC.exe (PID: 7364)
      • WMIC.exe (PID: 7688)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6564)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 1676)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7652)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7568)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 7968)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 6872)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7264)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7204)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7392)

    • Checks for external IP

      • NewLoader.exe (PID: 6036)
      • svchost.exe (PID: 2196)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 7264)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 6564)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 7264)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 7264)

    • Windows service management via SC.EXE

      • sc.exe (PID: 8096)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 7264)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7264)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 7264)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 7264)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7204)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7204)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7204)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • NewLoader.exe (PID: 6036)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 632)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4756)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 7212)

  • INFO

    • Checks supported languages

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)
      • chcp.com (PID: 3140)
      • chcp.com (PID: 7212)
      • csc.exe (PID: 4756)
      • cvtres.exe (PID: 8064)
      • ShellExperienceHost.exe (PID: 7212)

    • The sample compiled with english language support

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)

    • Reads the computer name

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)
      • ShellExperienceHost.exe (PID: 7212)

    • Create files in a temporary directory

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)
      • csc.exe (PID: 4756)
      • cvtres.exe (PID: 8064)

    • Checks operating system version

      • NewLoader.exe (PID: 6036)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5800)
      • WMIC.exe (PID: 7272)
      • WMIC.exe (PID: 7484)
      • WMIC.exe (PID: 6564)
      • BackgroundTransferHost.exe (PID: 7996)
      • WMIC.exe (PID: 8120)
      • WMIC.exe (PID: 7508)
      • BackgroundTransferHost.exe (PID: 7560)
      • BackgroundTransferHost.exe (PID: 8004)
      • WMIC.exe (PID: 7364)
      • BackgroundTransferHost.exe (PID: 6752)
      • WMIC.exe (PID: 7688)
      • BackgroundTransferHost.exe (PID: 7584)

    • Creates files or folders in the user directory

      • NewLoader.exe (PID: 6036)
      • BackgroundTransferHost.exe (PID: 7560)

    • Changes the display of characters in the console

      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 6872)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7232)

    • Reads the time zone

      • net1.exe (PID: 6540)
      • net1.exe (PID: 7408)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 8136)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7560)
      • slui.exe (PID: 5756)

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7560)
      • slui.exe (PID: 3020)
      • slui.exe (PID: 5756)

    • PyInstaller has been detected (YARA)

      • NewLoader.exe (PID: 4776)
      • NewLoader.exe (PID: 6036)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • NewLoader.exe (PID: 6036)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 4756)

    • Application based on Rust

      • NewLoader.exe (PID: 6036)

    • UPX packer has been detected

      • NewLoader.exe (PID: 6036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(6036) NewLoader.exe
Discord-Webhook-Tokens (1)1344026663607996531/sw5LhmFAHZrwJu8Rh5m9JTZYPUPgVJSUQFUt5MOU66vK1ilf4CKlz0sNB-V2iJ1u1edK
Discord-Info-Links
1344026663607996531/sw5LhmFAHZrwJu8Rh5m9JTZYPUPgVJSUQFUt5MOU66vK1ilf4CKlz0sNB-V2iJ1u1edK
Get Webhook Infohttps://discord.com/api/webhooks/1344026663607996531/sw5LhmFAHZrwJu8Rh5m9JTZYPUPgVJSUQFUt5MOU66vK1ilf4CKlz0sNB-V2iJ1u1edK
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:02:25 19:31:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Exela Services
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Exela.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Exela.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
240
Monitored processes
104
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start newloader.exe #DISCORDGRABBER newloader.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs wmic.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs chcp.com no specs chcp.com no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs systeminfo.exe no specs netsh.exe no specs svchost.exe tiworker.exe no specs backgroundtransferhost.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs backgroundtransferhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs backgroundtransferhost.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs shellexperiencehost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
632powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
660net localgroup administrators C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
680\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1228C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"C:\Windows\System32\cmd.exeNewLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1276C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeNewLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1348netsh firewall show configC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1628\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1676C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"C:\Windows\System32\cmd.exeNewLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1760C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"C:\Windows\System32\cmd.exeNewLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
28 533
Read events
28 513
Write events
20
Delete events
0

Modification events

(PID) Process:(7724) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Exela Update Service
Value:
C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe
(PID) Process:(7948) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31166743
(PID) Process:(7948) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
(PID) Process:(7996) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7996) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7996) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7560) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7560) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7560) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(8004) BackgroundTransferHost.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:writeName:CachePrefix
Value:
Executable files
35
Suspicious files
39
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\VCRUNTIME140.dllexecutable
MD5:F12681A472B9DD04A812E16096514974
SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_ssl.pydexecutable
MD5:FD0F4AED22736098DC146936CBF0AD1D
SHA256:50404A6A3DE89497E9A1A03FF3DF65C6028125586DCED1A006D2ABB9009A9892
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_overlapped.pydexecutable
MD5:97A40F53A81C39469CC7C8DD00F51B5D
SHA256:11879A429C996FEE8BE891AF2BEC7D00F966593F1E01CA0A60BD2005FEB4176F
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_sqlite3.pydexecutable
MD5:D9EEEEACC3A586CF2DBF6DF366F6029E
SHA256:67649E1E8ACD348834EFB2C927AB6A7599CF76B2C0C0A50B137B3BE89C482E29
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_bz2.pydexecutable
MD5:80C69A1D87F0C82D6C4268E5A8213B78
SHA256:307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_decimal.pydexecutable
MD5:E9501519A447B13DCCA19E09140C9E84
SHA256:6B5FE2DEA13B84E40B0278D1702AA29E9E2091F9DC09B64BBFF5FD419A604C3C
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_hashlib.pydexecutable
MD5:0629BDB5FF24CE5E88A2DDCEDE608AEE
SHA256:F404BB8371618BBD782201F092A3BCD7A96D3C143787EBEA1D8D86DED1F4B3B8
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_asyncio.pydexecutable
MD5:1B8CE772A230A5DA8CBDCCD8914080A5
SHA256:FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_cffi_backend.cp311-win_amd64.pydexecutable
MD5:0F0F1C4E1D043F212B00473A81C012A3
SHA256:FDA255664CBF627CB6A9CD327DAF4E3EB06F4F0707ED2615E86E2E99B422AD0B
4776NewLoader.exeC:\Users\admin\AppData\Local\Temp\_MEI47762\_lzma.pydexecutable
MD5:BFCA96ED7647B31DD2919BEDEBB856B8
SHA256:032B1A139ADCFF84426B6E156F9987B501AD42ECFB18170B10FB54DA0157392E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
35
DNS requests
19
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6036
NewLoader.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8072
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7324
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7560
BackgroundTransferHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
8072
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6036
NewLoader.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7324
backgroundTaskHost.exe
20.74.47.205:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7324
backgroundTaskHost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.128
  • 40.126.31.0
  • 20.190.159.75
  • 40.126.31.1
  • 40.126.31.131
  • 20.190.159.131
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
www.bing.com
  • 92.123.104.28
  • 92.123.104.38
  • 92.123.104.59
  • 92.123.104.52
  • 92.123.104.67
  • 92.123.104.32
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.137.232
whitelisted
api.gofile.io
  • 45.112.123.126
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6036
NewLoader.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6036
NewLoader.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
6036
NewLoader.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6036
NewLoader.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
6036
NewLoader.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NewLoader.exe