Windows Loader.exe

The application Windows Loader.exe has been detected as a potentially unwanted program by 21 of the 68 anti-malware scanners used in this analysis. It is a setup program used to install the application. The file has been seen being downloaded from doc-0k-6o-docs.googleusercontent.com and multiple other hosts.
Version: 2.2.1.0

MD5: 3976bd5fcbb7cd13f0c12bb69afc2adc

SHA-1: 3b6bdca414a53df7c8c5096b953c4df87a1091c7

SHA-256: bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40

Scanner detections: 21 / 68

Status: Potentially unwanted

Analysis date: 11/24/2024 8:20:20 AM UTC

Scan engine | Detection | Engine version

Agnitum Outpost | HackTool.WinActivator | 7.1.1
avast! | Win32:PUP-gen [PUP] | 2014.9-131224
AVG | Generic9_c | 2014.0.3616
Bkav FE | W32.Cloda6f.Trojan | 1.3.0.4613
Clam AntiVirus | Win.Tool.Winactivator-1 | 0.98/22466
Comodo Security | ApplicUnwnt.Win32.HackTool.WinActivator.~A | 17490
Emsisoft Anti-Malware | Riskware.Win32.WinLoad | 10.0.0.5366
ESET NOD32 | Win32/HackTool.WinActivator.I potentially unsafe application | 6.3.12010.0
Fortinet FortiGate | W32/AutoRun.BSY | 12/24/2013
IKARUS anti.virus | HackTool.Win32.Gendows | t3scan.2.2.29
K7 AntiVirus | Hacktool | 13.174.10609
Malwarebytes | Trojan.Winload | v2013.12.24.04
McAfee | Artemis!3976BD5FCBB7 | 5600.7272
Microsoft Security Essentials | HackTool:Win32/Gendows | 1.231.977.0
Norman | Suspicious_Gen4.DEDBN | 11.20131224
Quick Heal | HackTool.Gendows (Not a Virus) | 12.13.12.00
Sophos | PUA 'Windows 7 Loader' (of type Hacktool) | 5.22
Trend Micro House Call | TROJ_GEN.R0C1H08I513 | 7.2.358
Trend Micro | CRCK_ACTIVATOR | 10.465.24
VIPRE Antivirus | Trojan.Win32.Generic | 24692
ViRobot | Trojan.Win32.A.ShipUp.3945501 | 2011.4.7.4223

File size: 3.8 MB (3,945,501 bytes)

Original file name: Windows Loader.exe

File type: Executable application (Win32 EXE)

Language: English (United States)

Common path: C:\users\{user}\appdata\local\temp\{random}.tmp\windows loader\windows loader.exe

File PE Metadata

Compilation timestamp: 10/31/2007 5:53:19 PM

OS version: 4.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 8.0

CTPH (ssdeep): 49152:wEYCFEfn+4NWcNKg/ngk4mY0bI1Wymfgvn81yJffTpuWV355FXw/+cuWV355FXwm:wEYz38cgg/ngk4mYfA7fgvn812nv

Entry address: 0x21A9A0

Entry point (first bytes): 60, BE, 00, B0, 58, 00, 8D, BE, 00, 60, E7, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 77, 80, 21, 00, 57, 83, C3, 04, 53, 68, 95, F9, 08, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Code size: 580 KB (593,920 bytes)

The file Windows Loader.exe has been seen being distributed from the following 21 URLs (those recorded on this page are listed below).

https://doc-0k-6o-docs.googleusercontent.com/docs/securesc/8jrfiq0bjggbqc78je6kjch5i6tgtu1r/4e62v8sbcl2el564kqd1astp4nb35jsr/1481745600000/.../04932824434792784042/0BwM3OMBEUbGxcFFOSWY2cWw3OXc?e=download

https://mega.nz/persistent/.../IUxg3TJI

https://doc-04-3s-docsviewer.googleusercontent.com/viewer/securedownload/btsmaf35cjijiu51oci8cdhl8k6esijl/7pbcucji20njji5du29fgh0r5m33i13d/1391250600000/ZXhwbG9yZXI=/.../MEJ4NjNvNzliTUM3bGFXbE5ORWxITlhwTmNFVQ==?a=dl&filename=Windows_Loader_v2.2.1.zip&sec=AHSqidZxK7j4SQv6t-tJYl_jZ_Ea1rTnoZpdkeN6bX85i9IkfJhC3lNNkYNGK9uhuZVWfQ9P7P4B&rel=zip;z5;Windows Loader.exe

https://doc-0c-b0-docs.googleusercontent.com/docs/securesc/92pbc59gjdsi21caue5re3t36hdst39l/f02vgmi1ggcgh1ebuvpea5ikaq6470rt/1479938400000/.../03545614940883989817/0B0yetPqe4DpjYndkZk95UUpYWFU?e=download

https://mega.nz/temporary/.../OFNnBLbb

http://dox.abv.bg/.../DownloadFile?eid=133437084&sha=0&m=

blob:0451455F-094F-49F5-9162-42765D35FF4B

https://doc-0g-3o-docs.googleusercontent.com/docs/securesc/0pvktvvv50bkaa91ijlnl7e83mdm8sg5/4gfmo5kkmm5pv14n3grcl2o7eva74k8s/1472284800000/.../01639261044747803772/0B5k9ZwqQ1mpIcWVXNVpnRmpqWFk?e=download

http://wyslijto.pl/.../zbkzrysecu

http://freenet.lg.ua/~kesha/files/install/win7/Activ_Win7_Ultimate/.../Windows Loader.exe

C:\Users\user\Downloads\Windows Loader v2.2.1-Windows Loader.exe

temp:Windows Loader.exe

about:internet

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
