File name:

exploer.exe

Full analysis: https://app.any.run/tasks/53a51aeb-2396-4c85-96e0-c697cbb679f9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 15, 2025, 18:15:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
stealer
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

B2206D39954327573BD8E542BE16D09A

SHA1:

2F8DD4299B23141B6B793B6B7E4B2B824A11B831

SHA256:

425EA228A552ACF055B857CC129123480496B5E0BF2C8635C1787E90DCF57632

SSDEEP:

98304:51T2Q6boaoMC2xumzy72mlYEDTDXfPpQ/BUhWnXZLvbN+pl89blvtVlsSihbIa4x:kADQEEHtrVf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)

    • Deletes shadow copies

      • cmd.exe (PID: 6944)
      • cmd.exe (PID: 6268)

    • Actions looks like stealing of personal data

      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)

    • Renames files like ransomware

      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)

  • SUSPICIOUS

    • Process drops python dynamic module

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • Executable content was dropped or overwritten

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • The process drops C-runtime libraries

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • Process drops legitimate windows executable

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • Application launched itself

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • Loads Python modules

      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)

    • Starts CMD.EXE for commands execution

      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)

    • There is functionality for taking screenshot (YARA)

      • exploer.exe (PID: 4756)

  • INFO

    • Checks supported languages

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)
      • exploer.exe (PID: 6488)

    • Reads the computer name

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • The sample compiled with english language support

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)

    • Create files in a temporary directory

      • exploer.exe (PID: 4756)
      • exploer.exe (PID: 6488)
      • exploer.exe (PID: 6032)
      • exploer.exe (PID: 6768)

    • PyInstaller has been detected (YARA)

      • exploer.exe (PID: 4756)

    • Manual execution by a user

      • exploer.exe (PID: 6488)

    • Creates files or folders in the user directory

      • exploer.exe (PID: 6768)
      • exploer.exe (PID: 6032)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 1272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:15 18:14:42+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start exploer.exe exploer.exe cmd.exe no specs conhost.exe no specs vssadmin.exe no specs sppextcomobj.exe no specs slui.exe no specs exploer.exe exploer.exe cmd.exe no specs conhost.exe no specs vssadmin.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664vssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
900\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1272C:\WINDOWS\system32\OpenWith.exe -EmbeddingC:\Windows\System32\OpenWith.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1532C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
4608"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4756"C:\Users\admin\Desktop\exploer.exe" C:\Users\admin\Desktop\exploer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\exploer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5380vssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6032"C:\Users\admin\Desktop\exploer.exe" C:\Users\admin\Desktop\exploer.exe
exploer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\exploer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6268C:\WINDOWS\system32\cmd.exe /c "vssadmin delete shadows /all /quiet"C:\Windows\System32\cmd.exeexploer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
926
Read events
924
Write events
2
Delete events
0

Modification events

(PID) Process:(6032) exploer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:WindowsExplr
Value:
C:\Users\admin\Desktop\exploer.exe
(PID) Process:(6768) exploer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:WindowsExplr
Value:
C:\Users\admin\Desktop\exploer.exe
Executable files
24
Suspicious files
553
Text files
34
Unknown types
0

Dropped files

PID
Process
Filename
Type
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\_socket.pydexecutable
MD5:B77017BAA2004833EF3847A3A3141280
SHA256:A19E3C7C03EF1B5625790B1C9C42594909311AB6DF540FBF43C6AA93300AB166
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\_decimal.pydexecutable
MD5:C88282908BA54510EDA3887C488198EB
SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\libffi-8.dllexecutable
MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
SHA256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\_hashlib.pydexecutable
MD5:B4FF25B1ACA23D48897FC616E102E9B6
SHA256:87DD0C858620287454FD6D31D52B6A48EDDBB2A08E09E8B2D9FDB0B92200D766
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\_ctypes.pydexecutable
MD5:565D011CE1CEE4D48E722C7421300090
SHA256:C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\_bz2.pydexecutable
MD5:AA1083BDE6D21CABFC630A18F51B1926
SHA256:00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\base_library.zipcompressed
MD5:237EFA42FF081A4FA17F148F105DB25A
SHA256:9328E6CA576E3E999ABE554799D5C8B9024EBB936B31EF76C147223B03622132
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\python311.dllexecutable
MD5:387BB2C1E40BDE1517F06B46313766BE
SHA256:0817A2A657A24C0D5FBB60DF56960F42FC66B3039D522EC952DAB83E2D869364
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\libcrypto-3.dllexecutable
MD5:E547CF6D296A88F5B1C352C116DF7C0C
SHA256:05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
4756exploer.exeC:\Users\admin\AppData\Local\Temp\_MEI47562\select.pydexecutable
MD5:E4AB524F78A4CF31099B43B35D2FAEC3
SHA256:BAE0974390945520EB99AB32486C6A964691F8F4A028AC408D98FA8FB0DB7D90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4068
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4068
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.129
  • 40.126.31.67
  • 40.126.31.129
  • 40.126.31.1
  • 40.126.31.3
  • 40.126.31.130
  • 20.190.159.128
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
exploer.exe