File name:

ExLoader_Installer.exe

Full analysis: https://app.any.run/tasks/c29e28bc-3cab-487d-86bc-7096dbcdf7f7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 29, 2025, 19:23:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
evasion
auto
generic
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

52EAE747EFB0F59EF8F6D9E3E1F1E409

SHA1:

21BD2C778A1EEE7F8C3111F8C2068F4A88EC278B

SHA256:

5DF1F0FFD0E5B810D8C712ED37A6847AF4819CDDF56F7B0A46A898F47C2B82B6

SSDEEP:

393216:xbHpVnhewKA4vwBoR3mo00PveSkTk1wOnW:xbrA7A4vuoR2o00Pv2GW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • ExLoader_Installer.exe (PID: 7964)
    • GENERIC has been found (auto)

      • ExLoader_Installer.exe (PID: 7964)
    • Actions look like stealing browser data

      • ExLoader_Installer.exe (PID: 7964)
    • Changes Windows Defender settings

      • ExLoader_Installer.exe (PID: 7964)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Process drops legitimate windows executable

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Reads security settings of Internet Explorer

      • ExLoader_Installer.exe (PID: 7736)
    • Executable content was dropped or overwritten

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Reads the date of Windows installation

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Reads the Windows owner or organization settings

      • ExLoader_Installer.exe (PID: 7964)
    • Starts POWERSHELL.EXE for commands execution

      • ExLoader_Installer.exe (PID: 7964)
    • There is functionality for taking screenshot (YARA)

      • ExLoader_Installer.exe (PID: 7964)
      • ExLoader_Installer.exe (PID: 7736)
    • Checks for external IP

      • svchost.exe (PID: 2276)
      • ExLoader_Installer.exe (PID: 7964)
    • Connects to unusual port

      • ExLoader_Installer.exe (PID: 7964)
    • Script adds exclusion path to Windows Defender

      • ExLoader_Installer.exe (PID: 7964)
  • INFO

    • Checks supported languages

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Reads the computer name

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Creates files in a temporary directory

      • ExLoader_Installer.exe (PID: 7736)
      • powershell.exe (PID: 7204)
    • The sample is compiled with English language support

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Process checks computer location settings

      • ExLoader_Installer.exe (PID: 7736)
      • ExLoader_Installer.exe (PID: 7964)
    • Reads Environment values

      • ExLoader_Installer.exe (PID: 7964)
    • Reads Windows Product ID

      • ExLoader_Installer.exe (PID: 7964)
    • Reads product name

      • ExLoader_Installer.exe (PID: 7964)
    • Creates files or folders in the user directory

      • ExLoader_Installer.exe (PID: 7964)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 7204)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2220)
    • Checks proxy server information

      • slui.exe (PID: 5320)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2220)
    • Creates files in the program directory

      • ExLoader_Installer.exe (PID: 7964)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2009:08:16 11:05:47+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 9
CodeSize: 59904
InitializedDataSize: 128000
UninitializedDataSize: -
EntryPoint: 0xa9ec
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
11
Malicious processes
2
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1376
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x102c460,0x102c46c,0x102c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2220
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
PID: 2276
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5320
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7204
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 7212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7724
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7736
CMD: "C:\Users\admin\Desktop\ExLoader_Installer.exe"
Path: C:\Users\admin\Desktop\ExLoader_Installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7820
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
MEDIUM
Description:
Installer for unified library of in-game modifications.
Exit code:
3221226540
Version:
2.0.18+2305
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
Total events
40 026
Read events
40 025
Write events
1
Delete events
0

Modification events

(PID) Process: (7736) ExLoader_Installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation: write
Name: C%%Users%admin%AppData%Local%Temp
Value:
C:\Users\admin\AppData\Local\Temp\RarSFX0
Executable files
22
Suspicious files
66
Text files
217
Unknown types
1

Dropped files

PID | Process | Filename | Type
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\app.so | -
  MD5: -
  SHA256: -
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\flutter_inappwebview_windows_plugin.dll | executable
  MD5: 59ADB565BF24CB70AE79DBD7EA0A8CF8
  SHA256: 8790BC2922F377A591D30FEC13875EBEEE0FB9018A6EE01FD271F72DD9ADFAFF
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\permission_handler_windows_plugin.dll | executable
  MD5: 78B019FF7E7C501DCA787BF3F21CE077
  SHA256: 3E2C11DC3FEA525461AB7A6561DDC7BDF384BB70D694A9F386796C63F1E688AF
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll | executable
  MD5: EB49C1D33B41EB49DFED58AAFA9B9A8F
  SHA256: 6D3A6CDE6FC4D3C79AABF785C04D2736A3E2FD9B0366C9B741F054A13ECD939E
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\WebView2Loader.dll | executable
  MD5: 0AD9319FA14D39C0812583337546CA20
  SHA256: 1D963A02D8A7FA3E7EAC2E936DAD5559C4D63327F35B0A09787FFC1D58F9C18D
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\NativeAssetsManifest.json | binary
  MD5: F3A664E105B4F792C6C7FE4E4D22C398
  SHA256: 9548A31E4A048135C1D94F919328BFB62AE2C7BB3CAB96557C7941DAA97776CB
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\url_launcher_windows_plugin.dll | executable
  MD5: 937AC348894F0044419777BE6AB6E33A
  SHA256: 66751A8777343ABAA78428E8AE0D9346A6325D26C2B7979A19C323F5C578E659
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin | binary
  MD5: 972F77F9C6216A589F87C9AF2BE241A0
  SHA256: 6AE503BE8EDF6E151D93A7716C89ABC58368719859B1BEEF719431E544BF0B34
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json | text
  MD5: ABFB6C8E4501348BBD701D03698E9B3E
  SHA256: 9E0903A9CEB64E32F7A139A143324252AAE77DC58DBEFB1F211FE03AA33460DB
7736 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\packages\flutter_inappwebview_web\assets\web\web_support.js | binary
  MD5: 509AE636CFDD93E49B5A6EAF0F06D79F
  SHA256: 2F9CCEF9DB4DA6B73D3C678FFE570AAD402791B00DFA520730FDB66D0DC209FC
HTTP(S) requests
36
TCP/UDP connections
67
DNS requests
44
Threats
9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 212.82.100.137:443 | https://search.yahoo.com/search?p=weather&fr=yfp-t&&ei=UTF-8&fp=1 | CH | binary | 195 Kb | unknown
- | - | POST | 200 | 20.190.160.64:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | unknown
- | - | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
- | - | GET | 200 | 104.20.28.184:443 | https://data.exloader.net/ExLoader.zip | US | compressed | 22.6 Mb | unknown
2268 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted
- | - | GET | 301 | 213.180.193.146:443 | https://meteum.ai/weather/en-US | RU | text | 11 b | unknown
2268 | SIHClient.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | NL | binary | 824 b | whitelisted
- | - | GET | 200 | 213.180.193.146:443 | https://meteum.ai/weather/en | RU | html | 858 Kb | unknown
2268 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 401 b | whitelisted
2268 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
6492 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 104.126.37.185:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
6492 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
2972 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5596 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
login.live.com | 20.190.160.64, 20.190.160.65, 40.126.32.76, 20.190.160.132, 20.190.160.20, 20.190.160.22, 20.190.160.4, 40.126.32.140 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
www.bing.com | 104.126.37.185, 104.126.37.129, 104.126.37.130, 104.126.37.154, 104.126.37.123, 104.126.37.131, 104.126.37.144, 104.126.37.153, 104.126.37.128 | whitelisted
google.com | 142.250.185.206 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
crl.microsoft.com | 23.216.77.25, 23.216.77.21, 23.53.41.90, 23.53.40.178 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
search.yahoo.com | 212.82.100.137, 2a00:1288:110:c104::2000 | whitelisted
meteum.ai | 213.180.193.146, 2a02:6b8::17f | whitelisted
www.msn.com | 23.212.88.19 | whitelisted

Threats

PID | Process | Class | Message
2276 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7964 | ExLoader_Installer.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2276 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
2276 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
2276 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2276 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup api.ipify.org
- | - | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info