download: /LavaGang/MelonLoader/releases/download/v0.6.1/MelonLoader.Installer.exe

Full analysis: https://app.any.run/tasks/b38affac-541a-452f-aad0-c8115583456b
Verdict: Malicious activity
Analysis date: December 05, 2023, 01:49:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 54DFF09CC998ADAC8E2B325FD2714230
SHA1: 31592045226B7546CEBC871B13941DCE602DCE3B
SHA256: AD3015FCF72AF7FA32386E2D584DDC00BA10FEF82E84B4F57ADAFB6183177542
SSDEEP: 12288:LL2odKsoH3msuTmlOIq76xb35zdtKTKKpKKMpg:lO5gEMWx35pg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MelonLoader.Installer.exe (PID: 3476)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • MelonLoader.Installer.exe (PID: 3476)
    • Reads the Internet Settings

      • MelonLoader.Installer.exe (PID: 3476)
    • Process drops legitimate windows executable

      • MelonLoader.Installer.exe (PID: 3476)
    • The process creates files with name similar to system file names

      • MelonLoader.Installer.exe (PID: 3476)
  • INFO

    • Reads Environment values

      • MelonLoader.Installer.exe (PID: 3476)
    • Reads the computer name

      • MelonLoader.Installer.exe (PID: 3476)
      • wmpnscfg.exe (PID: 1640)
    • Checks supported languages

      • MelonLoader.Installer.exe (PID: 3476)
      • wmpnscfg.exe (PID: 1640)
    • Reads the machine GUID from the registry

      • MelonLoader.Installer.exe (PID: 3476)
    • Creates files or folders in the user directory

      • MelonLoader.Installer.exe (PID: 3476)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1640)
    • Create files in a temporary directory

      • MelonLoader.Installer.exe (PID: 3476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2049:05:06 19:08:35+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 696832
InitializedDataSize: 40960
UninitializedDataSize: -
EntryPoint: 0xac18e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.8.0
ProductVersionNumber: 3.0.8.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: MelonLoader Installer
CompanyName: discord.gg/2Wn3N2P
FileDescription: MelonLoader Installer
FileVersion: 3.0.8
InternalName: MelonLoader.Installer.exe
LegalCopyright: Created by Lava Gang
LegalTrademarks: discord.gg/2Wn3N2P
OriginalFileName: MelonLoader.Installer.exe
ProductName: MelonLoader Installer
ProductVersion: 3.0.8
AssemblyVersion: 3.0.8.0
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> melonloader.installer.exe, wmpnscfg.exe (no specs)

Process information

PID | CMD | Path | Parent process
1640 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3476 | "C:\Users\admin\AppData\Local\Temp\MelonLoader.Installer.exe" | C:\Users\admin\AppData\Local\Temp\MelonLoader.Installer.exe | explorer.exe
User: admin
Company: discord.gg/2Wn3N2P
Integrity Level: MEDIUM
Description: MelonLoader Installer
Exit code: 4294967295
Version: 3.0.8
Modules (images):
c:\users\admin\appdata\local\temp\melonloader.installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 9 524
Read events: 9 379
Write events: 144
Delete events: 1

Modification events

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | Operation: write | Name: LanguageList
Value: en-US

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: MRUListEx
Value: 07000000020000000100000000000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: MRUListEx
Value: 02000000070000000100000000000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | Operation: write | Name: TV_FolderType
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | Operation: write | Name: TV_TopViewID
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC}

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | Operation: write | Name: TV_TopViewVersion
Value: 0

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Operation: write | Name: MRUListEx
Value: 01000000020000000700000000000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | Operation: write | Name: Mode
Value: 4

PID 3476 MelonLoader.Installer.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | Operation: write | Name: LogicalViewMode
Value: 1
Executable files: 198
Suspicious files: 7
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3476 | MelonLoader.Installer.exe | C:\Users\admin\AppData\Roaming\MelonLoader.Installer.cfg | text
MD5: 16A15BEF290CA75EE0C5D0F0BE2FA46B
SHA256: 06ADFF1A326FCC4641A455319CC847D8CAAA55BE072A6DAF303CA47807AF0493
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\dobby.dll | executable
MD5: C37027B9A39C205A9627C1EBEF2C5B4D
SHA256: 61456FA9EA8400266335C081CD6995C912F6AB9EF3B798493CB0F17E203052A4
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\NOTICE.txt | text
MD5: 1D147069683FEDE444A8B01B52024898
SHA256: 081981B2760E887CD845AC478BEF503B3B61269B0F3C42007800FA6E00078258
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\MelonLoader.xml | xml
MD5: 1DBDCB8CB53DC7DCDAA0F65AE49ED124
SHA256: 009549BAF726A2B5DA251123EEEC374F6EF89E51179C71A100635688C9B02E33
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\Dependencies\CompatibilityLayers\0Harmony.dll | executable
MD5: E6EB51B5F3562915B2596E0A627A2727
SHA256: 4A5CA12CD7BEFF7D4404D3E20627C378F36127F0E96E160B007601F19A6D1F8C
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\Dependencies\Bootstrap.dll | executable
MD5: 5CC57CCBD2BB7842D52B1AF317C18950
SHA256: ADB15413F0B4B5E80E86E30828EDFFA5BCA3436D805E53310A5FFB485C2A1F06
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\Dependencies\CompatibilityLayers\Mono.Cecil.dll | executable
MD5: DE69BB29D6A9DFB615A90DF3580D63B1
SHA256: F66F97866433E688ACC3E4CD1E6EF14505F81DF6B26DD6215E376767F6F954BC
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\Dependencies\CompatibilityLayers\Demeo.dll | executable
MD5: 3E8312D1884E3AFAD88C7EF66B07DF72
SHA256: 3BEEC065D4D442521D1D9E93F6C4EF144B38D4ADA3F020D1236BB03C9CF4D70D
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\Dependencies\CompatibilityLayers\Mono.Cecil.Rocks.dll | executable
MD5: 6E7F0F4FFF6C49E3F66127C23B7F1A53
SHA256: 2E2623319BDC362974A78EA4A43F4893011EC257884D24267F4594142FCD436E
3476 | MelonLoader.Installer.exe | C:\Users\admin\Desktop\test\MelonLoader\Dependencies\CompatibilityLayers\Mono.Cecil.Pdb.dll | executable
MD5: 6D5EB860C2BE5DBEB470E7D3F3E7DDA4
SHA256: 447EDE1984BB4ACD73BD97C0EC57A11C079CEE8301C91FB199CA98C1906D3CC4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
2588 | svchost.exe | 239.255.255.250:1900 | | | | unknown
3476 | MelonLoader.Installer.exe | 140.82.121.6:443 | api.github.com | GITHUB | US | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3476 | MelonLoader.Installer.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown
3476 | MelonLoader.Installer.exe | 185.199.109.133:443 | objects.githubusercontent.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
api.github.com | 140.82.121.6 | unknown
github.com | 140.82.121.3 | unknown
objects.githubusercontent.com | 185.199.109.133, 185.199.110.133, 185.199.111.133, 185.199.108.133 | unknown

Threats

No threats detected
No debug info