File name: ExLoader_Installer.exe
Full analysis: https://app.any.run/tasks/8a6c61b8-5ec1-47b3-8e66-f1713e852c98
Verdict: Malicious activity
Analysis date: October 27, 2024, 15:38:04
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 51D5E87AE7BC99D3ACC39DAA20B03431
SHA1: 7320A8CD779BD18F572422AA53B241FADEAE6A34
SHA256: 07F61F7C87BDEACFE34388001489136C563F55891D1A7E4481048B0E26E888A4
SSDEEP: 393216:teNo204poUswQ/1XMaen2YYJLB/AuYpuVo48r4YI:te/nsTpB/AjYhkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • ExLoader_Installer.exe (PID: 6240)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ExLoader_Installer.exe (PID: 3648)
    • Executable content was dropped or overwritten

      • ExLoader_Installer.exe (PID: 3648)
    • The process drops C-runtime libraries

      • ExLoader_Installer.exe (PID: 3648)
    • Process drops legitimate windows executable

      • ExLoader_Installer.exe (PID: 3648)
    • Reads the date of Windows installation

      • ExLoader_Installer.exe (PID: 3648)
    • Starts POWERSHELL.EXE for commands execution

      • ExLoader_Installer.exe (PID: 6240)
    • Uses WMIC.EXE to obtain Windows Installer data

      • powershell.exe (PID: 5444)
    • Script adds exclusion path to Windows Defender

      • ExLoader_Installer.exe (PID: 6240)
  • INFO

    • Reads the computer name

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)
    • Checks supported languages

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)
    • Create files in a temporary directory

      • ExLoader_Installer.exe (PID: 3648)
    • The process uses the downloaded file

      • ExLoader_Installer.exe (PID: 3648)
    • Creates files in the program directory

      • ExLoader_Installer.exe (PID: 6240)
    • Process checks computer location settings

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2009:08:16 11:05:47+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 9
CodeSize: 59904
InitializedDataSize: 128512
UninitializedDataSize: -
EntryPoint: 0xa9ec
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
These PE header values (linker version 9, 2009 timestamp, PE32+ GUI subsystem) describe the outer WinRAR self-extracting stub, not the application it carries: the ExLoader_Installer.exe extracted to %TEMP%\RarSFX0 reports its own company and version (com.swiftsoft, 3.5.101+1419) in the process table below.
Total processes: 130
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process launch order as shown in the graph ("no specs" means ANY.RUN attached no indicators to that process):

start
exloader_installer.exe
exloader_installer.exe (no specs)
exloader_installer.exe
powershell.exe (no specs)
conhost.exe (no specs)
powershell.exe (no specs)
conhost.exe (no specs)
powershell.exe (no specs)
conhost.exe (no specs)
wmic.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 616
CMD: "C:\Windows\System32\wbem\wmic.exe" /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcp_win.dll
PID: 3620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3648
CMD: "C:\Users\admin\Desktop\ExLoader_Installer.exe"
Path: C:\Users\admin\Desktop\ExLoader_Installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4808
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5444
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\Windows\System32\wbem\wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
PID: 6240
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
HIGH
Description:
Installer for unified library of game modifications.
Version:
3.5.101+1419
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6792
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
MEDIUM
Description:
Installer for unified library of game modifications.
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch of the extracted installer failed because the image requests elevation; the same image was then started again as PID 6240 at HIGH integrity, which is where the Defender-exclusion and AV-enumeration PowerShell children come from)
Version:
3.5.101+1419
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
PID: 6952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7120
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 18 333
Read events: 18 332
Write events: 1
Delete events: 0

Modification events

PID 3648 (ExLoader_Installer.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation: write
Name: C%%Users%admin%AppData%Local%Temp
Value: C:\Users\admin\AppData\Local\Temp\RarSFX0

This is the WinRAR self-extractor stub recording its extraction directory (the value name is the temp path with backslashes replaced by '%'). It confirms that the outer file is a WinRAR SFX archive and that the real installer runs from %TEMP%\RarSFX0, which is why the same file name appears a second time under that path in the process table.
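The process table and the registry event above give enough to write detection logic for the three behaviours this report flags: the Defender exclusion added through Add-MpPreference, the antivirus enumeration through the root\SecurityCenter2 WMI namespace, and execution out of a WinRAR SFX temp directory, plus the elevation pattern visible in the exit code of PID 6792. The following is an added example written for this page, not ANY.RUN's code and not part of the sample. The process records are constructed from the report's own PIDs, command lines, integrity levels and exit codes; the record layout is an assumption loosely modelled on a process-creation log (Sysmon Event ID 1), the rule regexes are mine, and explorer.exe is given the placeholder PID 1 because the report does not list its PID.

```python
"""Detection logic for the process behaviour recorded in this report.

Added example; the record layout is an assumption (Sysmon-Event-1-like), the
process data is constructed from the report's process table, and explorer.exe
gets placeholder PID 1 because the report does not show it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: str                 # "MEDIUM" or "HIGH", as in the report
    exit_code: Optional[int] = None


# NTSTATUS a process returns when it needs elevation; the report shows it as the
# decimal exit code 3221226540 of PID 6792.
STATUS_ELEVATION_REQUIRED = 0xC000042C

# Constructed from the report's process table (explorer.exe = placeholder PID 1).
EVENTS: List[Proc] = [
    Proc(3648, 1, r"C:\Users\admin\Desktop\ExLoader_Installer.exe",
         r'"C:\Users\admin\Desktop\ExLoader_Installer.exe"', "MEDIUM"),
    Proc(6792, 3648, r"C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe",
         r'"C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"',
         "MEDIUM", 3221226540),
    Proc(6240, 3648, r"C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe",
         r'"C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"', "HIGH"),
    Proc(5444, 6240, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -command C:\Windows\System32\wbem\wmic.exe /node:localhost "
         r"/namespace:\\root\SecurityCenter2 path AntiVirusProduct", "HIGH", 0),
    Proc(616, 5444, r"C:\Windows\System32\wbem\WMIC.exe",
         r'"C:\Windows\System32\wbem\wmic.exe" /node:localhost '
         r"/namespace:\\root\SecurityCenter2 path AntiVirusProduct", "HIGH", 0),
    Proc(1700, 6240, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""',
         "HIGH", 1),
]

# Command-line / image patterns for the behaviours the report flags. The first
# two carry the standard ATT&CK technique IDs for those behaviours.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("T1562.001 Defender exclusion via Add-MpPreference",
     re.compile(r"add-mppreference\s.*-exclusion(path|process|extension)", re.I)),
    ("T1518.001 AV product enumeration via root\\SecurityCenter2",
     re.compile(r"securitycenter2.*antivirusproduct", re.I)),
    ("execution from WinRAR SFX temp extraction dir (%TEMP%\\RarSFX<n>)",
     re.compile(r"\\temp\\rarsfx\d+\\", re.I)),
]


def match_rules(p: Proc) -> List[str]:
    """Names of every rule whose pattern hits the image path or command line."""
    haystack = p.image + " " + p.cmdline
    return [name for name, pat in RULES if pat.search(haystack)]


def ancestry(pid: int, by_pid: Dict[int, Proc]) -> List[int]:
    """Walk parent pointers from pid towards the root; stops at an unknown parent
    or a cycle, so the result is safe to print as a process chain."""
    chain = [pid]
    while chain[-1] in by_pid and by_pid[chain[-1]].ppid not in chain:
        chain.append(by_pid[chain[-1]].ppid)
    return chain


def elevated_relaunches(events: List[Proc]) -> List[Tuple[int, int]]:
    """Pair each process that exited with STATUS_ELEVATION_REQUIRED with another
    HIGH-integrity instance of the same image under the same parent: the UAC
    consent-then-relaunch pattern the report shows as 6792 -> 6240."""
    pairs = []
    for failed in events:
        if failed.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for cand in events:
            if (cand.pid != failed.pid and cand.ppid == failed.ppid
                    and cand.image.lower() == failed.image.lower()
                    and cand.integrity == "HIGH"):
                pairs.append((failed.pid, cand.pid))
    return pairs


def analyse(events: List[Proc]) -> Dict[str, object]:
    """Run every rule over every record and attach the ancestry of each hit."""
    by_pid = {p.pid: p for p in events}
    hits = [(p.pid, rule, ancestry(p.pid, by_pid))
            for p in events for rule in match_rules(p)]
    return {"hits": hits, "elevated_relaunch": elevated_relaunches(events)}


if __name__ == "__main__":
    result = analyse(EVENTS)
    for pid, rule, chain in result["hits"]:
        print(f"PID {pid}: {rule}   chain: {' <- '.join(map(str, chain))}")
    print("elevated relaunch (failed_pid, elevated_pid):", result["elevated_relaunch"])
```

Running the script lists the two PowerShell children of PID 6240 (and the wmic.exe grandchild) with their full chain back to explorer.exe, and reports the 6792 -> 6240 pair. Feeding it a real Sysmon export only requires mapping the PID, parent PID, image, command line and integrity-level fields onto the Proc record; the ancestry check matters because the exclusion command on its own is also what a legitimate installer might run, and the chain from a desktop download through a RarSFX temp directory is what separates this case.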
Executable files: 8
Suspicious files: 23
Text files: 183
Unknown types: 1

Dropped files

All of the following were written by PID 3648 (ExLoader_Installer.exe):

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\app.so
  Type:
  MD5:
  SHA256:

C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp140.dll
  Type: executable
  MD5: C3D497B0AFEF4BD7E09C7559E1C75B05
  SHA256: 1E57A6DF9E3742E31A1C6D9BFF81EBEEAE8A7DE3B45A26E5079D5E1CCE54CD98

C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
  Type: executable
  MD5: E9B690FBE5C4B96871214379659DD928
  SHA256: A06C9EA4F815DAC75D2C99684D433FBFC782010FAE887837A03F085A29A217E8

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json
  Type: text
  MD5: FB1230BB41C3C1290008B9E44059DD39
  SHA256: 2429B610BA9010211D18626D311D3DEA7274473C2DD50FAE833ED739B67B1292

C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll
  Type: executable
  MD5: EB49C1D33B41EB49DFED58AAFA9B9A8F
  SHA256: 6D3A6CDE6FC4D3C79AABF785C04D2736A3E2FD9B0366C9B741F054A13ECD939E

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\AbominationPissed_RU.wav
  Type: binary
  MD5: 5C4C79FF61BC28F30FC6B2A221975B98
  SHA256: D5F7EA66BB3BC77DE30B0B450B37DBAC1DFA2F30B8108FCE9AC2752CE9AD2838

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin
  Type: binary
  MD5: E6EE07A908803B70DCDF31271BBC05BC
  SHA256: 5BC7D9A70129040CB1A99067D26A8A74F1679B345AE7E7FBD6C71D26A97E2688

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\AbominationPissed_DE.wav
  Type: wav
  MD5: B287FCC8278972FF72B8E46B481C4AB7
  SHA256: C87CB5C9C64B5798769AF14563E268080ED82C7C8A1958F6FA1C1B5E7F10D2E2

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\Standard_press.wav
  Type: binary
  MD5: F9A86F1DA07C3DEA7445F34AE4F793F3
  SHA256: FE7E148D5B80EAF49EB7564233B87679E53FA4E68371AA347F18C1886A99BFF9

C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\AbominationPissed_EN.wav
  Type: binary
  MD5: 04DE7B1FD5D0FCE157B378EBEDE59DF1
  SHA256: 3939FCAA3B0EFD6D601DA475ABEA862D9F7C078643F1063DF51C83609CF47A6F
HTTP(S) requests: 11
TCP/UDP connections: 35
DNS requests: 18
Threats: 14

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 213.180.193.146:443 | https://meteum.ai/weather/en-US | unknown | html | 580 Kb | unknown
- | - | GET | 200 | 104.21.3.81:443 | https://exloader.app/ExLoader.zip | unknown | compressed | 45.1 Mb | unknown
- | - | GET | 200 | 104.21.16.53:443 | https://data.exloader.net/ExLoader.zip | unknown | compressed | 45.1 Mb | unknown
- | - | GET | 200 | 212.82.100.137:443 | https://search.yahoo.com/search?p=weather&fr=yfp-t&&ei=UTF-8&fp=1 | unknown | binary | 200 Kb | whitelisted
- | - | GET | 200 | 142.250.185.100:443 | https://www.google.com/search?q=weather&hl=en&sclient=gws-wiz&uact=5 | unknown | html | 157 Kb | whitelisted
- | - | GET | 200 | 204.79.197.203:443 | https://www.msn.com/en-us/weather/forecast | unknown | html | 350 Kb | whitelisted

("-" marks a cell the report leaves empty. The CRL fetches belong to Windows components; the two 45.1 MB ExLoader.zip downloads from exloader.app and data.exloader.net are the installer's own payload retrieval and carry no reputation verdict.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.161:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

("-" marks a cell the report leaves empty.)

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.161
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.189
  • 2.23.209.176
  • 2.23.209.179
  • 2.23.209.177
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
  • 2.16.164.51
  • 2.16.164.18
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
meteum.ai
  • 213.180.193.146
  • 2a02:6b8::17f
unknown
www.google.com
  • 216.58.206.36
  • 2a00:1450:4001:813::2004
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted
search.yahoo.com
  • 212.82.100.137
  • 2a00:1288:110:c104::2000
whitelisted
data.exloader.net
  • 104.21.16.53
  • 172.67.210.30
  • 2606:4700:3031::6815:1035
  • 2606:4700:3030::ac43:d21e
unknown

Threats

14 ETPRO signatures available at the full report
No debug info