File name: ExLoader_Installer.exe

Full analysis: https://app.any.run/tasks/8a6c61b8-5ec1-47b3-8e66-f1713e852c98
Verdict: Malicious activity
Analysis date: October 27, 2024, 15:38:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 51D5E87AE7BC99D3ACC39DAA20B03431
SHA1: 7320A8CD779BD18F572422AA53B241FADEAE6A34
SHA256: 07F61F7C87BDEACFE34388001489136C563F55891D1A7E4481048B0E26E888A4
SSDEEP: 393216:teNo204poUswQ/1XMaen2YYJLB/AuYpuVo48r4YI:te/nsTpB/AjYhkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • ExLoader_Installer.exe (PID: 6240)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ExLoader_Installer.exe (PID: 3648)
    • The process drops C-runtime libraries

      • ExLoader_Installer.exe (PID: 3648)
    • Reads security settings of Internet Explorer

      • ExLoader_Installer.exe (PID: 3648)
    • Executable content was dropped or overwritten

      • ExLoader_Installer.exe (PID: 3648)
    • Reads the date of Windows installation

      • ExLoader_Installer.exe (PID: 3648)
    • Starts POWERSHELL.EXE for commands execution

      • ExLoader_Installer.exe (PID: 6240)
    • Script adds exclusion path to Windows Defender

      • ExLoader_Installer.exe (PID: 6240)
    • Uses WMIC.EXE to obtain Windows Installer data

      • powershell.exe (PID: 5444)
  • INFO

    • Checks supported languages

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)
    • Reads the computer name

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)
    • Create files in a temporary directory

      • ExLoader_Installer.exe (PID: 3648)
    • The process uses the downloaded file

      • ExLoader_Installer.exe (PID: 3648)
    • Process checks computer location settings

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)
    • Creates files in the program directory

      • ExLoader_Installer.exe (PID: 6240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2009:08:16 11:05:47+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 9
CodeSize: 59904
InitializedDataSize: 128512
UninitializedDataSize: -
EntryPoint: 0xa9ec
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 616
CMD: "C:\Windows\System32\wbem\wmic.exe" /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcp_win.dll
PID: 3620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3648
CMD: "C:\Users\admin\Desktop\ExLoader_Installer.exe"
Path: C:\Users\admin\Desktop\ExLoader_Installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4808
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5444
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\Windows\System32\wbem\wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
PID: 6240
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
HIGH
Description:
Installer for unified library of game modifications.
Version:
3.5.101+1419
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6792
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
MEDIUM
Description:
Installer for unified library of game modifications.
Exit code:
3221226540
Version:
3.5.101+1419
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
PID: 6952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7120
CMD: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: ExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 18 333
Read events: 18 332
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3648) ExLoader_Installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation: write
Name: C%%Users%admin%AppData%Local%Temp
Value: C:\Users\admin\AppData\Local\Temp\RarSFX0
Executable files: 8
Suspicious files: 23
Text files: 183
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\app.so | -
MD5:
SHA256:
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\Fortnite_press.wav | binary
MD5:17112A672B04374113400B1C3C6A014E
SHA256:E0ECB5E92F1E13DE05850D1F3894A54988E5F2C7EEDED390F9040D2845AA4404
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\fonts\MaterialIcons-Regular.otf | binary
MD5:E7069DFD19B331BE16BED984668FE080
SHA256:D9865B671A09D683D13A863089D8825E0F61A37696CE5D7D448BC8023AA62453
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin | binary
MD5:E6EE07A908803B70DCDF31271BBC05BC
SHA256:5BC7D9A70129040CB1A99067D26A8A74F1679B345AE7E7FBD6C71D26A97E2688
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\CSGO_press.wav | binary
MD5:5CF6F422F37B61B16F732E177C4A67CE
SHA256:880CC2BE6F458BF853DBA78CAF06BD2B97BC4B06FEA141599DB74E95BBD59528
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.json | binary
MD5:8DAB30C01916D845D7082D8581BA1F7C
SHA256:8F6EE8C6AEE1D574D5C0BBB03E1F3287E8D940514DDA839C80F6C8B124E9494B
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\AbominationPissed_EN.wav | binary
MD5:04DE7B1FD5D0FCE157B378EBEDE59DF1
SHA256:3939FCAA3B0EFD6D601DA475ABEA862D9F7C078643F1063DF51C83609CF47A6F
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp140.dll | executable
MD5:C3D497B0AFEF4BD7E09C7559E1C75B05
SHA256:1E57A6DF9E3742E31A1C6D9BFF81EBEEAE8A7DE3B45A26E5079D5E1CCE54CD98
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json | text
MD5:FB1230BB41C3C1290008B9E44059DD39
SHA256:2429B610BA9010211D18626D311D3DEA7274473C2DD50FAE833ED739B67B1292
3648 | ExLoader_Installer.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\AbominationPissed_DE.wav | wav
MD5:B287FCC8278972FF72B8E46B481C4AB7
SHA256:C87CB5C9C64B5798769AF14563E268080ED82C7C8A1958F6FA1C1B5E7F10D2E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 35
DNS requests: 18
Threats: 14

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 212.82.100.137:443 | https://search.yahoo.com/search?p=weather&fr=yfp-t&&ei=UTF-8&fp=1 | unknown | binary | 200 Kb | whitelisted
- | - | GET | 200 | 142.250.185.100:443 | https://www.google.com/search?q=weather&hl=en&sclient=gws-wiz&uact=5 | unknown | html | 157 Kb | whitelisted
- | - | GET | 302 | 213.180.193.146:443 | https://meteum.ai/ | unknown | text | 14 b | -
- | - | GET | 200 | 204.79.197.203:443 | https://www.msn.com/en-us/weather/forecast | unknown | html | 350 Kb | whitelisted
- | - | GET | 200 | 104.21.3.81:443 | https://exloader.app/ExLoader.zip | unknown | compressed | 45.1 Mb | -
- | - | GET | 200 | 213.180.193.146:443 | https://meteum.ai/weather/en-US | unknown | html | 580 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.161:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.161
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.189
  • 2.23.209.176
  • 2.23.209.179
  • 2.23.209.177
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
  • 2.16.164.51
  • 2.16.164.18
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
meteum.ai
  • 213.180.193.146
  • 2a02:6b8::17f
unknown
www.google.com
  • 216.58.206.36
  • 2a00:1450:4001:813::2004
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted
search.yahoo.com
  • 212.82.100.137
  • 2a00:1288:110:c104::2000
whitelisted
data.exloader.net
  • 104.21.16.53
  • 172.67.210.30
  • 2606:4700:3031::6815:1035
  • 2606:4700:3030::ac43:d21e
unknown

Threats

Found threats are available for the paid subscriptions
14 ETPRO signatures available at the full report
No debug info