File name:

ExLoader_Installer.exe

Full analysis: https://app.any.run/tasks/8a6c61b8-5ec1-47b3-8e66-f1713e852c98
Verdict: Malicious activity
Analysis date: October 27, 2024, 15:38:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

51D5E87AE7BC99D3ACC39DAA20B03431

SHA1:

7320A8CD779BD18F572422AA53B241FADEAE6A34

SHA256:

07F61F7C87BDEACFE34388001489136C563F55891D1A7E4481048B0E26E888A4

SSDEEP:

393216:teNo204poUswQ/1XMaen2YYJLB/AuYpuVo48r4YI:te/nsTpB/AjYhkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • ExLoader_Installer.exe (PID: 6240)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • ExLoader_Installer.exe (PID: 3648)

    • Executable content was dropped or overwritten

      • ExLoader_Installer.exe (PID: 3648)

    • Reads security settings of Internet Explorer

      • ExLoader_Installer.exe (PID: 3648)

    • Process drops legitimate windows executable

      • ExLoader_Installer.exe (PID: 3648)

    • Reads the date of Windows installation

      • ExLoader_Installer.exe (PID: 3648)

    • Starts POWERSHELL.EXE for commands execution

      • ExLoader_Installer.exe (PID: 6240)

    • Script adds exclusion path to Windows Defender

      • ExLoader_Installer.exe (PID: 6240)

    • Uses WMIC.EXE to obtain Windows Installer data

      • powershell.exe (PID: 5444)

  • INFO

    • Create files in a temporary directory

      • ExLoader_Installer.exe (PID: 3648)

    • Reads the computer name

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)

    • Checks supported languages

      • ExLoader_Installer.exe (PID: 3648)
      • ExLoader_Installer.exe (PID: 6240)

    • The process uses the downloaded file

      • ExLoader_Installer.exe (PID: 3648)

    • Process checks computer location settings

      • ExLoader_Installer.exe (PID: 6240)
      • ExLoader_Installer.exe (PID: 3648)

    • Creates files in the program directory

      • ExLoader_Installer.exe (PID: 6240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2009:08:16 11:05:47+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 9
CodeSize: 59904
InitializedDataSize: 128512
UninitializedDataSize: -
EntryPoint: 0xa9ec
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start exloader_installer.exe exloader_installer.exe no specs exloader_installer.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
616"C:\Windows\System32\wbem\wmic.exe" /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProductC:\Windows\System32\wbem\WMIC.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1700C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcp_win.dll
3620\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3648"C:\Users\admin\Desktop\ExLoader_Installer.exe" C:\Users\admin\Desktop\ExLoader_Installer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4808\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5444C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\Windows\System32\wbem\wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProductC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
6240"C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
ExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
HIGH
Description:
Installer for unified library of game modifications.
Version:
3.5.101+1419
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6792"C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exeExLoader_Installer.exe
User:
admin
Company:
com.swiftsoft
Integrity Level:
MEDIUM
Description:
Installer for unified library of game modifications.
Exit code:
3221226540
Version:
3.5.101+1419
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\exloader_installer.exe
c:\windows\system32\ntdll.dll
6952\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7120C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath "\"C:\Program Files\ExLoader\""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeExLoader_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
18 333
Read events
18 332
Write events
1
Delete events
0

Modification events

(PID) Process:(3648) ExLoader_Installer.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation:writeName:C%%Users%admin%AppData%Local%Temp
Value:
C:\Users\admin\AppData\Local\Temp\RarSFX0
Executable files
8
Suspicious files
23
Text files
183
Unknown types
1

Dropped files

PID
Process
Filename
Type
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\app.so
MD5:
SHA256:
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140.dllexecutable
MD5:E9B690FBE5C4B96871214379659DD928
SHA256:A06C9EA4F815DAC75D2C99684D433FBFC782010FAE887837A03F085A29A217E8
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\NOTICES.Zcompressed
MD5:CC8E60C916BE3DA7094842AB562C72AD
SHA256:D091FD114AADC99D4391D279ABC5AC2FABB184AB8BA945E1317551F252C64C50
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dllexecutable
MD5:EB49C1D33B41EB49DFED58AAFA9B9A8F
SHA256:6D3A6CDE6FC4D3C79AABF785C04D2736A3E2FD9B0366C9B741F054A13ECD939E
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\Fortnite_hover.wavbinary
MD5:B66B7D55B6EEB2FF344A1AF41E42A27F
SHA256:3E3ABB7E29D38FA4B0261AC78427633E8BF6DDF3708DE5A45BBDDDC2A9F4AA6B
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\flutter_windows.dllexecutable
MD5:D663C9EB379F0DFA6115DD1E669B761F
SHA256:4BD4BAB764EADAA9DA230407BE3FA9C0522B2BBC3DAE60593BEB9A0984F35138
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\Standard_hover.wavbinary
MD5:BE6CC8AFDD2CA2870982A0933CD9C8B6
SHA256:46D6CCFFF99264AAC49BF4545B0CEB9CCA2A9EE5A60D13B7017161E481440189
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\Standard_press.wavbinary
MD5:F9A86F1DA07C3DEA7445F34AE4F793F3
SHA256:FE7E148D5B80EAF49EB7564233B87679E53FA4E68371AA347F18C1886A99BFF9
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\audio\CSGO_hover.wavbinary
MD5:8D6E22BDE35607FE3801E02FDB12B022
SHA256:AAA3F0F824D04CE5E93D1DA17873D3AEB3C4D3A8FEE25B7006851E4089BFADFC
3648ExLoader_Installer.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.jsonbinary
MD5:8DAB30C01916D845D7082D8581BA1F7C
SHA256:8F6EE8C6AEE1D574D5C0BBB03E1F3287E8D940514DDA839C80F6C8B124E9494B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
35
DNS requests
18
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
213.180.193.146:443
https://meteum.ai/weather/en-US
unknown
html
580 Kb
unknown
GET
200
212.82.100.137:443
https://search.yahoo.com/search?p=weather&fr=yfp-t&&ei=UTF-8&fp=1
unknown
binary
200 Kb
whitelisted
GET
200
142.250.185.100:443
https://www.google.com/search?q=weather&hl=en&sclient=gws-wiz&uact=5
unknown
html
157 Kb
whitelisted
GET
200
204.79.197.203:443
https://www.msn.com/en-us/weather/forecast
unknown
html
350 Kb
whitelisted
GET
200
104.21.16.53:443
https://data.exloader.net/ExLoader.zip
unknown
compressed
45.1 Mb
unknown
GET
200
104.21.3.81:443
https://exloader.app/ExLoader.zip
unknown
compressed
45.1 Mb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.161:443
www.bing.com
Akamai International B.V.
GB
whitelisted
6944
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6944
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.161
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.189
  • 2.23.209.176
  • 2.23.209.179
  • 2.23.209.177
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
  • 2.16.164.51
  • 2.16.164.18
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
meteum.ai
  • 213.180.193.146
  • 2a02:6b8::17f
unknown
www.google.com
  • 216.58.206.36
  • 2a00:1450:4001:813::2004
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted
search.yahoo.com
  • 212.82.100.137
  • 2a00:1288:110:c104::2000
whitelisted
data.exloader.net
  • 104.21.16.53
  • 172.67.210.30
  • 2606:4700:3031::6815:1035
  • 2606:4700:3030::ac43:d21e
unknown

Threats

Found threats are available for the paid subscriptions
14 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ExLoader_Installer.exe