File name:

BooststrapperV1.18.exe

Full analysis: https://app.any.run/tasks/5ac89388-ddd0-4edc-a347-bc18a058fe33
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data and to obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Analysis date: September 10, 2024, 15:06:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
evasion
exela
stealer
pyinstaller
discord
python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

115A4A8D78E7CA322E6649011CA539E0

SHA1:

E9311329982D1E60DDAD8EAE9A6B5EE1C1A510F9

SHA256:

14F3D65D5855EEDD82B0B826B537E9E975E209C529E00C9FD90265C833B2BDAA

SSDEEP:

98304:CFa0X/CoTvvqYM0EKTmFd1lGTCstpnr/dV21AGS1eSKJQHSf+Ni3fsW61B0ORT5Q:S34Ephyh+PlXaTDuC2akS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 5104)
    • Actions look like stealing of personal data

      • Exela.exe (PID: 608)
    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 5092)
      • cmd.exe (PID: 6980)
      • net.exe (PID: 4440)
      • net.exe (PID: 5900)
    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 6980)
      • net.exe (PID: 2092)
      • net.exe (PID: 1280)
    • ExelaStealer has been detected

      • Exela.exe (PID: 608)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5732)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3844)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • BooststrapperV1.18.exe (PID: 3104)
      • Exela.exe (PID: 6472)
      • Exela.exe (PID: 608)
    • Reads security settings of Internet Explorer

      • BooststrapperV1.18.exe (PID: 3104)
    • Starts a Microsoft application from unusual location

      • Exela.exe (PID: 6472)
      • Exela.exe (PID: 608)
    • The process drops C-runtime libraries

      • Exela.exe (PID: 6472)
    • Executable content was dropped or overwritten

      • BooststrapperV1.18.exe (PID: 3104)
      • Exela.exe (PID: 6472)
      • Exela.exe (PID: 608)
      • csc.exe (PID: 6288)
    • Process drops python dynamic module

      • Exela.exe (PID: 6472)
    • Application launched itself

      • Exela.exe (PID: 6472)
      • cmd.exe (PID: 6396)
      • cmd.exe (PID: 5164)
    • Starts CMD.EXE for commands execution

      • Exela.exe (PID: 608)
      • cmd.exe (PID: 6396)
      • cmd.exe (PID: 5164)
    • Loads Python modules

      • Exela.exe (PID: 608)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 5284)
      • cmd.exe (PID: 2520)
    • Get information on the list of running processes

      • Exela.exe (PID: 608)
      • cmd.exe (PID: 780)
      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 3660)
      • cmd.exe (PID: 5096)
      • cmd.exe (PID: 6980)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 4092)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 6596)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1156)
      • WMIC.exe (PID: 6172)
      • WMIC.exe (PID: 5264)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3812)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1492)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4252)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7012)
      • cmd.exe (PID: 3844)
    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 1224)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 876)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 6980)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7080)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 6980)
    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 6980)
    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 6980)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 6980)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 6980)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6980)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6980)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3844)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3844)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3844)
    • Checks for external IP

      • Exela.exe (PID: 608)
      • svchost.exe (PID: 2256)
  • INFO

    • Reads the computer name

      • BooststrapperV1.18.exe (PID: 3104)
      • Exela.exe (PID: 6472)
      • BootstrapperV1.18.exe (PID: 1608)
      • Exela.exe (PID: 608)
    • Checks supported languages

      • BooststrapperV1.18.exe (PID: 3104)
      • Exela.exe (PID: 6472)
      • BootstrapperV1.18.exe (PID: 1608)
      • Exela.exe (PID: 608)
      • chcp.com (PID: 2684)
      • chcp.com (PID: 6992)
      • csc.exe (PID: 6288)
      • cvtres.exe (PID: 5172)
    • Create files in a temporary directory

      • BooststrapperV1.18.exe (PID: 3104)
      • Exela.exe (PID: 6472)
      • BootstrapperV1.18.exe (PID: 1608)
      • Exela.exe (PID: 608)
      • csc.exe (PID: 6288)
      • cvtres.exe (PID: 5172)
    • The process uses the downloaded file

      • BooststrapperV1.18.exe (PID: 3104)
    • Process checks computer location settings

      • BooststrapperV1.18.exe (PID: 3104)
    • Reads the machine GUID from the registry

      • BootstrapperV1.18.exe (PID: 1608)
      • Exela.exe (PID: 608)
      • csc.exe (PID: 6288)
    • Disables trace logs

      • BootstrapperV1.18.exe (PID: 1608)
    • Reads Environment values

      • BootstrapperV1.18.exe (PID: 1608)
    • Checks proxy server information

      • BootstrapperV1.18.exe (PID: 1608)
    • Reads the software policy settings

      • BootstrapperV1.18.exe (PID: 1608)
    • Checks operating system version

      • Exela.exe (PID: 608)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4252)
      • WMIC.exe (PID: 1156)
      • WMIC.exe (PID: 1332)
      • WMIC.exe (PID: 2492)
      • WMIC.exe (PID: 876)
      • WMIC.exe (PID: 488)
      • WMIC.exe (PID: 6172)
      • WMIC.exe (PID: 5264)
    • Creates files or folders in the user directory

      • Exela.exe (PID: 608)
    • Changes the display of characters in the console

      • cmd.exe (PID: 876)
      • cmd.exe (PID: 4080)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 2628)
    • Reads the time zone

      • net1.exe (PID: 1356)
      • net1.exe (PID: 2008)
    • PyInstaller has been detected (YARA)

      • Exela.exe (PID: 6472)
    • Attempting to use instant messaging service

      • Exela.exe (PID: 608)
      • svchost.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 11776512
UninitializedDataSize: -
EntryPoint: 0x1475
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
95
Malicious processes
4
Suspicious processes
2


Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 448
CMD: tasklist
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 488
CMD: wmic startup get caption,command
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 608
CMD: "C:\Users\admin\AppData\Local\Temp\Exela.exe"
Path: C:\Users\admin\AppData\Local\Temp\Exela.exe
Parent process: Exela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Exela Services
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\exela.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 780
CMD: C:\WINDOWS\system32\cmd.exe /c "tasklist"
Path: C:\Windows\System32\cmd.exe
Parent process: Exela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 876
CMD: cmd.exe /c chcp
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 876
CMD: wmic logicaldisk get caption,description,providername
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1044
CMD: C:\WINDOWS\system32\net1 localgroup administrators
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dsrole.dll
PID: 1156
CMD: wmic csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1156
CMD: hostname
Path: C:\Windows\System32\HOSTNAME.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
Total events
25 844
Read events
25 827
Write events
17
Delete events
0

Modification events

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (1608) BootstrapperV1.18.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BootstrapperV1_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
76
Suspicious files
10
Text files
47
Unknown types
11

Dropped files

PID | Process | Filename | Type
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_asyncio.pyd | executable
MD5: 40C987A3F2048FE7BE8F485ABC25D690
SHA256: 38B15921F4F273731A6BC2C04AB21CA95E589D9D3B6A3B8C4833BE912CC4FC11
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll | executable
MD5: F34EB034AA4A9735218686590CBA2E8B
SHA256: 9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_decimal.pyd | executable
MD5: 1AB50CB41F8B408E7BC7A27A243FDC21
SHA256: AEAFDA6A769603EE39D03E77677B4FE177506C8E37D95655249DB111702B31EC
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_bz2.pyd | executable
MD5: 04624A02B17FCBE6CAD81BEF5AB3120D
SHA256: B34ADF4CF08F5987F8F96DD709446C1871F0C95BD43CA1ABBF01FEBBED286761
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_cffi_backend.cp310-win_amd64.pyd | executable
MD5: 0D43A42CB44ECB9785CCC090A3DE3D8F
SHA256: FDAA50A83947EC292E1773043F077CDDFEFBB52E53D5575B175EAB5987DE3242
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_ctypes.pyd | executable
MD5: 3FE65D28FE096F64360B5440CF394032
SHA256: 75A2487D8879FD40347C616C920BEBCD24C48483BC40D3113FCF76EE52CB3897
3104 | BooststrapperV1.18.exe | C:\Users\admin\AppData\Local\Temp\Exela.exe | executable
MD5: FECB82AD4B551D3902B675DAF654A342
SHA256: 8849AD81F079B23D51C5819DA5543A16C15159D1E7B8C133ACD3B8F72A867127
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_lzma.pyd | executable
MD5: 2E185AC31F220C582527316B7CD7D129
SHA256: BDF6E53FA9638B96035B039CF4AE199FBFC0181BDF68892C67D5989A4C707459
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_hashlib.pyd | executable
MD5: AC7D085EA6017C3FA86334EE06DB9742
SHA256: C9AF2DB3297D5B2D9B4AFB7CEA861069FD6202DC07A98F97146C991A7973A48F
6472 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI64722\_queue.pyd | executable
MD5: 17012E2D57D391F531252F48EC84ADDA
SHA256: B3EE9DB030F87C0E1C7C68DAC0DD2DEB722BC67C368B756F115A6B8A5ED63F6D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
36
DNS requests
22
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2684
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
608
Exela.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
shared
2684
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6364 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3832 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2032 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.169.152
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.69
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
getsolara.dev
  • 172.67.203.125
  • 104.21.93.27
malicious
pastebin.com
  • 104.20.3.235
  • 104.20.4.235
  • 172.67.19.24
shared
clientsettings.roblox.com
  • 128.116.21.4
whitelisted
ip-api.com
  • 208.95.112.1
shared

Threats

PID | Process | Class | Message
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
608 | Exela.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2256 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
608 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
608 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2256 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
608 | Exela.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2256 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
No debug info