File name:

Matheus.exe

Full analysis: https://app.any.run/tasks/0ddf7add-301b-4053-acbe-896199f1e760
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: May 03, 2025, 21:43:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
evasion
stealer
exela
discord
screenshot
pyinstaller
growtopia
susp-powershell
ims-api
generic
discordgrabber
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

3C33E37D43E1FAF2380FE96C862BC598

SHA1:

A1F0B4FDFCC70DFEB87E50962F89702DBF542177

SHA256:

34C319EF95E9BF30D07242335AB16BA1826A85A21781C762B588DD1B1FAB46BA

SSDEEP:

98304:kCYzB0h6vldk7RZxQp93T9B4TfdULGH+oPwu8M3YLlUM5yP6waH9sKWAiP8ZqpGp:lExBrxQSqXOvBAvOLuBN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 6032)

    • Actions looks like stealing of personal data

      • Matheus.exe (PID: 5324)

    • Steals credentials from Web Browsers

      • Matheus.exe (PID: 5324)

    • GROWTOPIA has been detected (YARA)

      • Matheus.exe (PID: 5324)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 7748)
      • cmd.exe (PID: 6156)
      • net.exe (PID: 7940)
      • net.exe (PID: 7988)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 7844)
      • cmd.exe (PID: 6156)
      • net.exe (PID: 7892)

    • ExelaStealer has been detected

      • Matheus.exe (PID: 5324)

    • DISCORDGRABBER has been detected (YARA)

      • Matheus.exe (PID: 5324)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7276)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6068)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)

    • Process drops python dynamic module

      • Matheus.exe (PID: 1616)

    • Executable content was dropped or overwritten

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)
      • csc.exe (PID: 7380)

    • Starts a Microsoft application from unusual location

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)

    • The process drops C-runtime libraries

      • Matheus.exe (PID: 1616)

    • Application launched itself

      • Matheus.exe (PID: 1616)
      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 5800)

    • Loads Python modules

      • Matheus.exe (PID: 5324)

    • Starts CMD.EXE for commands execution

      • Matheus.exe (PID: 5324)
      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 5800)

    • Get information on the list of running processes

      • cmd.exe (PID: 616)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 1180)
      • Matheus.exe (PID: 5324)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 6156)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 6036)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2152)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6004)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 1228)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4488)
      • cmd.exe (PID: 7264)
      • cmd.exe (PID: 7308)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4408)
      • WMIC.exe (PID: 6592)
      • WMIC.exe (PID: 7020)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6192)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4892)
      • cmd.exe (PID: 7276)

    • Starts application with an unusual extension

      • cmd.exe (PID: 720)
      • cmd.exe (PID: 6032)

    • Executes JavaScript directly as a command

      • cmd.exe (PID: 5720)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 1660)

    • Checks for external IP

      • Matheus.exe (PID: 5324)
      • svchost.exe (PID: 2196)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 6156)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 7796)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 6156)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 6156)

    • Multiple wallet extension IDs have been found

      • Matheus.exe (PID: 5324)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 6156)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 6156)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 6156)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6156)

    • Windows service management via SC.EXE

      • sc.exe (PID: 5008)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Matheus.exe (PID: 5324)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6156)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7276)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7380)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7276)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7276)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 6068)

  • INFO

    • The sample compiled with english language support

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)

    • Checks supported languages

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)
      • chcp.com (PID: 6564)
      • chcp.com (PID: 3884)
      • cvtres.exe (PID: 7376)
      • csc.exe (PID: 7380)

    • Create files in a temporary directory

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)
      • csc.exe (PID: 7380)
      • cvtres.exe (PID: 7376)

    • Reads the computer name

      • Matheus.exe (PID: 1616)

    • Reads the machine GUID from the registry

      • Matheus.exe (PID: 5324)
      • csc.exe (PID: 7380)

    • Checks operating system version

      • Matheus.exe (PID: 5324)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4224)
      • WMIC.exe (PID: 6156)
      • WMIC.exe (PID: 1228)
      • WMIC.exe (PID: 4408)
      • WMIC.exe (PID: 7708)
      • WMIC.exe (PID: 8036)
      • WMIC.exe (PID: 6592)
      • WMIC.exe (PID: 7020)

    • Creates files or folders in the user directory

      • Matheus.exe (PID: 5324)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 720)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5640)

    • PyInstaller has been detected (YARA)

      • Matheus.exe (PID: 1616)
      • Matheus.exe (PID: 5324)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 5408)

    • Reads the time zone

      • net1.exe (PID: 8008)
      • net1.exe (PID: 7960)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Matheus.exe (PID: 5324)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 8148)

    • Application based on Rust

      • Matheus.exe (PID: 5324)

    • UPX packer has been detected

      • Matheus.exe (PID: 5324)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
      • Matheus.exe (PID: 5324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(5324) Matheus.exe
Discord-Webhook-Tokens (1)1367999230693867641/34FKeNwI9cAieznq1x41KNsZGCyyNJEA4EnUznJNsioHIoeFUu1caTX4QfsRTCaIiMTh
Discord-Info-Links
1367999230693867641/34FKeNwI9cAieznq1x41KNsZGCyyNJEA4EnUznJNsioHIoeFUu1caTX4QfsRTCaIiMTh
Get Webhook Infohttps://discord.com/api/webhooks/1367999230693867641/34FKeNwI9cAieznq1x41KNsZGCyyNJEA4EnUznJNsioHIoeFUu1caTX4QfsRTCaIiMTh
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:02 23:22:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Exela Services
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Exela.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Exela.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
223
Monitored processes
96
Malicious processes
3
Suspicious processes
5

Behavior graph

Click at the process to see the details
start matheus.exe #GROWTOPIA matheus.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs mshta.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs sppextcomobj.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs slui.exe no specs netsh.exe no specs systeminfo.exe no specs svchost.exe tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
616C:\WINDOWS\system32\cmd.exe /c "tasklist"C:\Windows\System32\cmd.exeMatheus.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
672"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
720cmd.exe /c chcpC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1056tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1164C:\WINDOWS\system32\cmd.exe /c "tasklist"C:\Windows\System32\cmd.exeMatheus.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1180C:\WINDOWS\system32\cmd.exe /c "tasklist"C:\Windows\System32\cmd.exeMatheus.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1188tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
24 969
Read events
24 966
Write events
3
Delete events
0

Modification events

(PID) Process:(6032) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Exela Update Service
Value:
C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe
(PID) Process:(7552) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31177844
(PID) Process:(7552) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
Executable files
74
Suspicious files
41
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_asyncio.pydexecutable
MD5:E7F550E558B8BDAF58703342DF99C546
SHA256:1EBC9D947287FF6754436630AB7D106CCF1F600C7A96F2FCFE75DF5F8967DFF4
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_ctypes.pydexecutable
MD5:81313D2CE8FC6244113F81E69019C4C5
SHA256:F3500C6201277B711123C5D82E58EA9002EEF4A4F3E3781460C744B74796CEBE
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_hashlib.pydexecutable
MD5:B9764D54210E87924B53CCD59D4D3F26
SHA256:C804BE258C3F1A677B8A32681EBBF9B9D8FE43172FDFCFAF6666501093C0C934
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_decimal.pydexecutable
MD5:6E008E41F8ECB064CE24111FAC710BFF
SHA256:08F8ACA4D96823941C9437B0CB52E14D37E785B01F33D701A238C1E92E89CBC3
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_sqlite3.pydexecutable
MD5:6954A9DDDE7304A13CFBB00490C46EF4
SHA256:3D60C602DB3D32D7142C091C622C495969C330F2CBD01695105D4695446C1F06
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_multiprocessing.pydexecutable
MD5:DC14BFEB7F48AE49F534C6B6333EC7B5
SHA256:FED67A2FA7C14D03B70D5DFA6A2FFE61A718BADCAA4B394674646FCD2E181321
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_overlapped.pydexecutable
MD5:6CB62DF83B6FA05F7DB40458ECF61BE9
SHA256:4510811BA999FB305DA874DABF0864798F3CB09ECD256C43820E6606C777C816
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_queue.pydexecutable
MD5:86E57CB7237D33D354EE3A89153AD831
SHA256:B2233409E7F9DC2A82278E2DAFAC1FA57BB5F92BEBED25515F12F1A25CD99859
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
1616Matheus.exeC:\Users\admin\AppData\Local\Temp\_MEI16162\_bz2.pydexecutable
MD5:ABE536347EEB1308E17B6CF4DAACEF7B
SHA256:D7B84A1E07853E8B80C88371C3EDCA409EAB807340F552C3C209CE13B20A0C2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
17
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5324
Matheus.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7648
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7648
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5324
Matheus.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
6544
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5324
Matheus.exe
162.159.137.232:443
discord.com
CLOUDFLARENET
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.132
  • 20.190.160.128
  • 20.190.160.22
  • 20.190.160.130
  • 20.190.160.67
  • 20.190.160.5
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.138.232
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.91.7.6
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5324
Matheus.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
5324
Matheus.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
5324
Matheus.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
5324
Matheus.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
5324
Matheus.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Matheus.exe