File name: Exela.exe

Full analysis: https://app.any.run/tasks/80a2ace9-a768-485d-84b3-25c192db0906
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Analysis date: September 20, 2024, 19:42:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
exela
stealer
pyinstaller
susp-powershell
ims-api
generic
discord
growtopia
discordgrabber
upx
python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 57A2DC05065B6C5BD7A16287574B44DD
SHA1: D0D6EA49375492259A5C7B00E1D52B37D9DCD704
SHA256: 548B6D77905BFB2217782A2EA99E8E55DC2DEDDB94AF1C43E79A33161328DB26
SSDEEP: 98304:t6CRRm8ziKqhBYukWPK8YutPrCpEJg4ESq/NCz0kKBWGJMDV+ly+/9F8BZ6GHgBP:PwaX44a1I8aqVjF6v/2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • Exela.exe (PID: 3376)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 3352)
      • net.exe (PID: 5532)
      • net.exe (PID: 1644)
      • net.exe (PID: 6252)
    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 3352)
      • net.exe (PID: 2608)
      • net.exe (PID: 5540)
    • ExelaStealer has been detected

      • Exela.exe (PID: 3376)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6632)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6804)
    • DISCORDGRABBER has been detected (YARA)

      • Exela.exe (PID: 3376)
    • GROWTOPIA has been detected (YARA)

      • Exela.exe (PID: 3376)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Exela.exe (PID: 6616)
      • csc.exe (PID: 2576)
    • Starts a Microsoft application from unusual location

      • Exela.exe (PID: 6616)
      • Exela.exe (PID: 3376)
    • Process drops legitimate windows executable

      • Exela.exe (PID: 6616)
    • Process drops python dynamic module

      • Exela.exe (PID: 6616)
    • Application launched itself

      • Exela.exe (PID: 6616)
      • cmd.exe (PID: 6528)
      • cmd.exe (PID: 1236)
    • Get information on the list of running processes

      • Exela.exe (PID: 3376)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 1448)
      • cmd.exe (PID: 2580)
      • cmd.exe (PID: 3352)
    • Starts CMD.EXE for commands execution

      • Exela.exe (PID: 3376)
      • cmd.exe (PID: 1236)
      • cmd.exe (PID: 6528)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4128)
      • cmd.exe (PID: 5180)
      • cmd.exe (PID: 644)
    • Loads Python modules

      • Exela.exe (PID: 3376)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7056)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2268)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2932)
      • cmd.exe (PID: 5376)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 6632)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 3352)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 3352)
    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 2804)
    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 3352)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 3352)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2892)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 3352)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3352)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 3352)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6632)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6632)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6632)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Exela.exe (PID: 3376)
    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 3352)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Exela.exe (PID: 3376)
  • INFO

    • Checks supported languages

      • Exela.exe (PID: 6616)
      • Exela.exe (PID: 3376)
      • chcp.com (PID: 6820)
      • chcp.com (PID: 6900)
    • Reads the computer name

      • Exela.exe (PID: 6616)
      • Exela.exe (PID: 3376)
    • Create files in a temporary directory

      • Exela.exe (PID: 6616)
      • Exela.exe (PID: 3376)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7056)
      • WMIC.exe (PID: 236)
      • WMIC.exe (PID: 4128)
    • Creates files or folders in the user directory

      • Exela.exe (PID: 3376)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5364)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5376)
      • cmd.exe (PID: 2932)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 6804)
    • Reads the time zone

      • net1.exe (PID: 6536)
      • net1.exe (PID: 1568)
    • Checks operating system version

      • Exela.exe (PID: 3376)
    • PyInstaller has been detected (YARA)

      • Exela.exe (PID: 6616)
      • Exela.exe (PID: 3376)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Exela.exe (PID: 3376)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2256)
      • Exela.exe (PID: 3376)
    • UPX packer has been detected

      • Exela.exe (PID: 3376)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:20 15:48:24+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Exela Services
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Exela.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Exela.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
No data.
Total processes: 182
Monitored processes: 73
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order: exela.exe (#EXELASTEALER), exela.exe, cmd.exe, cmd.exe, conhost.exe, conhost.exe, tasklist.exe, wmic.exe, cmd.exe, conhost.exe, attrib.exe, cmd.exe, cmd.exe, conhost.exe, conhost.exe, mshta.exe, tasklist.exe, cmd.exe, cmd.exe, cmd.exe, conhost.exe, conhost.exe, cmd.exe, conhost.exe, conhost.exe, cmd.exe, tasklist.exe, cmd.exe, chcp.com, powershell.exe, chcp.com, cmd.exe, cmd.exe, conhost.exe, conhost.exe, netsh.exe, systeminfo.exe, svchost.exe, tiworker.exe, hostname.exe, wmic.exe, net.exe, net1.exe, query.exe, quser.exe, net.exe, net1.exe, net.exe, net1.exe, net.exe, net1.exe, net.exe, net1.exe, wmic.exe, tasklist.exe, ipconfig.exe, route.exe, arp.exe, netstat.exe, sc.exe, netsh.exe, netsh.exe, cmd.exe, conhost.exe, wmic.exe, cmd.exe, conhost.exe, powershell.exe, csc.exe, cvtres.exe, cmd.exe, conhost.exe, wmic.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: wmic startup get caption,command
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 644
CMD: attrib +h +s "C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe"
Path: C:\Windows\System32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 644
CMD: C:\WINDOWS\system32\net1 user
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
PID: 644
CMD: C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"
Path: C:\Windows\System32\cmd.exe
Parent process: Exela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 888
CMD: C:\WINDOWS\system32\cmd.exe /c "tasklist"
Path: C:\Windows\System32\cmd.exe
Parent process: Exela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 888
CMD: wmic csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1020
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1236
CMD: C:\WINDOWS\system32\cmd.exe /c "cmd.exe /c chcp"
Path: C:\Windows\System32\cmd.exe
Parent process: Exela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1280
CMD: ipconfig /all
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
Total events: 23 797
Read events: 23 795
Write events: 2
Delete events: 0

Modification events

(PID) Process: (7004) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31132565

(PID) Process: (7004) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value:
Executable files: 36
Suspicious files: 6
Text files: 158
Unknown types: 14

Dropped files

PID | Process | Filename | Type
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\VCRUNTIME140_1.dll | executable
MD5: F8DFA78045620CF8A732E67D1B1EB53D
SHA256: A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_ctypes.pyd | executable
MD5: DFD13A29D4871D14AEB3EF6E0AAFAE71
SHA256: D74B1C5B0B14E2379AAD50CA5AF0B1CD5979FD2F065B1BEEE47514E6F11DEB2F
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_decimal.pyd | executable
MD5: 423186E586039FA189A65E843ACF87E0
SHA256: 302BD83BC48CA64CD9FE82465B5DB16724F171EE7E91F28AA60B9074E9F92A7A
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_cffi_backend.cp312-win_amd64.pyd | executable
MD5: 27004B1F01511FD6743EE5535DE8F570
SHA256: D2D3E9D9E5855A003E3D8C7502A9814191CF2B77B99BA67777AC170440DFDCCF
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_multiprocessing.pyd | executable
MD5: 7016551A054FE5E51B83E71242CB4662
SHA256: 5FB8194F04E0F05AB8EDE8A68F906984C7F6770F19A76C0FCA30DBBDAA069135
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_hashlib.pyd | executable
MD5: 2E27D0A121F60B37C72AC44B210E0F4F
SHA256: CEBC38091BD20B4E74BCB1F0B1920E2422EED044AA8D1FD4E1E3ADC55DCF3501
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_bz2.pyd | executable
MD5: C9F84CBFFF18BF88923802116A013AA0
SHA256: 5F33CD309AE6F049A4D8C2B6B2A8CD5ADE5E8886408ED2B81719E686B68B7D13
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_lzma.pyd | executable
MD5: 96E99C539E2CB0683B148DA367CE4389
SHA256: 72A7D452B3A164195B4A09B85A8E33AD4E6B658C10396B1A313E61DA8F814304
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_asyncio.pyd | executable
MD5: 07FB4D6D21CE007476A53655659F69AE
SHA256: D4D85776C7BAB9726D27B1FC5FB92AE7D38657CC18960F72ACDFB51276D7AC67
6616 | Exela.exe | C:\Users\admin\AppData\Local\Temp\_MEI66162\_overlapped.pyd | executable
MD5: A849BFCEF664851201326A739E1DBA41
SHA256: 7E23125519F4C79B0651A36DD7820E278C0B124395D7F1FB0BC7DCA78D14834B
HTTP(S) requests: 9
TCP/UDP connections: 25
DNS requests: 8
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3376 | Exela.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | - | - | shared
3376 | Exela.exe | POST | 200 | 45.112.123.227:443 | https://store1.gofile.io/uploadFile | unknown | binary | 439 b | unknown
3376 | Exela.exe | POST | 404 | 162.159.128.233:443 | https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L | unknown | binary | 45 b | unknown
3376 | Exela.exe | GET | 404 | 51.38.43.18:443 | https://api.gofile.io/getServer | unknown | text | 14 b | unknown
3376 | Exela.exe | POST | 404 | 162.159.136.232:443 | https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L | unknown | binary | 45 b | unknown
3376 | Exela.exe | POST | 404 | 162.159.138.232:443 | https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L | unknown | binary | 45 b | unknown
3376 | Exela.exe | POST | 404 | 162.159.136.232:443 | https://discord.com/api/webhooks/1286417780064915477/iSKqnXNsS38Mp3xmzImXOMuFotY4uZqvZoroyArxqZPb-kaPg4Fc2I3cBwbv2FCbCB7L | unknown | binary | 45 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 20.189.173.10:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3376 | Exela.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
3376 | Exela.exe | 162.159.137.232:443 | discord.com | CLOUDFLARENET | - | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
unknown
google.com
  • 142.250.185.142
unknown
www.microsoft.com
  • 184.30.21.171
unknown
ip-api.com
  • 208.95.112.1
unknown
discord.com
  • 162.159.137.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.136.232
  • 162.159.138.232
unknown
api.gofile.io
  • 51.38.43.18
  • 45.112.123.126
unknown
store1.gofile.io
  • 45.112.123.227
unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3376 | Exela.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2256 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3376 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
3376 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
3376 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2256 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
3376 | Exela.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2256 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
No debug info