File name:

WEEB6_SystemUpdate.exe

Full analysis: https://app.any.run/tasks/b57e1026-7717-414c-a46d-237f747f25da
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 02:28:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
evasion
discord
stealer
exela
screenshot
github
growtopia
ims-api
generic
susp-powershell
discordgrabber
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5:

812FB887E9DBA4A5484FEF3E0AFFE368

SHA1:

A96A4132B8F03810D0C3862FA90108DA8CC0BCE6

SHA256:

5D99F5BF54C9D7728BBFD50F75B462D453130FFF7DF37A039CB8CFD490B2E397

SSDEEP:

393216:U2F5/YFLta9ZlbOaiTerOSQBq0vOe9fxfffoSQ/:UMQpavlSTRT9fJffoT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TROX has been detected

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Hellion.exe (PID: 6228)

    • Create files in the Startup directory

      • Stub.exe (PID: 7864)

    • ExelaStealer has been detected

      • Stub.exe (PID: 7864)

    • Actions looks like stealing of personal data

      • Stub.exe (PID: 7864)

    • Steals credentials from Web Browsers

      • Stub.exe (PID: 7864)

    • GROWTOPIA has been detected (YARA)

      • Stub.exe (PID: 7864)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 8048)
      • cmd.exe (PID: 1676)
      • net.exe (PID: 1052)
      • net.exe (PID: 1228)

    • DISCORDGRABBER has been detected (YARA)

      • Stub.exe (PID: 7864)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 5956)
      • cmd.exe (PID: 1676)
      • net.exe (PID: 7472)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7684)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7520)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Hellion.exe (PID: 6228)
      • csc.exe (PID: 2616)

    • Process drops python dynamic module

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Hellion.exe (PID: 6228)

    • Process drops legitimate windows executable

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Hellion.exe (PID: 6228)

    • The process drops C-runtime libraries

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Hellion.exe (PID: 6228)

    • Loads Python modules

      • Stub.exe (PID: 7864)
      • Stub.exe (PID: 864)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Stub.exe (PID: 7864)

    • Get information on the list of running processes

      • Stub.exe (PID: 7864)
      • cmd.exe (PID: 8056)
      • cmd.exe (PID: 2108)
      • cmd.exe (PID: 7180)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1676)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 8008)

    • Starts CMD.EXE for commands execution

      • Stub.exe (PID: 7864)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 6068)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7324)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6372)
      • cmd.exe (PID: 7660)
      • cmd.exe (PID: 7900)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7312)
      • cmd.exe (PID: 8016)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5204)
      • WMIC.exe (PID: 7788)
      • WMIC.exe (PID: 7896)

    • Application launched itself

      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 6068)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7500)
      • cmd.exe (PID: 7684)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 4920)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6436)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1676)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2088)

    • Multiple wallet extension IDs have been found

      • Stub.exe (PID: 7864)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 1676)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 7476)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Stub.exe (PID: 7864)

    • Reads security settings of Internet Explorer

      • Hellion.exe (PID: 6228)
      • WEEB6_SystemUpdate.exe (PID: 7844)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 1676)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 1676)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 1676)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 1676)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1676)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7684)

    • Windows service management via SC.EXE

      • sc.exe (PID: 7284)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 1676)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2616)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7684)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7684)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7520)

  • INFO

    • Create files in a temporary directory

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Stub.exe (PID: 7864)
      • Hellion.exe (PID: 6228)
      • csc.exe (PID: 2616)
      • cvtres.exe (PID: 664)

    • Checks supported languages

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Stub.exe (PID: 7864)
      • chcp.com (PID: 7772)
      • chcp.com (PID: 7792)
      • Hellion.exe (PID: 6228)
      • Stub.exe (PID: 864)
      • csc.exe (PID: 2616)
      • cvtres.exe (PID: 664)

    • Reads the machine GUID from the registry

      • Stub.exe (PID: 7864)
      • Stub.exe (PID: 864)
      • csc.exe (PID: 2616)

    • Checks proxy server information

      • Stub.exe (PID: 7864)
      • slui.exe (PID: 7436)

    • The sample compiled with english language support

      • WEEB6_SystemUpdate.exe (PID: 7844)
      • Hellion.exe (PID: 6228)

    • Reads the computer name

      • Stub.exe (PID: 7864)
      • Hellion.exe (PID: 6228)
      • WEEB6_SystemUpdate.exe (PID: 7844)

    • Checks operating system version

      • Stub.exe (PID: 7864)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7332)
      • WMIC.exe (PID: 7324)
      • WMIC.exe (PID: 5048)
      • WMIC.exe (PID: 5204)
      • WMIC.exe (PID: 7332)
      • WMIC.exe (PID: 4272)
      • WMIC.exe (PID: 7788)
      • WMIC.exe (PID: 7896)

    • Creates files or folders in the user directory

      • Stub.exe (PID: 7864)

    • Autorun file from Startup directory

      • Stub.exe (PID: 7864)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2340)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 5548)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 4920)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Stub.exe (PID: 7864)

    • Manual execution by a user

      • Hellion.exe (PID: 6228)

    • Reads the time zone

      • net1.exe (PID: 5864)
      • net1.exe (PID: 6388)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 5116)

    • Application based on Rust

      • Stub.exe (PID: 7864)

    • Reads the software policy settings

      • slui.exe (PID: 7436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(7864) Stub.exe
Discord-Webhook-Tokens (1)1298586615320543243/VX51eyP8SGKQmHPpvz997KjtFumP9Gs9Na-0Fqci3i4_-t-FuRYtn5sqtZRqqdUVusVS
Discord-Info-Links
1298586615320543243/VX51eyP8SGKQmHPpvz997KjtFumP9Gs9Na-0Fqci3i4_-t-FuRYtn5sqtZRqqdUVusVS
Get Webhook Infohttps://discord.com/api/webhooks/1298586615320543243/VX51eyP8SGKQmHPpvz997KjtFumP9Gs9Na-0Fqci3i4_-t-FuRYtn5sqtZRqqdUVusVS
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:23 10:04:47+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.41
CodeSize: 111104
InitializedDataSize: 40387584
UninitializedDataSize: 146944
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
211
Monitored processes
92
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #TROX weeb6_systemupdate.exe #GROWTOPIA stub.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs wmic.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs mshta.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs #TROX hellion.exe tiworker.exe no specs stub.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
664tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3209.tmp" "c:\Users\admin\AppData\Local\Temp\CSC611227B37D6F4D2883C2558D5541202F.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
864"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hellion.exe"C:\Users\admin\AppData\Local\Temp\onefile_6228_133873433679307961\Stub.exeHellion.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\onefile_6228_133873433679307961\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
1052net user guest C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1228net user administrator C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660tasklist /svc C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1676C:\WINDOWS\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"C:\Windows\System32\cmd.exeStub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2088C:\WINDOWS\system32\cmd.exe /c "attrib +h +s "C:\Users\admin\AppData\Local\HellionUpdate\Hellion.exe""C:\Windows\System32\cmd.exeStub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
31 970
Read events
31 965
Write events
5
Delete events
0

Modification events

(PID) Process:(7380) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31169837
(PID) Process:(7380) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
(PID) Process:(2340) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2340) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2340) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
57
Suspicious files
19
Text files
28
Unknown types
0

Dropped files

PID
Process
Filename
Type
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\Stub.exe
MD5:
SHA256:
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_bz2.pydexecutable
MD5:56203038756826A0A683D5750EE04093
SHA256:31C2F21ADF27CA77FA746C0FDA9C7D7734587AB123B95F2310725AAF4BF4FF3C
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_multiprocessing.pydexecutable
MD5:B3C8414BBCAE9BCC3377A4DF72A4AED7
SHA256:65413D49D81E5B939226A211FD40C9B7C6D61366651639446273988930F4A6FD
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_ctypes.pydexecutable
MD5:462FD515CA586048459B9D90A660CB93
SHA256:BF017767AC650420487CA3225B3077445D24260BF1A33E75F7361B0C6D3E96B4
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_cffi_backend.pydexecutable
MD5:2BAAA98B744915339AE6C016B17C3763
SHA256:4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_lzma.pydexecutable
MD5:14EA9D8BA0C2379FB1A9F6F3E9BBD63B
SHA256:C414A5A418C41A7A8316687047ED816CAD576741BD09A268928E381A03E1EB39
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_queue.pydexecutable
MD5:60DEC90862B996E56AEDAFB2774C3475
SHA256:9568EF8BAE36EDAE7347B6573407C312CE3B19BBD899713551A1819D6632DA46
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_decimal.pydexecutable
MD5:709613D7D7BC30ABDAEE015C331664B6
SHA256:8600CAE4F34CC64C406198E19539D0D4F5A574FC60B32B8AA8F32FD64C981DA5
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\_hashlib.pydexecutable
MD5:7A74284813386818ADA7BF55C8D8ACF9
SHA256:21A1819013DE423BB3B9B682D0B3506C6EF57EE88C61EDF4BA12D8D5F589C9C2
7844WEEB6_SystemUpdate.exeC:\Users\admin\AppData\Local\Temp\onefile_7844_133873433562276466\libcrypto-1_1.dllexecutable
MD5:80B72C24C74D59AE32BA2B0EA5E7DAD2
SHA256:EB975C94E5F4292EDD9A8207E356FE4EA0C66E802C1E9305323D37185F85AD6D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
32
DNS requests
12
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7864
Stub.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
GET
200
34.117.59.81:443
https://ipinfo.io/json
unknown
binary
270 b
whitelisted
POST
204
162.159.128.233:443
https://discord.com/api/webhooks/1298586615320543243/VX51eyP8SGKQmHPpvz997KjtFumP9Gs9Na-0Fqci3i4_-t-FuRYtn5sqtZRqqdUVusVS
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
200
45.112.123.227:443
https://store1.gofile.io/uploadFile
unknown
binary
432 b
whitelisted
GET
404
51.91.7.6:443
https://api.gofile.io/getServer
unknown
text
14 b
whitelisted
POST
204
162.159.137.232:443
https://discord.com/api/webhooks/1298586615320543243/VX51eyP8SGKQmHPpvz997KjtFumP9Gs9Na-0Fqci3i4_-t-FuRYtn5sqtZRqqdUVusVS
unknown
whitelisted
GET
200
140.82.121.3:443
https://raw.githubusercontent.com/justforExela/injection/main/injection.js
unknown
binary
28.6 Kb
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7864
Stub.exe
34.117.59.81:443
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
whitelisted
7864
Stub.exe
162.159.128.233:443
discord.com
CLOUDFLARENET
whitelisted
7864
Stub.exe
162.159.135.232:443
discord.com
CLOUDFLARENET
whitelisted
7864
Stub.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
7864
Stub.exe
185.199.109.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
discord.com
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.137.232
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
api.gofile.io
  • 51.91.7.6
  • 45.112.123.126
whitelisted
store1.gofile.io
  • 45.112.123.227
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7864
Stub.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
Attempted Information Leak
ET INFO Python-urllib/ Suspicious User Agent
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ipinfo.io
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7864
Stub.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7864
Stub.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
Misc activity
ET HUNTING Discord WebHook Activity M1 (Contains Key, content)
7864
Stub.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WEEB6_SystemUpdate.exe