File name:

Exela.exe

Full analysis: https://app.any.run/tasks/56f465c9-9f55-40d5-8255-dcc895084eb5
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer written in Python and distributed as a PyInstaller-packed executable. It collects a wide range of sensitive data from compromised systems and exfiltrates it to the operator through a Discord webhook. It is commonly used to steal browser data and to grab session files from a range of applications, including gaming platforms, social networks and messaging apps.

Analysis date: November 18, 2024, 22:20:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
exela
stealer
discord
arch-doc
pyinstaller
susp-powershell
ims-api
generic
discordgrabber
growtopia
upx
rust
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

6258157BFF96CAF2B7BCB50E809DD571

SHA1:

E39F2842E37A6A9A6107484BF99BE4C057D99100

SHA256:

7DDAA908394489B78F31BE5F297290709B0FAE604686C6E8EBC81A631D5BD1A0

SSDEEP:

196608:aqcweCZrHomyF44aGzAdqRsg7PvyILScc:aqcoZrkF44aGzYqRTrz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 6328)
    • Steals credentials from Web Browsers

      • Exela.exe (PID: 5980)
    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 4684)
      • cmd.exe (PID: 5624)
      • net.exe (PID: 5700)
      • net.exe (PID: 6244)
    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 5624)
      • net.exe (PID: 4548)
      • net.exe (PID: 6768)
    • ExelaStealer has been detected

      • Exela.exe (PID: 5980)
    • GROWTOPIA has been detected (YARA)

      • Exela.exe (PID: 5980)
    • DISCORDGRABBER has been detected (YARA)

      • Exela.exe (PID: 5980)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6304)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3864)
    • Actions look like stealing of personal data

      • Exela.exe (PID: 5980)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Exela.exe (PID: 4164)
    • Starts a Microsoft application from unusual location

      • Exela.exe (PID: 4164)
      • Exela.exe (PID: 5980)
    • Process drops legitimate windows executable

      • Exela.exe (PID: 4164)
      • Exela.exe (PID: 5980)
    • Application launched itself

      • Exela.exe (PID: 4164)
      • cmd.exe (PID: 2464)
      • cmd.exe (PID: 864)
    • Process drops python dynamic module

      • Exela.exe (PID: 4164)
    • Executable content was dropped or overwritten

      • Exela.exe (PID: 4164)
      • Exela.exe (PID: 5980)
      • csc.exe (PID: 5564)
    • Get information on the list of running processes

      • Exela.exe (PID: 5980)
      • cmd.exe (PID: 2376)
      • cmd.exe (PID: 4548)
      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 5624)
    • Loads Python modules

      • Exela.exe (PID: 5980)
    • Starts CMD.EXE for commands execution

      • Exela.exe (PID: 5980)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 2464)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 5604)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 3972)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4304)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6128)
    • Starts application with an unusual extension

      • cmd.exe (PID: 944)
      • cmd.exe (PID: 6252)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4128)
      • cmd.exe (PID: 3864)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 5624)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6760)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 5624)
    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 6268)
    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 5624)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 5624)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 5624)
    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 5624)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3864)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5624)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 5624)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Exela.exe (PID: 5980)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3864)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3864)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5564)
    • Checks for external IP

      • Exela.exe (PID: 5980)
      • svchost.exe (PID: 2172)
  • INFO

    • Checks supported languages

      • Exela.exe (PID: 4164)
      • Exela.exe (PID: 5980)
    • Reads the computer name

      • Exela.exe (PID: 4164)
      • Exela.exe (PID: 5980)
    • Create files in a temporary directory

      • Exela.exe (PID: 5980)
      • Exela.exe (PID: 4164)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 3972)
    • Creates files or folders in the user directory

      • Exela.exe (PID: 5980)
    • Changes the display of characters in the console

      • cmd.exe (PID: 944)
      • cmd.exe (PID: 6252)
    • Checks operating system version

      • Exela.exe (PID: 5980)
    • PyInstaller has been detected (YARA)

      • Exela.exe (PID: 4164)
      • Exela.exe (PID: 5980)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 3864)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Exela.exe (PID: 5980)
    • UPX packer has been detected

      • Exela.exe (PID: 5980)
    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 1008)
    • Manual execution by a user

      • notepad.exe (PID: 1748)
      • notepad.exe (PID: 7040)
      • notepad.exe (PID: 6680)
      • notepad.exe (PID: 1372)
      • notepad.exe (PID: 4828)
      • notepad.exe (PID: 6332)
      • rundll32.exe (PID: 5940)
    • Attempting to use instant messaging service

      • Exela.exe (PID: 5980)
      • svchost.exe (PID: 2172)
    • Application based on Rust

      • Exela.exe (PID: 5980)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
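Two of the behaviours listed above are the ones a detection engineer would want to catch generically rather than by hash: the burst of host and network discovery commands spawned by one cmd.exe (PID 5624: systeminfo, net, quser, wmic, ipconfig, route, arp, netstat, sc, netsh) and the Run-key write that points at a copy of the stealer under AppData (reg.exe, PID 6328, see the registry events below). The Python that follows is an added example, not ANY.RUN's or Exela's code. It runs both rules over constructed process-creation and registry events modelled on this report: cmd.exe 5624 is taken from the report, the child PIDs, timestamps, the ppid-4000 control case and the OneDrive entry are invented, and the small suffix allow-list stands in for a real Authenticode or allow-list lookup.

```python
"""Added example: discovery-burst and Run-key detections over constructed telemetry
modelled on this report (cmd.exe 5624 is the report's recon shell; everything else
in SAMPLE_PROCS / SAMPLE_REG is invented for illustration)."""
from collections import defaultdict
from dataclasses import dataclass

DISCOVERY_TOOLS = {
    "systeminfo.exe", "hostname.exe", "net.exe", "net1.exe", "quser.exe", "query.exe",
    "wmic.exe", "tasklist.exe", "ipconfig.exe", "route.exe", "arp.exe", "netstat.exe",
    "sc.exe", "netsh.exe",
}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
# Stand-in for a real allow-list / signature check: OneDrive legitimately runs from %LOCALAPPDATA%.
KNOWN_GOOD_SUFFIXES = ("\\microsoft\\onedrive\\onedrive.exe",)


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since the start of the trace
    pid: int
    ppid: int
    image: str     # image file name as the sensor logs it
    cmdline: str


def discovery_bursts(events, min_tools=5, window=60.0):
    """Return {ppid: sorted tool names} for every parent that launched at least
    `min_tools` distinct discovery tools inside some `window`-second span."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev.image.lower() in DISCOVERY_TOOLS:
            by_parent[ev.ppid].append(ev)
    hits = {}
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda e: e.ts)
        for i, first in enumerate(kids):          # slide the window over each start point
            tools = {k.image.lower() for k in kids[i:] if k.ts - first.ts <= window}
            if len(tools) >= min_tools:
                hits[ppid] = sorted(tools)
                break
    return hits


def _target_path(data):
    """Executable path from a Run value: honour a quoted path, else the first token."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)].lower()
    return d.split(" ")[0].lower()


def suspicious_run_values(reg_events):
    """reg_events: iterable of (key, value_name, data). Flag Run/RunOnce values whose
    executable lives in a user-writable location and is not on the allow-list."""
    hits = []
    for key, name, data in reg_events:
        k = key.lower()
        if not (k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce")):
            continue
        path = _target_path(data)
        if any(seg in path for seg in USER_WRITABLE) and not path.endswith(KNOWN_GOOD_SUFFIXES):
            hits.append((name, data))
    return hits


# Constructed telemetry. Only the parent PID 5624 and the command names come from the report.
SAMPLE_PROCS = [
    ProcEvent(0.0, 5624, 5980, "cmd.exe", "cmd.exe /c systeminfo & hostname & net user & ..."),
    ProcEvent(0.4, 7001, 5624, "systeminfo.exe", "systeminfo"),
    ProcEvent(1.1, 7002, 5624, "hostname.exe", "hostname"),
    ProcEvent(1.5, 7003, 5624, "wmic.exe", "wmic startup get caption,command"),
    ProcEvent(2.0, 7004, 5624, "net.exe", "net user administrator"),
    ProcEvent(2.3, 7005, 5624, "quser.exe", "quser"),
    ProcEvent(3.0, 7006, 5624, "ipconfig.exe", "ipconfig /all"),
    ProcEvent(3.2, 7007, 5624, "route.exe", "route print"),
    ProcEvent(3.5, 7008, 5624, "arp.exe", "arp -a"),
    ProcEvent(3.9, 7009, 5624, "netsh.exe", "netsh wlan show profiles"),
    ProcEvent(9.0, 7010, 4000, "ipconfig.exe", "ipconfig"),   # a lone admin command: must not fire
]
SAMPLE_REG = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Exela Update Service",
     r"C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    print(discovery_bursts(SAMPLE_PROCS))       # {5624: ['arp.exe', 'hostname.exe', ...]}
    print(suspicious_run_values(SAMPLE_REG))    # [('Exela Update Service', 'C:\\Users\\admin\\...')]
```

The burst rule keys on distinct tool images rather than on a count of commands, so a script that runs `net user` five times does not trip it, while a single cmd.exe that fans out to nine different discovery tools in a few seconds does. The Run-key rule needs the quoted-path handling: without it the OneDrive value would be flagged as a false positive because its data ends in `/background`, not in the executable name.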

ims-api

(PID) Process: (5980) Exela.exe
Discord-Webhook-Tokens (1): 1308193050845118544/z3VBsw-AoHtB9C6LsSIuSAUz7kU5KMLfDuaAuw5I931vf4-3TIMBN9FH1jQn2iDXeomD
Discord-Info-Links:
Get Webhook Info: https://discord.com/api/webhooks/1308193050845118544/z3VBsw-AoHtB9C6LsSIuSAUz7kU5KMLfDuaAuw5I931vf4-3TIMBN9FH1jQn2iDXeomD
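The webhook above is the sample's exfiltration channel, and the webhook ID is a Discord snowflake, so it also dates the webhook: the high 42 bits are milliseconds since Discord's epoch (2015-01-01T00:00:00Z). The Python below is an added example, not code from the report or from the malware. It pulls webhook URLs out of a strings dump, de-duplicates them, decodes the creation time from the ID and forms the info and revoke endpoints an analyst would call next. The strings dump is constructed and embeds the webhook recovered in this report; the URL pattern and the epoch are Discord's documented formats.

```python
"""Added example: Discord webhook triage. The SAMPLE_DUMP is constructed; the webhook
in it is the one this report's ims-api section recovered from Exela.exe (PID 5980)."""
import re
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,80})"
)


def extract_webhooks(blob: str):
    """Return de-duplicated (webhook_id, token) pairs in order of first appearance."""
    seen, out = set(), []
    for wid, token in WEBHOOK_RE.findall(blob):
        pair = (int(wid), token)
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time encoded in any Discord snowflake (webhook, channel, user, message).
    timedelta keeps the millisecond exact; going through a float timestamp would not."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def webhook_endpoints(wid: int, token: str):
    """GET returns the webhook's name, channel and guild IDs; DELETE revokes it.
    Both are authorised by the token alone, so the sample's own token is enough."""
    url = f"https://discord.com/api/webhooks/{wid}/{token}"
    return {"info": ("GET", url), "revoke": ("DELETE", url)}


# Constructed strings dump: NUL-separated, with a non-webhook Discord URL and a duplicate.
SAMPLE_DUMP = (
    "requests.post\x00"
    "https://discord.com/api/webhooks/1308193050845118544/"
    "z3VBsw-AoHtB9C6LsSIuSAUz7kU5KMLfDuaAuw5I931vf4-3TIMBN9FH1jQn2iDXeomD\x00"
    "https://discord.com/api/v9/users/@me\x00"
    "https://discord.com/api/webhooks/1308193050845118544/"
    "z3VBsw-AoHtB9C6LsSIuSAUz7kU5KMLfDuaAuw5I931vf4-3TIMBN9FH1jQn2iDXeomD\x00"
)

if __name__ == "__main__":
    for wid, token in extract_webhooks(SAMPLE_DUMP):
        print(wid, snowflake_created_at(wid).isoformat(), webhook_endpoints(wid, token)["revoke"][1])
```

For this sample the decoded creation time is 2024-11-18 22:12:08 UTC, two minutes before the PE timestamp in the EXIF block (22:14:09) and eight minutes before the analysis started, which is consistent with a builder that creates the webhook and then compiles the stub. Note that a stealer may assemble the URL at runtime or obfuscate it, in which case the regex must be run over a memory dump or decrypted strings rather than the file on disk.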
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:18 22:14:09+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Exela Services
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Exela.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Exela.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
All screenshots are available in the full report
Total processes
193
Monitored processes
80
Malicious processes
3
Suspicious processes
2

Behavior graph

Process nodes, in launch order ("no specs" marks a process with no signatures attached):

start, exela.exe #EXELASTEALER, exela.exe, cmd.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), attrib.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), reg.exe, cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), tasklist.exe (no specs), chcp.com (no specs), chcp.com (no specs), powershell.exe (no specs), svchost.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), systeminfo.exe (no specs), netsh.exe (no specs), tiworker.exe (no specs), hostname.exe (no specs), wmic.exe (no specs), net.exe (no specs), net1.exe (no specs), query.exe (no specs), quser.exe (no specs), net.exe (no specs), net1.exe (no specs), net.exe (no specs), net1.exe (no specs), net.exe (no specs), net1.exe (no specs), net.exe (no specs), net1.exe (no specs), wmic.exe (no specs), tasklist.exe (no specs), ipconfig.exe (no specs), route.exe (no specs), arp.exe (no specs), netstat.exe (no specs), sc.exe (no specs), netsh.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), csc.exe, cvtres.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), rundll32.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: wmic startup get caption,command
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 612
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 824
CMD: tasklist /FO LIST
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 864
CMD: C:\WINDOWS\system32\cmd.exe /c "cmd.exe /c chcp"
Path: C:\Windows\System32\cmd.exe
Parent process: Exela.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 944
CMD: cmd.exe /c chcp
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1008
CMD: route print
Path: C:\Windows\System32\ROUTE.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\route.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID: 1112
CMD: C:\WINDOWS\system32\net1 user administrator
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
PID: 1176
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1176
CMD: C:\WINDOWS\system32\net1 localgroup
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
Total events
25 460
Read events
25 452
Write events
8
Delete events
0

Modification events

(PID) Process: (6328) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Exela Update Service
Value: C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe

(PID) Process: (4312) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31144456

(PID) Process: (4312) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value: 751109527

(PID) Process: (5940) rundll32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
Operation: write
Name: pngfile
Value: (empty)

(PID) Process: (5940) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-1693682860-607145093-2874071422-1001-MergedResources-0.pri\1d8b7afeb5c569c\55e3c056
Operation: write
Name: @{microsoft.screensketch_10.1907.2471.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.screensketch/files/assets/screensketchsquare44x44logo.png}
Value: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png
Executable files
76
Suspicious files
19
Text files
142
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_bz2.pyd (executable)
MD5: 76DDA2F9E6796B85D4C80B7A49585BD0
SHA256: 1DDC1386F8BEC84B4C7D17E75A84FD2B7ABEF20BD3D5CDC648B3884252E78CA3

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_cffi_backend.cp313-win_amd64.pyd (executable)
MD5: FEB838919A9CBC39FA2F7E47B2CF2FA0
SHA256: 85508735F87AB59AF7343101B96337A12D51D6E54227ABC3FC139156565C5D8B

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_asyncio.pyd (executable)
MD5: FE4F2E32ED0EA1EF93188939ED5B9564
SHA256: 7319CA620123E4664D6A6AFF95EBB43A7A5B0B3CC0DF0ACB665BE1330ED1D6ED

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_ctypes.pyd (executable)
MD5: 83F2A420D3A54DC73DC553FAEAD3BBD4
SHA256: B50B87720095FE7ED8DFAD73F7A6A0BBEB408A24B561A2CFD7E3B333F87BED90

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_decimal.pyd (executable)
MD5: 2BBE0345BBA0CEB1DFEAD3BD326E32F7
SHA256: 79E9CF484191193A12126625BF8F8A929C51DE8C0DD743F52EAB49F86B313818

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_lzma.pyd (executable)
MD5: 4C91D0D2BD873740D3B835CD29BA4806
SHA256: 95578954B3282A5ED9C2DB1E214CF3B4459AFD955EABC898A896344B02908ABA

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_overlapped.pyd (executable)
MD5: FF936AD394F51E00CFA20B497820DC24
SHA256: C7A497D8BB056B55B7E8882C34E250AFE3E3BF76F8691D6A90B3F24361FF672D

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_queue.pyd (executable)
MD5: C7FDADCA43547314C311FD077520000E
SHA256: 6A984BA75337E4487A97646227A14A559EB752E76C831FF413165B5938B6FC69

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_socket.pyd (executable)
MD5: 574C2FEE96EFA2D63952A6042EE3272F
SHA256: 66A745D27D7FDBE039F3BA2B82273EDDCDCB8613CD17588682153FAFD4B93384

PID 4164, Exela.exe: C:\Users\admin\AppData\Local\Temp\_MEI41642\_sqlite3.pyd (executable)
MD5: D8A9C98FAE2B577C8CB4246E9875DE10
SHA256: CCF4C7A8EFCE2A995A91548EFC894859922BE003AE1C2A00C75123C3453C711B
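The _MEI41642 directory above (the pid of the first Exela.exe, 4164, is in the name) is where the PyInstaller bootloader unpacked the CArchive appended to the stub, and the .cp313 suffix on _cffi_backend fixes the bundled interpreter at Python 3.13. Listing that archive's table of contents is the first step toward the stealer's Python source, since the type-'s' entries are the top-level scripts. The Python below is an added example, not PyInstaller's, pyinstxtractor's or the report's code: it builds a minimal CArchive in memory with constructed entry names (stealer_main, PYZ-00.pyz and a stand-in _bz2.pyd are illustrative, not this sample's real entries) and parses it back using the PyInstaller 2.1+ layout, an 88-byte trailing cookie and a TOC of 18-byte entry headers followed by NUL-padded names.

```python
"""Added example: build and parse a PyInstaller-style CArchive. The layout is the
PyInstaller 2.1+ format; the entry names and payloads are constructed for the demo."""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)     # 88
ENTRY_FMT = "!iIIIBc"       # entry length, data offset, compressed len, uncompressed len, compressed flag, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)       # 18
TYPE_NAMES = {b"s": "script", b"z": "PYZ", b"b": "binary", b"x": "data", b"o": "option", b"M": "module"}


def build_carchive(files, pyver=313, pylib=b"python313.dll"):
    """files: [(name, typecode, payload)] -> bytes laid out as [blobs][TOC][cookie]."""
    data, toc = b"", b""
    for name, typecode, payload in files:
        comp = zlib.compress(payload)
        nm = name.encode() + b"\0"
        nm += b"\0" * (-(ENTRY_SIZE + len(nm)) % 16)        # PyInstaller pads each entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(nm), len(data), len(comp), len(payload), 1, typecode) + nm
        data += comp
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib.ljust(64, b"\0"))
    return data + toc + cookie


def parse_carchive(blob):
    """Find the cookie from the end, derive the archive base even when bytes trail the
    cookie (signature or extra overlay), then walk the TOC and inflate each entry."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    tail = len(blob) - cookie_pos - COOKIE_SIZE
    base = len(blob) - (pkg_len + tail)                   # where the archive starts inside the EXE
    entries, pos, end = [], base + toc_off, base + toc_off + toc_len
    while pos < end:
        entry_len, off, clen, ulen, is_comp, typecode = struct.unpack(ENTRY_FMT, blob[pos:pos + ENTRY_SIZE])
        name = blob[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\0").decode()
        raw = blob[base + off:base + off + clen]
        entries.append({"name": name, "type": TYPE_NAMES.get(typecode, typecode.decode()),
                        "size": ulen, "data": zlib.decompress(raw) if is_comp else raw})
        pos += entry_len
    return {"python": pyver, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def entry_scripts(parsed):
    """Type 's' entries are the bundled top-level scripts: the place to start decompiling."""
    return [e["name"] for e in parsed["entries"] if e["type"] == "script"]


# Constructed sample: a 64-byte 'MZ' stub standing in for the bootloader, the archive,
# then 8 trailing bytes to exercise the tail handling. Names are invented.
SAMPLE_FILES = [
    ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\x00" * 40),
    ("stealer_main", b"s", b"import os, sqlite3\nprint('hello')\n"),
    ("_bz2.pyd", b"b", b"MZ" + b"\x90" * 30),
]
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + build_carchive(SAMPLE_FILES) + b"\x00" * 8

if __name__ == "__main__":
    parsed = parse_carchive(SAMPLE_EXE)
    print(parsed["python"], parsed["pylib"], entry_scripts(parsed))
    for e in parsed["entries"]:
        print(f"{e['type']:7} {e['size']:6} {e['name']}")
```

Against a real sample the same parser is pointed at the EXE bytes; the recovered script entries are marshalled code objects without the `.pyc` header, so the next step is to prepend the header for the bundled Python version (3.13 here, from the .cp313 module names) before handing them to a decompiler. The UPX detection on the second Exela.exe means the inner stage must be unpacked first, otherwise the cookie search finds nothing.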
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
27
DNS requests
8
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944 | svchost.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(PID/process not recorded) | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5980 | Exela.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | shared
(PID/process not recorded) | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4 | System | 192.168.100.255:137 | whitelisted
(PID/process not recorded) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID/process not recorded) | 51.124.78.146:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
6944 | svchost.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
(PID/process not recorded) | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(PID/process not recorded) | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.128.233
  • 162.159.135.232
whitelisted
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

PID
Process
Class
Message
2172 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2172 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
5980 | Exela.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2172 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5980 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
5980 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
5980 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
5980 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
5980 | Exela.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info