File name:

Hellion.exe

Full analysis: https://app.any.run/tasks/68429134-d8b2-4cd8-9af0-fb29c30760d9
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: August 02, 2024, 20:55:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
pyinstaller
python
susp-powershell
growtopia
stealer
discordgrabber
generic
exela
discord
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

820C6965214ACD43B76E4E3284C0B20B

SHA1:

610720CB6B74A5607572FBE0D5C7DDFECDCBA425

SHA256:

F2F8D895BF14040BEA035EEE3949106730DF11D5EB525DD543E988B40483389F

SSDEEP:

98304:JEWp6QnevMMsbAdpb5UP10H3CWtD/lu8MBjxA6haSzv1nxeq57NoRGvHbKKKFkBH:sOFXTrHEVQazNKKLkeYpR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)
      • csc.exe (PID: 5400)

    • GROWTOPIA has been detected (YARA)

      • Hellion.exe (PID: 6440)

    • DISCORDGRABBER has been detected (YARA)

      • Hellion.exe (PID: 6440)

    • Create files in the Startup directory

      • Hellion.exe (PID: 6440)

    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 6360)
      • net.exe (PID: 2580)
      • net.exe (PID: 6488)
      • net.exe (PID: 2804)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 1644)
      • net.exe (PID: 6772)
      • cmd.exe (PID: 6360)

    • ExelaStealer has been detected

      • Hellion.exe (PID: 6440)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2680)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2400)

    • Actions looks like stealing of personal data

      • Hellion.exe (PID: 6440)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)

    • Process drops legitimate windows executable

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)

    • Application launched itself

      • Hellion.exe (PID: 6408)
      • cmd.exe (PID: 4644)
      • cmd.exe (PID: 4236)

    • Process drops python dynamic module

      • Hellion.exe (PID: 6408)

    • The process drops C-runtime libraries

      • Hellion.exe (PID: 6408)

    • Executable content was dropped or overwritten

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)
      • csc.exe (PID: 5400)

    • Checks for external IP

      • Hellion.exe (PID: 6440)
      • svchost.exe (PID: 2256)

    • Loads Python modules

      • Hellion.exe (PID: 6440)

    • Starts CMD.EXE for commands execution

      • Hellion.exe (PID: 6440)
      • cmd.exe (PID: 4644)
      • cmd.exe (PID: 4236)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 1688)
      • cmd.exe (PID: 232)
      • cmd.exe (PID: 4824)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7044)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7052)
      • cmd.exe (PID: 3136)

    • Get information on the list of running processes

      • Hellion.exe (PID: 6440)
      • cmd.exe (PID: 6340)
      • cmd.exe (PID: 2580)
      • cmd.exe (PID: 6788)
      • cmd.exe (PID: 2700)
      • cmd.exe (PID: 6360)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6192)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5980)
      • WMIC.exe (PID: 1964)
      • WMIC.exe (PID: 4924)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6404)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1452)
      • cmd.exe (PID: 2680)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6016)
      • cmd.exe (PID: 2388)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 6360)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6364)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 6360)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 6164)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 6360)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 6360)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 6360)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 6360)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6360)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6360)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 2680)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 2680)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2680)

  • INFO

    • Reads the computer name

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)

    • Checks supported languages

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)
      • chcp.com (PID: 7088)
      • chcp.com (PID: 7080)
      • csc.exe (PID: 5400)
      • cvtres.exe (PID: 7072)

    • Create files in a temporary directory

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)
      • csc.exe (PID: 5400)
      • cvtres.exe (PID: 7072)

    • Reads the machine GUID from the registry

      • Hellion.exe (PID: 6440)
      • csc.exe (PID: 5400)

    • Checks proxy server information

      • Hellion.exe (PID: 6440)

    • PyInstaller has been detected (YARA)

      • Hellion.exe (PID: 6408)
      • Hellion.exe (PID: 6440)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Hellion.exe (PID: 6440)

    • Checks operating system version

      • Hellion.exe (PID: 6440)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6336)
      • WMIC.exe (PID: 1640)
      • WMIC.exe (PID: 5980)
      • WMIC.exe (PID: 6192)
      • WMIC.exe (PID: 4192)
      • WMIC.exe (PID: 6848)
      • WMIC.exe (PID: 1964)
      • WMIC.exe (PID: 4924)

    • Creates files or folders in the user directory

      • Hellion.exe (PID: 6440)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5400)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 6916)

    • Reads the time zone

      • net1.exe (PID: 6752)
      • net1.exe (PID: 2064)

    • Attempting to use instant messaging service

      • Hellion.exe (PID: 6440)
      • svchost.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:31 17:53:05+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 168960
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0xc0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Edge
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
InternalName: Hellion.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Hellion.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.746
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
208
Monitored processes
89
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start THREAT hellion.exe THREAT hellion.exe svchost.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs mshta.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
232C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"C:\Windows\System32\cmd.exeHellion.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
360tasklist /svc C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1048\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1048C:\WINDOWS\system32\net1 user C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ucrtbase.dll
1104\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1164tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1168tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1452C:\WINDOWS\system32\cmd.exe /c "powershell.exe Get-Clipboard"C:\Windows\System32\cmd.exeHellion.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1488"C:\WINDOWS\system32\quser.exe"C:\Windows\System32\quser.exequery.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Query User Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\quser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\winsta.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32full.dll
Total events
32 234
Read events
32 223
Write events
11
Delete events
0

Modification events

(PID) Process:(5400) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5400) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5400) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5400) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6328) systeminfo.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\system32\mlang.dll,-4386
Value:
English (United States)
(PID) Process:(1640) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31122718
(PID) Process:(1640) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
Executable files
30
Suspicious files
20
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_asyncio.pydexecutable
MD5:686262283BA69CCE7F3EABA7CDEB0372
SHA256:02EC5CD22543C0CA298C598B7E13949A4E8247CEC288D0BCA0A1269059B548EF
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\attrs-23.2.0.dist-info\RECORDcsv
MD5:6C52AEDCEA3E17F16FECF785B40569BC
SHA256:18DF33CD1686D0A82CAF42C65F8070D8AF90D7B77452D7B3926AA69DDD0AD028
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_queue.pydexecutable
MD5:60DEC90862B996E56AEDAFB2774C3475
SHA256:9568EF8BAE36EDAE7347B6573407C312CE3B19BBD899713551A1819D6632DA46
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_lzma.pydexecutable
MD5:14EA9D8BA0C2379FB1A9F6F3E9BBD63B
SHA256:C414A5A418C41A7A8316687047ED816CAD576741BD09A268928E381A03E1EB39
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_cffi_backend.cp310-win_amd64.pydexecutable
MD5:EBB660902937073EC9695CE08900B13D
SHA256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_ctypes.pydexecutable
MD5:462FD515CA586048459B9D90A660CB93
SHA256:BF017767AC650420487CA3225B3077445D24260BF1A33E75F7361B0C6D3E96B4
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_overlapped.pydexecutable
MD5:A5BD529290006EF1EBC8D32FFE501CA5
SHA256:EEAA26ADDF211B37E689D46CFAC6B7FAD0D5421ADC4C0113872DAC1347AFF130
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_bz2.pydexecutable
MD5:56203038756826A0A683D5750EE04093
SHA256:31C2F21ADF27CA77FA746C0FDA9C7D7734587AB123B95F2310725AAF4BF4FF3C
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\_decimal.pydexecutable
MD5:709613D7D7BC30ABDAEE015C331664B6
SHA256:8600CAE4F34CC64C406198E19539D0D4F5A574FC60B32B8AA8F32FD64C981DA5
6408Hellion.exeC:\Users\admin\AppData\Local\Temp\_MEI64082\attrs-23.2.0.dist-info\licenses\LICENSEtext
MD5:5E55731824CF9205CFABEAB9A0600887
SHA256:882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
10
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
null:443
https://geolocation-db.com/json
unknown
6440
Hellion.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
shared
POST
204
162.159.128.233:443
https://discord.com/api/webhooks/1268262877433823253/fYRZXff3uNXplu1w0qmquUIqH4iLLr__Nrt8dUFEUacEn--Vmlh4CFS7H0dieQmDyi_a
unknown
GET
404
45.112.123.126:443
https://api.gofile.io/getServer
unknown
html
148 b
POST
200
162.159.136.232:443
https://discord.com/api/webhooks/1268262877433823253/fYRZXff3uNXplu1w0qmquUIqH4iLLr__Nrt8dUFEUacEn--Vmlh4CFS7H0dieQmDyi_a
unknown
binary
1.08 Kb
POST
204
162.159.128.233:443
https://discord.com/api/webhooks/1268262877433823253/fYRZXff3uNXplu1w0qmquUIqH4iLLr__Nrt8dUFEUacEn--Vmlh4CFS7H0dieQmDyi_a
unknown
POST
200
45.112.123.227:443
https://store1.gofile.io/uploadFile
unknown
binary
432 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4080
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4100
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
6440
Hellion.exe
159.89.102.253:443
geolocation-db.com
DIGITALOCEAN-ASN
DE
unknown
4080
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6440
Hellion.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.238
whitelisted
geolocation-db.com
  • 159.89.102.253
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.138.232
  • 162.159.137.232
  • 162.159.135.232
whitelisted
api.gofile.io
  • 51.91.7.6
  • 45.112.123.126
whitelisted
store1.gofile.io
  • 45.112.123.227
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
6440
Hellion.exe
Misc activity
ET INFO External IP Lookup Domain (geolocation-db .com) in TLS SNI
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6440
Hellion.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6440
Hellion.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
6440
Hellion.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2256
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Hellion.exe