Malware analysis Exela-V2.0-main.zip Malicious activity

Add for printing

File name:	Exela-V2.0-main.zip
Full analysis:	https://app.any.run/tasks/3ccaaf5c-76a6-4833-82cf-26af23f4877c
Verdict:	Malicious activity
Analysis date:	July 27, 2024, 08:47:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	1284123A329839E8C0F2DB4687AB0DE4
SHA1:	F02E5610C7038857D1BE6DFB2CA85DAEB7A90F79
SHA256:	F918A13DC2C83DF5DA9E9243A4F39420A40314C39982AF4B4D402001E0968E39
SSDEEP:	24576:+/Vo9kvYZ630mAga5KCEGmk+gZk3D2z0KBBLBqoQ7:+/C9kvYZ630mAga5KCEGmk+gZ2D2z0KW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 2072)
  - python-3.12.4-amd64.exe (PID: 6940)
  - python-3.12.4-amd64.exe (PID: 4656)
  - python-3.12.4-amd64.exe (PID: 2616)
  - msiexec.exe (PID: 6624)
- Changes the autorun value in the registry
  - python-3.12.4-amd64.exe (PID: 4656)
SUSPICIOUS
- Executable content was dropped or overwritten
  - python-3.12.4-amd64.exe (PID: 6940)
  - python-3.12.4-amd64.exe (PID: 4656)
  - python-3.12.4-amd64.exe (PID: 2616)
- The process drops C-runtime libraries
  - python-3.12.4-amd64.exe (PID: 4656)
  - msiexec.exe (PID: 6624)
- Starts itself from another location
  - python-3.12.4-amd64.exe (PID: 4656)
- Searches for installed software
  - dllhost.exe (PID: 636)
  - python-3.12.4-amd64.exe (PID: 2616)
  - python-3.12.4-amd64.exe (PID: 4656)
- Executes as Windows Service
  - VSSVC.exe (PID: 6544)
- Creates a software uninstall entry
  - python-3.12.4-amd64.exe (PID: 4656)
- Process drops legitimate windows executable
  - python-3.12.4-amd64.exe (PID: 4656)
  - msiexec.exe (PID: 6624)
- Reads security settings of Internet Explorer
  - python-3.12.4-amd64.exe (PID: 4656)
- Reads the date of Windows installation
  - python-3.12.4-amd64.exe (PID: 4656)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 6624)
- Process drops python dynamic module
  - msiexec.exe (PID: 6624)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6624)
INFO
- Manual execution by a user
  - notepad.exe (PID: 5864)
  - notepad.exe (PID: 4192)
  - cmd.exe (PID: 7052)
  - cmd.exe (PID: 2884)
  - firefox.exe (PID: 3980)
  - cmd.exe (PID: 2132)
  - firefox.exe (PID: 5868)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2072)
  - firefox.exe (PID: 5732)
  - msiexec.exe (PID: 6624)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 5864)
  - notepad.exe (PID: 4192)
- Checks proxy server information
  - slui.exe (PID: 6364)
- Reads the software policy settings
  - slui.exe (PID: 6364)
  - msiexec.exe (PID: 6624)
- Application launched itself
  - firefox.exe (PID: 3980)
  - firefox.exe (PID: 6164)
  - firefox.exe (PID: 5868)
  - firefox.exe (PID: 5732)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 6164)
  - firefox.exe (PID: 5732)
- Reads the computer name
  - python-3.12.4-amd64.exe (PID: 4656)
  - python-3.12.4-amd64.exe (PID: 2616)
  - msiexec.exe (PID: 6624)
- Checks supported languages
  - python-3.12.4-amd64.exe (PID: 6940)
  - python-3.12.4-amd64.exe (PID: 4656)
  - python-3.12.4-amd64.exe (PID: 2616)
  - msiexec.exe (PID: 6624)
- The process uses the downloaded file
  - firefox.exe (PID: 5732)
- Create files in a temporary directory
  - python-3.12.4-amd64.exe (PID: 6940)
  - python-3.12.4-amd64.exe (PID: 4656)
- Drops the executable file immediately after the start
  - firefox.exe (PID: 5732)
- Creates files or folders in the user directory
  - python-3.12.4-amd64.exe (PID: 4656)
  - msiexec.exe (PID: 6624)
- Reads the machine GUID from the registry
  - python-3.12.4-amd64.exe (PID: 4656)
  - python-3.12.4-amd64.exe (PID: 2616)
  - msiexec.exe (PID: 6624)
- Creates files in the program directory
  - python-3.12.4-amd64.exe (PID: 2616)
- Process checks computer location settings
  - python-3.12.4-amd64.exe (PID: 4656)
- Creates a software uninstall entry
  - msiexec.exe (PID: 6624)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xpi	\|	Mozilla Firefox browser extension (66.6)
.zip	\|	ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:01:25 05:28:12
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Exela-V2.0-main/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

191

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2916 -prefsLen 29917 -prefMapSize 244343 -jsInitHandle 1424 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89ede026-a51e-4622-99d8-9cb51b9fca47} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" 1e49f891150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

636

C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

720

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240213221259 -prefsHandle 1836 -prefMapHandle 1816 -prefsLen 30537 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20b05512-bb7f-4bd0-9d86-907a9924685e} 6164 "\\.\pipe\gecko-crash-server-pipe.6164" 2595a0e2710 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

736

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5500 -prefMapHandle 5472 -prefsLen 34713 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf3f6994-0adf-4f87-b0a7-7a6a581afa2d} 6164 "\\.\pipe\gecko-crash-server-pipe.6164" 25964adb710 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

1000

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6848 -childID 7 -isForBrowser -prefsHandle 5948 -prefMapHandle 5332 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1436 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89dce587-9a8d-431d-b40c-36a21188afaf} 6164 "\\.\pipe\gecko-crash-server-pipe.6164" 2595db94f50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

1428

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1896 -parentBuildID 20240213221259 -prefsHandle 1836 -prefMapHandle 1816 -prefsLen 29501 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7efd250a-d766-4609-8c53-f55d3891a408} 5732 "\\.\pipe\gecko-crash-server-pipe.5732" 1e499ec8410 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

1976

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2072

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Exela-V2.0-main.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2088

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -childID 2 -isForBrowser -prefsHandle 4592 -prefMapHandle 4588 -prefsLen 36263 -prefMapSize 244343 -jsInitHandle 1436 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d20c4d33-b97f-4724-8e33-cd8bbee9d252} 6164 "\\.\pipe\gecko-crash-server-pipe.6164" 25961203bd0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2132

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Exela-V2.0-main\install.bat" "

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

59 902

Read events

58 291

Write events

1 555

Delete events

Modification events


(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Exela-V2.0-main.zip
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(2072) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

Add for printing

Executable files

Suspicious files

323

Text files

757

Unknown types

Dropped files

PID	Process	Filename		Type
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\Exela.py		text
		MD5:53D0F2EDF910D03BF6A5B2A2806ADF02	SHA256:FF0B26B330F3BDDC1A9EBA6DAE2BC4F8609FC85592F8F3C6344F2907A7A57CF9
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\Obfuscator\obf.py		text
		MD5:BFBF108641C41832AC8584A6B85960CC	SHA256:2BA721B0F3311123399CFA098502AD53CFA4E8E0FE6CE0DE65ED2C84EA1C1101
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\AssemblyFile\version.txt		text
		MD5:B13F73267D6A3E865A941BF7BB817D19	SHA256:5C7DA4BF53B1EBDA26683C75E5C03D1D062683D4F1AF10DB939BA334787136CF
6164	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\README.md		html
		MD5:5A9C53CAB4888A16488776DABAA8FFA0	SHA256:862C3D6DDFA842F83FC5106366C8E761EDDA554DCB6E1D8C54B7078995C49E31
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\LICENSE		text
		MD5:F57BA58CDBEB92901C54411F17778ECF	SHA256:61942D31CC5C5791BF214FBAB7DE4649FB4D15D5E058B2646D9FFBF40BFFCAC5
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\builder.py		text
		MD5:C334E5C6DBDC27F8E8B48D1DAC286F23	SHA256:27EBC271F47BD76B63B5F3AA36B7F0587F3BD543C9CA5E0E89719DF54EF82F73
6164	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:7A97B8DBC4F98D175F958C00F463A52A	SHA256:92074D2ED1AA1FD621287E35DB9EF1AE3DC04777EFAE5F09E7A3B4534C201548
2072	WinRAR.exe	C:\Users\admin\Desktop\Exela-V2.0-main\UPX\upx.exe		executable
		MD5:39ECDF78CB357513D1FD565C5E9EDBDD	SHA256:1EA92DA93EEAF4D456114B847B9BDDFB47EF854E7C24143F290D5E3F44973E91
6164	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

188

DNS requests

216

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5836	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4132	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6164	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
6164	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
6164	firefox.exe	POST	200	184.25.51.82:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6164	firefox.exe	POST	200	184.25.51.82:80	http://r10.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4340	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5368	SearchApp.exe	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6044	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5368	SearchApp.exe	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	unknown
1800	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	40.127.240.158 52.185.211.133	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	2.23.209.149 2.23.209.182 2.23.209.176 2.23.209.179 2.23.209.185 2.23.209.140 2.23.209.133 2.23.209.148 2.23.209.189 92.122.215.74 92.122.215.65 2.20.142.155 92.122.215.53 2.20.142.251 2.20.142.4 2.20.142.154 92.122.215.95 92.122.215.57	whitelisted
google.com	142.250.185.110	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.45	whitelisted
login.live.com	40.126.32.140 40.126.32.76 40.126.32.74 20.190.160.22 20.190.160.14 40.126.32.133 20.190.160.20 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Exela-V2.0-main.zip

1284123A329839E8C0F2DB4687AB0DE4

F02E5610C7038857D1BE6DFB2CA85DAEB7A90F79

F918A13DC2C83DF5DA9E9243A4F39420A40314C39982AF4B4D402001E0968E39

24576:+/Vo9kvYZ630mAga5KCEGmk+gZk3D2z0KBBLBqoQ7:+/C9kvYZ630mAga5KCEGmk+gZ2D2z0KW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

The process drops C-runtime libraries

Starts itself from another location

Searches for installed software

Executes as Windows Service

Creates a software uninstall entry

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the date of Windows installation

Checks Windows Trust Settings

Process drops python dynamic module

Reads the Windows owner or organization settings

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Checks proxy server information

Reads the software policy settings

Application launched itself

Reads Microsoft Office registry keys

Reads the computer name

Checks supported languages

The process uses the downloaded file

Create files in a temporary directory

Drops the executable file immediately after the start

Creates files or folders in the user directory

Reads the machine GUID from the registry

Creates files in the program directory

Process checks computer location settings

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity