| File name: | tester24.exe |
| Full analysis: | https://app.any.run/tasks/897404d3-3848-4534-9978-a34f69ce6ef9 |
| Verdict: | Malicious activity |
| Analysis date: | June 21, 2025, 19:51:40 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 7 sections |
| MD5: | 263DEEBFB107DBA1929A4FC98A83545B |
| SHA1: | 3359C38080E2A699A9A23C20FB6DC4835EF24617 |
| SHA256: | 06155B0426C0EDFEB8D2453C53CF10A8AC879399A69D32131DE73751FB8AA798 |
| SSDEEP: | 98304:LD/lyt8bKQdLKbLylu/ZUmTv4I9XLDbenkuA83wpYp2tw8Mne8YvBc1idV8/R9CQ:Fd0n881mwmNuEM491+jg |
MALICIOUS
No malicious indicators.SUSPICIOUS
Process drops python dynamic module
- tester24.exe (PID: 6772)
Process drops legitimate windows executable
- tester24.exe (PID: 6772)
Executable content was dropped or overwritten
- tester24.exe (PID: 6772)
Application launched itself
- tester24.exe (PID: 6772)
Loads Python modules
- tester24.exe (PID: 3676)
The process drops C-runtime libraries
- tester24.exe (PID: 6772)
Reads security settings of Internet Explorer
- tester24.exe (PID: 3676)
Reads the date of Windows installation
- tester24.exe (PID: 3676)
INFO
Create files in a temporary directory
- tester24.exe (PID: 6772)
Reads the computer name
- tester24.exe (PID: 6772)
- tester24.exe (PID: 3676)
Checks supported languages
- tester24.exe (PID: 6772)
- tester24.exe (PID: 3676)
The sample compiled with english language support
- tester24.exe (PID: 6772)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 2192)
- OpenWith.exe (PID: 4320)
Process checks computer location settings
- tester24.exe (PID: 3676)
Reads the software policy settings
- slui.exe (PID: 2764)
PyInstaller has been detected (YARA)
- tester24.exe (PID: 6772)
- tester24.exe (PID: 3676)
Checks proxy server information
- slui.exe (PID: 2764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (57.6) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.9) |
| .exe | | | Generic Win/DOS Executable (2.6) |
| .exe | | | DOS Executable Generic (2.6) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:06:21 19:50:15+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 179712 |
| InitializedDataSize: | 155136 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc650 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
146
Monitored processes
12
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2128 | "C:\Windows\System32\securekernel.exe" | C:\Windows\System32\securekernel.exe | — | tester24.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: NT Secure Kernel Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\Windows\System32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Pick an app Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2764 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3608 | "C:\Windows\System32\SecurityHealthHost.exe" | C:\Windows\System32\SecurityHealthHost.exe | — | tester24.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Security Health Host Exit code: 0 Version: 4.18.1907.16384 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3676 | "C:\Users\admin\Desktop\tester24.exe" | C:\Users\admin\Desktop\tester24.exe | — | tester24.exe | |||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 3864 | "C:\Users\admin\Desktop\tester24.exe" | C:\Users\admin\Desktop\tester24.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 4320 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\Windows\System32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Pick an app Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4684 | "C:\Windows\System32\SpaceAgent.exe" | C:\Windows\System32\SpaceAgent.exe | — | tester24.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Storage Spaces Settings Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5968 | "C:\Windows\System32\dllhost.exe" | C:\Windows\System32\dllhost.exe | — | tester24.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6344 | "C:\Windows\System32\systray.exe" | C:\Windows\System32\systray.exe | — | tester24.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Systray .exe stub Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 135
Read events
5 135
Write events
0
Delete events
0
Modification events
Executable files
55
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\VCRUNTIME140.dll | executable | |
MD5:32DA96115C9D783A0769312C0482A62D | SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\_bz2.pyd | executable | |
MD5:51CA0713F8FD5F142625A44DF7ED7100 | SHA256:8768315B1E0E81CCD0D96C3D6A863803F5DD1DE6AF849285C439D61ABD32B647 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-file-l1-2-0.dll | executable | |
MD5:CC228FF8D86B608E73026B1E9960B2F8 | SHA256:4CADBC0C39DA7C6722206FDCEBD670ABE5B8D261E7B041DD94F9397A89D1990D | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-handle-l1-1-0.dll | executable | |
MD5:416AA8314222DB6CBB3760856BE13D46 | SHA256:39095F59C41D76EC81BB2723D646FDE4C148E7CC3402F4980D2ADE95CB9C84F9 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-errorhandling-l1-1-0.dll | executable | |
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5 | SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-fibers-l1-1-1.dll | executable | |
MD5:050A30A687E7A2FA6F086A0DB89AA131 | SHA256:FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\_hashlib.pyd | executable | |
MD5:692837EB1FCB73EF33A1474B18DFC7CD | SHA256:D674D53F7E2F906FBAF0D19AB871F9CFF53956D40B3CE003A2B4B44B549D4B92 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-file-l2-1-0.dll | executable | |
MD5:E368A236F5676A3DA44E76870CD691C9 | SHA256:93C624B366BA16C643FC8933070A26F03B073AD0CF7F80173266D67536C61989 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-interlocked-l1-1-0.dll | executable | |
MD5:86023497FA48CA2C7705D3F90B76EBC5 | SHA256:53B25E753CA785BF8B695D89DDE5818A318890211DC992A89146F16658F0B606 | |||
| 6772 | tester24.exe | C:\Users\admin\AppData\Local\Temp\_MEI67722\api-ms-win-core-kernel32-legacy-l1-1-1.dll | executable | |
MD5:0C1CC0A54D4B38885E1B250B40A34A84 | SHA256:A9B13A1CD1B8C19B0C6B4AFCD5BB0DD29C0E2288231AC9E6DB8510094CE68BA6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
50
DNS requests
18
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4816 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4816 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | POST | 400 | 40.126.32.133:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | POST | 504 | 40.126.32.134:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4816 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4816 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |