File name: SX-CRACKED.exe

Full analysis: https://app.any.run/tasks/da9ca350-8889-43da-9bb2-8a1c5f76cd31
Verdict: Malicious activity
Analysis date: June 19, 2025, 20:16:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 7D21051DEE046D4B529FAE2D5309769F
SHA1: CA09418AD758A6760B1A4AE8A298A998B7A28EB0
SHA256: 081129F14CA28418B06018D480FD4D7D92144C68A73D30A8FE2A9B13CD88ED11
SSDEEP: 98304:PSxUqotpaqkPvQn5WndctkUe9odMB9/4ekqUVvlaOhTxcR1o6Wm6n+6sh+r2lwj4:GwcCzjaRf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • SX-CRACKED.exe (PID: 2528)
      • cmd.exe (PID: 4760)
    • Changes Windows Defender settings

      • cmd.exe (PID: 4760)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • SX-CRACKED.exe (PID: 3656)
    • The process drops C-runtime libraries

      • SX-CRACKED.exe (PID: 3656)
    • Process drops python dynamic module

      • SX-CRACKED.exe (PID: 3656)
    • Loads Python modules

      • SX-CRACKED.exe (PID: 2528)
    • Application launched itself

      • SX-CRACKED.exe (PID: 3656)
    • Starts CMD.EXE for commands execution

      • SX-CRACKED.exe (PID: 2528)
    • Executable content was dropped or overwritten

      • SX-CRACKED.exe (PID: 3656)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4760)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 4760)
    • Checks for external IP

      • SX-CRACKED.exe (PID: 2528)
    • There is functionality for taking screenshot (YARA)

      • SX-CRACKED.exe (PID: 3656)
      • SX-CRACKED.exe (PID: 2528)
  • INFO

    • Reads the computer name

      • SX-CRACKED.exe (PID: 3656)
      • SX-CRACKED.exe (PID: 2528)
    • Checks supported languages

      • SX-CRACKED.exe (PID: 3656)
      • SX-CRACKED.exe (PID: 2528)
    • Create files in a temporary directory

      • SX-CRACKED.exe (PID: 3656)
    • The sample compiled with english language support

      • SX-CRACKED.exe (PID: 3656)
    • Reads the machine GUID from the registry

      • SX-CRACKED.exe (PID: 2528)
    • Checks operating system version

      • SX-CRACKED.exe (PID: 2528)
    • Checks proxy server information

      • SX-CRACKED.exe (PID: 2528)
      • slui.exe (PID: 7048)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3676)
    • PyInstaller has been detected (YARA)

      • SX-CRACKED.exe (PID: 2528)
      • SX-CRACKED.exe (PID: 3656)
    • Reads the software policy settings

      • slui.exe (PID: 7048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:17 05:04:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.43
CodeSize: 160256
InitializedDataSize: 131584
UninitializedDataSize: -
EntryPoint: 0xc120
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report.) Processes shown in the graph: start, sx-cracked.exe, sx-cracked.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), slui.exe

Process information

(Fields per process: PID, CMD, Path, Indicators, Parent process)

PID: 2528
CMD: "C:\Users\admin\Desktop\SX-CRACKED.exe"
Path: C:\Users\admin\Desktop\SX-CRACKED.exe
Parent process: SX-CRACKED.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\sx-cracked.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2532
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3656
CMD: "C:\Users\admin\Desktop\SX-CRACKED.exe"
Path: C:\Users\admin\Desktop\SX-CRACKED.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\sx-cracked.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3676
CMD: powershell Add-MpPreference -ExclusionPath 'C:\Users\admin\.cache'
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4760
CMD: C:\WINDOWS\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\admin\.cache'"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: SX-CRACKED.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6612
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: SX-CRACKED.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7048
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 11 975
Read events: 11 975
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 32
Suspicious files: 2
Text files: 31
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_multiprocessing.pyd | executable
MD5: 2C34828A8EDF4C9772C712496C48AF40
SHA256: 53B1BD6396493F1FEE6C83082B7E91D64D7A80191A5D8D25D155A7FFDE4CFC43

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_bz2.pyd | executable
MD5: E11F064F433B8E2975AD00F53968A077
SHA256: 1F13FADBE4279C56434BC07BC3CCAB1E9A46CE4012CA810EE0D61C629D6B1F3A

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_ctypes.pyd | executable
MD5: A574D82724F61C2507B49D76938F89FD
SHA256: CC2A1708FB9D118CC3F88894AB9F202A22E6E3CD3EDB224D0872DB882038BB93

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\VCRUNTIME140.dll | executable
MD5: 5F9D90D666620944943B0D6D1CCA1945
SHA256: 9EC4AFAD505E0A3DAD760FA5B59C66606AE54DD043C16914CF56D7006E46D375

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_decimal.pyd | executable
MD5: 3B24DA8B6F6AB461DE28DFA827753D0A
SHA256: 6D8FAF3F056C852FBB3DBB12A691D00BB480E8A05019713E5370A869E93DE900

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\Variables.py | text
MD5: A341FA4E7AC6B83F7B3137963422B587
SHA256: 686C5FA5282F8AA3F0D3BA7BA9D0A5545E0CAD3346A3968056AB7F678DAF3339

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_queue.pyd | executable
MD5: 4B1605DE6714CBBBEA764BF5458CF907
SHA256: 1ACC5BB15EA13FC516065E1B116FD983BD0559DE0D05C8A0C534AFDA9F4013CD

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_hashlib.pyd | executable
MD5: 20A2243EC6B79CE5CA95CFE515FCBE09
SHA256: 4539E66BF99E80661961B864FB3B36A969118FF95AEDE4C27C1A578A6D773651

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_pytransform.dll | executable
MD5: F6761B52AA704B451C25577FF77EE7B0
SHA256: 2ABB8020C8126D4CF44FA96DBABF1A6172069EB9AED4593F7587BF9641A9391D

3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_socket.pyd | executable
MD5: DF7F5E00903900666179D254D973D734
SHA256: DE9BB2188FCF3AAD2B06B437725E3041A499CB03D31CC8EEB17B498966431F51
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 23
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.48.23.160:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4808 | RUXIMICS.exe | GET | 200 | 23.48.23.160:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.160:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4808 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

(A "-" marks a field the report leaves empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4808 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.48.23.160:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.160:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4808 | RUXIMICS.exe | 23.48.23.160:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

(A "-" marks a field the report leaves empty.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.160
  • 23.48.23.149
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.150
  • 23.48.23.146
  • 23.48.23.148
  • 23.48.23.158
  • 23.48.23.159
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
api.ipify.org
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
shared
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 51.116.253.170
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2528 | SX-CRACKED.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
No debug info