File name: Cy.exe

Full analysis: https://app.any.run/tasks/807e44ea-b196-4f05-8890-c9d17f72655d
Verdict: Malicious activity
Analysis date: May 17, 2025, 22:10:16
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: python, pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: DBD549F0C2EF8118691EBC93564E5342
SHA1: EBE6AEA4A583E4F9D279320BB72339A030395A9A
SHA256: 34F2A930321BAAD911C7E129B394FBAC00CE9CD6C907F5EB394281DE1F4D6BA9
SSDEEP: 98304:ECYzBbltevzm0a7MC2xumzy722pACb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgqNT:g7I4zdEEZ5KAOnrR5r559

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Process drops legitimate Windows executable
      • Cy.exe (PID: 5740)
    • Executable content was dropped or overwritten
      • Cy.exe (PID: 5740)
    • Process drops Python dynamic module
      • Cy.exe (PID: 5740)
    • Application launched itself
      • Cy.exe (PID: 5740)
    • The process drops C-runtime libraries
      • Cy.exe (PID: 5740)
    • There is functionality for taking screenshots (YARA)
      • Cy.exe (PID: 5740)
      • Cy.exe (PID: 2996)
    • Loads Python modules
      • Cy.exe (PID: 2996)
    • Reads the Internet Settings
      • Cy.exe (PID: 2996)
  • INFO
    • Reads the computer name
      • Cy.exe (PID: 5740)
      • Cy.exe (PID: 2996)
    • Creates files in a temporary directory
      • Cy.exe (PID: 5740)
    • Checks supported languages
      • Cy.exe (PID: 5740)
      • Cy.exe (PID: 2996)
    • The sample is compiled with English language support
      • Cy.exe (PID: 5740)
    • PyInstaller has been detected (YARA)
      • Cy.exe (PID: 5740)
      • Cy.exe (PID: 2996)
    • Checks proxy server information
      • Cy.exe (PID: 2996)
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:18 11:40:20+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 101
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Interactive graph (not reproduced here); nodes shown: start, cy.exe, cy.exe (no specs), svchost.exe

Process information

PID 1664: C:\Windows\system32\svchost.exe -k NetworkService -p
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.22000.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\kernel.appcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\bcryptprimitives.dll

PID 2996: "C:\Users\admin\Desktop\Cy.exe"
  Path: C:\Users\admin\Desktop\Cy.exe
  Parent process: Cy.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\cy.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll

PID 5740: "C:\Users\admin\Desktop\Cy.exe"
  Path: C:\Users\admin\Desktop\Cy.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\cy.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
Total events: 873
Read events: 873
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 25
Suspicious files: 5
Text files: 935
Unknown types: 0

Dropped files (all by PID 5740, Cy.exe)

C:\Users\admin\AppData\Local\Temp\_MEI57402\_tcl_data\encoding\ascii.enc (text)
  MD5: 9E3A454FA480E9A99D2D5ACDAA775233
  SHA256: FB87BF197F4F485B08EA81F7534BC07D9C3A538D022424BE11011A1FE3C413FD
C:\Users\admin\AppData\Local\Temp\_MEI57402\_socket.pyd (executable)
  MD5: B77017BAA2004833EF3847A3A3141280
  SHA256: A19E3C7C03EF1B5625790B1C9C42594909311AB6DF540FBF43C6AA93300AB166
C:\Users\admin\AppData\Local\Temp\_MEI57402\_tcl_data\encoding\cp1252.enc (text)
  MD5: E9117326C06FEE02C478027CB625C7D8
  SHA256: 741859CF238C3A63BBB20EC6ED51E46451372BB221CFFF438297D261D0561C2E
C:\Users\admin\AppData\Local\Temp\_MEI57402\_hashlib.pyd (executable)
  MD5: B4FF25B1ACA23D48897FC616E102E9B6
  SHA256: 87DD0C858620287454FD6D31D52B6A48EDDBB2A08E09E8B2D9FDB0B92200D766
C:\Users\admin\AppData\Local\Temp\_MEI57402\_decimal.pyd (executable)
  MD5: C88282908BA54510EDA3887C488198EB
  SHA256: 980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
C:\Users\admin\AppData\Local\Temp\_MEI57402\_ctypes.pyd (executable)
  MD5: 565D011CE1CEE4D48E722C7421300090
  SHA256: C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
C:\Users\admin\AppData\Local\Temp\_MEI57402\_lzma.pyd (executable)
  MD5: B86B9F292AF12006187EBE6C606A377D
  SHA256: F5E01B516C2C23035F7703E23569DEC26C5616C05A929B2580AE474A5C6722C5
C:\Users\admin\AppData\Local\Temp\_MEI57402\_ssl.pyd (executable)
  MD5: 0F02ECCD7933B7A7C2BDEDCA2A72AAB6
  SHA256: BA5388D6A6557D431E086734A3323621DC447F63BA299B0A815E5837CF869678
C:\Users\admin\AppData\Local\Temp\_MEI57402\VCRUNTIME140.dll (executable)
  MD5: BE8DBE2DC77EBE7F88F910C61AEC691A
  SHA256: 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
C:\Users\admin\AppData\Local\Temp\_MEI57402\_bz2.pyd (executable)
  MD5: AA1083BDE6D21CABFC630A18F51B1926
  SHA256: 00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3
HTTP(S) requests: 6
TCP/UDP connections: 15
DNS requests: 10
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 88.221.110.147:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e8295883656f7dad | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?15be5abb986864ed | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?4c1c53e3976db8c9 | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e4d47703098faed | unknown | whitelisted
2412 | MoUsoCoreWorker.exe | GET | 200 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d3763667235d4d4f | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 88.221.110.147:80 | - | Akamai International B.V. | DE | unknown
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2412 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2412 | MoUsoCoreWorker.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
3640 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1396 | smartscreen.exe | 20.56.187.20:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2984 | svchost.exe | 23.197.142.186:443 | fs.microsoft.com | Akamai International B.V. | US | whitelisted
2768 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
2988 | OfficeClickToRun.exe | 20.42.65.85:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP(s) | Reputation
google.com | 142.250.184.238 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
ctldl.windowsupdate.com | 23.50.131.216, 23.50.131.200, 199.232.214.172, 199.232.210.172 | whitelisted
login.live.com | 40.126.32.76, 40.126.32.136, 20.190.160.65, 20.190.160.2, 20.190.160.4, 40.126.32.72, 20.190.160.17, 20.190.160.14, 20.190.159.64, 20.190.159.4, 40.126.31.129, 20.190.159.75, 20.190.159.130, 20.190.159.0, 40.126.31.130, 20.190.159.71 | whitelisted
checkappexec.microsoft.com | 20.56.187.20 | whitelisted
cysaw.top | - | unknown
fs.microsoft.com | 23.197.142.186 | whitelisted
self.events.data.microsoft.com | 20.42.65.85 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
1664 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile