File name: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691

Full analysis: https://app.any.run/tasks/676a1fb1-68f3-4fde-90f9-ceaece2b88c2
Verdict: Malicious activity
Analysis date: November 30, 2024, 09:24:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, evasion, python, pyinstaller, ims-api, generic, rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: BFFA318FF60FD764C100849B4DE0EA97
SHA1: 538D9B9008BA3BC68E5B3B90406CF6E581193934
SHA256: 3D03F10BD2BFF5AE7418D92BAA76212F9837159CDEED5551309CA98959525691
SSDEEP: 98304:mQWOcZPZ+KLTAHNMl/v0TqKJtT9IFLdZJULG8/Gkmu/ndyHGBMi0Ya/pNkLdANBC:BzPuGRCxLXY9QyreqdchnIG6

ANY.RUN is an interactive service that gives full access to the guest system. Information in this report can be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
    • Process drops python dynamic module

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
    • Process drops legitimate windows executable

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
    • Application launched itself

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
    • Uses WMIC.EXE to obtain BIOS management information

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • The process drops C-runtime libraries

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
    • Loads Python modules

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Uses WMIC.EXE to obtain Windows Installer data

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4264)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Uses WMIC.EXE to obtain physical disk drive information

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Uses WMIC.EXE to obtain CPU information

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Checks for external IP

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
  • INFO

    • Reads the computer name

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Checks supported languages

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Create files in a temporary directory

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5748)
      • WMIC.exe (PID: 6096)
      • WMIC.exe (PID: 4264)
      • WMIC.exe (PID: 5000)
      • WMIC.exe (PID: 5548)
      • WMIC.exe (PID: 4592)
    • Checks proxy server information

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
    • PyInstaller has been detected (YARA)

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 5580)
    • Application based on Rust

      • 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID: 3736)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration was extracted. Note that both instances of the sample (PID 5580, the PyInstaller onefile bootstrap, and PID 3736, the relaunched copy) exited with code 1, and the only activity recorded is host fingerprinting: WMIC hardware identifiers (system UUID, BIOS, baseboard, disk and CPU serial numbers, baseboard manufacturer), the external IP via api.ipify.org, and the hwid/ip/mac/pc_name/pc_username/gpu blacklists from the 6nz/virustotal-vm-blacklist repository. That is consistent with an anti-analysis check that recognised the sandbox and aborted, so whatever the sample does on a host that passes the check is not captured in this report.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF (EXE)


MachineType: AMD AMD64
TimeStamp: 2024:04:19 14:28:26+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 176640
InitializedDataSize: 154112
UninitializedDataSize: -
EntryPoint: 0xb9e0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 125
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree as drawn in the full report ("no specs" marks a process with no signature hits of its own):

start
  3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 5580, parent explorer.exe)
    conhost.exe (PID 1344, no specs)
    3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736, relaunched copy)
      wmic.exe (PID 4264, no specs)
      wmic.exe (PID 4592, no specs)
      wmic.exe (PID 5000, no specs)
      wmic.exe (PID 5548, no specs)
      wmic.exe (PID 5748, no specs)
      wmic.exe (PID 6096, no specs)

Process information

PID 1344: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3736: "C:\Users\admin\Desktop\3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe"
Path: C:\Users\admin\Desktop\3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 5580)
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 4264: wmic csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 4592: wmic bios get serialnumber
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 5000: wmic baseboard get manufacturer
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 5548: wmic diskdrive get serialnumber
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 5580: "C:\Users\admin\Desktop\3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe"
Path: C:\Users\admin\Desktop\3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 5748: wmic cpu get serialnumber
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 6096: wmic baseboard get serialnumber
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe (PID 3736)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
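The process table above is the whole detection story for this sample: one parent (PID 3736) spawns six WMIC children that do nothing but read hardware identifiers, then resolves an external-IP service and the raw GitHub host that serves VM blacklists. The block below is an added example, not code from the ANY.RUN report or from the sample, that turns that pattern into a correlation rule and runs it over event records constructed here to mirror the table. Field names follow Sysmon Event ID 1 (process create) and Event ID 22 (DNS query), but every record, PID and timestamp below is synthetic; the 60-second window and the three-distinct-queries threshold are assumptions to tune against your own telemetry.

```python
"""Added example, not code from the ANY.RUN report or the sample: correlate
a burst of WMIC hardware-identifier queries with an external-IP or
blacklist-host DNS lookup from the same parent process, the fingerprinting
pattern PID 3736 shows in the process table. Input records are constructed
here to mirror the report; the field names follow Sysmon Event ID 1
(process create) and Event ID 22 (DNS query) but nothing below is real
telemetry."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# WMIC invocations that only return machine identifiers: exactly the verbs the
# sample used (csproduct/bios/baseboard/diskdrive/cpu get uuid|serialnumber|manufacturer).
HWID_QUERY = re.compile(
    r"\bwmic(?:\.exe)?\s+(csproduct|bios|baseboard|diskdrive|cpu)\s+get\s+"
    r"(uuid|serialnumber|manufacturer)\b",
    re.IGNORECASE,
)
# Domains from the report's HTTP and DNS tables: the external-IP lookup and the
# raw GitHub host serving the VM blacklists.
LOOKUP_DOMAINS = {"api.ipify.org", "raw.githubusercontent.com"}

T0 = datetime(2024, 11, 30, 9, 24, 39)  # analysis start time from the report


def ev(seconds, event_id, pid, ppid, **fields):
    """Build one constructed event record `seconds` after T0."""
    return {"time": T0 + timedelta(seconds=seconds), "event_id": event_id,
            "pid": pid, "ppid": ppid, **fields}


SAMPLE = "3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe"
EVENTS = [
    # Parent 5580 relaunches itself as 3736 (PyInstaller onefile bootstrap).
    ev(1, 1, 3736, 5580, image=SAMPLE, cmdline=f'"C:\\Users\\admin\\Desktop\\{SAMPLE}"'),
    # Six WMIC children of 3736, command lines as listed in the report.
    ev(2, 1, 4264, 3736, image="WMIC.exe", cmdline="wmic csproduct get uuid"),
    ev(3, 1, 4592, 3736, image="WMIC.exe", cmdline="wmic bios get serialnumber"),
    ev(4, 1, 5000, 3736, image="WMIC.exe", cmdline="wmic baseboard get manufacturer"),
    ev(5, 1, 5548, 3736, image="WMIC.exe", cmdline="wmic diskdrive get serialnumber"),
    ev(6, 1, 5748, 3736, image="WMIC.exe", cmdline="wmic cpu get serialnumber"),
    ev(7, 1, 6096, 3736, image="WMIC.exe", cmdline="wmic baseboard get serialnumber"),
    # DNS lookups by 3736 (Sysmon 22 attributes them to the requesting process).
    ev(8, 22, 3736, 5580, query="api.ipify.org"),
    ev(9, 22, 3736, 5580, query="raw.githubusercontent.com"),
    # Benign noise (constructed): an inventory script asks for one serial number
    # and the OS caption, and an unrelated process resolves ipify with no WMIC.
    ev(20, 1, 7100, 7000, image="WMIC.exe", cmdline="wmic bios get serialnumber"),
    ev(21, 1, 7101, 7000, image="WMIC.exe", cmdline="wmic os get caption"),
    ev(30, 22, 8200, 8000, query="api.ipify.org"),
]


def find_fingerprinting(events, min_distinct=3, window=timedelta(seconds=60)):
    """Return {parent_pid: {"queries": [...], "dns": [...]}} for every parent
    that ran >= min_distinct different hardware-ID WMIC queries within
    `window` and also resolved one of LOOKUP_DOMAINS."""
    wmic_by_parent = defaultdict(list)
    dns_by_pid = defaultdict(list)
    for e in events:
        if e["event_id"] == 1 and HWID_QUERY.search(e.get("cmdline", "")):
            wmic_by_parent[e["ppid"]].append((e["time"], e["cmdline"].lower()))
        elif e["event_id"] == 22 and e.get("query", "").lower() in LOOKUP_DOMAINS:
            dns_by_pid[e["pid"]].append(e["query"].lower())

    hits = {}
    for ppid, runs in wmic_by_parent.items():
        runs.sort()
        # Sliding window: enough *distinct* queries must fall inside `window`.
        for i, (start, _) in enumerate(runs):
            in_window = {cmd for t, cmd in runs[i:] if t - start <= window}
            if len(in_window) >= min_distinct and dns_by_pid.get(ppid):
                hits[ppid] = {"queries": [cmd for _, cmd in runs],
                              "dns": sorted(set(dns_by_pid[ppid]))}
                break
    return hits


if __name__ == "__main__":
    for ppid, detail in find_fingerprinting(EVENTS).items():
        print(f"parent PID {ppid}: {len(detail['queries'])} hardware-ID queries, "
              f"lookups to {', '.join(detail['dns'])}")
```

Two points when moving this to real data. First, the DNS leg only correlates if the telemetry attributes the query to the originating process; network sensors see the lookup coming from the DNS Client service in svchost.exe, which is why the report's own Threats table pins the ipify DNS signature on svchost.exe (PID 2192) and only the TLS SNI signature on the sample (PID 3736), so on IDS data correlate on the SNI or the destination instead. Second, a single `wmic bios get serialnumber` is common in inventory scripts; the signal is the burst of distinct identifier queries from one parent, not any one command.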
Total events: 44 843
Read events: 44 843
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 74
Suspicious files: 1
Text files: 10
Unknown types: 1

Dropped files

All ten files in this excerpt were written by PID 5580 (3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe) into the PyInstaller onefile extraction directory C:\Users\admin\AppData\Local\Temp\_MEI55802\. The report lists 10 of the 74 executable files; the rest are in the full report.

  Pythonwin\mfc140u.dll (executable)
    MD5: 03A161718F1D5E41897236D48C91AE3C
    SHA256: E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
  Pythonwin\win32ui.pyd (executable)
    MD5: D335339C3508604925016C1F3EE0600D
    SHA256: 8B992A0333990A255C6DF4395AE2E4153300596D75C7FBD17780214FB359B6A7
  _cffi_backend.cp312-win_amd64.pyd (executable)
    MD5: 0572B13646141D0B1A5718E35549577C
    SHA256: D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
  _ctypes.pyd (executable)
    MD5: 2A834C3738742D45C0A06D40221CC588
    SHA256: F20DFA748B878751EA1C4FE77A230D65212720652B99C4E5577BCE461BBD9089
  VCRUNTIME140.dll (executable)
    MD5: BE8DBE2DC77EBE7F88F910C61AEC691A
    SHA256: 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
  _bz2.pyd (executable)
    MD5: 59D60A559C23202BEB622021AF29E8A9
    SHA256: 706D4A0C26DD454538926CBB2FF6C64257C3D9BD48C956F7CABD6DEF36FFD13E
  _hashlib.pyd (executable)
    MD5: B0262BD89A59A3699BFA75C4DCC3EE06
    SHA256: 4ADFBBD6366D9B55D902FC54D2B42E7C8C989A83016ED707BD7A302FC3FC7B67
  _ssl.pyd (executable)
    MD5: DDB21BD1ACDE4264754C49842DE7EBC9
    SHA256: 72BB15CD8C14BA008A52D23CDCFC851A9A4BDE13DEEE302A5667C8AD60F94A57
  _queue.pyd (executable)
    MD5: F3ECA4F0B2C6C17ACE348E06042981A4
    SHA256: FB57EE6ADF6E7B11451B6920DDD2FB943DCD9561C9EAE64FDDA27C7ED0BC1B04
  VCRUNTIME140_1.dll (executable)
    MD5: F8DFA78045620CF8A732E67D1B1EB53D
    SHA256: A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
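The dropped files confirm what the YARA hit says: a PyInstaller onefile build unpacking its bundle into a _MEI directory, with the cp312-win_amd64 tag on the .pyd names showing the bundled interpreter is CPython 3.12. The next triage step is to read the PyInstaller archive appended to the executable and list what it bundles, so the entry script can be decompiled. The block below is an added example, not code from the report or from the sample: it implements PyInstaller's own CArchive layout (cookie packed as '!8sIIIi64s', each TOC entry as '!iIIIBc' followed by a NUL-terminated name padded to a 16-byte boundary). The sample binary is not available here, so build_fake_onefile() constructs a small archive in memory and parse_carchive() reads it back; the entry names and payloads are invented for the demonstration.

```python
"""Added example, not code from the ANY.RUN report or from the sample: locate
the PyInstaller CArchive cookie in a onefile executable and list its table of
contents. The struct layouts are PyInstaller's own (cookie '!8sIIIi64s', TOC
entry '!iIIIBc' followed by a NUL-terminated, 16-byte-padded name). The sample
binary is not available here, so build_fake_onefile() constructs a tiny
archive in memory and parse_carchive() reads it back."""

import struct
import zlib
from typing import NamedTuple

MAGIC = b"MEI\014\013\012\013\016"        # PyInstaller cookie magic bytes
COOKIE_FMT = "!8sIIIi64s"                 # magic, package len, TOC pos, TOC len, py version, python lib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes
ENTRY_FMT = "!iIIIBc"                     # entry len, data pos, compressed len, uncompressed len, flag, type
ENTRY_LEN = struct.calcsize(ENTRY_FMT)    # 18 bytes
TYPE_CODES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ archive",
              b"b": "binary", b"x": "data", b"o": "runtime option"}


class Entry(NamedTuple):
    name: str
    kind: str
    compressed: bool
    data: bytes


def build_fake_onefile(entries, pyver=312, pylib=b"python312.dll"):
    """Constructed stand-in for a onefile EXE: a fake PE prefix, then the
    CArchive (data blobs, TOC, cookie). Offsets are relative to the package
    start, which is how the bootloader interprets them."""
    prefix = b"MZ" + b"\0" * 62 + b"<pe image stand-in>"
    blobs, toc = b"", b""
    for name, typecd, payload, compress in entries:
        data = zlib.compress(payload) if compress else payload
        nm = name.encode("utf-8") + b"\0"
        nm += b"\0" * ((-(ENTRY_LEN + len(nm))) % 16)      # pad entry to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT + f"{len(nm)}s", ENTRY_LEN + len(nm),
                           len(blobs), len(data), len(payload), int(compress), typecd, nm)
        blobs += data
    pkg_len = len(blobs) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blobs), len(toc), pyver, pylib)
    return prefix + blobs + toc + cookie


def parse_carchive(blob):
    """Search backwards for the cookie (a signature or other trailing data may
    follow it), derive the package start from the package length, then walk
    the TOC and return the bundled entries."""
    idx = blob.rfind(MAGIC)
    if idx < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, blob, idx)
    pkg_start = idx + COOKIE_LEN - pkg_len
    toc = blob[pkg_start + toc_pos: pkg_start + toc_pos + toc_len]
    entries, off = [], 0
    while off < len(toc):
        elen, dpos, clen, ulen, flag, typecd = struct.unpack_from(ENTRY_FMT, toc, off)
        name = toc[off + ENTRY_LEN: off + elen].rstrip(b"\0").decode("utf-8")
        raw = blob[pkg_start + dpos: pkg_start + dpos + clen]
        data = zlib.decompress(raw) if flag else raw
        if len(data) != ulen:
            raise ValueError(f"length mismatch for {name}: {len(data)} != {ulen}")
        entries.append(Entry(name, TYPE_CODES.get(typecd, typecd.decode("latin-1")), bool(flag), data))
        off += elen
    # PyInstaller >= 4 stores major*100 + minor (312 -> 3.12); older builds used major*10 + minor.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


# Constructed contents: a compressed bootstrap module and an uncompressed entry script.
SAMPLE_ENTRIES = [
    ("pyiboot01_bootstrap", b"m", b"# bootstrap module stand-in\n", True),
    ("main", b"s", b"print('entry script stand-in')\n", False),
]


def demo():
    """Build the fake onefile, append trailing bytes as a signature would, and parse it."""
    blob = build_fake_onefile(SAMPLE_ENTRIES) + b"\0" * 64
    return parse_carchive(blob)


if __name__ == "__main__":
    info = demo()
    print(f"Python {info['python']} ({info['pylib']})")
    for e in info["entries"]:
        print(f"  {e.kind:<14} {'z' if e.compressed else ' '} {e.name}  {len(e.data)} bytes")
```

Against a real sample, read the file bytes and pass them to parse_carchive(): the 'z' entry is the PYZ archive holding the compiled modules, and the 's' entries hold the marshalled code of the entry script, which is what to decompile next. Searching for the magic from the end rather than assuming the cookie is the last 88 bytes is deliberate, since an Authenticode signature or other trailing data can follow it; a TOC that fails to parse after a successful cookie match usually means a different PyInstaller version with a changed cookie layout, not a corrupt file.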
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 35
DNS requests: 10
Threats: 3

HTTP requests

PID  | Process             | Method | Code | IP                | URL | CN | Type   | Size    | Reputation
5448 | svchost.exe         | GET    | 200  | 2.16.164.97:80    | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted
5448 | svchost.exe         | GET    | 200  | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
4712 | MoUsoCoreWorker.exe | GET    | 200  | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
-    | -                   | GET    | 200  | 140.82.121.3:443  | https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/hwid_list.txt | US | text | 10.1 Kb | unknown
-    | -                   | GET    | 200  | 172.67.74.152:443 | https://api.ipify.org/ | US | text | 12 b | malicious
-    | -                   | GET    | 200  | 140.82.121.3:443  | https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt | US | text | 2.79 Kb | unknown
-    | -                   | GET    | 200  | 140.82.121.3:443  | https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/mac_list.txt | US | text | 8.17 Kb | unknown
-    | -                   | GET    | 200  | 140.82.121.3:443  | https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt | US | text | 3.07 Kb | unknown
-    | -                   | GET    | 200  | 140.82.121.3:443  | https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt | US | text | 1.25 Kb | unknown
-    | -                   | GET    | 200  | 140.82.121.3:443  | https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt | US | text | 1.22 Kb | unknown

The first three rows are Windows CRL fetches and are background noise. The seven HTTPS rows carry no PID in the report (the sandbox cannot see inside TLS), but the TLS SNI signature in the Threats section attributes the api.ipify.org connection to the sample (PID 3736); the six raw.githubusercontent.com fetches are the hwid, ip, mac, pc_name, pc_username and gpu lists of the 6nz/virustotal-vm-blacklist repository, i.e. the reference data for the hardware, network and account fingerprints the sample collected via WMIC and ipify.

Connections

PID  | Process             | IP                  | Domain                          | ASN                         | CN | Reputation
4    | System              | 192.168.100.255:137 | -                               | -                           | -  | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
-    | -                   | 20.73.194.208:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
-    | -                   | 2.16.204.148:443    | www.bing.com                    | Akamai International B.V.   | DE | whitelisted
4    | System              | 192.168.100.255:138 | -                               | -                           | -  | whitelisted
5448 | svchost.exe         | 2.16.164.97:80      | crl.microsoft.com               | Akamai International B.V.   | NL | whitelisted
5448 | svchost.exe         | 88.221.169.152:80   | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80   | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
5448 | svchost.exe         | 4.231.128.59:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

This excerpt shows 10 of the 35 connections, all of them Windows background traffic (NetBIOS broadcasts, telemetry, CRL fetches); the sample's own connections to api.ipify.org and raw.githubusercontent.com are in the full report and the PCAP.

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
www.bing.com | 2.16.204.148, 2.16.204.135, 2.16.204.161, 2.16.204.134, 2.16.204.141, 2.16.204.145, 2.16.204.153, 2.16.204.155, 2.16.204.138 | whitelisted
google.com | 216.58.212.174 | whitelisted
crl.microsoft.com | 2.16.164.97, 2.16.164.81, 2.16.164.9, 2.16.164.43, 2.16.164.49 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
api.ipify.org | 104.26.13.205, 104.26.12.205, 172.67.74.152 | shared
raw.githubusercontent.com | 185.199.111.133, 185.199.109.133, 185.199.110.133, 185.199.108.133 | shared
api.github.com | 140.82.121.6 | whitelisted
self.events.data.microsoft.com | 20.189.173.2 | whitelisted

Of these, api.ipify.org, raw.githubusercontent.com and api.github.com are the lookups attributable to the sample's fingerprinting stage; the rest are Windows background traffic. Note that the HTTP table records 140.82.121.3 as the peer for the raw.githubusercontent.com requests while DNS resolved that name to 185.199.108-111.133; the report does not explain the mismatch, so check the PCAP before using either address as an indicator.

Threats

PID  | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3736 | 3d03f10bd2bff5ae7418d92baa76212f9837159cdeed5551309ca98959525691.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub

The two DNS-based signatures fire on svchost.exe (PID 2192) because the Windows DNS Client service resolves names on behalf of every process; only the TLS SNI signature lands on the sample's own PID (3736). When hunting for this pattern on network telemetry, key on the SNI or destination rather than on the process that issued the DNS query.