File name: explorer.exe

Full analysis: https://app.any.run/tasks/ca4ac81b-ca86-4f73-8e15-3bbbf820c3db
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 15, 2025, 16:40:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: pyinstaller, python, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 49AD2E0EB0EE58BEC90E704728DE8C7C
SHA1: F2C49A475FBA952FC00F695B7D536D04790CD77A
SHA256: 3FFDF0D871AA9B2430CE17F630D01A9369AAA14E87C6472A6E2FE7D708D4808A
SSDEEP: 196608:zgW2TaMj+kTyYimtx++SKcc49iaUgjEt:8XJfTy5mts+Ac47Ug4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • explorer.exe (PID: 2852)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 4784)
      • explorer.exe (PID: 2852)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Process drops python dynamic module

      • explorer.exe (PID: 4784)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Process drops legitimate windows executable

      • explorer.exe (PID: 4784)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Loads Python modules

      • explorer.exe (PID: 2852)
    • There is functionality for taking screenshots (YARA)

      • explorer.exe (PID: 4784)
      • explorer.exe (PID: 2852)
      • filezilla.exe (PID: 300)
    • The process drops C-runtime libraries

      • explorer.exe (PID: 4784)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Application launched itself

      • explorer.exe (PID: 4784)
  • INFO

    • Checks supported languages

      • explorer.exe (PID: 4784)
      • explorer.exe (PID: 2852)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Creates files in a temporary directory

      • explorer.exe (PID: 4784)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Reads the computer name

      • explorer.exe (PID: 4784)
      • explorer.exe (PID: 2852)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • The sample was compiled with English language support

      • explorer.exe (PID: 4784)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • PyInstaller has been detected (YARA)

      • explorer.exe (PID: 4784)
      • explorer.exe (PID: 2852)
      • filezilla.exe (PID: 300)
    • Reads the software policy settings

      • slui.exe (PID: 5800)
      • slui.exe (PID: 5548)
    • Manual execution by a user

      • filezilla.exe (PID: 6252)
      • filezilla.exe (PID: 1348)
      • filezilla.exe (PID: 300)
      • filezilla.exe (PID: 5392)
    • Checks proxy server information

      • slui.exe (PID: 5548)
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:15 15:40:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 144
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 2


Process information

PID | CMD | Path | Indicators | Parent process
PID: 300
CMD: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\program files\filezilla ftp client\filezilla.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 496
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1348
CMD: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\program files\filezilla ftp client\filezilla.exe
c:\windows\system32\ntdll.dll
PID: 2504
CMD: "C:\Users\admin\Desktop\explorer.exe"
Path: C:\Users\admin\Desktop\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\desktop\explorer.exe
c:\windows\system32\ntdll.dll
PID: 2852
CMD: "C:\Users\admin\Desktop\explorer.exe"
Path: C:\Users\admin\Desktop\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\desktop\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4784
CMD: "C:\Users\admin\Desktop\explorer.exe"
Path: C:\Users\admin\Desktop\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\desktop\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5392
CMD: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\program files\filezilla ftp client\filezilla.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5548
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5800
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6252
CMD: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\program files\filezilla ftp client\filezilla.exe
c:\windows\system32\ntdll.dll
Total events: 1 318
Read events: 1 318
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 347
Suspicious files: 3
Text files: 2 087
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_bz2.pyd | executable
MD5:8BD61EA798D1E3EF58548480ED8EE956
SHA256:D3214E53519B65A07211F44C2BF8C6464B6CD11308561FA48967C8D2E97C1CAC
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_multiprocessing.pyd | executable
MD5:32150BED522E6C151FEF8027AD4691E0
SHA256:75CB11E3884F408016177B17D1717B066DDF71A59FD07836808703EDF5683B62
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_lzma.pyd | executable
MD5:9EC7F84B1976B469C4FA4001D5FF4412
SHA256:14762C570A210D196F5FC8F89C792E093B0875695251D490CBD4BA79C8F64999
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_queue.pyd | executable
MD5:2CE0E1816468940A4025EFB31CD75150
SHA256:0746DAB0FEAB5AB709FDF888A9A15B050B0FAF6C934C61788249B32E344D38F7
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_hashlib.pyd | executable
MD5:D0A2127B7AA88B6A47C170C933402438
SHA256:2598B1D5AF9606A85CF8BA00EB5E0EFB5C405BE3AD852D1B070D08E0EE34C526
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\VCRUNTIME140_1.dll | executable
MD5:68156F41AE9A04D89BB6625A5CD222D4
SHA256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_decimal.pyd | executable
MD5:5D54C76A09515D513AAB1DD43C401418
SHA256:E8861C23B443F846CF25F06B6F49BA20CFDD0C383C890F9F60C7A0AC376AC22E
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_overlapped.pyd | executable
MD5:E9436905D28DEAEF3B04E1FE2F05D7C3
SHA256:B341E788F0E90149B24B3176A6EFB2FE1A3677BCA5E2A24EF314D24BE32EE983
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_asyncio.pyd | executable
MD5:A577FF6DE2ADD83120127061D7C294A8
SHA256:8A12F0E5EF034F5C9FF5C506F701A00E3CD16009E2D3431F54EAD15BC138629F
4784 | explorer.exe | C:\Users\admin\AppData\Local\Temp\_MEI47842\_ssl.pyd | executable
MD5:3EB767DE2C65E7F5ECE308BFBE4F727C
SHA256:1044C3550EB8CFE053757928050552AFDFD9C0ED0BCD4D4A4F888E4125F555E6
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
- | - | GET | 200 | 95.101.54.128:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
780 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
780 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 95.101.54.128:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
780 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
780 | SIHClient.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain / IP / Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 95.101.54.128
  • 95.101.54.122
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.131
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats: No threats detected

No debug info