File name:

一键通往二次元.exe

Full analysis: https://app.any.run/tasks/40bd3d65-01ba-46d7-aa72-d75137c2f5bf
Verdict: Malicious activity
Analysis date: June 22, 2025, 06:56:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

16ABB374EB1B759235AAEA1B03EEF712

SHA1:

495B467CE61E5D891690FAED3CAABCB04156C56A

SHA256:

4608BCC2632C46335CD9FABEED46837C4FAE07D624BC86CDBB43CECC0B701DD1

SSDEEP:

393216:LlvWJzq/qE6xebU0ybDPEHDO+hGLZFMwdIhaQE:L1WJzq/5RJfjOu+W0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6700)

  • SUSPICIOUS

    • Process drops python dynamic module

      • 一键通往二次元.exe (PID: 2952)

    • Process drops legitimate windows executable

      • 一键通往二次元.exe (PID: 2952)

    • Executable content was dropped or overwritten

      • 一键通往二次元.exe (PID: 2952)

    • Application launched itself

      • 一键通往二次元.exe (PID: 2952)

    • The process drops C-runtime libraries

      • 一键通往二次元.exe (PID: 2952)

    • Loads Python modules

      • 一键通往二次元.exe (PID: 6164)

    • Starts CMD.EXE for commands execution

      • 一键通往二次元.exe (PID: 6164)

    • Hides command output

      • cmd.exe (PID: 6700)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3748)
      • cmd.exe (PID: 7108)

    • There is functionality for taking screenshot (YARA)

      • 一键通往二次元.exe (PID: 2952)
      • 一键通往二次元.exe (PID: 6164)

    • Changes the desktop background image

      • 一键通往二次元.exe (PID: 6164)

  • INFO

    • Reads the computer name

      • 一键通往二次元.exe (PID: 2952)
      • 一键通往二次元.exe (PID: 6164)

    • Checks supported languages

      • 一键通往二次元.exe (PID: 2952)
      • 一键通往二次元.exe (PID: 6164)

    • The sample compiled with english language support

      • 一键通往二次元.exe (PID: 2952)

    • Create files in a temporary directory

      • 一键通往二次元.exe (PID: 2952)
      • 一键通往二次元.exe (PID: 6164)

    • Checks proxy server information

      • 一键通往二次元.exe (PID: 6164)
      • slui.exe (PID: 3028)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 1036)

    • PyInstaller has been detected (YARA)

      • 一键通往二次元.exe (PID: 6164)
      • 一键通往二次元.exe (PID: 2952)

    • Reads the software policy settings

      • slui.exe (PID: 3028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:20 05:27:02+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 167936
InitializedDataSize: 104448
UninitializedDataSize: -
EntryPoint: 0xbe20
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
15
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 一键通往二次元.exe 一键通往二次元.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs notepad.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1036notepad C:\Users\admin\Desktop\PLEASE_README_TO_SAVE.txtC:\Windows\System32\notepad.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1232\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2708\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2952"C:\Users\admin\AppData\Local\Temp\一键通往二次元.exe" C:\Users\admin\AppData\Local\Temp\一键通往二次元.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\一键通往二次元.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3028C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3504SchtAsKs /CrEaTe /tn "gzbxjsdwdbksbcnxnmc" /tr "cmd /c start \"\" \"https://www.douyin.com/user/MS4wLjABAAAAV-AzprLNki2APB87tAjxXNoO8TuT-zhYtTrm6b6LPKjRqzonxL8uIqI_uy46Mr7w\"" /sC minute /Mo 1 /f /It /RL HIGHEST C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3724C:\WINDOWS\system32\cmd.exe /c notepad %UserProfile%\Desktop\PLEASE_README_TO_SAVE.txtC:\Windows\System32\cmd.exe一键通往二次元.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3748C:\WINDOWS\system32\cmd.exe /c attrib +s +h "C:\Users\admin\Desktop\main_bg.png"C:\Windows\System32\cmd.exe一键通往二次元.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4552attrib +s +h "C:\Users\admin\Desktop\main_bg.png"C:\Windows\System32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
Total events
7 150
Read events
7 149
Write events
1
Delete events
0

Modification events

(PID) Process:(6164) ä¸€é”®é€šå¾€äºŒæ¬¡å…ƒ.exeKey:HKEY_CURRENT_USER\Control Panel\Desktop
Operation:writeName:Wallpaper
Value:
%UserProfile%\Desktop\main_bg.png
Executable files
100
Suspicious files
2
Text files
28
Unknown types
0

Dropped files

PID
Process
Filename
Type
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\PIL\_imagingtk.cp312-win_amd64.pydexecutable
MD5:7E912D07A39E16BB25CF32B7153515C8
SHA256:D1E5D023821A9C38967FFAA9BDBF4DDE998A3A6BC37942CA334A13E55A1FC711
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\VCRUNTIME140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_asyncio.pydexecutable
MD5:70FB0B118AC9FD3292DDE530E1D789B8
SHA256:F8305023F6AD81DDC7124B311E500A58914B05A9B072BF9A6D079EA0F6257793
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_decimal.pydexecutable
MD5:F78F9855D2A7CA940B6BE51D68B80BF2
SHA256:D4AE192BBD4627FC9487A2C1CD9869D1B461C20CFD338194E87F5CF882BBED12
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\PIL\_imagingmath.cp312-win_amd64.pydexecutable
MD5:8F67156CE61C7DE23E19F9445C8BA504
SHA256:8287A2A551BD99B5D55E18E461FEDB3704B74B0FB60F1E0881C792F90A18CE46
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_elementtree.pydexecutable
MD5:90D8D8F055B4F05396DFE5322D883234
SHA256:D010CC7519332A8EB4E5125AD57227192DE7737DB63EC72FFEBE0C0737B87D69
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_bz2.pydexecutable
MD5:90F58F625A6655F80C35532A087A0319
SHA256:BD8621FCC901FA1DE3961D93184F61EA71068C436794AF2A4449738CCF949946
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_cffi_backend.cp312-win_amd64.pydexecutable
MD5:0572B13646141D0B1A5718E35549577C
SHA256:D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_lzma.pydexecutable
MD5:CF8DE1137F36141AFD9FF7C52A3264EE
SHA256:22D10E2D6AD3E3ED3C49EB79AB69A81AAA9D16AECA7F948DA2FE80877F106C16
2952一键通往二次元.exeC:\Users\admin\AppData\Local\Temp\_MEI29522\_multiprocessing.pydexecutable
MD5:C0A06AEBBD57D2420037162FA5A3142B
SHA256:5673B594E70D1FDAAD3895FC8C3676252B7B675656FB88EF3410BC93BB0E7687
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
29
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3576
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1644
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1644
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3964
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6164
一键通往二次元.exe
49.232.237.64:443
tc.z.wiki
Shenzhen Tencent Computer Systems Company Limited
CN
unknown
3576
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3576
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2336
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1268
svchost.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
tc.z.wiki
  • 49.232.237.64
unknown
login.live.com
  • 20.190.160.5
  • 20.190.160.2
  • 40.126.32.76
  • 20.190.160.128
  • 20.190.160.66
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
一键通往二次元.exe