File name:	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe
Full analysis:	https://app.any.run/tasks/6e888da9-2630-41f9-b741-1bf9059f6661
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 08, 2026, 19:52:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github stealer auto-startup python discord luna pyinstaller susp-powershell generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	0F614CAC9E70C3AAFEAE8C411B204BE8
SHA1:	D0EA8DAF4ED0B6992B7905EC6495F01EA8891BD1
SHA256:	460900FA6E4607E9A315C078FA100D2B514D07DA9A6561DCA12E22CFC2D52FF1
SSDEEP:	196608:tVooml6t8Pj7gTSsoTwa5SqD64Fl6O2VEWVtRibVg8Nj7:YFle8Pj7ZtkQSqD9niDRibVnR7

.exe	\|	InstallShield setup (57.6)
.exe	\|	Win64 Executable (generic) (36.9)
.exe	\|	Generic Win/DOS Executable (2.6)
.exe	\|	DOS Executable Generic (2.6)

MachineType:	AMD AMD64
TimeStamp:	2026:04:07 15:29:06+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	181760
InitializedDataSize:	98304
UninitializedDataSize:	-
EntryPoint:	0xdfa0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(1456) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

PID	Process	Filename		Type
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_aesni.pyd		binary
		MD5:0B2596C23BD2792FA5CDB304417DD36D	SHA256:2369F44274DC7F03B5F37D77F39BA77EC9146CF53170CB4E9EFC2001197C698F
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_des.pyd		binary
		MD5:53F7B88C994A12109A43169E16D9FEA0	SHA256:89446AFF1D4833DCFCF3EB6F4392900CD095F656FA621928D69C589477DF772A
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_ecb.pyd		binary
		MD5:FC23D10DB102260CED6D1B0A82E83017	SHA256:633CB61F67986877CDB10E6D2FCD19B29B8F1880FAFBE17E6CE3CF3DF3E64952
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_des3.pyd		binary
		MD5:7B0BCE99E559C6868CC43FB9C3F921D9	SHA256:8EA8CFD1D8714343EADF340C060DDBAE685438A6B986CDD07282ED4663B7DA6E
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Hash\_BLAKE2b.pyd		binary
		MD5:DB79C5A551B151C0FBABA70683A22561	SHA256:E6C07DCBE2BC02B625215AB5062A13DA16A667E2A9CF143EE9CF3C8E85D1E95E
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_blowfish.pyd		binary
		MD5:BCD7095AD7E4EDC042D58D4EC72CEA9F	SHA256:771D467660DC6F6572AEA53A322DA4E0CADB96749AF7E9B995D3846B2A6450B3
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_cfb.pyd		binary
		MD5:8C2022FC051E9DC0279A2FE507E54837	SHA256:574A60FECD3B3D738F42B870C63BEDF8E00C013921EB0BBA708F9F77240A23C0
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_cast.pyd		binary
		MD5:85EF185BC09402AB82F26D77119A8C94	SHA256:DBB5559743D3474D557811366F2B24E4C8CE134D254FDA8F1BFEDE5187F12292
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_arc2.pyd		binary
		MD5:85F63E63DF3607939B73A8DFD6E97378	SHA256:EA0D32C15FFF0FB6FC91F4878DB501C8B92B52A3B09BA73AA53EC0C86BD81AE9
7780	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	C:\Users\admin\AppData\Local\Temp\_MEI77802\Cryptodome\Cipher\_raw_ctr.pyd		binary
		MD5:C22F3989DD44FCB927F0E9B2DFE7805D	SHA256:6BFE4C4637D81D815051B357C0593D9351D9409D28BFB3D87D2FAF89E46C9A30

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6076	svchost.exe	GET	200	23.58.106.108:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	POST	200	20.190.160.2:443	https://login.live.com/RST2.srf	US	binary	1.24 Kb	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6076	svchost.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	POST	400	20.190.160.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted
5316	svchost.exe	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	US	binary	1.24 Kb	whitelisted
5316	svchost.exe	POST	400	20.190.160.5:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted
—	—	POST	400	20.190.160.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted
5316	svchost.exe	POST	400	20.190.160.5:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted
—	—	POST	400	20.190.160.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6076	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8124	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6076	svchost.exe	23.55.110.193:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
5276	MoUsoCoreWorker.exe	23.55.110.193:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6076	svchost.exe	23.58.106.108:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	23.58.106.108:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 40.127.240.158	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
google.com	142.251.208.14	whitelisted
crl.microsoft.com	23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	23.58.106.108 88.221.169.152	whitelisted
login.live.com	20.190.160.5 20.190.160.3 20.190.160.2 20.190.160.132 40.126.32.72 20.190.160.22 40.126.32.138 40.126.32.140	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
raw.githubusercontent.com	185.199.111.133 185.199.110.133 185.199.108.133 185.199.109.133	whitelisted
ptb.discord.com	162.159.128.233 162.159.136.232 162.159.135.232 162.159.137.232 162.159.138.232	whitelisted
slscr.update.microsoft.com	74.179.77.204	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
2232	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2956	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
1724	x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

General Info

x460900fa6e4607e9a315c078fa100d2b514d07da9a6561dca12e22cfc2d52ff1.exe

0F614CAC9E70C3AAFEAE8C411B204BE8

D0EA8DAF4ED0B6992B7905EC6495F01EA8891BD1

460900FA6E4607E9A315C078FA100D2B514D07DA9A6561DCA12E22CFC2D52FF1

196608:tVooml6t8Pj7gTSsoTwa5SqD64Fl6O2VEWVtRibVg8Nj7:YFle8Pj7ZtkQSqD9niDRibVnR7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Adds extension to the Windows Defender exclusion list

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Steals credentials from Web Browsers

Changes settings for real-time protection

Changes Windows Defender settings

Changes settings for checking scripts for malicious actions

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for protection against network attacks (IPS)

Changes Controlled Folder Access settings

Adds path to the Windows Defender exclusion list

Steals Discord credentials and data (YARA)

LUNA has been detected

SUSPICIOUS

Loads Python modules

Starts CMD.EXE for commands execution

Process drops python dynamic module

Application launched itself

Executable content was dropped or overwritten

Disables Windows Defender real-time protection (POWERSHELL)

Disables Windows Defender IPS (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

Uses NETSH.EXE to obtain data on the network

Adds exclusion path to Windows Defender (POWERSHELL)

The process hide an interactive prompt from the user

Script adds exclusion extension to Windows Defender

INFO

Reads the computer name

Create files in a temporary directory

Checks supported languages

Launching a file from the Startup directory

Creates files or folders in the user directory

Manual execution by a user

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

PyInstaller has been detected (YARA)

There is functionality for taking screenshot (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information