File name:	app.exe
Full analysis:	https://app.any.run/tasks/a4cdc706-cc73-4db1-be54-6c5c7af73545
Verdict:	Malicious activity
Analysis date:	May 17, 2025, 22:02:26
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	python pyinstaller
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	7FC13BD8769DD987E144ECAFDDD0BC16
SHA1:	4AEB0D31D9C80B01C7D8154026110FB7657F9BF7
SHA256:	5537EBA9D3AA7768BDB1B5DA527CB01B23BD1441F9C2002E9070CB8F6E6C5234
SSDEEP:	98304:4CYzB8ltevLL7x1a7MC2xumzy722pACb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgC:97I4tjl4bEEZ5KAOXsu5m5xqKg

.exe	\|	InstallShield setup (57.6)
.exe	\|	Win64 Executable (generic) (36.9)
.exe	\|	Generic Win/DOS Executable (2.6)
.exe	\|	DOS Executable Generic (2.6)

MachineType:	AMD AMD64
TimeStamp:	2025:04:21 13:13:56+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	173568
InitializedDataSize:	155648
UninitializedDataSize:	-
EntryPoint:	0xce30
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Filename		Type
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\VCRUNTIME140.dll		executable
		MD5:BE8DBE2DC77EBE7F88F910C61AEC691A	SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_decimal.pyd		executable
		MD5:C88282908BA54510EDA3887C488198EB	SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_asyncio.pyd		executable
		MD5:07A6E6DCC30E1C4C7E0CDC41A457A887	SHA256:746BC8FA88282AFE19DC60E426CC0A75BEA3BD137CCA06A0B57A30BD31459403
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_multiprocessing.pyd		executable
		MD5:CF0B31F01A95E9F181D87197786B96CA	SHA256:975C1947798E3C39898C86675CA1EB68249F77361F41F172F9800275227213B9
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_bz2.pyd		executable
		MD5:AA1083BDE6D21CABFC630A18F51B1926	SHA256:00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_queue.pyd		executable
		MD5:7F52EF40B083F34FD5E723E97B13382F	SHA256:3F8E7E6AA13B417ACC78B63434FB1144E6319A010A9FC376C54D6E69B638FE4C
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_socket.pyd		executable
		MD5:B77017BAA2004833EF3847A3A3141280	SHA256:A19E3C7C03EF1B5625790B1C9C42594909311AB6DF540FBF43C6AA93300AB166
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_ctypes.pyd		executable
		MD5:565D011CE1CEE4D48E722C7421300090	SHA256:C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_overlapped.pyd		executable
		MD5:78E8049E26DF6FD3A4011562FF8E74A0	SHA256:CA106E4DFDEAFEABF9E98956D3D8D0CB73E109F1A96F1A7E35BC47DBD7C7E164
868	app.exe	C:\Users\admin\AppData\Local\Temp\_MEI8682\_lzma.pyd		executable
		MD5:B86B9F292AF12006187EBE6C606A377D	SHA256:F5E01B516C2C23035F7703E23569DEC26C5616C05A929B2580AE474A5C6722C5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5812	MoUsoCoreWorker.exe	GET	200	23.50.131.200:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d872b7233105058c	unknown	—	—	whitelisted
3640	svchost.exe	GET	200	23.50.131.200:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7c5aa67f22d7d48d	unknown	—	—	whitelisted
1352	svchost.exe	GET	200	184.24.77.4:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	208.89.74.29:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?462b6f4b189d3e72	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	208.89.74.29:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e631054164025918	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	208.89.74.29:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?01658cdb802755c3	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	208.89.74.29:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ad7715771b7798aa	unknown	—	—	whitelisted

Domain	IP	Reputation
google.com	216.58.206.78	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
ctldl.windowsupdate.com	23.50.131.200 23.50.131.216 208.89.74.29 208.89.74.27 208.89.74.17 208.89.74.19 208.89.74.21 208.89.74.23 208.89.74.31	whitelisted
login.live.com	40.126.32.72 20.190.160.131 20.190.160.67 40.126.32.68 40.126.32.138 40.126.32.140 40.126.32.133 20.190.160.130 20.190.160.132 20.190.160.17 20.190.160.3 20.190.160.5 40.126.32.136 20.190.160.65 20.190.160.66	whitelisted
checkappexec.microsoft.com	4.209.164.61	whitelisted
fs.microsoft.com	23.197.142.186	whitelisted
self.events.data.microsoft.com	13.69.239.73	whitelisted

PID	Process	Class	Message
1352	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method

PID	Process	IP	Domain	ASN	CN	Reputation
1352	svchost.exe	184.24.77.4:80	—	Akamai International B.V.	DE	unknown
5812	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5812	MoUsoCoreWorker.exe	23.50.131.200:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	whitelisted
3640	svchost.exe	40.126.32.72:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3640	svchost.exe	23.50.131.200:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	whitelisted
5268	smartscreen.exe	4.209.164.61:443	checkappexec.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6108	svchost.exe	23.197.142.186:443	fs.microsoft.com	Akamai International B.V.	US	whitelisted
2988	OfficeClickToRun.exe	13.69.239.73:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2768	svchost.exe	208.89.74.29:80	ctldl.windowsupdate.com	—	US	whitelisted

General Info

app.exe

7FC13BD8769DD987E144ECAFDDD0BC16

4AEB0D31D9C80B01C7D8154026110FB7657F9BF7

5537EBA9D3AA7768BDB1B5DA527CB01B23BD1441F9C2002E9070CB8F6E6C5234

98304:4CYzB8ltevLL7x1a7MC2xumzy722pACb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgC:97I4tjl4bEEZ5KAOXsu5m5xqKg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Process drops python dynamic module

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Application launched itself

Starts CMD.EXE for commands execution

Loads Python modules

Reads settings of System Certificates

INFO

Checks supported languages

Reads the computer name

The sample compiled with english language support

Create files in a temporary directory

PyInstaller has been detected (YARA)

Checks operating system version

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings