File name: script.exe

Full analysis: https://app.any.run/tasks/1a84b27c-3305-4061-87b6-8df25757c594
Verdict: Malicious activity
Analysis date: May 16, 2025, 16:21:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 952DFCB0A569172586C46C3F6B22A3B9
SHA1: 3ACE06404485C4C4A1A7278B65AA90077A63D831
SHA256: 6A5BCE1C5911DD7B62C5991F9CC523466F39871FBD9BA02BE87609258144989F
SSDEEP: 98304:uCYzBZBqZVs3Fr5qXd6cGEUJHOnZkSOV0rjjjsyTe26Bb/ncfRkzKVfq7AnYRO4Y:tvfk91881mwe/kil49D96akh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • script.exe (PID: 7644)
      • script.exe (PID: 7704)
    • Process drops python dynamic module

      • script.exe (PID: 7644)
    • The process creates files with name similar to system file names

      • script.exe (PID: 7644)
      • script.exe (PID: 7704)
    • Process drops legitimate windows executable

      • script.exe (PID: 7644)
    • Application launched itself

      • script.exe (PID: 7644)
      • powershell.exe (PID: 7724)
    • The process drops C-runtime libraries

      • script.exe (PID: 7644)
    • Loads Python modules

      • script.exe (PID: 7704)
    • Starts POWERSHELL.EXE for commands execution

      • script.exe (PID: 7704)
      • powershell.exe (PID: 7724)
      • cmd.exe (PID: 5680)
    • Executing commands from a ".bat" file

      • script.exe (PID: 7704)
    • Starts CMD.EXE for commands execution

      • script.exe (PID: 7704)
    • There is functionality for taking screenshot (YARA)

      • script.exe (PID: 7644)
      • script.exe (PID: 7704)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5680)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7352)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 7724)
      • script.exe (PID: 7704)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 7724)
      • script.exe (PID: 7704)
  • INFO

    • Checks supported languages

      • script.exe (PID: 7644)
      • script.exe (PID: 7704)
    • Reads the computer name

      • script.exe (PID: 7644)
    • Create files in a temporary directory

      • script.exe (PID: 7644)
    • The sample compiled with english language support

      • script.exe (PID: 7644)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8068)
    • Creates files or folders in the user directory

      • script.exe (PID: 7704)
    • PyInstaller has been detected (YARA)

      • script.exe (PID: 7644)
      • script.exe (PID: 7704)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • script.exe (PID: 7704)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7352)
    • Checks proxy server information

      • slui.exe (PID: 1180)
    • Reads the software policy settings

      • slui.exe (PID: 1180)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8068)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:16 16:19:27+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 194560
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 155
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph: script.exe, script.exe, powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), slui.exe, ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), script.exe (no specs)

Process information

PID: 1128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5404
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: User Choice Protection Manager
Exit code: 0
Version: 1.0.0.414301
Modules (images):
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5680
CMD: cmd.exe /c C:\Users\admin\AppData\Roaming\OFFLINE\dec-excute-main.bat
Path: C:\Windows\System32\cmd.exe
Parent process: script.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 7272
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7352
CMD: powershell -NoProfile -Command "$key = 'now';" "$content = [System.IO.File]::ReadAllBytes(\"C:\Users\admin\AppData\Roaming\OFFLINE\xx-svchost.exe.dead\");" "$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($key);" "for ($i = 0; $i -lt $content.Length; $i++) {" " $content[$i] = $content[$i] -bxor $keyBytes[$i % $keyBytes.Length];" "}" "[System.IO.File]::WriteAllBytes(\"C:\Users\admin\AppData\Roaming\OFFLINE\xx-svchost.exe.dead\", $content);"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 7396
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: User Choice Protection Manager
Exit code: 0
Version: 1.0.0.414301
Modules (images):
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7520
CMD: "C:\Users\admin\AppData\Local\Temp\script.exe"
Path: C:\Users\admin\AppData\Local\Temp\script.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\appdata\local\temp\script.exe
c:\windows\system32\ntdll.dll
PID: 7644
CMD: "C:\Users\admin\AppData\Local\Temp\script.exe"
Path: C:\Users\admin\AppData\Local\Temp\script.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\script.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7704
CMD: "C:\Users\admin\AppData\Local\Temp\script.exe"
Path: C:\Users\admin\AppData\Local\Temp\script.exe
Parent process: script.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\script.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 14 028
Read events: 14 028
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 109
Suspicious files: 5
Text files: 21
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_ARC4.pyd | executable
MD5:E6CD2A53023A68D45FEF9649F8692033
SHA256:A3F01B571CE3242A78E4E936840DD2B04F8219516FFF0E1FD31EBD5D6D7F6B61
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_chacha20.pyd | executable
MD5:CCC8A9191FB20271491FECB71827528B
SHA256:C8A097FA3A1B4E18844D1D24BBD6A7572774BA41859111DD3D5526FA003E6B72
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_aesni.pyd | executable
MD5:B7F4C5762B8F8A4175EC0249045982F8
SHA256:95A25E8ECC41390ED45EE33C5F40603D0DCD598CC18302CA2C8D1C54C5DC3613
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_Salsa20.pyd | executable
MD5:62959C0AB456D56FFA1D140771FCFC2C
SHA256:82BBCEAA3D6AB29E1B80F7C1594DBCAC0EA7571DB821BA7A344770D8711BE282
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_des3.pyd | executable
MD5:22A0EABA28A84B835A1B0518F071EB94
SHA256:B964BD1C54BD9FBFF89733D8552D56FDC064220F66C24280A04097091A384358
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_des.pyd | executable
MD5:D6EB0424CE3FD860E483F023A77143DC
SHA256:74863760AFA3AF078D9D3E639E86A15B00052504061F6331C03A8DBD40CDA2E0
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_ocb.pyd | executable
MD5:5B68D6671847E464EF26E5038D1B8719
SHA256:2CC04E3FC7733BF58D2660FD3764468F74ECF5C59FBFD350EF99CEC40E815894
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_ecb.pyd | executable
MD5:F80CE894517427B80BB308A9C18C6028
SHA256:3B2D667316667BE58BB2CC61EBB77DED2DBC932C3D2BE65F1EFCC8FBF3E39382
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_cast.pyd | executable
MD5:902F3B0D233FF262A9037ACCF2BBCCA7
SHA256:D5B1E41CE19268FD7E4B4273BD5F94B1D30C3F705465A1AC66553757A2FC9C71
7644 | script.exe | C:\Users\admin\AppData\Local\Temp\_MEI76442\Cryptodome\Cipher\_raw_ofb.pyd | executable
MD5:A38662AE5CC698CF04AAB87DC1ABEFE8
SHA256:BF9C0E371947621B4EF71D85702D24C1EB3D7B7C293EFD1177A4D1ACEE55B597
HTTP(S) requests: 5
TCP/UDP connections: 39
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
900 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IPs | Reputation
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.169
  • 23.48.23.158
  • 23.48.23.166
  • 23.48.23.159
  • 23.48.23.143
  • 23.48.23.176
  • 23.48.23.145
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.0
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.1
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info