File name:

build_982.exe

Full analysis: https://app.any.run/tasks/2933de89-4829-4365-88c4-9b4c4a445c4d
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, including files, passwords and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: March 15, 2026, 20:27:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
arch-exec
arch-doc
arch-html
arch-scr
stealer
pentagon
barys
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 10 sections
MD5:

196F502C954C87DFF2FAB6124BA2D324

SHA1:

F15E1AF4F129AEDFCCFB5A8E13D3A70E688BE3A1

SHA256:

6D02D0F524F0277A9A02E865F05B3390487A81BFDFDA5E6DC56848AB788030CE

SSDEEP:

49152:ZhuBOpx6nmEUpw6nCSRx/iTWit28PtbAUCt9YNERplDb90RG7cS:XFx6nmEUlC4c5dA7qGRplv9B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 7788)
    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 2256)
    • Changes Windows Defender settings

      • cmd.exe (PID: 2256)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8488)
      • powershell.exe (PID: 1872)
      • powershell.exe (PID: 8956)
    • Changes settings of System certificates

      • pythonw.exe (PID: 1908)
    • Actions look like stealing of personal data

      • pythonw.exe (PID: 1464)
    • PENTAGON has been detected

      • pythonw.exe (PID: 1464)
    • Steals credentials from Web Browsers

      • pythonw.exe (PID: 1464)
    • Create files in the Startup directory

      • pythonw.exe (PID: 1464)
    • BARYS has been detected (SURICATA)

      • MSBuild.exe (PID: 8948)
  • SUSPICIOUS

    • Process drops python dynamic module

      • build_982.exe (PID: 7896)
      • python.exe (PID: 3560)
      • pythonw.exe (PID: 1908)
    • The process drops C-runtime libraries

      • build_982.exe (PID: 7896)
    • Executable content was dropped or overwritten

      • build_982.exe (PID: 7896)
      • python.exe (PID: 7724)
      • python.exe (PID: 8624)
      • python.exe (PID: 3560)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 1464)
      • WinSvcHost.exe (PID: 8600)
    • Loads Python modules

      • python.exe (PID: 8624)
      • python.exe (PID: 7724)
      • python.exe (PID: 1856)
      • python.exe (PID: 4852)
      • python.exe (PID: 3560)
      • python.exe (PID: 4924)
      • python.exe (PID: 4964)
      • python.exe (PID: 8404)
      • python.exe (PID: 7516)
      • python.exe (PID: 8660)
      • pythonw.exe (PID: 4644)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 768)
      • pythonw.exe (PID: 4312)
    • The process executes VB scripts

      • wscript.exe (PID: 6852)
      • wscript.exe (PID: 6324)
      • wscript.exe (PID: 6788)
      • wscript.exe (PID: 8124)
      • wscript.exe (PID: 3976)
      • wscript.exe (PID: 5636)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6788)
      • wscript.exe (PID: 6852)
      • wscript.exe (PID: 6324)
      • wscript.exe (PID: 3976)
      • wscript.exe (PID: 8124)
      • wscript.exe (PID: 5636)
    • Application launched itself

      • python.exe (PID: 3560)
      • python.exe (PID: 7516)
      • pythonw.exe (PID: 4644)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 768)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5872)
      • cmd.exe (PID: 2256)
    • The executable file from the user directory is run by the CMD process

      • python.exe (PID: 7516)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • python.exe (PID: 7516)
    • Used cmstp for execute code hidden within an inf file

      • python.exe (PID: 7516)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 7788)
      • pythonw.exe (PID: 1464)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2256)
    • Executing commands from ".cmd" file

      • pythonw.exe (PID: 4644)
    • Adds exclusion path to Windows Defender (POWERSHELL)

      • cmd.exe (PID: 2256)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 2256)
    • Adds/modifies Windows certificates

      • pythonw.exe (PID: 1908)
    • Possible stealing from browsers

      • pythonw.exe (PID: 1464)
    • Loads DLL from Mozilla Firefox

      • pythonw.exe (PID: 768)
    • Possible stealing from crypto wallets

      • pythonw.exe (PID: 1464)
    • Possible stealing of messenger data

      • pythonw.exe (PID: 1464)
    • The process executes via Task Scheduler

      • powershell.exe (PID: 1872)
      • powershell.exe (PID: 8956)
      • FieldHandle.exe (PID: 2996)
    • Escape characters obfuscation (POWERSHELL)

      • powershell.exe (PID: 8956)
    • The process creates files with name similar to system file names

      • pythonw.exe (PID: 1464)
  • INFO

    • Creates files or folders in the user directory

      • build_982.exe (PID: 7896)
      • python.exe (PID: 7724)
      • python.exe (PID: 8624)
      • python.exe (PID: 3560)
      • python.exe (PID: 4924)
      • python.exe (PID: 8404)
      • python.exe (PID: 8660)
      • python.exe (PID: 4964)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1908)
      • WerFault.exe (PID: 9012)
      • WerFault.exe (PID: 2424)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 4312)
      • WinSvcHost.exe (PID: 8600)
    • Reads the computer name

      • build_982.exe (PID: 7896)
      • python.exe (PID: 8624)
      • python.exe (PID: 7724)
      • python.exe (PID: 1856)
      • python.exe (PID: 3560)
      • python.exe (PID: 4924)
      • python.exe (PID: 8404)
      • python.exe (PID: 4852)
      • python.exe (PID: 8660)
      • python.exe (PID: 4964)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 4312)
      • pythonw.exe (PID: 768)
      • WinSvcHost.exe (PID: 8600)
      • FieldHandle.exe (PID: 2996)
      • MSBuild.exe (PID: 8948)
    • Python executable

      • python.exe (PID: 8624)
      • python.exe (PID: 3560)
      • python.exe (PID: 7724)
      • python.exe (PID: 4852)
      • python.exe (PID: 1856)
      • python.exe (PID: 4924)
      • python.exe (PID: 8404)
      • python.exe (PID: 8660)
      • python.exe (PID: 4964)
      • python.exe (PID: 7516)
      • pythonw.exe (PID: 4644)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 4312)
      • pythonw.exe (PID: 768)
    • Checks supported languages

      • python.exe (PID: 8624)
      • python.exe (PID: 7724)
      • python.exe (PID: 4852)
      • python.exe (PID: 3560)
      • python.exe (PID: 1856)
      • python.exe (PID: 8404)
      • python.exe (PID: 4924)
      • python.exe (PID: 7516)
      • python.exe (PID: 4964)
      • python.exe (PID: 8660)
      • pythonw.exe (PID: 4644)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 768)
      • pythonw.exe (PID: 4312)
      • WinSvcHost.exe (PID: 8600)
      • FieldHandle.exe (PID: 2996)
      • MSBuild.exe (PID: 8948)
    • Create files in a temporary directory

      • python.exe (PID: 8624)
      • python.exe (PID: 7724)
      • python.exe (PID: 3560)
      • python.exe (PID: 1856)
      • python.exe (PID: 8404)
      • python.exe (PID: 4924)
      • python.exe (PID: 4852)
      • python.exe (PID: 7516)
      • python.exe (PID: 4964)
      • pythonw.exe (PID: 4644)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 4312)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 8624)
      • python.exe (PID: 7724)
      • python.exe (PID: 3560)
      • python.exe (PID: 4964)
      • pythonw.exe (PID: 1884)
      • pythonw.exe (PID: 1908)
      • pythonw.exe (PID: 1464)
      • pythonw.exe (PID: 4312)
    • Reads the machine GUID from the registry

      • python.exe (PID: 7724)
      • python.exe (PID: 8624)
      • python.exe (PID: 3560)
      • pythonw.exe (PID: 1908)
      • WinSvcHost.exe (PID: 8600)
      • FieldHandle.exe (PID: 2996)
      • MSBuild.exe (PID: 8948)
    • The sample compiled with English language support

      • build_982.exe (PID: 7896)
      • python.exe (PID: 8624)
      • python.exe (PID: 3560)
    • Disables trace logs

      • cmstp.exe (PID: 4584)
      • MSBuild.exe (PID: 8948)
    • Creates files in the program directory

      • dllhost.exe (PID: 7788)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 4584)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8488)
      • powershell.exe (PID: 1872)
    • Launching a file from the Startup directory

      • pythonw.exe (PID: 1464)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1872)
      • powershell.exe (PID: 8956)
    • Reads Environment values

      • FieldHandle.exe (PID: 2996)
      • MSBuild.exe (PID: 8948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:03:15 20:25:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.38
CodeSize: 1292288
InitializedDataSize: 1998336
UninitializedDataSize: 1024
EntryPoint: 0x14d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
203
Monitored processes
50
Malicious processes
11
Suspicious processes
9

Behavior graph

start build_982.exe wscript.exe no specs python.exe conhost.exe no specs slui.exe wscript.exe no specs python.exe conhost.exe no specs wscript.exe no specs python.exe conhost.exe no specs python.exe no specs python.exe no specs python.exe no specs python.exe no specs wscript.exe no specs python.exe conhost.exe no specs cmd.exe no specs python.exe no specs python.exe no specs cmstp.exe no specs CMSTPLUA wscript.exe no specs pythonw.exe no specs taskkill.exe no specs conhost.exe no specs pythonw.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wscript.exe no specs #PENTAGON pythonw.exe pythonw.exe chrome.exe werfault.exe msedge.exe werfault.exe pythonw.exe no specs pythonw.exe no specs taskkill.exe no specs conhost.exe no specs winsvchost.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs fieldhandle.exe no specs #BARYS msbuild.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 768
CMD: "C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe" "-I" "-c" "from multiprocessing.spawn import spawn_main; spawn_main(parent_pid=1464, pipe_handle=584)" "--multiprocessing-fork"
Path: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe
Parent process: pythonw.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
HIGH
Description:
Python
Exit code:
0
Version:
3.14.2
Modules
Images
c:\users\admin\appdata\roaming\google\python\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\google\python\vcruntime140.dll
c:\users\admin\appdata\roaming\google\python\python314.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll
PID: 1340
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1464
CMD: "C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe" "C:\Users\admin\AppData\Local\Temp\svc.py"
Path: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe
Parent process: wscript.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
HIGH
Description:
Python
Exit code:
0
Version:
3.14.2
Modules
Images
c:\users\admin\appdata\roaming\google\python\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\google\python\python314.dll
c:\users\admin\appdata\roaming\google\python\vcruntime140.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
PID: 1856
CMD: C:\Users\admin\AppData\Roaming\Google\python\python.exe C:\Users\admin\AppData\Roaming\Google\python\Lib\site-packages\pip\_vendor\pyproject_hooks\_in_process\_in_process.py prepare_metadata_for_build_wheel C:\Users\admin\AppData\Local\Temp\tmp4t8fnouu
Path: C:\Users\admin\AppData\Roaming\Google\python\python.exe
Parent process: python.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.14.2
Modules
Images
c:\users\admin\appdata\roaming\google\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\google\python\python314.dll
c:\users\admin\appdata\roaming\google\python\vcruntime140.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
PID: 1872
CMD: "powershell.exe" -WindowStyle Hidden -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\IsFixedSize\FieldHandle.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe' -Force ; Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe' -Force ; Add-MpPreference -ExclusionProcess 'InstallUtil.exe' -Force ; Add-MpPreference -ExclusionProcess 'RegAsm.exe' -Force ; Add-MpPreference -ExclusionProcess 'MSBuild.exe' -Force ; Add-MpPreference -ExclusionProcess 'aspnet_compiler.exe' -Force ; Add-MpPreference -ExclusionProcess 'AppLaunch.exe' -Force ; Add-MpPreference -ExclusionProcess 'RegSvcs.exe' -Force ; Add-MpPreference -ExclusionProcess 'AddInProcess.exe' -Force ; Add-MpPreference -ExclusionProcess 'FieldHandle.exe' -Force"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1884
CMD: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe -m pip install fernet
Path: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe
Parent process: pythonw.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
HIGH
Description:
Python
Exit code:
0
Version:
3.14.2
Modules
Images
c:\users\admin\appdata\roaming\google\python\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\google\python\vcruntime140.dll
c:\users\admin\appdata\roaming\google\python\python314.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1908
CMD: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe -m pip install pycryptodome requests psutil
Path: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe
Parent process: pythonw.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
HIGH
Description:
Python
Exit code:
0
Version:
3.14.2
Modules
Images
c:\users\admin\appdata\roaming\google\python\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\google\python\python314.dll
c:\users\admin\appdata\roaming\google\python\vcruntime140.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
PID: 2252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2256
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: pythonw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
59 687
Read events
59 644
Write events
35
Delete events
8

Modification events

(PID) Process: (4584) cmstp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation: write
Name: DesktopShortcut
Value: 0

(PID) Process: (7788) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation: write
Name: ProfileInstallPath
Value: C:\ProgramData\Microsoft\Network\Connections\Cm

(PID) Process: (7788) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation: write
Name: SM_AccessoriesName
Value: Accessories

(PID) Process: (7788) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation: write
Name: PF_AccessoriesName
Value: Accessories

(PID) Process: (4584) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (4584) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (4584) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (4584) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (4584) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (4584) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: MaxFileSize
Value: 1048576
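The process command lines in the "Process information" section and the registry writes in the "Modification events" section above carry the indicators a responder would hunt for elsewhere on the estate: Add-MpPreference exclusions, a hidden-window PowerShell, a Python interpreter dropped under AppData\Roaming, scripts run from Temp, pip installs from that interpreter, and cmstp.exe turning off its own tracing while dllhost.exe writes Connection Manager install paths. The script below is an added example by the editor, not part of the ANY.RUN report or of the sample: it runs a small rule set over rows copied from this report (the PowerShell line is abridged to two of its Add-MpPreference calls). The rule names, the regexes and the 1 MiB-style thresholds are the editor's assumptions, meant as a starting point for a Sysmon Event ID 1 / 13 export rather than a finished detection.

```python
"""Triage rules over the process command lines and registry writes listed in
this report. Added example by the editor; not part of the ANY.RUN report or of
the sample. Rows are copied from the report (PowerShell line abridged); the
rule names and regexes are the editor's own assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# (PID, parent process, command line) from the "Process information" section.
PROCESSES = [
    (768, "pythonw.exe",
     r'''"C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe" "-I" "-c" "from multiprocessing.spawn import spawn_main; spawn_main(parent_pid=1464, pipe_handle=584)" "--multiprocessing-fork"'''),
    (1464, "wscript.exe",
     r'''"C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe" "C:\Users\admin\AppData\Local\Temp\svc.py"'''),
    (1872, "svchost.exe",  # abridged: the report lists 16 Add-MpPreference calls
     r'''"powershell.exe" -WindowStyle Hidden -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\IsFixedSize\FieldHandle.exe' -Force ; Add-MpPreference -ExclusionProcess 'MSBuild.exe' -Force"'''),
    (1884, "pythonw.exe",
     r'''C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe -m pip install fernet'''),
    (2256, "pythonw.exe",
     r'''cmd.exe /c C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd'''),
    (2292, "services.exe",  # benign control row: a normal service host
     r'''C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache'''),
]

# (PID, process, key, value name, data) from the "Modification events" section.
REGISTRY_WRITES = [
    (4584, "cmstp.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections", "DesktopShortcut", "0"),
    (7788, "dllhost.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe", "ProfileInstallPath", r"C:\ProgramData\Microsoft\Network\Connections\Cm"),
    (4584, "cmstp.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP", "EnableFileTracing", "0"),
    (4584, "cmstp.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP", "EnableConsoleTracing", "0"),
    (4584, "cmstp.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP", "MaxFileSize", "1048576"),
]

# Command-line rules (editor's names). Only defender_exclusion and
# multiprocessing_child capture a group; the others report the matched text.
CMDLINE_RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+'([^']+)'", re.I)),
    ("hidden_powershell", re.compile(r'powershell(?:\.exe)?\b.*-WindowStyle\s+Hidden', re.I)),
    ("interpreter_in_profile",
     re.compile(r'AppData\\(?:Roaming|Local)\\(?:[^\s"]*\\)?pythonw?\.exe', re.I)),
    ("script_from_temp", re.compile(r'\\Temp\\[^\s"]+\.(?:py|cmd|bat|vbs|js|ps1)\b', re.I)),
    ("pip_install", re.compile(r'-m\s+pip\s+install\b', re.I)),
    ("multiprocessing_child", re.compile(r'parent_pid=(\d+).*--multiprocessing-fork', re.I)),
]


def cmdline_findings(processes):
    out = []
    for pid, _parent, cmd in processes:
        for rule, rx in CMDLINE_RULES:
            if rule == "defender_exclusion":  # one finding per excluded item
                out.extend(Finding(pid, rule, item) for item in rx.findall(cmd))
                continue
            m = rx.search(cmd)
            if m:
                out.append(Finding(pid, rule, m.group(1) if m.groups() else m.group(0)))
    return out


def registry_findings(writes):
    out = []
    for pid, proc, key, name, data in writes:
        # cmstp.exe zeroing its own tracing switches under HKLM\...\Tracing\CMSTP
        if key.upper().endswith(r"\TRACING\CMSTP") and name.startswith("Enable") and data == "0":
            out.append(Finding(pid, "cmstp_tracing_disabled", f"{proc} set {name}=0"))
        # dllhost.exe (the COM surrogate the behavior graph labels CMSTPLUA)
        # writing Connection Manager install paths under HKLM
        if proc.lower() == "dllhost.exe" and r"\App Paths\cmmgr32.exe" in key:
            out.append(Finding(pid, "cmstplua_profile_install", f"{proc} wrote {name}={data}"))
    return out


def triage(processes, writes):
    return cmdline_findings(processes) + registry_findings(writes)


def pids_by_rule(findings):
    by = {}
    for f in findings:
        by.setdefault(f.rule, set()).add(f.pid)
    return {rule: sorted(pids) for rule, pids in by.items()}


def exclusions_added(processes):
    """Map exclusion kind -> values, e.g. {'ExclusionProcess': ['MSBuild.exe']},
    which is the list to hand to Remove-MpPreference during cleanup."""
    rx = re.compile(r"-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
    result = {}
    for _pid, _parent, cmd in processes:
        for kind, value in rx.findall(cmd):
            result.setdefault("Exclusion" + kind, []).append(value)
    return result


if __name__ == "__main__":
    for f in triage(PROCESSES, REGISTRY_WRITES):
        print(f"PID {f.pid:<5} {f.rule:<26} {f.detail}")
    print(exclusions_added(PROCESSES))
```

The control row (PID 2292, svchost.exe) produces no finding, which is the minimum sanity check for any rule set like this. The `interpreter_in_profile` rule will also flag legitimate per-user Python installs, so treat it as a triage hint that gains weight only in combination with the other hits on the same PID chain; the `multiprocessing_child` detail (the parent_pid) is what lets you tie PID 768 back to the svc.py process.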
Executable files
98
Suspicious files
2 451
Text files
1 671
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\python3.dll | Type: executable
MD5: 3740E03E444C539461FEDCF191758226
SHA256: 28A395FB2BDA5E71084478ABEA00DA9AB1C1DFEB7C4856C258518BEE9CC146F1
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\vcruntime140_1.dll | Type: executable
MD5: C0C0B4C611561F94798B62EB43097722
SHA256: 497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\pythonw.exe | Type: executable
MD5: CE34CDA31EAE4589F5B158253DD55F54
SHA256: 58B39B6D8DC9F51A94F1A3143E49B7498FB804A101F2B33BAA14BD72D45298F8
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\python314.dll | Type: executable
MD5: 23B7BEC4BB8CF109503029B50F5EADD5
SHA256: 7FFE3AB11342DB03CC18B026F27485C0F74F5BF10F239F1F6573394900596394
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\python.exe | Type: executable
MD5: 9BD26657353D7441A72F29AB43F1FD37
SHA256: FDA7026477256845AFAB371E354C4D512896665F1761939CB5887D0A9DEC257A
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\pyexpat.pyd | Type: executable
MD5: 247200F8D1B0B35F957E7293CC67CDF5
SHA256: 85673F29FA2F16E70FB95C1DA0E53E819033A19B43964662D1E487B307D8C400
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\winsound.pyd | Type: executable
MD5: 9E65D8122BE0DA171A75482B2EDBC9F9
SHA256: 5C0F9FE89C368895F46B23292BF9656610587439DE5979E476B00FE6920F6BD5
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\select.pyd | Type: executable
MD5: 6B181CF903A5903F9D8D711A731578D3
SHA256: A0F7B2E00144794E497D11FFFC14E7A968F59E207C702CA7B262B7037065B5BA
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\unicodedata.pyd | Type: executable
MD5: D421EAB157A93FD255554DC2D31B7A3A
SHA256: 64844C24F67E7EAFB77142B4CBE4A430F4DB3B16F59191586BA6596CA19FC775
PID: 7896 | Process: build_982.exe | Filename: C:\Users\admin\AppData\Roaming\Google\python\_asyncio.pyd | Type: executable
MD5: E9FF314ADB895F5AEFF2ACC7DE8AD7F4
SHA256: F9DC3B563E0B313E3FA5364C2F14B1FE08D004D70126A6DE5D78826DB77C6318
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
57
TCP/UDP connections
57
DNS requests
39
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
7244
svchost.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted
356
svchost.exe
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
8080
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
356
svchost.exe
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
356
svchost.exe
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
8080
SIHClient.exe
GET
200
74.178.76.54:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
8080
SIHClient.exe
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
8080
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
7244
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
7244
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8400
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.67:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
6768
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7896
build_982.exe
151.101.128.223:443
www.python.org
FASTLY
US
whitelisted
7896
build_982.exe
151.101.0.175:443
bootstrap.pypa.io
FASTLY
US
unknown
8624
python.exe
151.101.128.223:443
www.python.org
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 92.123.104.67
  • 92.123.104.12
  • 92.123.104.65
  • 92.123.104.9
  • 92.123.104.6
  • 92.123.104.66
  • 92.123.104.14
  • 92.123.104.13
  • 92.123.104.5
  • 2.16.241.207
  • 2.16.241.218
  • 2.16.241.205
whitelisted
google.com
  • 142.251.141.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
www.python.org
  • 151.101.128.223
  • 151.101.192.223
  • 151.101.64.223
  • 151.101.0.223
whitelisted
bootstrap.pypa.io
  • 151.101.0.175
  • 151.101.64.175
  • 151.101.128.175
  • 151.101.192.175
unknown
pypi.org
  • 151.101.128.223
  • 151.101.0.223
  • 151.101.64.223
  • 151.101.192.223
whitelisted
files.pythonhosted.org
  • 151.101.0.223
  • 151.101.128.223
  • 151.101.192.223
  • 151.101.64.223
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.71
  • 20.190.159.0
  • 20.190.159.129
  • 40.126.31.3
  • 20.190.159.75
  • 40.126.31.67
  • 40.126.31.128
  • 20.190.159.131
  • 20.190.159.23
  • 20.190.159.128
  • 20.190.159.130
  • 20.190.159.68
  • 40.126.31.73
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.1
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Misc activity
ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
8624
python.exe
Misc activity
ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
7244
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7724
python.exe
Misc activity
ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
2292
svchost.exe
Misc activity
ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
3560
python.exe
Misc activity
ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
2292
svchost.exe
Misc activity
ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
1908
pythonw.exe
Misc activity
ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
8948
MSBuild.exe
Misc activity
HUNTING [ANY.RUN] TCP binary protocol 32-LE data-len prefix on non-standard port inbound
8948
MSBuild.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Barys activity observed M3
No debug info
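The HUNTING rule that fired on MSBuild.exe (PID 8948) matches a framing pattern, a 32-bit little-endian length prefix on inbound data on a non-standard port, rather than known malware content. The following is an added example by the editor, not part of the ANY.RUN report or of the sample, showing how to apply the same heuristic to a reassembled TCP payload from the PCAP. It assumes only what the rule name states (records of the form <u32 LE length><body>) and says nothing about the real Barys protocol, which the report does not describe; the 1 MiB ceiling and the sample payloads are the editor's constructions.

```python
"""Heuristic for a <u32 little-endian length><body> framed TCP payload, the
pattern named by the HUNTING rule in this report. Added example by the editor;
not from the report or the sample. Samples are constructed, not captured."""
import struct

MAX_FRAME = 1 << 20  # assumption: reject "lengths" that are really ASCII or TLS bytes


def split_u32le_frames(payload: bytes, allow_partial: bool = False):
    """Split payload into frame bodies if it is a run of <u32 LE length><body>
    records. Returns None when the bytes do not fit that layout. With
    allow_partial=True a truncated final record (e.g. capture cut mid-frame)
    is dropped and the complete frames before it are returned."""
    frames, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            return frames if allow_partial and frames else None
        (length,) = struct.unpack_from("<I", payload, pos)
        if length == 0 or length > MAX_FRAME:
            return None
        end = pos + 4 + length
        if end > len(payload):
            return frames if allow_partial and frames else None
        frames.append(payload[pos + 4:end])
        pos = end
    return frames


def looks_length_prefixed(payload: bytes, min_frames: int = 1) -> bool:
    """True if the payload parses cleanly as at least min_frames such records."""
    frames = split_u32le_frames(payload)
    return frames is not None and len(frames) >= min_frames


def frame(body: bytes) -> bytes:
    """Build one record in that layout (used here only to construct samples)."""
    return struct.pack("<I", len(body)) + body


# Constructed samples: a two-record stream in the suspected layout, and an
# ordinary HTTP request whose first four bytes ("GET ") decode to an absurd length.
SAMPLE_FRAMED = frame(b"hello") + frame(bytes(range(16)))
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(split_u32le_frames(SAMPLE_FRAMED))
    print(looks_length_prefixed(SAMPLE_HTTP))
```

Run it on the server-to-client direction of each reassembled stream, since the rule is written for inbound data; requiring two or more consecutive clean frames (min_frames=2) cuts the false positives from binary protocols whose first word happens to be a small integer.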