File name: WEXTRACT.EXE .MUI

Full analysis: https://app.any.run/tasks/00a8ad17-6ae1-4dd7-a2e0-f8524cd33b15
Verdict: Malicious activity
Analysis date: March 16, 2025, 13:44:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python, github
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: E08DFB47C3E3D12845983EA61C810F10
SHA1: 330204E74F47A7CE0A0C4AE1FF2B259EC3D2284D
SHA256: 6FE37A5615B3C47E4C6F7EB7ECA0BDCAB9E05DB9A39A1B6EC83917EED7BB72BA
SSDEEP: 393216:RYkeNu9+t8QSKwdvnibZ0YlhWsJ9sTvFWlDqr33D9DQh4Ce36Y:RYkWM+pTwdvny7HYoZIz9DcY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 1128)
      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 5756)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1040)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 7320)
    • Changes Windows Defender settings

      • INSTAL~1.EXE (PID: 5756)
    • Adds extension to the Windows Defender exclusion list

      • INSTAL~1.EXE (PID: 5756)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6476)
  • SUSPICIOUS

    • Process drops python dynamic module

      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 1128)
      • powershell.exe (PID: 7320)
    • Process drops legitimate windows executable

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 1128)
      • powershell.exe (PID: 7320)
    • Starts a Microsoft application from unusual location

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
    • Executable content was dropped or overwritten

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
      • INSTAL~1.EXE (PID: 1128)
      • INSTAL~1.EXE (PID: 516)
      • powershell.exe (PID: 7320)
    • Application launched itself

      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 1128)
    • The process drops C-runtime libraries

      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 1128)
      • powershell.exe (PID: 7320)
    • Reads the date of Windows installation

      • INSTAL~1.EXE (PID: 6468)
    • Loads Python modules

      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 5756)
    • Reads security settings of Internet Explorer

      • INSTAL~1.EXE (PID: 6468)
    • Starts POWERSHELL.EXE for commands execution

      • INSTAL~1.EXE (PID: 5756)
      • cmd.exe (PID: 736)
    • Script adds exclusion extension to Windows Defender

      • INSTAL~1.EXE (PID: 5756)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 736)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 7320)
    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 736)
      • net.exe (PID: 5776)
    • Probably download files using WebClient

      • cmd.exe (PID: 736)
    • Executing commands from a ".bat" file

      • INSTAL~1.EXE (PID: 5756)
    • Starts CMD.EXE for commands execution

      • INSTAL~1.EXE (PID: 5756)
  • INFO

    • Checks supported languages

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 5756)
      • INSTAL~1.EXE (PID: 1128)
    • Create files in a temporary directory

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 5756)
      • INSTAL~1.EXE (PID: 1128)
    • Reads the machine GUID from the registry

      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 5756)
    • The sample compiled with english language support

      • WEXTRACT.EXE .MUI.exe (PID: 2100)
      • INSTAL~1.EXE (PID: 1128)
      • INSTAL~1.EXE (PID: 516)
      • powershell.exe (PID: 7320)
    • Process checks computer location settings

      • INSTAL~1.EXE (PID: 6468)
    • Reads the computer name

      • INSTAL~1.EXE (PID: 1128)
      • INSTAL~1.EXE (PID: 6468)
      • INSTAL~1.EXE (PID: 516)
      • INSTAL~1.EXE (PID: 5756)
    • Checks proxy server information

      • powershell.exe (PID: 6476)
      • slui.exe (PID: 7672)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1040)
      • powershell.exe (PID: 2552)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 1040)
    • Disables trace logs

      • powershell.exe (PID: 6476)
    • Reads the software policy settings

      • slui.exe (PID: 7672)
No Malware configuration.

TRiD

.exe | InstallShield setup (91.4)
.exe | Generic Win/DOS Executable (4.2)
.exe | DOS Executable Generic (4.2)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2064:11:15 23:53:33+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 40960
InitializedDataSize: 41406464
UninitializedDataSize: -
EntryPoint: 0x1140
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.26100.1
ProductVersionNumber: 11.0.26100.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.26100.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.26100.1
All screenshots are available in the full report
Total processes: 146
Monitored processes: 16
Malicious processes: 6
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in launch order ("no specs" is the graph's own label): start → wextract.exe .mui.exe, instal~1.exe, instal~1.exe (no specs), instal~1.exe, instal~1.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), powershell.exe, powershell.exe, slui.exe

Process information

Each monitored process is listed with its PID, command line (CMD), image path, parent process, user, integrity level and exit code, followed by the modules (images) it loaded.
PID 516
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
Parent process: WEXTRACT.EXE .MUI.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\instal~1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 736
CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Users\Public\setup.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: INSTAL~1.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID 1040
CMD: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.bat'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: INSTAL~1.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1128
CMD: "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE" C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
Parent process: INSTAL~1.EXE
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\instal~1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 2100
CMD: "C:\Users\admin\AppData\Local\Temp\WEXTRACT.EXE .MUI.exe"
Path: C:\Users\admin\AppData\Local\Temp\WEXTRACT.EXE .MUI.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Exit code: 0
Version: 11.00.26100.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\wextract.exe .mui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 2552
CMD: powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: INSTAL~1.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 2984
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5756
CMD: "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE" C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
Parent process: INSTAL~1.EXE
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\instal~1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
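The process table above carries the whole chain the verdict rests on. A self-extractor that wears Microsoft's Wextract version block but fails signature validation (PID 2100, "Executing a file with an untrusted certificate") unpacks INSTAL~1.EXE into %TEMP%\IXP000.TMP, the temp-folder pattern wextract uses. INSTAL~1.EXE drops a _MEI5162 directory full of PySide2 .pyd files, which is the PyInstaller one-file bootloader unpacking itself and is also why "Application launched itself" fires. The chain goes from MEDIUM integrity (PID 516) to HIGH (PID 1128) and from PID 5756 spawns two hidden-window PowerShell commands that add .bat and .exe to the Defender exclusion list, then cmd.exe on C:\Users\Public\setup.bat. Both Add-MpPreference processes exited with code 1, so the exclusions may never have been applied; the report's "Changes Windows Defender settings" tag reflects the attempt, not a confirmed result.

The script below is an added example and is not part of the ANY.RUN report. It replays the records from the process table (constructed here from the page; parent PIDs are an assumption where the page lists only a parent image name) through the checks a hunter would run over process-creation telemetry such as Sysmon Event ID 1. The exclusion pattern is deliberately broader than this sample and also catches -ExclusionPath and -ExclusionProcess.

```python
"""Hunt over process-creation records for the chain seen in the sandbox:
Temp-resident self-extractor -> self-relaunch with elevation -> hidden
PowerShell adding Defender exclusions -> cmd.exe running a .bat from Public.

Added example, not code from the ANY.RUN report.  Records are constructed
from the report's process table; parent PIDs are assumed (the page names
only the parent image for some processes).
"""
import ntpath
import re

# pid | parent pid (assumed) | integrity | exit code ('' = still running) | command line
SAMPLE_RECORDS = r"""
2100|0|MEDIUM|0|"C:\Users\admin\AppData\Local\Temp\WEXTRACT.EXE .MUI.exe"
516|2100|MEDIUM|0|C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
1128|516|HIGH|0|"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE" C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
5756|1128|HIGH|0|"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE" C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
1040|5756|HIGH|1|powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.bat'"
2552|5756|HIGH|1|powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
736|5756|HIGH||C:\WINDOWS\system32\cmd.exe /c "C:\Users\Public\setup.bat"
"""

# Broader than the sample on purpose: any Defender exclusion kind, not just extensions.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Extension|Path|Process)\s+['\"]?([^'\"\s]+)",
    re.IGNORECASE)
# -WindowStyle Hidden and its abbreviations (-w hidden, -win hidden).
HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.IGNORECASE)
# Script files executed out of the world-writable Public profile.
PUBLIC_SCRIPT_RE = re.compile(r"C:\\Users\\Public\\[^\"']+?\.(?:bat|cmd|ps1|vbs|js)\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def parse_records(text):
    """Parse the pipe-separated records into {pid: record}; image = first token of CMD."""
    procs = {}
    for line in text.strip().splitlines():
        pid, ppid, integrity, exit_code, cmd = line.split("|", 4)
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        procs[int(pid)] = {
            "pid": int(pid), "ppid": int(ppid), "integrity": integrity,
            "exit_code": exit_code, "cmd": cmd, "image": m.group(1) or m.group(2),
        }
    return procs


def ancestors(procs, pid):
    """Walk parent links root-wards; returns the ancestor records nearest-first."""
    chain, seen, ppid = [], set(), procs[pid]["ppid"]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        chain.append(procs[ppid])
        ppid = procs[ppid]["ppid"]
    return chain


def findings_for(procs, pid):
    """Every indicator that fires on one process, in a fixed order."""
    p, hits = procs[pid], []
    if TEMP_RE.search(p["image"]):
        hits.append("image_in_temp")
    if any(TEMP_RE.search(a["image"]) for a in ancestors(procs, pid)):
        hits.append("temp_ancestor")
    parent = procs.get(p["ppid"])
    if parent:
        if ntpath.basename(parent["image"]).lower() == ntpath.basename(p["image"]).lower():
            hits.append("self_relaunch")          # PyInstaller bootloader or runas re-exec
        if INTEGRITY_RANK[p["integrity"]] > INTEGRITY_RANK[parent["integrity"]]:
            # A child above its parent's integrity level went through UAC.
            hits.append(f"elevated:{parent['integrity']}->{p['integrity']}")
    if HIDDEN_RE.search(p["cmd"]):
        hits.append("hidden_window")
    for value in EXCLUSION_RE.findall(p["cmd"]):
        hits.append(f"defender_exclusion:{value}")
        if p["exit_code"] not in ("", "0"):
            # Non-zero exit: the exclusion may not be in force; verify on the host.
            hits.append(f"exclusion_exit_{p['exit_code']}")
    for path in PUBLIC_SCRIPT_RE.findall(p["cmd"]):
        hits.append(f"public_dir_script:{path}")
    return hits


def hunt(procs):
    """Return {pid: [findings]} for every process with at least one hit."""
    return {pid: hits for pid in procs if (hits := findings_for(procs, pid))}


def requested_exclusions(procs):
    """Every Defender exclusion value requested anywhere in the tree."""
    return sorted(v for p in procs.values() for v in EXCLUSION_RE.findall(p["cmd"]))


if __name__ == "__main__":
    procs = parse_records(SAMPLE_RECORDS)
    for pid, hits in hunt(procs).items():
        chain = " <- ".join(ntpath.basename(a["image"]) for a in ancestors(procs, pid))
        print(f"{pid:>5} {ntpath.basename(procs[pid]['image'])}: {', '.join(hits)}  [parents: {chain or '-'}]")
    print("exclusions requested:", requested_exclusions(procs))
```

Run stand-alone it prints one line per flagged PID with its parent chain. The exclusion_exit_1 finding is the cue to check state rather than trust the command line: on a live host, `Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension` lists the extension exclusions actually in force.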
Total events: 23 503
Read events: 23 503
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 214
Suspicious files: 500
Text files: 1 381
Unknown types: 0

Dropped files

PID (process): dropped file [type], with hashes where the report lists them.

PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
  Type, MD5 and SHA256: empty in the report
PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\API-MS~1.DLL [executable]
  MD5: 07EBE4D5CEF3301CCF07430F4C3E32D8
  SHA256: 8F8B79150E850ACC92FD6AAB614F6E3759BEA875134A62087D5DD65581E3001F
PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\API-MS~2.DLL [executable]
  MD5: 557405C47613DE66B111D0E2B01F2FDB
  SHA256: 913EAAA7997A6AEE53574CFFB83F9C9C1700B1D8B46744A5E12D76A1E53376FD
PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\APDEA0~1.DLL [executable]
  MD5: 5A72A803DF2B425D5AAFF21F0F064011
  SHA256: 629E52BA4E2DCA91B10EF7729A1722888E01284EED7DDA6030D0A1EC46C94086
PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\API-MS~4.DLL [executable]
  MD5: 2DB5666D3600A4ABCE86BE0099C6B881
  SHA256: 46079C0A1B660FC187AAFD760707F369D0B60D424D878C57685545A3FCE95819
PID 516 (INSTAL~1.EXE): C:\Users\admin\AppData\Local\Temp\_MEI5162\PySide2\QtWidgets.pyd [executable]
  MD5: 50062DFB592CF30CC5262793AA46AB67
  SHA256: A2C9C88FB848BEBACF6889579E274C70C2EEE86DD3F209D45E656D9248EFF529
PID 516 (INSTAL~1.EXE): C:\Users\admin\AppData\Local\Temp\_MEI5162\PySide2\plugins\iconengines\qsvgicon.dll [executable]
  MD5: DB28C60163F824D0372C0122924349FF
  SHA256: 6948741C5975C3C6BD4DD0537D738E23FEDA834A2AF8B0E3E6C0BD1D92043B55
PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AP87F4~1.DLL [executable]
  MD5: 0F7D418C05128246AFA335A1FB400CB9
  SHA256: 5C9BC70586AD538B0DF1FCF5D6F1F3527450AE16935AA34BD7EB494B4F1B2DB9
PID 2100 (WEXTRACT.EXE .MUI.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\API-MS~3.DLL [executable]
  MD5: 624401F31A706B1AE2245EB19264DC7F
  SHA256: 58A8D69DF60ECBEE776CD9A74B2A32B14BF2B0BD92D527EC5F19502A0D3EB8E9
PID 516 (INSTAL~1.EXE): C:\Users\admin\AppData\Local\Temp\_MEI5162\PySide2\plugins\imageformats\qico.dll [executable]
  MD5: EB432DBD5FC22B3665064058C2E2FD29
  SHA256: F472C9D9F651A044CE63659DC612632E2C7EFAEF35421E205931BBC21D68F54E
HTTP(S) requests: 5
TCP/UDP connections: 29
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | Type | Reputation (CN and Size are empty in the report; rows without a PID were not attributed to a monitored process)

- | - | GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1228 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2644 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2644 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (rows without a PID were not attributed to a monitored process)

- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
6544 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1228 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1228 | backgroundTaskHost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | Resolved IPs | Reputation

settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
crl.microsoft.com | 23.48.23.176, 23.48.23.166, 23.48.23.143, 23.48.23.147 | whitelisted
google.com | 216.58.206.78 | whitelisted
login.live.com | 20.190.159.75, 20.190.159.128, 40.126.31.73, 20.190.159.68, 20.190.159.130, 40.126.31.128, 40.126.31.69, 20.190.159.131 | whitelisted
client.wns.windows.com | 40.113.110.67, 20.198.162.76 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
github.com | 140.82.121.3 | whitelisted
raw.githubusercontent.com | 185.199.108.133, 185.199.110.133, 185.199.109.133, 185.199.111.133 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted

Threats

PID | Process | Class | Message

2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info