File name:	DreamAPIPortable.exe
Full analysis:	https://app.any.run/tasks/9a451c2b-7623-492e-bfac-0b7adbe80329
Verdict:	Malicious activity
Analysis date:	May 18, 2025, 00:09:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	pyinstaller python github
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	6610CB5FCF05BDB313186355C3C6318A
SHA1:	DC214B097FDB66249E43A4DE65B86C68153AD6AA
SHA256:	7305CBB1E020126157B14EFC7C923ED0E6553E03A0C79209895C778F2C17C442
SSDEEP:	196608:3lZZ06Vx6mDDAZzDNBcMgi9FEEuOHsN9t:1Zm6Vx6mIZzk1iKOMft

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2021:04:15 05:29:49+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.28
CodeSize:	136704
InitializedDataSize:	244224
UninitializedDataSize:	-
EntryPoint:	0x90ac
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.3.2.0
ProductVersionNumber:	1.3.2.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	acidicoala
FileDescription:	DreamAPI
FileVersion:	1.3.2.0
InternalName:	DreamAPI
LegalCopyright:	Fuck the copyright >:D
OriginalFileName:	DreamAPI.exe
ProductName:	DreamAPI
ProductVersion:	1.3.2.0


(PID) Process:	(5864) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION
(PID) Process:	(5864) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION
(PID) Process:	(5864) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL
(PID) Process:	(4976) DreamAPIPortable.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(4976) DreamAPIPortable.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyOverride
Value:
(PID) Process:	(4976) DreamAPIPortable.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyServer
Value:
(PID) Process:	(4976) DreamAPIPortable.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 1
(PID) Process:	(4976) DreamAPIPortable.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyOverride
Value: <local>
(PID) Process:	(4976) DreamAPIPortable.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyServer
Value: 127.0.0.1:8888
(PID) Process:	(1012) slui.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
Operation:	delete value	Name:	48BAEE3F44BB4642020D4DD2A34E24B85971412D
Value:

PID	Process	Filename		Type
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\DreamAPIPortable.exe.manifest		xml
		MD5:1B365BFA91F4E67702EA80DB6E28CD21	SHA256:FBC457E4DC526CC33F12D8E62F95338002743A61A8A6CCF0DA538F53CBA40A3A
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_ssl.pyd		executable
		MD5:4DDF64B25544D11A28215052A394B457	SHA256:B673E41306D6DF496151017ECB153A69E0BE509B448697D70427AC82C1664974
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_decimal.pyd		executable
		MD5:4D1A4E9C60BB269A20282484E206A994	SHA256:5EDB8C385ADEF2CFD870C80C2DB89FBE19159B104B4A7912BADF38FC5613A765
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_asyncio.pyd		executable
		MD5:C660EC7E25CA590AE605CA2EF9A0F668	SHA256:586B1B8B933F55AC1E059240E9323540E6886DC06587CA60A42F452FBADC62B6
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_brotli.cp38-win_amd64.pyd		executable
		MD5:C128F362316BAB15BF314523BEC9E41D	SHA256:620738F5433F23A5AB6A0A7CAA59383F0984C11A9139D480D5DAC2D4582B1644
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_elementtree.pyd		executable
		MD5:C2F0D27827BCB64F9FAE79308AA7C62A	SHA256:42D3D7665119135F822C92E7B41F08B30A8F64F1E6A19B3008F8FFD84F4326C8
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_testcapi.pyd		executable
		MD5:1720D90B2D9ABDC442388ECDF13C164C	SHA256:698C41FB3E050DC3B11A881E63721BCB68C41954E2E3897B69FC1068CAB22EEC
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_lzma.pyd		executable
		MD5:0CAA4DA7B74FC8E8F08BA736274BDB46	SHA256:167C5550B93541C703C8AFEB4D912719D5039230A7EFCE8F4BC500F175252ED8
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_socket.pyd		executable
		MD5:49F417DE4AAAE069D5B2D5D5A4DDABE1	SHA256:F1930CA4C78029FB41F3F661194B9D3001D0A99F45D68BF3A4A87D9EA36AAD20
2320	DreamAPIPortable.exe	C:\Users\admin\AppData\Local\Temp\_MEI23202\_ctypes.pyd		executable
		MD5:DA2FF1686AB85C37A2A247BB8595C258	SHA256:279560B61E20B869A059A103FB010093F9E367420BC81182646E357DE8B9740F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5680	SIHClient.exe	GET	200	104.124.11.58:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	104.124.11.58:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5680	SIHClient.exe	GET	200	104.124.11.58:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5680	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5680	SIHClient.exe	104.124.11.58:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5680	SIHClient.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
5680	SIHClient.exe	13.95.31.18:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5216	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4976	DreamAPIPortable.exe	185.199.109.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
crl.microsoft.com	104.124.11.58 104.124.11.17	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted
raw.githubusercontent.com	185.199.109.133 185.199.108.133 185.199.111.133 185.199.110.133	whitelisted

General Info

DreamAPIPortable.exe

6610CB5FCF05BDB313186355C3C6318A

DC214B097FDB66249E43A4DE65B86C68153AD6AA

7305CBB1E020126157B14EFC7C923ED0E6553E03A0C79209895C778F2C17C442

196608:3lZZ06Vx6mDDAZzDNBcMgi9FEEuOHsN9t:1Zm6Vx6mIZzk1iKOMft

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

Process drops legitimate windows executable

Application launched itself

Starts CMD.EXE for commands execution

Loads Python modules

Adds/modifies Windows certificates

The process drops C-runtime libraries

Reads security settings of Internet Explorer

Drops a system driver (possible attempt to evade defenses)

There is functionality for taking screenshot (YARA)

INFO

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

PyInstaller has been detected (YARA)

Checks proxy server information

Reads the machine GUID from the registry

Reads the computer name

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings