File name:

sims-4-updater-v1.3.4.exe

Full analysis: https://app.any.run/tasks/f423b92b-0b73-41d0-8c4f-a9f18fff2d13
Verdict: Malicious activity
Analysis date: September 07, 2024, 18:03:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pyinstaller
python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

D34CE38D2811B4014DC5576D7671A780

SHA1:

FB0948BDA56D6AB2D70E490A5CD9E77EA3F06D17

SHA256:

7D30BA7852E9047E93C2488CB0305AD71551692FF42A295225BC8EFBE7E8053C

SSDEEP:

98304:RsiYNXu8M+DHmOVWjtKxgJpNC0ErFqTGJbU8U0OBTfMXFSYAbYpB4RplQ94geo7d:H1YYCyPuI3pIwhqbr6TnYlF7KbI4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • sims-4-updater-v1.3.4.exe (PID: 5704)

    • Executable content was dropped or overwritten

      • sims-4-updater-v1.3.4.exe (PID: 5704)

    • Process drops python dynamic module

      • sims-4-updater-v1.3.4.exe (PID: 5704)

    • Process drops legitimate windows executable

      • sims-4-updater-v1.3.4.exe (PID: 5704)

    • Application launched itself

      • sims-4-updater-v1.3.4.exe (PID: 5704)

    • Loads Python modules

      • sims-4-updater-v1.3.4.exe (PID: 2476)

    • Starts CMD.EXE for commands execution

      • sims-4-updater-v1.3.4.exe (PID: 2476)

  • INFO

    • Reads the computer name

      • sims-4-updater-v1.3.4.exe (PID: 5704)
      • sims-4-updater-v1.3.4.exe (PID: 2476)

    • Checks supported languages

      • sims-4-updater-v1.3.4.exe (PID: 5704)
      • sims-4-updater-v1.3.4.exe (PID: 2476)

    • Create files in a temporary directory

      • sims-4-updater-v1.3.4.exe (PID: 5704)
      • sims-4-updater-v1.3.4.exe (PID: 2476)

    • PyInstaller has been detected (YARA)

      • sims-4-updater-v1.3.4.exe (PID: 5704)
      • sims-4-updater-v1.3.4.exe (PID: 2476)

    • Reads the machine GUID from the registry

      • sims-4-updater-v1.3.4.exe (PID: 2476)

    • Checks proxy server information

      • sims-4-updater-v1.3.4.exe (PID: 2476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:09 00:12:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.32
CodeSize: 165888
InitializedDataSize: 137728
UninitializedDataSize: -
EntryPoint: 0xafb0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT sims-4-updater-v1.3.4.exe THREAT sims-4-updater-v1.3.4.exe cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1840\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2476"C:\Users\admin\Desktop\sims-4-updater-v1.3.4.exe" C:\Users\admin\Desktop\sims-4-updater-v1.3.4.exe
sims-4-updater-v1.3.4.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\sims-4-updater-v1.3.4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5704"C:\Users\admin\Desktop\sims-4-updater-v1.3.4.exe" C:\Users\admin\Desktop\sims-4-updater-v1.3.4.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\sims-4-updater-v1.3.4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6368C:\WINDOWS\system32\cmd.exe /c "updater_readme.txt"C:\Windows\System32\cmd.exesims-4-updater-v1.3.4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
361
Read events
361
Write events
0
Delete events
0

Modification events

No data
Executable files
76
Suspicious files
4
Text files
926
Unknown types
0

Dropped files

PID
Process
Filename
Type
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_socket.pydexecutable
MD5:819166054FEC07EFCD1062F13C2147EE
SHA256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_multiprocessing.pydexecutable
MD5:A9A0588711147E01EED59BE23C7944A9
SHA256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_queue.pydexecutable
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_uuid.pydexecutable
MD5:B68C98113C8E7E83AF56BA98FF3AC84A
SHA256:990586F2A2BA00D48B59BDD03D3C223B8E9FB7D7FAB6D414BAC2833EB1241CA2
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_tkinter.pydexecutable
MD5:8DA8E5348D9F9572CE9216AC8A628C2B
SHA256:06B96357F5DD83D0D8105127E7AAEACB834DDF1AE03FA46AAFFDC1E5FD0A7621
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:DA9189023A6B7872DE881052F3B990F9
SHA256:F38193429C05622DF65BFA1428895197B851D981875737C55F1CFE04A88664EF
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
5704sims-4-updater-v1.3.4.exeC:\Users\admin\AppData\Local\Temp\_MEI57042\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
21
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6192
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6880
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6880
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6192
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6880
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6192
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6880
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.212.174
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
gist.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
shared
rentry.co
  • 104.26.2.16
  • 172.67.75.40
  • 104.26.3.16
unknown
rentry.org
  • 164.132.58.105
unknown

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
2476
sims-4-updater-v1.3.4.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sims-4-updater-v1.3.4.exe