File name:	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259
Full analysis:	https://app.any.run/tasks/eba587d8-6868-4e51-add4-39722ff247de
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 18:23:37
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	07EAA90195AAF70A631F72D4895D89A5
SHA1:	46F03B9CB0D1E059BD2FCED6AFA8883D54AA9AA8
SHA256:	7ED6D5ECB0AA7351E4C029F3432CF8407CDEE1D1C7F547146A9E597AF18E5259
SSDEEP:	98304:+bXK7rombMuYXg5073YVmb50EhibGf+k4l/onUZXFCh0bRbHI6jdoRpl89a/ylTy:7mcpsyrVlId8AAygu

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:02:08 06:03:50+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.34
CodeSize:	165888
InitializedDataSize:	154624
UninitializedDataSize:	-
EntryPoint:	0xb310
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(4980) WerFault.exe	Key:	\REGISTRY\A\{7289cde1-b8ef-e05b-ba88-0c52fad961b6}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(4980) WerFault.exe	Key:	\REGISTRY\A\{7289cde1-b8ef-e05b-ba88-0c52fad961b6}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\VCRUNTIME140.dll		executable
		MD5:870FEA4E961E2FBD00110D3783E529BE	SHA256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\_bz2.pyd		executable
		MD5:10D42EFAC304861AD19821B4594FA959	SHA256:8EECDCC250637652E6BABC306EA6B8820E9E835DDD2434816D0E0FD0CA67FD14
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:928BE2A3FC2E88BDA5CA0808324E97C4	SHA256:CC6C2FDF1C34FA82036165B111F91220BCF7E43AAB79DFB284F982F0590BEBB1
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\_ssl.pyd		executable
		MD5:93905020F4158C5119D16EE6792F8057	SHA256:D9CC4358D9351FED11EEC03753A8FA8ED981A6C2246BBD7CB0B0A3472C09FDC4
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:6177998C2CE574A177E524746B77EFE7	SHA256:A0AA340274D4BB46B6D9547D647AB7DC16C229577BBAB836E6A4F3307F310332
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:361C6BCFCEA263749419B0FBED7A0CE8	SHA256:B74AEFD6FA638BE3F415165C8109121A2093597421101ABC312EE7FFA1130278
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-libraryloader-l1-1-0.dll		executable
		MD5:B45F933A57E388CFC5399645CDB696F3	SHA256:2F9C3B077DA02C587964A59E9C4E2F383FF8357229EAB4B4F04814DF94D78FF0
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:9D8413744097196F92327F632A85ACEE	SHA256:6878D8168D5CC159EFE58F14E5BA10310D99B53AB8495521E54C966994DAC50B
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:33636552339A4A04D75B7C32DBEC59D9	SHA256:05B478718540A6F410A3AD859F7D5E56C223D6786EACC7E9BC80264F587FD0C7
6388	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-interlocked-l1-1-0.dll		executable
		MD5:28FD20B58320F0ED023D9CA19DA3A06D	SHA256:2F2F9660F4FFA814F465676D5B9CB9BB70D0B7C5FC5EB14C34CFE94A50883B21

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
6564	7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe	107.173.111.16:443	—	AS-COLOCROSSING	US	malicious
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2384	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5204	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259

07EAA90195AAF70A631F72D4895D89A5

46F03B9CB0D1E059BD2FCED6AFA8883D54AA9AA8

7ED6D5ECB0AA7351E4C029F3432CF8407CDEE1D1C7F547146A9E597AF18E5259

98304:+bXK7rombMuYXg5073YVmb50EhibGf+k4l/onUZXFCh0bRbHI6jdoRpl89a/ylTy:7mcpsyrVlId8AAygu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Executes application which crashes

Loads Python modules

Process drops python dynamic module

Application launched itself

Executable content was dropped or overwritten

INFO

The sample compiled with english language support

Checks supported languages

Checks proxy server information

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings