File name: 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259

Full analysis: https://app.any.run/tasks/eba587d8-6868-4e51-add4-39722ff247de
Verdict: Malicious activity
Analysis date: March 24, 2025, 18:23:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 07EAA90195AAF70A631F72D4895D89A5
SHA1: 46F03B9CB0D1E059BD2FCED6AFA8883D54AA9AA8
SHA256: 7ED6D5ECB0AA7351E4C029F3432CF8407CDEE1D1C7F547146A9E597AF18E5259
SSDEEP: 98304:+bXK7rombMuYXg5073YVmb50EhibGf+k4l/onUZXFCh0bRbHI6jdoRpl89a/ylTy:7mcpsyrVlId8AAygu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • The process drops C-runtime libraries

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • Process drops python dynamic module

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • Process drops legitimate windows executable

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • Application launched itself

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • Loads Python modules

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
    • Reads security settings of Internet Explorer

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
    • Executes application which crashes

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
  • INFO

    • Reads the computer name

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
    • Checks supported languages

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
    • Create files in a temporary directory

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • The sample compiled with english language support

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6388)
    • Checks proxy server information

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
      • slui.exe (PID: 5204)
    • Reads the machine GUID from the registry

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
    • Reads the software policy settings

      • 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (PID: 6564)
      • slui.exe (PID: 5204)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4980)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:02:08 06:03:50+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.34
CodeSize: 165888
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xb310
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
Total processes: 129
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Graph image not reproduced.) Processes shown in the graph: start → 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe → 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe → werfault.exe (no specs); slui.exe; 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

2108 | "C:\Users\admin\Desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe" | C:\Users\admin\Desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | – | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (Images):
c:\users\admin\desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe
c:\windows\system32\ntdll.dll

4980 | C:\WINDOWS\system32\WerFault.exe -u -p 6564 -s 1796 | C:\Windows\System32\WerFault.exe | – | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

5204 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | – | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6388 | "C:\Users\admin\Desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe" | C:\Users\admin\Desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | – | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION)
Modules (Images):
c:\users\admin\desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

6564 | "C:\Users\admin\Desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe" | C:\Users\admin\Desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | – | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION)
Modules (Images):
c:\users\admin\desktop\7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 8 484
Read events: 8 478
Write events: 3
Delete events: 3

Modification events

(PID) Process: (4980) WerFault.exe
Key: \REGISTRY\A\{7289cde1-b8ef-e05b-ba88-0c52fad961b6}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (4980) WerFault.exe
Key: \REGISTRY\A\{7289cde1-b8ef-e05b-ba88-0c52fad961b6}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: (none)
Executable files: 53
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_decimal.pyd | executable
MD5: A1FFC2A156E9266932C351A88E5E7FAB
SHA256: B8409829DC4FDE70F38754DE55D3090A1CD52C78FFECE2A08572A58DE3AF294D

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_ctypes.pyd | executable
MD5: DF6BE515E183A0E4DBE9CDDA17836664
SHA256: AF598AE52DDC6869F24D36A483B77988385A5BBBF4618B2E2630D89D10A107EE

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_hashlib.pyd | executable
MD5: F419AC6E11B4138EEA1FE8C86689076A
SHA256: 441D32922122E59F75A728CC818F8E50613866A6C3DEC627098E6CC6C53624E2

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_socket.pyd | executable
MD5: 0FC65EC300553D8070E6B44B9B23B8C0
SHA256: 360744663FCE8DEC252ABBDA1168F470244FDB6DA5740BB7AB3171E19106E63C

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-file-l2-1-0.dll | executable
MD5: 361C6BCFCEA263749419B0FBED7A0CE8
SHA256: B74AEFD6FA638BE3F415165C8109121A2093597421101ABC312EE7FFA1130278

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-errorhandling-l1-1-0.dll | executable
MD5: 6177998C2CE574A177E524746B77EFE7
SHA256: A0AA340274D4BB46B6D9547D647AB7DC16C229577BBAB836E6A4F3307F310332

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\api-ms-win-core-console-l1-1-0.dll | executable
MD5: 7699C096202DA0DB6B07FAFC914D60ED
SHA256: 0052515763A1A31D2527A2EB2523FB7B88D8E55C4E4DA5EF352B565476BF21E0

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_bz2.pyd | executable
MD5: 10D42EFAC304861AD19821B4594FA959
SHA256: 8EECDCC250637652E6BABC306EA6B8820E9E835DDD2434816D0E0FD0CA67FD14

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_lzma.pyd | executable
MD5: 3230404A7191C6228A8772D3610E49E5
SHA256: 33AE42F744D2688BB7D5519F32FF7B7489B96F4EEA47F66D2009DBA6A0023903

6388 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | C:\Users\admin\AppData\Local\Temp\_MEI63882\_ssl.pyd | executable
MD5: 93905020F4158C5119D16EE6792F8057
SHA256: D9CC4358D9351FED11EEC03753A8FA8ED981A6C2246BBD7CB0B0A3472C09FDC4
HTTP(S) requests: 3
TCP/UDP connections: 21
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2104 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | – | – | whitelisted
– | – | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
– | – | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | – | – | – | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
2104 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
6564 | 7ed6d5ecb0aa7351e4c029f3432cf8407cdee1d1c7f547146a9e597af18e5259.exe | 107.173.111.16:443 | – | AS-COLOCROSSING | US | malicious
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2384 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5204 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info