File name:

bark15.exe

Full analysis: https://app.any.run/tasks/4f19fd69-f9d2-4ac8-9dca-d0b09c92dbf9
Verdict: Malicious activity
Analysis date: May 17, 2025, 13:28:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

134C9967ED3F6256583D2C98E192C73F

SHA1:

5A47D27C765BFC01B12A260F0AAA57827D3BAAC2

SHA256:

873A0768A4DC176029B566882F76D0A0FBCC472E423C1C5E51A68FF0A9AFBB69

SSDEEP:

98304:L/0CD+qu8MhH3VWjtKxgvb9RvOYVAYwVf9TtYw9pk9dbXtpEKLuIgqNT9iaadc5R:PvI4KIYK3pIwfDbro49

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops python dynamic module

      • bark15.exe (PID: 5868)

    • Process drops legitimate windows executable

      • bark15.exe (PID: 5868)

    • Executable content was dropped or overwritten

      • bark15.exe (PID: 5868)

    • The process drops C-runtime libraries

      • bark15.exe (PID: 5868)

    • Application launched itself

      • bark15.exe (PID: 5868)

    • Loads Python modules

      • bark15.exe (PID: 664)

    • There is functionality for taking screenshot (YARA)

      • bark15.exe (PID: 664)

  • INFO

    • Reads the computer name

      • bark15.exe (PID: 5868)
      • bark15.exe (PID: 664)

    • Checks supported languages

      • bark15.exe (PID: 5868)
      • bark15.exe (PID: 664)

    • The sample compiled with english language support

      • bark15.exe (PID: 5868)

    • PyInstaller has been detected (YARA)

      • bark15.exe (PID: 5868)
      • bark15.exe (PID: 664)

    • Create files in a temporary directory

      • bark15.exe (PID: 5868)

    • Reads the machine GUID from the registry

      • bark15.exe (PID: 664)

    • Checks proxy server information

      • slui.exe (PID: 4188)

    • Reads the software policy settings

      • slui.exe (PID: 4188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 09:28:20+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 178688
InitializedDataSize: 153600
UninitializedDataSize: -
EntryPoint: 0xc380
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bark15.exe conhost.exe no specs bark15.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Users\admin\Desktop\bark15.exe" C:\Users\admin\Desktop\bark15.exebark15.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\bark15.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4188C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5504\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exebark15.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5868"C:\Users\admin\Desktop\bark15.exe" C:\Users\admin\Desktop\bark15.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\bark15.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
3 578
Read events
3 578
Write events
0
Delete events
0

Modification events

No data
Executable files
56
Suspicious files
3
Text files
920
Unknown types
0

Dropped files

PID
Process
Filename
Type
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_tcl_data\encoding\cp1253.enctext
MD5:441B86A0DE77F25C91DF1CD4685F651D
SHA256:5B8D47451F847C1BDE12CACA3739CA29860553C0B6399EE990D51B26F9A69722
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_tcl_data\auto.tcltext
MD5:08EDF746B4A088CB4185C165177BD604
SHA256:517204EE436D08EFC287ABC97433C3BFFCAF42EC6592A3009B9FD3B985AD772C
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_tcl_data\clock.tcltext
MD5:88BB44A1364147FDD80F9FD78FBCEF61
SHA256:1947F8B188AB4AB6AA72EA68A58D2D9ADD0894FDF320F6B074EAE0F198368FB7
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_tcl_data\encoding\ascii.enctext
MD5:9E3A454FA480E9A99D2D5ACDAA775233
SHA256:FB87BF197F4F485B08EA81F7534BC07D9C3A538D022424BE11011A1FE3C413FD
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_tcl_data\encoding\cp1254.enctext
MD5:5FA9162BEC5A4DEA97B5EA2840CFB065
SHA256:31639CA96A4D3602D59BD012540FE179917E0561CB11A0D0B61F1B950EB76911
5868bark15.exeC:\Users\admin\AppData\Local\Temp\_MEI58682\_tcl_data\encoding\cp1250.enctext
MD5:9568EDE60D3F917F1671F5A625A801C4
SHA256:E2991A6F7A7A4D8D3C4C97947298FD5BACB3EAA2F898CEE17F5E21A9861B9626
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
48
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4180
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4180
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.13
  • 23.216.77.6
  • 23.216.77.41
  • 23.216.77.30
  • 23.216.77.35
  • 23.216.77.21
  • 23.216.77.38
  • 23.216.77.8
  • 23.216.77.19
  • 23.216.77.37
  • 23.216.77.28
  • 23.216.77.25
  • 23.216.77.22
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.130
  • 40.126.31.1
  • 20.190.159.128
  • 20.190.159.68
  • 40.126.31.131
  • 20.190.159.129
  • 20.190.159.130
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bark15.exe