| File name: | not.exe |
| Full analysis: | https://app.any.run/tasks/93553e70-1efc-4b99-b3e6-bdaeb7a9e9ae |
| Verdict: | Malicious activity |
| Analysis date: | July 06, 2025, 03:34:32 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | 1FE659325CD77F02A8ED68997C4459ED |
| SHA1: | 1847C07CC2446CBC65BF70EC1481E8846DD35655 |
| SHA256: | 94D83B69787418B28CF9AC059A98478A70DC349B62D4E56CB3F9673722016EA9 |
| SSDEEP: | 98304:hC3CpAvJJbHxntMTGwdvk1aXC7ND/mgyvOYVAYwVf9TtYw9pk9dbX3pI30iLVINI:UhoF2TaMg881mwTuzNl7EAF |
MALICIOUS
Disables task manager
- reg.exe (PID: 4984)
Disables command prompt
- reg.exe (PID: 984)
SUSPICIOUS
Process drops python dynamic module
- not.exe (PID: 4412)
- not.exe (PID: 2792)
Executable content was dropped or overwritten
- not.exe (PID: 4412)
- not.exe (PID: 2792)
The process drops C-runtime libraries
- not.exe (PID: 4412)
- not.exe (PID: 2792)
There is functionality for taking screenshot (YARA)
- not.exe (PID: 4412)
- not.exe (PID: 2792)
- not.exe (PID: 6240)
Process drops legitimate windows executable
- not.exe (PID: 4412)
- not.exe (PID: 2792)
Application launched itself
- not.exe (PID: 4412)
- not.exe (PID: 4708)
- not.exe (PID: 2792)
Loads Python modules
- not.exe (PID: 4708)
- not.exe (PID: 6240)
Reads security settings of Internet Explorer
- not.exe (PID: 4708)
Reads the date of Windows installation
- not.exe (PID: 4708)
Uses REG/REGEDIT.EXE to modify registry
- not.exe (PID: 6240)
Takes ownership (TAKEOWN.EXE)
- not.exe (PID: 6240)
Uses ICACLS.EXE to modify access control lists
- not.exe (PID: 6240)
INFO
Checks supported languages
- not.exe (PID: 4412)
- not.exe (PID: 4708)
- not.exe (PID: 2792)
- not.exe (PID: 6240)
The sample compiled with english language support
- not.exe (PID: 4412)
- not.exe (PID: 2792)
Reads the computer name
- not.exe (PID: 4412)
- not.exe (PID: 4708)
- not.exe (PID: 2792)
- not.exe (PID: 6240)
PyInstaller has been detected (YARA)
- not.exe (PID: 4412)
- not.exe (PID: 2792)
- not.exe (PID: 6240)
Create files in a temporary directory
- not.exe (PID: 4412)
- not.exe (PID: 2792)
Process checks computer location settings
- not.exe (PID: 4708)
Checks proxy server information
- slui.exe (PID: 6424)
Reads the software policy settings
- slui.exe (PID: 6424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (57.6) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.9) |
| .exe | | | Generic Win/DOS Executable (2.6) |
| .exe | | | DOS Executable Generic (2.6) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:06 03:31:08+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 174592 |
| InitializedDataSize: | 157184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd0d0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
2 411
Monitored processes
2 277
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details