File name:

GOODSEARCH.exe

Full analysis: https://app.any.run/tasks/0349b995-6b28-4c64-8821-dbe185b7e633
Verdict: Malicious activity
Analysis date: July 06, 2025, 20:55:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

E9F4270B42A71A9905C3320E82408968

SHA1:

90407C979AEC8B48C300BD6B0C676A74B898B9D0

SHA256:

B22780FBC46B88ED7E46C35021743FF3BBE87EC6622C2D521264DC633112FDB3

SSDEEP:

393216:dBJmstch9xrst+lZlTwwxWMHlxkHEG20pVg4LhZOkVjcD:dBJmXh9Ct+lH8wcalxkkGtpVtGMj8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • GOODSEARCH.exe (PID: 6748)

    • Process drops legitimate windows executable

      • GOODSEARCH.exe (PID: 6748)

    • Process drops python dynamic module

      • GOODSEARCH.exe (PID: 6748)

    • Executable content was dropped or overwritten

      • GOODSEARCH.exe (PID: 6748)

    • Application launched itself

      • GOODSEARCH.exe (PID: 6748)

    • Loads Python modules

      • GOODSEARCH.exe (PID: 2132)

    • There is functionality for taking screenshot (YARA)

      • GOODSEARCH.exe (PID: 6748)
      • GOODSEARCH.exe (PID: 2132)

  • INFO

    • Checks supported languages

      • GOODSEARCH.exe (PID: 6748)
      • GOODSEARCH.exe (PID: 2132)

    • Reads the computer name

      • GOODSEARCH.exe (PID: 6748)
      • GOODSEARCH.exe (PID: 2132)

    • Create files in a temporary directory

      • GOODSEARCH.exe (PID: 6748)

    • The sample compiled with english language support

      • GOODSEARCH.exe (PID: 6748)

    • PyInstaller has been detected (YARA)

      • GOODSEARCH.exe (PID: 6748)
      • GOODSEARCH.exe (PID: 2132)

    • Checks proxy server information

      • slui.exe (PID: 7136)

    • Reads the software policy settings

      • slui.exe (PID: 7136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:23 11:50:54+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 302080
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start goodsearch.exe goodsearch.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Users\admin\Desktop\GOODSEARCH.exe" C:\Users\admin\Desktop\GOODSEARCH.exeGOODSEARCH.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\goodsearch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6748"C:\Users\admin\Desktop\GOODSEARCH.exe" C:\Users\admin\Desktop\GOODSEARCH.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\goodsearch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7136C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 694
Read events
3 694
Write events
0
Delete events
0

Modification events

No data
Executable files
52
Suspicious files
93
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\bin\MSVCP140.dllexecutable
MD5:01B946A2EDC5CC166DE018DBB754B69C
SHA256:88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\bin\MSVCP140_2.dllexecutable
MD5:9002E0BEE6455B2322E3E717FE25F9BE
SHA256:24B47C966B6E4A65B3E4DF866D347D3427E9BD709BE550C38224427EB5E143D3
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\bin\Qt6Network.dllexecutable
MD5:4EB97AA3C5B281F569B3D36333E41676
SHA256:8ABD12EE2F4D06B9BC087D92BC40DD2650F46CE7B8DE587B97BBBD00F19A0F13
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\bin\Qt6Gui.dllexecutable
MD5:C9E8AF54833D05FE951DB2DE478CAC98
SHA256:AE656B4D85FED20042A7FB2F4F71BD0C14B4797C740BEDC005805F1040B73B83
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\bin\Qt6Widgets.dllexecutable
MD5:6532269DC53D121B4F5129FD96789D74
SHA256:0D07A57F8FB298BC57FB66E49C6580094F8FE979D9F5DEAFCFC87FE1ED2E9F0F
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\bin\Qt6Svg.dllexecutable
MD5:89CD5CD993C33CE2C984FC56A6B63736
SHA256:BC32BE9DD732D6D3B0CE2D83DF2C12FF0530F3E702E122E7BAA00D7E6759FBD5
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\plugins\imageformats\qico.dllexecutable
MD5:A0D9E077D3B1C3518024F2EF9BF9C22D
SHA256:437054B8A5868E62CC6DB2188FCFB2E4A495E2F9E0BBEDEE7B1C9BE43E1EBE37
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\plugins\imageformats\qicns.dllexecutable
MD5:DC7C91AFBC6765013234561C5E4FDB3A
SHA256:FD40152AF2337E5A6BAC4C36F9B3BAFDA1869CD36AFD48DB7DB6E94060B44FCB
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\plugins\iconengines\qsvgicon.dllexecutable
MD5:95FA1B35CBD5C7D9959ADB104DA95266
SHA256:242EE912D4B2CD024308AFB77FC38AFDA8C2664D50F64C616DF306F99D46D5B3
6748GOODSEARCH.exeC:\Users\admin\AppData\Local\Temp\_MEI67482\PyQt6\Qt6\plugins\imageformats\qjpeg.dllexecutable
MD5:EA4BD3EC9573080ADA6A3B0C19C523D6
SHA256:91B9C7A3388BEFC7021FB479DF29EB5D13EADA1733C5238D2EC57281DF5A7E11
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.53.40.171:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.171:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.53.40.171:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.171:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.171:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.53.40.171:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.171
  • 23.53.40.185
  • 23.53.41.98
  • 23.53.40.176
  • 23.53.40.202
  • 23.53.40.187
  • 23.53.41.99
  • 23.53.41.97
  • 23.53.40.201
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.3
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GOODSEARCH.exe