File name:

OBS-Studio-30.2.3-Windows-Installer.exe

Full analysis: https://app.any.run/tasks/8e686b1e-b94a-413d-8409-b13e80e8b4c6
Verdict: Malicious activity
Analysis date: November 14, 2024, 11:13:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

287D64F35D7B81C26CA8CF2F2F6CF993

SHA1:

1F2A847FB81C3D4B488482BFADE573AB4FC3C2C1

SHA256:

B3C3CDD9E888AB607B9E146CF83CDCA6B9810C2350C95ECEA6B2990B9ABA955A

SSDEEP:

98304:h6CkGV7pBInuai/OGI6aosIDBUo1xr1Wx85kbshd4aw/TEGOIEQQJsuDIULXtu4w:R1R0i5/omyX1CWIXoPRKK6Gt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Process drops python dynamic module

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Process drops legitimate windows executable

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • The process drops C-runtime libraries

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Application launched itself

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • The process checks if it is being run in the virtual environment

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Uses WMIC.EXE to obtain BIOS management information

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Starts CMD.EXE for commands execution

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Get information on the list of running processes

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)
      • cmd.exe (PID: 4308)
      • cmd.exe (PID: 6276)
      • cmd.exe (PID: 5592)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4308)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 6276)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3104)

    • Uses WMIC.EXE

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Checks for external IP

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)
      • svchost.exe (PID: 2172)

    • Connects to unusual port

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

  • INFO

    • Reads the computer name

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Checks supported languages

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Create files in a temporary directory

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • PyInstaller has been detected (YARA)

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • UPX packer has been detected

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Application based on Rust

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:04 15:02:28+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 161280
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
24
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start obs-studio-30.2.3-windows-installer.exe obs-studio-30.2.3-windows-installer.exe wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs wmic.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
512"C:\Users\admin\AppData\Local\Temp\OBS-Studio-30.2.3-Windows-Installer.exe" C:\Users\admin\AppData\Local\Temp\OBS-Studio-30.2.3-Windows-Installer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\obs-studio-30.2.3-windows-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1788tasklist C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2272\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3028\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3104C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get UUID"C:\Windows\System32\cmd.exeOBS-Studio-30.2.3-Windows-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3648C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
3828wmic bios get serialnumberC:\Windows\System32\wbem\WMIC.exeOBS-Studio-30.2.3-Windows-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
4164findstr ollydbgC:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
4208tasklist C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
1 638
Read events
1 638
Write events
0
Delete events
0

Modification events

No data
Executable files
68
Suspicious files
1
Text files
122
Unknown types
0

Dropped files

PID
Process
Filename
Type
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_blowfish.pydexecutable
MD5:50FB3B6DFC6A1B6DE592B659A9C28919
SHA256:BE0FB3C7C36C10F62B163979682FBE8215411C97D4E6AB76A33032B687660341
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_aes.pydexecutable
MD5:7FCE96038B14661B6FACBE02D714C219
SHA256:8E2CEF1B7744A3AFAA06E300E6332EDAE9EB8641A6E37687A3A96A1F15C7E1A5
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_Salsa20.pydexecutable
MD5:BB7724B47B6C1F3B0CFB0AB6848A9FC8
SHA256:6CAB5277B070D1F420E90CCB80F97EA558BCE8EFF43768A6C0B818EF0E778501
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_ARC4.pydexecutable
MD5:2C3D55E57EEA6B6E4A4BE649FD1069F9
SHA256:744C676D333163AD81D24B266E5133611C584F5A580C5082701D3FD6A8D201FD
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_cfb.pydexecutable
MD5:2C7FAEEC165C5485951EEACF21A2BF94
SHA256:3A5AB5C020DA800C8EA4E7D75C27C83C42B449B33993728B22E308AC2779FAA6
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_ocb.pydexecutable
MD5:EEFBC381AE6016973E31C217B6D758B0
SHA256:184059ED9AD6799279F0817A4D648FF1CDA38C81257E87FFCE2751FF678758E9
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:75DEE2AE97414A67497CB13A7E4CB455
SHA256:29B61F0670BA8AF9FF037CAF76196F823CA6C27D7B2DF1BFF80DFF9E8B30AC5E
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_cbc.pydexecutable
MD5:0AC9D452043A7FEBF5E6E6475AECE8E3
SHA256:E0E499CDC6AA3DA978EF259185874773BFE5D57DE62B65FC6BD1025291A50012
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_des3.pydexecutable
MD5:068E483215972613E4EBD09E98D946A2
SHA256:A6986EE5D6C5EB6B564175DF0D6D47CD18E642C7F5AF9C93EBF5B4E4F98991D1
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_chacha20.pydexecutable
MD5:E6D25BE0BCC8093F9E79D9042B7B427F
SHA256:CE9B0D915101455F3D1D15B0E28F23AF69EBD34F050D43DA8F7C2CEABFD92C76
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
50
DNS requests
20
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2364
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1804
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1804
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6404
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2660
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4360
SearchApp.exe
104.126.37.163:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5584
OBS-Studio-30.2.3-Windows-Installer.exe
34.117.59.81:443
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
shared
5584
OBS-Studio-30.2.3-Windows-Installer.exe
95.215.204.231:3000
Zomro B.V.
NL
unknown
2364
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 104.126.37.163
  • 104.126.37.170
  • 104.126.37.179
  • 104.126.37.171
  • 104.126.37.184
  • 104.126.37.153
  • 104.126.37.155
  • 104.126.37.168
  • 104.126.37.161
  • 104.126.37.137
  • 104.126.37.152
  • 104.126.37.136
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.144
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ipinfo.io
  • 34.117.59.81
shared
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.134
  • 40.126.32.74
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.138
whitelisted
th.bing.com
  • 104.126.37.137
  • 104.126.37.161
  • 104.126.37.155
  • 104.126.37.152
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.144
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
5584
OBS-Studio-30.2.3-Windows-Installer.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OBS-Studio-30.2.3-Windows-Installer.exe