File name:

OBS-Studio-30.2.3-Windows-Installer.exe

Full analysis: https://app.any.run/tasks/8e686b1e-b94a-413d-8409-b13e80e8b4c6
Verdict: Malicious activity
Analysis date: November 14, 2024, 11:13:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

287D64F35D7B81C26CA8CF2F2F6CF993

SHA1:

1F2A847FB81C3D4B488482BFADE573AB4FC3C2C1

SHA256:

B3C3CDD9E888AB607B9E146CF83CDCA6B9810C2350C95ECEA6B2990B9ABA955A

SSDEEP:

98304:h6CkGV7pBInuai/OGI6aosIDBUo1xr1Wx85kbshd4aw/TEGOIEQQJsuDIULXtu4w:R1R0i5/omyX1CWIXoPRKK6Gt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Process drops legitimate windows executable

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Process drops python dynamic module

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Executable content was dropped or overwritten

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Application launched itself

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Uses WMIC.EXE to obtain BIOS management information

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Starts CMD.EXE for commands execution

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Get information on the list of running processes

      • cmd.exe (PID: 5592)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)
      • cmd.exe (PID: 4308)
      • cmd.exe (PID: 6276)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4308)
      • cmd.exe (PID: 6276)

    • The process checks if it is being run in the virtual environment

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3104)

    • Uses WMIC.EXE

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Checks for external IP

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)
      • svchost.exe (PID: 2172)

    • Connects to unusual port

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

  • INFO

    • Reads the computer name

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • Checks supported languages

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • PyInstaller has been detected (YARA)

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)
      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)

    • UPX packer has been detected

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Application based on Rust

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 5584)

    • Create files in a temporary directory

      • OBS-Studio-30.2.3-Windows-Installer.exe (PID: 512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:04 15:02:28+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 161280
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
24
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start obs-studio-30.2.3-windows-installer.exe obs-studio-30.2.3-windows-installer.exe wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs wmic.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
512"C:\Users\admin\AppData\Local\Temp\OBS-Studio-30.2.3-Windows-Installer.exe" C:\Users\admin\AppData\Local\Temp\OBS-Studio-30.2.3-Windows-Installer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\obs-studio-30.2.3-windows-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1788tasklist C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2272\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3028\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3104C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get UUID"C:\Windows\System32\cmd.exeOBS-Studio-30.2.3-Windows-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3648C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
3828wmic bios get serialnumberC:\Windows\System32\wbem\WMIC.exeOBS-Studio-30.2.3-Windows-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
4164findstr ollydbgC:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
4208tasklist C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
1 638
Read events
1 638
Write events
0
Delete events
0

Modification events

No data
Executable files
68
Suspicious files
1
Text files
122
Unknown types
0

Dropped files

PID
Process
Filename
Type
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_pkcs1_decode.pydexecutable
MD5:FD2D370103167D927EEBA5FF9573430D
SHA256:FED9DE86E007141EC486E420059E3D841752EA0C7D452056735D11E7C4B16700
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_Salsa20.pydexecutable
MD5:BB7724B47B6C1F3B0CFB0AB6848A9FC8
SHA256:6CAB5277B070D1F420E90CCB80F97EA558BCE8EFF43768A6C0B818EF0E778501
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:75DEE2AE97414A67497CB13A7E4CB455
SHA256:29B61F0670BA8AF9FF037CAF76196F823CA6C27D7B2DF1BFF80DFF9E8B30AC5E
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_ctr.pydexecutable
MD5:BCE5672E2D78D26EF52073FFA956F2EE
SHA256:DAC8E5B99A57F689C1BD5A24C5C58CB99569EEA0C5B9BC16856B3B59D98A6732
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_cbc.pydexecutable
MD5:0AC9D452043A7FEBF5E6E6475AECE8E3
SHA256:E0E499CDC6AA3DA978EF259185874773BFE5D57DE62B65FC6BD1025291A50012
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Hash\_BLAKE2s.pydexecutable
MD5:E51F40B42EE430C908229A31FA2EF83A
SHA256:3F882CA1088017E3EDDE8CE31C3F9A1B09016FFDC2BBDA2674DB7CCA7D3F5196
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_ecb.pydexecutable
MD5:70D8E6DD3124AB7FE5D7F23F0A0E774A
SHA256:8A98084750A04005AD051C234CF0E1C42219FE04B4DCAF0F83D9B475170BDD4F
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_eksblowfish.pydexecutable
MD5:EFB8BED8E7491FC9883D48ADC5D76BBF
SHA256:17E8532C25E805F54E262CF9FF6ED319F47CE14F4CBEA8A2EA73D754A93EA048
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_ocb.pydexecutable
MD5:EEFBC381AE6016973E31C217B6D758B0
SHA256:184059ED9AD6799279F0817A4D648FF1CDA38C81257E87FFCE2751FF678758E9
512OBS-Studio-30.2.3-Windows-Installer.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Crypto\Cipher\_raw_cast.pydexecutable
MD5:573233E4FBF0FA3DB814355658D02152
SHA256:744A5A729D6D5D59E255F01E8132E255D9526D30880DF953F7C10F88F88484B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
50
DNS requests
20
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2364
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1804
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6404
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1804
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2660
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4360
SearchApp.exe
104.126.37.163:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5584
OBS-Studio-30.2.3-Windows-Installer.exe
34.117.59.81:443
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
shared
5584
OBS-Studio-30.2.3-Windows-Installer.exe
95.215.204.231:3000
Zomro B.V.
NL
unknown
2364
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 104.126.37.163
  • 104.126.37.170
  • 104.126.37.179
  • 104.126.37.171
  • 104.126.37.184
  • 104.126.37.153
  • 104.126.37.155
  • 104.126.37.168
  • 104.126.37.161
  • 104.126.37.137
  • 104.126.37.152
  • 104.126.37.136
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.144
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ipinfo.io
  • 34.117.59.81
shared
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.134
  • 40.126.32.74
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.138
whitelisted
th.bing.com
  • 104.126.37.137
  • 104.126.37.161
  • 104.126.37.155
  • 104.126.37.152
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.144
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
5584
OBS-Studio-30.2.3-Windows-Installer.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OBS-Studio-30.2.3-Windows-Installer.exe