File name:	CookiesGrabber.exe
Full analysis:	https://app.any.run/tasks/448bf825-a689-44ce-b349-3d74c7350dc4
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 20:29:06
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	1099BAA9E7504DFFE917EEB846C16943
SHA1:	F69FDF685BC0A2F51ACEAFE516579C50BC830330
SHA256:	B513572FBC4154717C723D52DD793C413D98EF370EFB050FF800A89C8DCD15C4
SSDEEP:	98304:zD/lCFXRRdopaZOl/QOsIgMb1mB75kzlUzUjGNgLN71bxelLb/ncfNAnYRO4Y6Zd:GJG93881mwe/kiPNAnQBI1G

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:06:21 18:25:10+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	179712
InitializedDataSize:	155136
UninitializedDataSize:	-
EntryPoint:	0xc650
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

PID	Process	Filename		Type
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_Salsa20.pyd		executable
		MD5:17C99EDF022309BC2C54A732FB8FBF26	SHA256:34EB9C505180358711D8D6268E3F0E700C58AC9F47B0AD68565ED73BAB5DBD81
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_ARC4.pyd		executable
		MD5:EFF0F16D6E853EA2CBC7B3BCAB5E0591	SHA256:9892A83A3E511BD1024BFCCE460DBDE2690FD2A3C0C449081950C40EFDBA4C7D
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_aesni.pyd		executable
		MD5:133B156E060C77AF41B38841A32DA4B6	SHA256:20005B988FE848983A65F7F4727EC27148E4D0ABEAB9CFD0E58778F812BF7595
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_eksblowfish.pyd		executable
		MD5:B6037CEAA162C50FC25F1B361B4250C9	SHA256:605AECF52ACD7D17B7B1000AEEDEE6C0601D6BC5F753756E7EE70A83F44FCCB2
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_blowfish.pyd		executable
		MD5:403A4F70938F58C15DAEB4A63D7ECADB	SHA256:FB407812E3E4D17B2CA981C8B95C716FF1B288A5E4658A831CD067A2837A753B
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_des3.pyd		executable
		MD5:494239F9453679D80511BECC23C6B621	SHA256:9C849A1DD641A3143C25B261E18D8F1453B00BB975E324384F15311C1B544F3D
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_chacha20.pyd		executable
		MD5:709BE56D3AE0CB50807A6B54A762C875	SHA256:612B4DA235E04CB9CE0106A13AA31AB7D5F651A0685653EDC9A57E1F93BE5670
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_cfb.pyd		executable
		MD5:BF18D19EB79557E767A8E8E1EDA6C060	SHA256:6DE05E3507157C94F20825196677E12964780502D5A3DD04424B05C3E4AEF186
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_ecb.pyd		executable
		MD5:B9F8151C65BDAF81BF9407A32E77959B	SHA256:ED154E6C22235659E57532B0A8B3CD7A081603C6CAE9CB165E436006881C1C74
7048	CookiesGrabber.exe	C:\Users\admin\AppData\Local\Temp\_MEI70482\Crypto\Cipher\_raw_ofb.pyd		executable
		MD5:A2B9F1DB81EE431F07A848F44153518F	SHA256:CD11346BDC23F15D68701C3F602B621BB7C93CF1AAA193FF079225603514122D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
5504	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5504	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5504	SIHClient.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5504	SIHClient.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	unknown
5504	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3588	RUXIMICS.exe	GET	200	184.25.50.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3588	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	184.25.50.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.25.50.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3588	RUXIMICS.exe	184.25.50.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	184.25.50.10 184.25.50.8	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
login.live.com	20.190.160.64 20.190.160.132 20.190.160.4 40.126.32.134 20.190.160.65 20.190.160.67 40.126.32.74 20.190.160.22	whitelisted
nexusrules.officeapps.live.com	52.111.236.21	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249 172.211.123.250	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

CookiesGrabber.exe

1099BAA9E7504DFFE917EEB846C16943

F69FDF685BC0A2F51ACEAFE516579C50BC830330

B513572FBC4154717C723D52DD793C413D98EF370EFB050FF800A89C8DCD15C4

98304:zD/lCFXRRdopaZOl/QOsIgMb1mB75kzlUzUjGNgLN71bxelLb/ncfNAnYRO4Y6Zd:GJG93881mwe/kiPNAnQBI1G

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

Process drops legitimate windows executable

The process drops C-runtime libraries

Application launched itself

Loads Python modules

Reads browser cookies

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings