File name:

Soundkeybind.exe

Full analysis: https://app.any.run/tasks/755d8d7c-e926-4f12-9fe9-a08039ab295f
Verdict: Malicious activity
Analysis date: May 18, 2025, 02:19:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pyinstaller
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

BB36717D19EA3EDEFEEE646FD04A724B

SHA1:

0E57182EF4EDCFD5687E7F9DD0E1867A398897F1

SHA256:

B93F9B999F544F12291B55E51B79960EC528B27452F08B6DF9EA58F6EEED7C3A

SSDEEP:

196608:r9D4Zd9j2TaM6Ja881mwpD4ZB/2/kiZLp49M196lxec0:rBMd9yUJa6w1MB/2/j744uxN0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Soundkeybind.exe (PID: 7400)

    • Process drops legitimate windows executable

      • Soundkeybind.exe (PID: 7400)

    • Executable content was dropped or overwritten

      • Soundkeybind.exe (PID: 7400)

    • Process drops python dynamic module

      • Soundkeybind.exe (PID: 7400)

    • There is functionality for taking screenshot (YARA)

      • Soundkeybind.exe (PID: 7400)
      • Soundkeybind.exe (PID: 7872)

    • Application launched itself

      • Soundkeybind.exe (PID: 7400)

    • Loads Python modules

      • Soundkeybind.exe (PID: 7872)

  • INFO

    • Checks supported languages

      • Soundkeybind.exe (PID: 7400)
      • Soundkeybind.exe (PID: 7872)

    • Reads the computer name

      • Soundkeybind.exe (PID: 7400)
      • Soundkeybind.exe (PID: 7872)

    • The sample compiled with english language support

      • Soundkeybind.exe (PID: 7400)

    • PyInstaller has been detected (YARA)

      • Soundkeybind.exe (PID: 7400)
      • Soundkeybind.exe (PID: 7872)

    • Create files in a temporary directory

      • Soundkeybind.exe (PID: 7400)
      • Soundkeybind.exe (PID: 7872)

    • Checks proxy server information

      • slui.exe (PID: 8012)

    • Reads the software policy settings

      • slui.exe (PID: 8012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 05:04:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 114176
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start soundkeybind.exe soundkeybind.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7400"C:\Users\admin\Desktop\Soundkeybind.exe" C:\Users\admin\Desktop\Soundkeybind.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\soundkeybind.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7872"C:\Users\admin\Desktop\Soundkeybind.exe" C:\Users\admin\Desktop\Soundkeybind.exeSoundkeybind.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\soundkeybind.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
8012C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 623
Read events
3 623
Write events
0
Delete events
0

Modification events

No data
Executable files
125
Suspicious files
5
Text files
931
Unknown types
0

Dropped files

PID
Process
Filename
Type
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\PIL\_webp.cp313-win_amd64.pydexecutable
MD5:DC1EB999BCF2D899D471B0A69D9BD5F5
SHA256:A3CC7904DB99ECD04251770CA451D29A0AACC7719C5634585B750EFF76B08696
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\PIL\_imagingmath.cp313-win_amd64.pydexecutable
MD5:EEEBAB827CC3CD51B5D8457E64347BCF
SHA256:70B431DC693846D430F88A4626966D959E5A6C793508470E8351FF2730939A48
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\SDL2_image.dllexecutable
MD5:B8D249A5E394B4E6A954C557AF1B80E6
SHA256:1E364AF75FEE0C83506FBDFD4D5B0E386C4E9C6A33DDBDDAC61DDB131E360194
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\SDL2_mixer.dllexecutable
MD5:201AA86DC9349396B83EED4C15ABE764
SHA256:2A0FC5E9F72C2EAEC3240CB82B7594A58CCDA609485981F256B94D0A4DD8D6F8
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\PIL\_imaging.cp313-win_amd64.pydexecutable
MD5:A487E7AD30ED2DE466A8590A24D745E7
SHA256:31621E7BB62091C2AA80CAC5F5C929132AF3EC568A061680564DC073F2630357
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\PIL\_imagingtk.cp313-win_amd64.pydexecutable
MD5:2CC0C18F26989042CDAD77EFE3CCF3FB
SHA256:A3183192C1CDC7B2D8331B6B78EED6826A0A0594FE45B06FD0E9809414AD6A53
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\PIL\_imagingcms.cp313-win_amd64.pydexecutable
MD5:9E1C5CC1597928921DC88652279FD297
SHA256:B02A8C0342C51CFEB9BF8A79C79744E791A14F4A21A1A8B4046A7171D4620629
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\SDL2.dllexecutable
MD5:83C5FF24EAE3B9038D74AD91DC884E32
SHA256:520D0459B91EFA32FBCCF9027A9CA1FC5AAE657E679CE8E90F179F9CF5AFD279
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\_overlapped.pydexecutable
MD5:363409FBACB1867F2CE45E3C6922DDB4
SHA256:F154AC9D5CA0646D18F6197C0406F7541B6E0752B2D82A330036C1E39D3A49E7
7400Soundkeybind.exeC:\Users\admin\AppData\Local\Temp\_MEI74002\_lzma.pydexecutable
MD5:D63E2E743EA103626D33B3C1D882F419
SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
50
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.129
  • 20.190.159.71
  • 20.190.159.75
  • 40.126.31.0
  • 20.190.159.73
  • 40.126.31.130
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Soundkeybind.exe