File name: 1 (173)

Full analysis: https://app.any.run/tasks/5faf3454-416a-4c6c-b5c1-931cd0dcad03
Verdict: Malicious activity
Analysis date: March 24, 2025, 16:51:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-doc, python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 3F369F627C7E25F598B1B17D8905B2A0
SHA1: 83E4B63876E4DA8141B921BC3E1D59D3595E77D8
SHA256: CDA9367C37B4CB0745D09BC05E525DAEA618DC341BE33D1D6ABEE7189B3D791D
SSDEEP: 49152:oIc0euibtmmpn+S8PSuOuPxRfWXNqtRXfK5JIUNY/a72EbLckqe6:oRJ7gs+S8auOuPxRWXNcvAJhNY/02Eb1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • 1 (173).exe (PID: 7348)
      • download.exe (PID: 2504)
    • Reads security settings of Internet Explorer

      • 1 (173).exe (PID: 7348)
      • 1 (173).exe (PID: 7464)
    • Executable content was dropped or overwritten

      • 1 (173).exe (PID: 7464)
      • download.exe (PID: 2504)
    • Reads Microsoft Outlook installation path

      • 1 (173).exe (PID: 7464)
    • Process drops python dynamic module

      • download.exe (PID: 2504)
    • The process drops C-runtime libraries

      • download.exe (PID: 2504)
    • Process drops legitimate windows executable

      • download.exe (PID: 2504)
    • Starts CMD.EXE for commands execution

      • download.exe (PID: 7000)
    • Loads Python modules

      • download.exe (PID: 7000)
    • Reads Internet Explorer settings

      • 1 (173).exe (PID: 7464)
  • INFO

    • Create files in a temporary directory

      • 1 (173).exe (PID: 7464)
      • 1 (173).exe (PID: 7348)
      • download.exe (PID: 2504)
    • Reads the computer name

      • 1 (173).exe (PID: 7464)
      • 1 (173).exe (PID: 7348)
    • Checks supported languages

      • 1 (173).exe (PID: 7348)
      • 1 (173).exe (PID: 7464)
      • download.exe (PID: 7000)
    • Process checks computer location settings

      • 1 (173).exe (PID: 7348)
    • Checks proxy server information

      • 1 (173).exe (PID: 7464)
    • Reads the machine GUID from the registry

      • 1 (173).exe (PID: 7464)
    • Manual execution by a user

      • download.exe (PID: 2504)
      • YouTubeDownloaderHD.exe (PID: 672)
      • notepad.exe (PID: 8148)
      • notepad.exe (PID: 8032)
    • Creates files or folders in the user directory

      • 1 (173).exe (PID: 7464)
    • Reads the software policy settings

      • 1 (173).exe (PID: 7464)
    • The sample compiled with english language support

      • 1 (173).exe (PID: 7464)
      • download.exe (PID: 2504)
    • PyInstaller has been detected (YARA)

      • download.exe (PID: 2504)
    • Checks operating system version

      • download.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 8032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 898560
InitializedDataSize: 306688
UninitializedDataSize: -
EntryPoint: 0xd83a0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 3

Behavior graph

Processes shown in the graph, in start order: 1 (173).exe, 1 (173).exe, sppextcomobj.exe, slui.exe, youtubedownloaderhd.exe, download.exe, conhost.exe, download.exe, cmd.exe, cmd.exe, cmd.exe, notepad.exe, notepad.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 664
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: download.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: "C:\Users\admin\Desktop\YouTubeDownloaderHD.exe"
Path: C:\Users\admin\Desktop\YouTubeDownloaderHD.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225781
Version:
5.9.6.0
Modules
Images
c:\users\admin\desktop\youtubedownloaderhd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 780
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: download.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2504
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4428
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: download.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 6028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: download.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7000
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: download.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7348
CMD: "C:\Users\admin\AppData\Local\Temp\1 (173).exe"
Path: C:\Users\admin\AppData\Local\Temp\1 (173).exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\1 (173).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7464
CMD: "C:\Users\admin\AppData\Local\Temp\1 (173).exe" /RSF
Path: C:\Users\admin\AppData\Local\Temp\1 (173).exe
Parent process: 1 (173).exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\1 (173).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7660
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events: 2 547
Read events: 2 544
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7464) 1 (173).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7464) 1 (173).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7464) 1 (173).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 117
Suspicious files: 13
Text files: 76
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\css\sdk-ui\images\progress-bg-corner.png | Type: image
MD5: 608F1F20CD6CA9936EAA7E8C14F366BE
SHA256: 86B6E6826BCDE2955D64D4600A4E01693522C1FDDF156CE31C4BA45B3653A7BD
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\css\sdk-ui\progress-bar.css | Type: text
MD5: 5335F1C12201B5F7CF5F8B4F5692E3D1
SHA256: 974CD89E64BDAA85BF36ED2A50AF266D245D781A8139F5B45D7C55A0B0841DDA
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\images\Grey_Button_Hover.png | Type: image
MD5: 316C96F3909516E4F402CDBF793010D9
SHA256: 458E1A7A46722533382277A934AFD4E087FE52A5370C8B225AB6194ACC420466
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\csshover3.htc | Type: binary
MD5: 52FA0DA50BF4B27EE625C80D36C67941
SHA256: E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\css\main.css | Type: text
MD5: FB45D7F6FB4D518A0ECC05CF7CE5363C
SHA256: 4A01A4D6E711E873A065510A407CB6D37535D8BECABBCFE9F05FE3DEC13E5B9E
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\css\sdk-ui\images\button-bg.png | Type: image
MD5: 98B1DE48DFA64DC2AA1E52FACFBEE3B0
SHA256: 2693930C474FE640E2FE8D6EF98ABE2ECD303D2392C3D8B2E006E8942BA8F534
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\css\sdk-ui\button.css | Type: text
MD5: 37E1FF96E084EC201F0D95FEEF4D5E94
SHA256: 8E806F5B94FC294E918503C8053EF1284E4F4B1E02C7DA4F4635E33EC33E0534
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\css\sdk-ui\browse.css | Type: text
MD5: 6009D6E864F60AEA980A9DF94C1F7E1C
SHA256: 5EF48A8C8C3771B4F233314D50DD3B5AFDCD99DD4B74A9745C8FE7B22207056D
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\images\Color_Button.png | Type: image
MD5: CCFBCBB51598A1946B19FF56C4AE9BD1
SHA256: 7EC494B43D8C70C338929FD88AF752E117BB924A4284B93567E7B8C9CB79BE9F
PID: 7348 | Process: 1 (173).exe | Filename: C:\Users\admin\AppData\Local\Temp\ish1094359\images\Close.png | Type: image
MD5: C222A4F3D309721C0898606960120266
SHA256: F638CC042B7ADE6F43F2FAF0077E020137562E559178396B7E975DB39AC13DF6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 26
DNS requests: 21
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7464
1 (173).exe
GET
301
67.217.61.118:80
http://static.updatestar.net/img/icons/1506230.32.png
unknown
unknown
7464
1 (173).exe
GET
301
138.201.226.176:80
http://www.youtubedownloaderhd.com/files/youtube_downloader_hd_setup.exe
unknown
whitelisted
7464
1 (173).exe
GET
200
138.201.226.176:80
http://www.youtubedownloaderhd.com/files/youtube_downloader_hd.zip
unknown
whitelisted
7840
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7464
1 (173).exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEQCtjS32RoGg02RH6qlPonPB
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1228
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1228
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7464
1 (173).exe
GET
200
18.244.18.92:80
http://crls.ssl.com/SSL.com-TLS-T-ECC-R2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7464
1 (173).exe
67.217.61.118:80
static.updatestar.net
IS-AS-1
US
suspicious
7464
1 (173).exe
138.201.226.176:80
www.youtubedownloaderhd.com
Hetzner Online GmbH
DE
whitelisted
7464
1 (173).exe
172.67.71.196:443
static.updatestar.com
CLOUDFLARENET
US
suspicious
7464
1 (173).exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted
7464
1 (173).exe
18.244.18.92:80
crls.ssl.com
US
whitelisted
2564
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
os.updatestarcdn.com
malicious
www.youtubedownloaderhd.com
  • 138.201.226.176
whitelisted
static.updatestar.net
  • 67.217.61.118
unknown
static.updatestar.com
  • 172.67.71.196
  • 104.26.6.50
  • 104.26.7.50
unknown
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
crls.ssl.com
  • 18.244.18.92
  • 18.244.18.55
  • 18.244.18.60
  • 18.244.18.54
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.133
  • 20.190.160.130
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.67
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted

Threats

No threats detected
No debug info