File name:	Fleasion NT.exe
Full analysis:	https://app.any.run/tasks/1d3c1a25-4367-47d5-ae3d-a4ab07892f86
Verdict:	Malicious activity
Analysis date:	February 06, 2026, 17:15:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	pyinstaller windivert-sys mal-driver python github rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	E51C6B85494B3B94E37BCEADB1BB6036
SHA1:	3DA50162BC86E54794047554E7D5E2EDCCA86E9E
SHA256:	D16B8D98ADF20F23761FF4D3E7EA516B299EA6D9D0B26E8ACEDE7E96DF67ADC9
SSDEEP:	393216:Of+U+acjKjW2wvNs3jbTy/67WylNUfZGOKU4l45BCrvxXjX:OmPqJkojdWygGe4pvN

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:01:16 21:40:14+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	181760
InitializedDataSize:	102912
UninitializedDataSize:	-
EntryPoint:	0xdfa0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(8240) windows-redirector.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
Operation:	write	Name:	EventMessageFile
Value: C:\Users\admin\AppData\Local\Temp\_MEI83882\mitmproxy_windows\WinDivert64.sys
(PID) Process:	(8240) windows-redirector.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
Operation:	write	Name:	TypesSupported
Value: 7

PID	Process	Filename		Type
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\_asyncio.pyd		executable
		MD5:70DEC3CE00E5CAF45246736B53EA3AD0	SHA256:8CEF0CD8333F88A9F9E52FA0D151B5F661D452EFBCFC507DC28A46259B82596C
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\VCRUNTIME140_1.dll		executable
		MD5:68156F41AE9A04D89BB6625A5CD222D4	SHA256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\_bz2.pyd		executable
		MD5:057325E89B4DB46E6B18A52D1A691CAA	SHA256:5BA872CAA7FCEE0F4FB81C6E0201CEED9BD92A3624F16828DD316144D292A869
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\_ctypes.pyd		executable
		MD5:2185849BC0423F6641EE30804F475478	SHA256:199CD8D7DB743C316771EF7BBF414BA9A9CDAE1F974E90DA6103563B2023538D
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\_decimal.pyd		executable
		MD5:F465C15E7BACEAC920DC58A5FB922C1C	SHA256:F4A486A0CA6A53659159A404614C7E7EDCCB6BFBCDEB844F6CEE544436A826CB
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\_cffi_backend.cp313-win_amd64.pyd		executable
		MD5:F2EFF52A9B6ED2534F84CC7B77379649	SHA256:D5B09DA2E726B4E90CF0EDAD5D2A0EC52F369DFD060E14D3807A32B2205031FA
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\PIL\_imagingmath.cp313-win_amd64.pyd		executable
		MD5:8E6549AA0C2D4F6FA5295A1D99E46EE7	SHA256:F1AB775BAD05260C123B2A3232BF74F6C3BDBE2BD20CA73747B83B2D8756BD03
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\PIL\_webp.cp313-win_amd64.pyd		executable
		MD5:293783C2B33D359E5A8644044336AF58	SHA256:AAD5F6DD25C23FB497C37905FE8A11517995177700A13169AF266160FEDD324A
8388	Fleasion NT.exe	C:\Users\admin\AppData\Local\Temp\_MEI83882\PIL\_imagingcms.cp313-win_amd64.pyd		executable
		MD5:A0687E26AADFE45EE22D58009D52FA7A	SHA256:7E19FE243F99B4CBDEC0A2A8256000AD84C8FFF8C9901587C59F3F4EC7162F5C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6768	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
4468	svchost.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	—	—	whitelisted
8048	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
8048	SIHClient.exe	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	US	—	—	whitelisted
8048	SIHClient.exe	GET	200	74.179.77.204:443	https://slscr.update.microsoft.com/sls/ping	US	—	—	whitelisted
8048	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	US	binary	313 b	whitelisted
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	958 b	whitelisted
4468	svchost.exe	GET	200	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	text	5.63 Kb	whitelisted
356	svchost.exe	POST	200	20.190.159.131:443	https://login.live.com/RST2.srf	US	xml	10.3 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4468	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4876	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.103.81:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
5568	SearchApp.exe	184.86.103.94:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5568	SearchApp.exe	184.86.103.81:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
www.bing.com	184.86.103.81 184.86.103.69 184.86.103.74 184.86.103.75 184.86.103.71 184.86.103.94 184.86.103.77 184.86.103.72 184.86.103.78	whitelisted
th.bing.com	184.86.103.94 184.86.103.91 184.86.103.87 184.86.103.89 184.86.103.71 184.86.103.93 184.86.103.90 184.86.103.69 184.86.103.92	whitelisted
google.com	142.250.201.174	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
self.events.data.microsoft.com	20.189.173.2	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.159.131 20.190.159.75 20.190.159.2 40.126.31.2 20.190.159.23 20.190.159.71 20.190.159.128 40.126.31.67	whitelisted
crl.microsoft.com	2.18.64.196 2.18.64.210	whitelisted

PID	Process	Class	Message
4468	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

General Info

Fleasion NT.exe

E51C6B85494B3B94E37BCEADB1BB6036

3DA50162BC86E54794047554E7D5E2EDCCA86E9E

D16B8D98ADF20F23761FF4D3E7EA516B299EA6D9D0B26E8ACEDE7E96DF67ADC9

393216:Of+U+acjKjW2wvNs3jbTy/67WylNUfZGOKU4l45BCrvxXjX:OmPqJkojdWygGe4pvN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Malicious driver has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

The process drops C-runtime libraries

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Application launched itself

Loads Python modules

Get information on the list of running processes

Reads the date of Windows installation

Named pipe usage

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Drops script file

There is functionality for taking screenshot (YARA)

PyInstaller has been detected (YARA)

Checks proxy server information

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Process checks computer location settings

Application based on Rust

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings