File name:

Madium-Launcher.exe

Full analysis: https://app.any.run/tasks/c7c46cb5-809b-4310-8fa3-f46ef0af58b6
Verdict: Malicious activity
Analysis date: April 10, 2026, 12:54:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
etherhiding
python
arch-exec
arch-doc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

E4095C42EFB29B2BDA2D2B8A274FA6ED

SHA1:

CAA315D843F1F4EBD0FF8499A65C388AEC58BA21

SHA256:

E065C3D6BC1470A6C4C162BB9AD28A2EBBC4AAC4E28707EF5D7ECA82511B7B23

SSDEEP:

12288:l8UjuPjsIOKwYw9PhUupXsD/KQL0eCfYz7PtY9nYN3Ir:HuPjsIOKh8PhdpXsD/KQL0eCfm7tY9Yi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Madium-Launcher.exe (PID: 2000)
      • tar.exe (PID: 3112)
      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
    • Loads Python modules

      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2792)
    • The process drops C-runtime libraries

      • curl.exe (PID: 7728)
      • tar.exe (PID: 3112)
    • Process drops python dynamic module

      • tar.exe (PID: 3112)
      • python.exe (PID: 6912)
  • INFO

    • The sample compiled with english language support

      • Madium-Launcher.exe (PID: 2000)
      • curl.exe (PID: 7728)
      • tar.exe (PID: 3112)
      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
    • Create files in a temporary directory

      • Madium-Launcher.exe (PID: 2000)
      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
    • Checks supported languages

      • Madium-Launcher.exe (PID: 2000)
      • Launcher.exe (PID: 2576)
      • curl.exe (PID: 7728)
      • tar.exe (PID: 3112)
      • python.exe (PID: 7536)
      • curl.exe (PID: 6832)
      • curl.exe (PID: 6732)
      • python.exe (PID: 6912)
    • Reads CPU info

      • Launcher.exe (PID: 2576)
    • Reads the computer name

      • Launcher.exe (PID: 2576)
      • Madium-Launcher.exe (PID: 2000)
      • curl.exe (PID: 7728)
      • curl.exe (PID: 6832)
      • python.exe (PID: 7536)
      • curl.exe (PID: 6732)
      • python.exe (PID: 6912)
    • Execution of CURL command

      • Launcher.exe (PID: 2576)
    • Creates files or folders in the user directory

      • curl.exe (PID: 7728)
      • curl.exe (PID: 6832)
      • python.exe (PID: 7536)
      • tar.exe (PID: 3112)
      • curl.exe (PID: 6732)
      • python.exe (PID: 6912)
    • Python executable

      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
    • Manual execution by a user

      • cmd.exe (PID: 2792)
      • notepad.exe (PID: 7248)
      • notepad.exe (PID: 7456)
      • notepad.exe (PID: 7836)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7456)
      • notepad.exe (PID: 7248)
      • notepad.exe (PID: 7836)
    • Reads the machine GUID from the registry

      • python.exe (PID: 7536)
      • python.exe (PID: 6912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:04:10 01:21:44+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 13312
InitializedDataSize: 279040
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.1
ProductVersionNumber: 2.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Madium
FileDescription: Madium Executor
FileVersion: 2.0.0.1
ProductName: Madium-Launcher
ProductVersion: 2.0.0.1
No data.
All screenshots are available in the full report
Total processes
152
Monitored processes
21
Malicious processes
0
Suspicious processes
2

Behavior graph

Processes shown in the graph, in order: start, madium-launcher.exe, launcher.exe, slui.exe, curl.exe, conhost.exe (no specs), tar.exe, conhost.exe (no specs), curl.exe, conhost.exe (no specs), python.exe, conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), curl.exe, conhost.exe (no specs), python.exe, conhost.exe (no specs), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1284
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1456
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2000
CMD:
"C:\Users\admin\Desktop\Madium-Launcher.exe" 
Path:
C:\Users\admin\Desktop\Madium-Launcher.exe
Parent process:
explorer.exe
User:
admin
Company:
Madium
Integrity Level:
MEDIUM
Description:
Madium Executor
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\desktop\madium-launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntvdm64.dll
c:\windows\system32\advapi32.dll
PID:
2016
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
curl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2156
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
curl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2232
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2324
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
curl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2576
CMD:
"C:\Users\admin\AppData\Local\Temp\9FF6599A\Launcher.exe"
Path:
C:\Users\admin\AppData\Local\Temp\9FF6599A\Launcher.exe
Parent process:
Madium-Launcher.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\9ff6599a\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2792
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\ctypes\macholib\fetch_macholib.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
3112
CMD:
"tar" "-xf" "C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python.zip" "-C" "C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex"
Path:
C:\Windows\System32\tar.exe
Parent process:
Launcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
bsdtar archive tool
Exit code:
0
Version:
3.5.2 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\archiveint.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\kernel.appcore.dll
Total events
16 630
Read events
16 629
Write events
1
Delete events
0

Modification events

(PID) Process:
(1456) slui.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:
write
Name:
@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
94
Suspicious files
1 448
Text files
1 027
Unknown types
97

Dropped files

PID | Process | Filename | Type
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\pyexpat.pyd | executable
MD5: B34CA0FCD5E0E4F060FE211273AC2946
SHA256: B6670D91A76E9F00609752AB19AAE0B1EBE00D24D9D8D22068989BBB24D0AA44
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python3.dll | executable
MD5: 2E2BB725B92A3D30B1E42CC43275BB7B
SHA256: D52BACA085F88B40F30C855E6C55791E5375C80F60F94057061E77E33F4CAD7A
7728 | curl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python.zip.downloading | binary
MD5: 4C0A5A44D4CA1D0BC76FE08EA8B76ADC
SHA256: 0D57BB6CB078B74D23DBFE91F77D6780D45BED328911609F1F7EE2BA1606BF44
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python.exe | executable
MD5: FD6AFF3A270AE170C7657373316D37C0
SHA256: CA60CF785B2314A6D6599ECED15BDF094E6DB171BEC996B97A70B995942C3C37
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\vcruntime140_1.dll | executable
MD5: 68156F41AE9A04D89BB6625A5CD222D4
SHA256: 82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\vcruntime140.dll | executable
MD5: 862F820C3251E4CA6FC0AC00E4092239
SHA256: 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\LICENSE.txt | text
MD5: B52C821C7750804295E23B9E94525085
SHA256: E502C6B880FF58D614901495A9009C136539CD0B1E2A2ABB8FC00B934C203419
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\pythonw.exe | executable
MD5: EE1293BAD480D2F19FC9B852455E89C6
SHA256: D1AC257D433DEFC5516AE5B9BA837922D417164C0CB2FB1C57119FF1C7650524
2576 | Launcher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python.zip | binary
MD5: 4C0A5A44D4CA1D0BC76FE08EA8B76ADC
SHA256: 0D57BB6CB078B74D23DBFE91F77D6780D45BED328911609F1F7EE2BA1606BF44
3112 | tar.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python312.dll | executable
MD5: B243D61F4248909BC721674D70A633DE
SHA256: 93488FA7E631CC0A2BD808B9EEE8617280EE9B6FF499AB424A1A1CBF24D77DC7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
54
TCP/UDP connections
29
DNS requests
16
Threats
9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
3352 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
2576 | Launcher.exe | POST | 200 | 132.145.155.63:443 | https://rpc-mainnet.matic.quiknode.pro/ | US | text | 231 b | unknown
7536 | python.exe | GET | 200 | 151.101.192.223:443 | https://pypi.org/simple/pip/ | US | text | 140 Kb | unknown
6832 | curl.exe | GET | 200 | 151.101.0.175:443 | https://bootstrap.pypa.io/get-pip.py | US | text | 2.09 Mb | unknown
7728 | curl.exe | GET | 200 | 151.101.128.223:443 | https://www.python.org/ftp/python/3.12.7/python-3.12.7-embed-amd64.zip | US | compressed | 5.00 Mb | unknown
7536 | python.exe | GET | 200 | 151.101.128.223:443 | https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl.metadata | US | binary | 4.57 Kb | unknown
7536 | python.exe | GET | 200 | 151.101.128.223:443 | https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl | US | binary | 1.70 Mb | unknown
6832 | curl.exe | GET | 200 | 151.101.0.175:443 | https://bootstrap.pypa.io/get-pip.py | US | text | 2.09 Mb | unknown
3280 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3352 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | whitelisted
5276 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5412 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
3352 | svchost.exe | 23.216.77.22:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3352 | svchost.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
2576 | Launcher.exe | 167.233.12.120:443 | polygon-rpc.com | HETZNER-AS | DE | whitelisted
1456 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.13.138
  • 142.251.13.100
  • 142.251.13.139
  • 142.251.13.102
  • 142.251.13.113
  • 142.251.13.101
whitelisted
crl.microsoft.com
  • 23.216.77.22
  • 23.216.77.8
  • 23.216.77.25
  • 23.216.77.36
  • 23.216.77.21
  • 23.216.77.19
  • 23.216.77.6
  • 23.216.77.30
  • 23.216.77.20
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
polygon-rpc.com
  • 167.233.12.120
whitelisted
rpc-mainnet.matic.quiknode.pro
  • 132.145.155.63
unknown
www.python.org
  • 151.101.128.223
  • 151.101.0.223
  • 151.101.192.223
  • 151.101.64.223
whitelisted
bootstrap.pypa.io
  • 151.101.0.175
  • 151.101.64.175
  • 151.101.128.175
  • 151.101.192.175
unknown
pypi.org
  • 151.101.192.223
  • 151.101.64.223
  • 151.101.0.223
  • 151.101.128.223
whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Misc activity | ET INFO Blockchain RPC Domain in DNS Lookup (polygon-rpc .com)
2576 | Launcher.exe | Misc activity | ET INFO Blockchain RPC Domain in TLS SNI (polygon-rpc .com)
2576 | Launcher.exe | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
2232 | svchost.exe | Misc activity | ET INFO Observed DNS Query to Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro)
2576 | Launcher.exe | Misc activity | ET INFO Observed Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro in TLS SNI)
2576 | Launcher.exe | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
2232 | svchost.exe | Misc activity | ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
7536 | python.exe | Misc activity | ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
6912 | python.exe | Misc activity | ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
No debug info