File name: edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe
Full analysis: https://app.any.run/tasks/faf26d1b-f427-4dbc-8ec7-226aae48e9dd
Verdict: Malicious activity
Analysis date: August 26, 2025, 16:29:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python, pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 191F4D39A0BD47EF62691DA5150FE8BD
SHA1: 0FC274B3885814721EF72DDEE56DEFBE734921C5
SHA256: EDF5B31B61D6F0D6185E723265E7080983CA098D2CED1D275D5E33719BD8784D
SSDEEP: 98304:IC3CpA2+6m9T5/ISs2Psx+6NuFhHCBIIWRsw5u3lTAuB5Zq7J45ZFwj51Q7wyjya:lXhBiCWMG+A7q/T+4lOkmb7fbxo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Create files in the Startup directory
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
  • SUSPICIOUS
    • The process drops C-runtime libraries
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
    • Process drops legitimate windows executable
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
    • Executable content was dropped or overwritten
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
    • Process drops python dynamic module
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
    • Application launched itself
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
    • Loads Python modules
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • There is functionality for taking screenshot (YARA)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
  • INFO
    • Create files in a temporary directory
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • Checks supported languages
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • Reads the computer name
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • Creates files or folders in the user directory
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • PyInstaller has been detected (YARA)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • Launching a file from the Startup directory
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 4072)
    • The sample compiled with English language support
      • edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:08:06 11:54:24+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 163840
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 137
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe -> edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe; slui.exe (no specs)

Process information

PID: 2228
CMD: "C:\Users\admin\AppData\Local\Temp\edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe"
Path: C:\Users\admin\AppData\Local\Temp\edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 2880
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4072
CMD: "C:\Users\admin\AppData\Local\Temp\edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe"
Path: C:\Users\admin\AppData\Local\Temp\edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe
Parent process: edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 647
Read events: 647
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 31
Suspicious files: 3
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_asyncio.pyd | executable
  MD5: CC0F232F2A8A359DEE29A573667E6D77
  SHA256: 7A5C88CE496BAFDF31A94AE6D70B017070703BC0A7DA1DFAE7C12B21BB61030D
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\VCRUNTIME140_1.dll | executable
  MD5: F8DFA78045620CF8A732E67D1B1EB53D
  SHA256: A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_ssl.pyd | executable
  MD5: 6A2B0F8F50B47D05F96DEFF7883C1270
  SHA256: 68DAD60FF6FB36C88EF1C47D1855517BFE8DE0F5DDEA0F630B65B622A645D53A
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_multiprocessing.pyd | executable
  MD5: EB859FC7F54CBA118A321440AD088096
  SHA256: 14BDD15D60B9D6141009AEEDC606007C42B46C779A523D21758E57CF126DC2A4
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_hashlib.pyd | executable
  MD5: D19CB5CA144AE1FD29B6395B0225CF40
  SHA256: F95EC2562A3C70FB1A6E44D72F4223CE3C7A0F0038159D09DCE629F59591D5AA
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_lzma.pyd | executable
  MD5: 8CFBAFE65D6E38DDE8E2E8006B66BB3E
  SHA256: 6D548DB0AB73291F82CF0F4CA9EC0C81460185319C8965E829FAEACAE19444FF
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\certifi\cacert.pem | text
  MD5: EFC4B0783F2C84A6244631BC2AA73312
  SHA256: B1CDD2D665758EF49D08F40EA13E1A826E5F0412E9E0940C921ED1021464CDC2
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_socket.pyd | executable
  MD5: E43AED7D6A8BCD9DDFC59C2D1A2C4B02
  SHA256: 2C2A6A6BA360E38F0C2B5A53B4626F833A3111844D95615EBF35BE0E76B1EF7A
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\h2-4.2.0.dist-info\INSTALLER | text
  MD5: 365C9BFEB7D89244F2CE01C1DE44CB85
  SHA256: CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
2228 | edf5b31b61d6f0d6185e723265e7080983ca098d2ced1d275d5e33719bd8784d.exe | C:\Users\admin\AppData\Local\Temp\_MEI22282\_queue.pyd | executable
  MD5: 7D91DD8E5F1DBC3058EA399F5F31C1E6
  SHA256: 76BBA42B1392DC57A867AEF385B990FA302A4F1DCF453705AC119C9C98A36E8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 14
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation (CN and Size columns are empty in the export)
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3540 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6584 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
3540 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3540 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
login.live.com | 20.190.159.73, 20.190.159.4, 40.126.31.129, 20.190.159.71, 20.190.159.68, 40.126.31.0, 20.190.159.129, 40.126.31.3 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.20, 23.216.77.42 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
 |  | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Debug info: No debug info