File name: MyApp.exe
Full analysis: https://app.any.run/tasks/0a0264ca-84fb-4d92-a000-2f85e0a28ae6
Verdict: Malicious activity
Analysis date: July 14, 2024, 23:30:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: E18823DE5C71298FF8D63E970DF3A806
SHA1: A868D999B1AD5A6E41B86D17F2B5BA84FC1B154D
SHA256: F9AAD0B1727BDA41F797B01FEE01211010B42A808672B05F2B5B8FE5E9F88BE9
SSDEEP: 98304:Dl7PqG0ctP25j8YjjHz5z3fPgoPLJhckl5u27WdgpBafa8KiIbjQryrCpnyQbu+J:DFCHEVQaIM+rIasoBaiYr5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 4024)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 4024)
    • Process drops python dynamic module

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 4024)
    • Loads Python modules

      • MyApp.exe (PID: 7152)
      • MyApp.exe (PID: 6336)
      • MyApp.exe (PID: 6720)
      • MyApp.exe (PID: 1292)
      • MyApp.exe (PID: 7008)
    • Process drops legitimate windows executable

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 4024)
    • Application launched itself

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 7152)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 6720)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6336)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 1292)
      • MyApp.exe (PID: 7008)
      • MyApp.exe (PID: 6948)
    • Executable content was dropped or overwritten

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 4024)
  • INFO

    • Checks supported languages

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 7152)
      • MyApp.exe (PID: 6720)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 6336)
      • MyApp.exe (PID: 1292)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 7008)
      • MyApp.exe (PID: 4024)
    • Create files in a temporary directory

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 4024)
    • Reads the computer name

      • MyApp.exe (PID: 5524)
      • MyApp.exe (PID: 1644)
      • MyApp.exe (PID: 6640)
      • MyApp.exe (PID: 6948)
      • MyApp.exe (PID: 3992)
      • MyApp.exe (PID: 4024)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:14 23:29:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 151040
UninitializedDataSize: -
EntryPoint: 0xb220
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 12
Malicious processes: 11
Suspicious processes: 0

Behavior graph

Graph nodes: myapp.exe (start), conhost.exe (no specs) and ten further myapp.exe instances, five of them marked "no specs".

Process information

PID | CMD | Path | Indicators | Parent process
480 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | MyApp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1292 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1644 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3992 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4024 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5524 | "C:\Users\admin\AppData\Local\Temp\MyApp.exe" | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6336 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6640 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6720 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6948 | C:\Users\admin\AppData\Local\Temp\MyApp.exe -m pip install cryptography | C:\Users\admin\AppData\Local\Temp\MyApp.exe | - | MyApp.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\myapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 1 290
Read events: 1 290
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 129
Suspicious files: 15
Text files: 5 204
Unknown types: 1

Dropped files

PID | Process | Filename | Type
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_bz2.pyd | executable
  MD5: 5BEBC32957922FE20E927D5C4637F100
  SHA256: 3ED0E5058D370FB14AA5469D81F96C5685559C054917C7280DD4125F21D25F62
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_hashlib.pyd | executable
  MD5: DA02CEFD8151ECB83F697E3BD5280775
  SHA256: FD77A5756A17EC0788989F73222B0E7334DD4494B8C8647B43FE554CF3CFB354
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_decimal.pyd | executable
  MD5: 492C0C36D8ED1B6CA2117869A09214DA
  SHA256: B8221D1C9E2C892DD6227A6042D1E49200CD5CB82ADBD998E4A77F4EE0E9ABF1
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_lzma.pyd | executable
  MD5: 195DEFE58A7549117E06A57029079702
  SHA256: 7BF9FF61BABEBD90C499A8ED9B62141F947F90D87E0BBD41A12E99D20E06954A
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_queue.pyd | executable
  MD5: B7E5FBD7EF3EEFFF8F502290C0E2B259
  SHA256: DBDABB5FE0CCBC8B951A2C6EC033551836B072CAB756AAA56B6F22730080D173
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\VCRUNTIME140.dll | executable
  MD5: BE8DBE2DC77EBE7F88F910C61AEC691A
  SHA256: 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\cryptography-42.0.8.dist-info\INSTALLER | text
  MD5: 365C9BFEB7D89244F2CE01C1DE44CB85
  SHA256: CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\charset_normalizer\md__mypyc.cp312-win_amd64.pyd | executable
  MD5: BF9A9DA1CF3C98346002648C3EAE6DCF
  SHA256: 4107B1D6F11D842074A9F21323290BBE97E8EED4AA778FBC348EE09CC4FA4637
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_ssl.pyd | executable
  MD5: C87C5890039C3BDB55A8BC189256315F
  SHA256: A5D361707F7A2A2D726B20770E8A6FC25D753BE30BCBCBBB683FFEE7959557C2
5524 | MyApp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55242\_cffi_backend.cp312-win_amd64.pyd | executable
  MD5: 0572B13646141D0B1A5718E35549577C
  SHA256: D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 73
DNS requests: 20
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2448
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2448
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3716
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1320
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3800
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7016
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6116
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2120
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2448
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2448
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
4656
SearchApp.exe
104.126.37.170:443
www.bing.com
Akamai International B.V.
DE
unknown
3716
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 104.126.37.170
  • 104.126.37.178
  • 104.126.37.137
  • 104.126.37.179
  • 104.126.37.185
  • 104.126.37.186
  • 104.126.37.144
  • 104.126.37.130
  • 104.126.37.171
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.149
  • 2.23.209.187
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.17
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.72
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted

Threats

No threats detected
No debug info