Concerning processes

[EgoHeroic]

Did analysis of main.exe file and what processes it creates:

https://www.virustotal.com/gui/file/889737aecd220ef035babd1576341dd070db41f9f044a225505d8720ffaaa7f7/detection

This file enables Microsoft Compatibility Appraiser. Why? Why do I need telemetry for this to work? Why it constantly connects to Microsoft?

Plus all files: main, theme customizer, etc. is being flagged by defender.

[mathoudebine]

The Microsoft Compatibility Appraiser file operations are unrelated to this program.
Microsoft Compatibility Appraiser is a Windows scheduled task that starts/stops on predefined triggers. It seems to be enabled on the Virustotal sandbox the program has been run on. It is possible that the telemetry automatically starts to collect information on the new program.

The DNS resolution for www.microsoft.com is just standard behavior for the Microsoft Sysinternals sandbox, you can find similar behaviors on other analysis like https://www.virustotal.com/gui/file/8279696c1d78b14618500e9135886a3667b9decc65946f3729002e4bfdbb20ab/behavior

As for the flagging I wrote this article https://github.com/mathoudebine/turing-smart-screen-python/wiki/Troubleshooting#windows-installer--portable-zip-are-flagged-by-my-anti-virus
I will try to work on it but it is not easy because of the way this program is packaged and how it loads external dll