File name: SX-CRACKED.exe
Full analysis: https://app.any.run/tasks/da9ca350-8889-43da-9bb2-8a1c5f76cd31
Verdict: Malicious activity
Analysis date: June 19, 2025, 20:16:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, python, pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 7D21051DEE046D4B529FAE2D5309769F
SHA1: CA09418AD758A6760B1A4AE8A298A998B7A28EB0
SHA256: 081129F14CA28418B06018D480FD4D7D92144C68A73D30A8FE2A9B13CD88ED11
SSDEEP: 98304:PSxUqotpaqkPvQn5WndctkUe9odMB9/4ekqUVvlaOhTxcR1o6Wm6n+6sh+r2lwj4:GwcCzjaRf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • SX-CRACKED.exe (PID: 2528)
      • cmd.exe (PID: 4760)
    • Changes Windows Defender settings

      • cmd.exe (PID: 4760)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • SX-CRACKED.exe (PID: 3656)
    • Process drops legitimate windows executable

      • SX-CRACKED.exe (PID: 3656)
    • Application launched itself

      • SX-CRACKED.exe (PID: 3656)
    • Process drops python dynamic module

      • SX-CRACKED.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • SX-CRACKED.exe (PID: 3656)
    • Loads Python modules

      • SX-CRACKED.exe (PID: 2528)
    • Starts CMD.EXE for commands execution

      • SX-CRACKED.exe (PID: 2528)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 4760)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4760)
    • Checks for external IP

      • SX-CRACKED.exe (PID: 2528)
    • There is functionality for taking screenshot (YARA)

      • SX-CRACKED.exe (PID: 2528)
      • SX-CRACKED.exe (PID: 3656)
  • INFO

    • Checks supported languages

      • SX-CRACKED.exe (PID: 3656)
      • SX-CRACKED.exe (PID: 2528)
    • Reads the computer name

      • SX-CRACKED.exe (PID: 3656)
      • SX-CRACKED.exe (PID: 2528)
    • Reads the machine GUID from the registry

      • SX-CRACKED.exe (PID: 2528)
    • The sample compiled with english language support

      • SX-CRACKED.exe (PID: 3656)
    • Create files in a temporary directory

      • SX-CRACKED.exe (PID: 3656)
    • Checks operating system version

      • SX-CRACKED.exe (PID: 2528)
    • Checks proxy server information

      • SX-CRACKED.exe (PID: 2528)
      • slui.exe (PID: 7048)
    • PyInstaller has been detected (YARA)

      • SX-CRACKED.exe (PID: 3656)
      • SX-CRACKED.exe (PID: 2528)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3676)
    • Reads the software policy settings

      • slui.exe (PID: 7048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:17 05:04:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.43
CodeSize: 160256
InitializedDataSize: 131584
UninitializedDataSize: -
EntryPoint: 0xc120
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 141
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive graph available in the full report): start, sx-cracked.exe, sx-cracked.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), slui.exe

Process information

Each entry lists PID, command line (CMD), image path and parent process, followed by the process details reported by the sandbox.
PID: 2528
CMD: "C:\Users\admin\Desktop\SX-CRACKED.exe"
Path: C:\Users\admin\Desktop\SX-CRACKED.exe
Parent process: SX-CRACKED.exe
User: admin
Integrity Level: MEDIUM
PID: 2532
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 3640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 3656
CMD: "C:\Users\admin\Desktop\SX-CRACKED.exe"
Path: C:\Users\admin\Desktop\SX-CRACKED.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
PID: 3676
CMD: powershell Add-MpPreference -ExclusionPath 'C:\Users\admin\.cache'
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 4760
CMD: C:\WINDOWS\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\admin\.cache'"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: SX-CRACKED.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
PID: 6612
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: SX-CRACKED.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
PID: 7048
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 11 975
Read events: 11 975
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 32
Suspicious files: 2
Text files: 31
Unknown types: 0

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 of each file follow its row)
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\ChangePass.py | text
MD5:F70D025AD746175C0C7F9283CA78FF64
SHA256:24EB7A820CC47BA692CB246A7A3D8241DBB1B8F1F79EFC091305846C6A514BFD
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_socket.pyd | executable
MD5:DF7F5E00903900666179D254D973D734
SHA256:DE9BB2188FCF3AAD2B06B437725E3041A499CB03D31CC8EEB17B498966431F51
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_hashlib.pyd | executable
MD5:20A2243EC6B79CE5CA95CFE515FCBE09
SHA256:4539E66BF99E80661961B864FB3B36A969118FF95AEDE4C27C1A578A6D773651
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_overlapped.pyd | executable
MD5:4EAAF5A9BA63D4378911B12EDC508597
SHA256:DC659B7A2865309FDCB4120AC50A9DC3BE3AA029EE75B9F5529CB1FB6FFB56A2
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\_pytransform.dll | executable
MD5:F6761B52AA704B451C25577FF77EE7B0
SHA256:2ABB8020C8126D4CF44FA96DBABF1A6172069EB9AED4593F7587BF9641A9391D
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\aiohttp\_http_parser.cp38-win32.pyd | executable
MD5:2B32FFDE782DFD77CA00B1C4B38F6E18
SHA256:5A416566191107CCD82F6A2E8D4B991184AF4B199515E4736B4A8B9DAE6FDECE
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\aiohttp\_helpers.cp38-win32.pyd | executable
MD5:4F1721D2F0E02AB76FD3EF159259675E
SHA256:5C39F0E4ECEE5870331BD0EB56A6C2A55922265A8C63335232CD12DF9A8EB62A
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\attrs-25.3.0.dist-info\INSTALLER | text
MD5:365C9BFEB7D89244F2CE01C1DE44CB85
SHA256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\aiohttp\_http_writer.cp38-win32.pyd | executable
MD5:34A797BB0861CE2DB45E987B7D0273C2
SHA256:BC8F3F9EF1184C101E9328250331E662D68612E27ADC287B81FD7408B79A984A
3656 | SX-CRACKED.exe | C:\Users\admin\AppData\Local\Temp\_MEI36562\aiohttp\_websocket.cp38-win32.pyd | executable
MD5:614234B6CF2E93FDE7F4363CA948229B
SHA256:C7AC2573A8DD2EB9A622324C5AAD7211BD4D4DB13FDA8AA58FB3A2D8BF8C0B9A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 23
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.48.23.160:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.160:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4808 | RUXIMICS.exe | GET | 200 | 23.48.23.160:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4808 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4808 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.48.23.160:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.160:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4808 | RUXIMICS.exe | 23.48.23.160:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.48.23.160, 23.48.23.149, 23.48.23.143, 23.48.23.147, 23.48.23.150, 23.48.23.146, 23.48.23.148, 23.48.23.158, 23.48.23.159 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
api.ipify.org | 104.26.13.205, 104.26.12.205, 172.67.74.152 | shared
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 51.116.253.170 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2528 | SX-CRACKED.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
No debug info