File name: recieve.exe
Full analysis: https://app.any.run/tasks/0ad6a742-117c-4fb1-a6e3-b599887dd7f4
Verdict: Malicious activity
Analysis date: July 05, 2025, 23:21:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 41754A03FE97DB502944A1A156B50116
SHA1: 770369D2CFC213DE053A71F47FAA44D72B890194
SHA256: 1920A122C610FDB206E24B55F29E3B85DB79F67E3920551E55BA7963EBF1CEF6
SSDEEP: 393216:Npm4jdNXYabHxbe/yLfxYIVw1SB+AOWOIHxs6wwfYy3TAQQuzNSC3g5:NpmcUKrxYAwEB+1KHGRgkozNtg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • recieve.exe (PID: 2380)
    • Process drops python dynamic module

      • recieve.exe (PID: 2380)
    • The process drops C-runtime libraries

      • recieve.exe (PID: 2380)
    • Application launched itself

      • recieve.exe (PID: 2380)
    • Loads Python modules

      • recieve.exe (PID: 1336)
    • Executable content was dropped or overwritten

      • recieve.exe (PID: 2380)
  • INFO

    • Reads the computer name

      • recieve.exe (PID: 2380)
    • Checks supported languages

      • recieve.exe (PID: 2380)
      • recieve.exe (PID: 1336)
    • The sample was compiled with English language support

      • recieve.exe (PID: 2380)
    • Create files in a temporary directory

      • recieve.exe (PID: 2380)
    • PyInstaller has been detected (YARA)

      • recieve.exe (PID: 2380)
      • recieve.exe (PID: 1336)
    • Checks proxy server information

      • slui.exe (PID: 4552)
    • Reads the software policy settings

      • slui.exe (PID: 4552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:05 23:09:02+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: recieve.exe, conhost.exe (no specs), recieve.exe (no specs), slui.exe

Process information

PID: 536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: recieve.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1336
CMD: "C:\Users\admin\Desktop\recieve.exe"
Path: C:\Users\admin\Desktop\recieve.exe
Parent process: recieve.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  • c:\users\admin\desktop\recieve.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 2380
CMD: "C:\Users\admin\Desktop\recieve.exe"
Path: C:\Users\admin\Desktop\recieve.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  • c:\users\admin\desktop\recieve.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 4552
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
Total events: 3 677
Read events: 3 677
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 40
Suspicious files: 1
Text files: 26
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\VCRUNTIME140_1.dll | executable
  MD5: C0C0B4C611561F94798B62EB43097722
  SHA256: 497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\cv2\cv2.pyd | -
  MD5: -
  SHA256: -
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\_ssl.pyd | executable
  MD5: 893EE1E905EC5A1F74B10D73A8B94E6A
  SHA256: 11572F6EB63E43CDC2908812506FFCDAB21BE2BE5931F1E38D856C15F5A79E6C
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\_queue.pyd | executable
  MD5: 8FC4810CFF733E6F17A7530D3FB67D58
  SHA256: 08050F94EFE7BDD9D7CBE85B1196DE391CAC1B30F4A4918610CB174AE529A5DB
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\_socket.pyd | executable
  MD5: C2938DBDCDABA1CCBEFEE37F6A06CD0C
  SHA256: C63E8E6A369CBE86E57C9823FB48BC5D4E7BB18455B9B001986B4768C49007DA
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\_wmi.pyd | executable
  MD5: 609206D81F38626F1C022D1A0FF1466B
  SHA256: A7CC096244A497219269A3EE1CF2526A2B613D73FA566749F8F2408F5F4117D4
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd | executable
  MD5: 21E82AD181C636E1CF6C24610E2AF08F
  SHA256: B9ABD964BBED3005DD625660097B375A4E62929EAB5B15780253433F6054FE95
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\base_library.zip | compressed
  MD5: AE4A2B1E61AAB11768CF2D2B4BA59E18
  SHA256: 93CA60A2EDC287743AA6480EAEA4DC261119303F17D6337760AF8A12EC149AA3
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\_decimal.pyd | executable
  MD5: 90071379B9E53B2D1834D49F4FD804EC
  SHA256: 90045140E45EDCFE4F4859B3190184FAFF1249220011330A9D01319745766607
2380 | recieve.exe | C:\Users\admin\AppData\Local\Temp\_MEI23802\_lzma.pyd | executable
  MD5: D165B7B9A127F66704CEAA196BE319E5
  SHA256: B78F5A8476139FF04731046459EFD047BB8F52DC92C5B2082EABF2929C0CA02D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 50
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 95.100.181.32:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
  • 95.100.181.32
  • 95.100.181.23
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.2
  • 20.190.159.71
  • 20.190.159.23
  • 40.126.31.130
  • 40.126.31.131
  • 20.190.159.64
  • 40.126.31.71
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 13.77.207.86
whitelisted

Threats

No threats detected
No debug info