File name:

RCE.exe

Full analysis: https://app.any.run/tasks/7e1eba26-a3d9-4884-a110-06a8fe9012b1
Verdict: Malicious activity
Analysis date: June 19, 2025, 17:23:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

A232E839CF0783E4A7B56136B79AF647

SHA1:

9FC566E5D3831CA2B3C7AE569B48CF91ECDAEB1E

SHA256:

27D35C0BE9120154906CB612565F02998C5FC9F7CDCD790B92C8F5A6E1BF6396

SSDEEP:

196608:AeJfadQZHwG8x881mwDH/JCzNuEwFSTbNffQp:AeJfadQZHz8x6wDfJeuESSTBQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops python dynamic module

      • RCE.exe (PID: 3092)

    • Executable content was dropped or overwritten

      • RCE.exe (PID: 3092)

    • Process drops legitimate windows executable

      • RCE.exe (PID: 3092)

    • The process drops C-runtime libraries

      • RCE.exe (PID: 3092)

    • Application launched itself

      • RCE.exe (PID: 3092)
      • updater.exe (PID: 3936)

    • Loads Python modules

      • RCE.exe (PID: 1604)

    • Starts CMD.EXE for commands execution

      • RCE.exe (PID: 1604)

    • The process executes via Task Scheduler

      • updater.exe (PID: 3936)

  • INFO

    • The sample compiled with english language support

      • RCE.exe (PID: 3092)

    • Reads the computer name

      • RCE.exe (PID: 3092)
      • updater.exe (PID: 3936)

    • Checks supported languages

      • RCE.exe (PID: 3092)
      • RCE.exe (PID: 1604)
      • updater.exe (PID: 3936)
      • updater.exe (PID: 1480)

    • Create files in a temporary directory

      • RCE.exe (PID: 3092)

    • PyInstaller has been detected (YARA)

      • RCE.exe (PID: 3092)
      • RCE.exe (PID: 1604)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3936)

    • Checks proxy server information

      • slui.exe (PID: 1128)

    • Reads the software policy settings

      • slui.exe (PID: 1128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:05 23:14:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rce.exe conhost.exe no specs rce.exe no specs cmd.exe no specs slui.exe updater.exe no specs updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1128C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1480"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x27c,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1604"C:\Users\admin\Desktop\RCE.exe" C:\Users\admin\Desktop\RCE.exeRCE.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\rce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2076C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exeRCE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3092"C:\Users\admin\Desktop\RCE.exe" C:\Users\admin\Desktop\RCE.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\rce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3936"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeRCE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 744
Read events
3 744
Write events
0
Delete events
0

Modification events

No data
Executable files
114
Suspicious files
1
Text files
25
Unknown types
0

Dropped files

PID
Process
Filename
Type
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_aes.pydexecutable
MD5:61CB04BF8E8C111AB4B6FED3BE0E8FA9
SHA256:DD5A327AF8913D4B772E37ABB1FB7E0F74D4CE0E5850EB06A4329720FC159175
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_ARC4.pydexecutable
MD5:EFF0F16D6E853EA2CBC7B3BCAB5E0591
SHA256:9892A83A3E511BD1024BFCCE460DBDE2690FD2A3C0C449081950C40EFDBA4C7D
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_chacha20.pydexecutable
MD5:709BE56D3AE0CB50807A6B54A762C875
SHA256:612B4DA235E04CB9CE0106A13AA31AB7D5F651A0685653EDC9A57E1F93BE5670
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_Salsa20.pydexecutable
MD5:17C99EDF022309BC2C54A732FB8FBF26
SHA256:34EB9C505180358711D8D6268E3F0E700C58AC9F47B0AD68565ED73BAB5DBD81
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_des3.pydexecutable
MD5:494239F9453679D80511BECC23C6B621
SHA256:9C849A1DD641A3143C25B261E18D8F1453B00BB975E324384F15311C1B544F3D
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_des.pydexecutable
MD5:A2DE9A3A802296D900F1630358EBA28D
SHA256:DA5E3E81F96EC3CBE7C9587344421F86E422A6E74A022E565FD6184FB03BBA1C
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_pkcs1_decode.pydexecutable
MD5:B5600245089E36B00E9FB4F4327A9F5F
SHA256:61F554613F2377EF0CF192F4C329CE448560429118115179EA03B2BAA4C2E7E1
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_arc2.pydexecutable
MD5:530BB99610B35527C3B06A22FD92CCEC
SHA256:43BC2F864D062BF7FE940E9CC497EF4FDFCC6EAEAB95FD4D4EE837E4D5DE0437
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:133B156E060C77AF41B38841A32DA4B6
SHA256:20005B988FE848983A65F7F4727EC27148E4D0ABEAB9CFD0E58778F812BF7595
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_blowfish.pydexecutable
MD5:403A4F70938F58C15DAEB4A63D7ECADB
SHA256:FB407812E3E4D17B2CA981C8B95C716FF1B288A5E4658A831CD067A2837A753B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
34
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
472
RUXIMICS.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
472
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
472
RUXIMICS.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 2.16.253.202
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.129
  • 20.190.159.75
  • 40.126.31.0
  • 40.126.31.67
  • 20.190.159.64
  • 40.126.31.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RCE.exe