File name:

RCE.exe

Full analysis: https://app.any.run/tasks/7e1eba26-a3d9-4884-a110-06a8fe9012b1
Verdict: Malicious activity
Analysis date: June 19, 2025, 17:23:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

A232E839CF0783E4A7B56136B79AF647

SHA1:

9FC566E5D3831CA2B3C7AE569B48CF91ECDAEB1E

SHA256:

27D35C0BE9120154906CB612565F02998C5FC9F7CDCD790B92C8F5A6E1BF6396

SSDEEP:

196608:AeJfadQZHwG8x881mwDH/JCzNuEwFSTbNffQp:AeJfadQZHz8x6wDfJeuESSTBQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RCE.exe (PID: 3092)

    • Process drops python dynamic module

      • RCE.exe (PID: 3092)

    • Process drops legitimate windows executable

      • RCE.exe (PID: 3092)

    • The process drops C-runtime libraries

      • RCE.exe (PID: 3092)

    • Application launched itself

      • RCE.exe (PID: 3092)
      • updater.exe (PID: 3936)

    • Loads Python modules

      • RCE.exe (PID: 1604)

    • Starts CMD.EXE for commands execution

      • RCE.exe (PID: 1604)

    • The process executes via Task Scheduler

      • updater.exe (PID: 3936)

  • INFO

    • Reads the computer name

      • RCE.exe (PID: 3092)
      • updater.exe (PID: 3936)

    • Checks supported languages

      • RCE.exe (PID: 3092)
      • RCE.exe (PID: 1604)
      • updater.exe (PID: 3936)
      • updater.exe (PID: 1480)

    • Create files in a temporary directory

      • RCE.exe (PID: 3092)

    • The sample compiled with english language support

      • RCE.exe (PID: 3092)

    • PyInstaller has been detected (YARA)

      • RCE.exe (PID: 3092)
      • RCE.exe (PID: 1604)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3936)

    • Checks proxy server information

      • slui.exe (PID: 1128)

    • Reads the software policy settings

      • slui.exe (PID: 1128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:05 23:14:49+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rce.exe conhost.exe no specs rce.exe no specs cmd.exe no specs slui.exe updater.exe no specs updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1128C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1480"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x27c,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1604"C:\Users\admin\Desktop\RCE.exe" C:\Users\admin\Desktop\RCE.exeRCE.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\rce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2076C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exeRCE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3092"C:\Users\admin\Desktop\RCE.exe" C:\Users\admin\Desktop\RCE.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\rce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3936"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeRCE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 744
Read events
3 744
Write events
0
Delete events
0

Modification events

No data
Executable files
114
Suspicious files
1
Text files
25
Unknown types
0

Dropped files

PID
Process
Filename
Type
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_ARC4.pydexecutable
MD5:EFF0F16D6E853EA2CBC7B3BCAB5E0591
SHA256:9892A83A3E511BD1024BFCCE460DBDE2690FD2A3C0C449081950C40EFDBA4C7D
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_Salsa20.pydexecutable
MD5:17C99EDF022309BC2C54A732FB8FBF26
SHA256:34EB9C505180358711D8D6268E3F0E700C58AC9F47B0AD68565ED73BAB5DBD81
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_pkcs1_decode.pydexecutable
MD5:B5600245089E36B00E9FB4F4327A9F5F
SHA256:61F554613F2377EF0CF192F4C329CE448560429118115179EA03B2BAA4C2E7E1
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_cfb.pydexecutable
MD5:BF18D19EB79557E767A8E8E1EDA6C060
SHA256:6DE05E3507157C94F20825196677E12964780502D5A3DD04424B05C3E4AEF186
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_ctr.pydexecutable
MD5:3D0FB2250C76B501ABF008D8E6180594
SHA256:E5E2B54591D4CA2DC43F6D0FFDBFF45393D092E9E37C072FFE7B8769EEC3B82E
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_ofb.pydexecutable
MD5:A2B9F1DB81EE431F07A848F44153518F
SHA256:CD11346BDC23F15D68701C3F602B621BB7C93CF1AAA193FF079225603514122D
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_ecb.pydexecutable
MD5:B9F8151C65BDAF81BF9407A32E77959B
SHA256:ED154E6C22235659E57532B0A8B3CD7A081603C6CAE9CB165E436006881C1C74
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Cipher\_raw_des.pydexecutable
MD5:A2DE9A3A802296D900F1630358EBA28D
SHA256:DA5E3E81F96EC3CBE7C9587344421F86E422A6E74A022E565FD6184FB03BBA1C
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Hash\_BLAKE2b.pydexecutable
MD5:7FCAD6D233F8F41636258C970390284C
SHA256:E0D97FD22D02BE38357905F8D833E1CD78839EDF986692EDE944F9EE0CEE8B40
3092RCE.exeC:\Users\admin\AppData\Local\Temp\_MEI30922\Crypto\Hash\_BLAKE2s.pydexecutable
MD5:EFB1F498321597F1AAF7FB6A57603C76
SHA256:2A8CA6C6E864F0F5DE6E22736D461AEC5AFA45B4CB77449731AFC0861C20C23D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
34
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
472
RUXIMICS.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
472
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
472
RUXIMICS.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 2.16.253.202
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.129
  • 20.190.159.75
  • 40.126.31.0
  • 40.126.31.67
  • 20.190.159.64
  • 40.126.31.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RCE.exe