File name:

system_update.exe

Full analysis: https://app.any.run/tasks/5f17cd30-f93b-466a-bb4a-65be5b0be56e
Verdict: Malicious activity
Analysis date: June 22, 2025, 01:24:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

2C7B469365D1BED2F08917E902902734

SHA1:

8C362A3F3A6415EB7289ED84B150DCA1CDA49CCB

SHA256:

7FF6AD46AF3736BCE9A4605782A95BAC266A54010B241FFCAB07A0C2F8F71A8E

SSDEEP:

98304:HJ3dY2odRtVWi8WBYjHjC24iVoumzy722pEIHdMvAP7rGqdgl3qxvWMIbjQrfmp4:gCK5sWwE1MU48EEHDo354e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • system_update.exe (PID: 236)
      • system_update.exe (PID: 5496)

    • Application launched itself

      • updater.exe (PID: 2296)
      • system_update.exe (PID: 5496)

    • The process executes via Task Scheduler

      • updater.exe (PID: 2296)

    • Process drops python dynamic module

      • system_update.exe (PID: 5496)

    • Process drops legitimate windows executable

      • system_update.exe (PID: 5496)

    • The process drops C-runtime libraries

      • system_update.exe (PID: 5496)

    • Loads Python modules

      • system_update.exe (PID: 236)

  • INFO

    • Reads the computer name

      • system_update.exe (PID: 5496)
      • system_update.exe (PID: 236)
      • updater.exe (PID: 2296)

    • Checks supported languages

      • updater.exe (PID: 2296)
      • updater.exe (PID: 6540)
      • system_update.exe (PID: 5496)
      • system_update.exe (PID: 236)

    • Creates files or folders in the user directory

      • system_update.exe (PID: 236)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2296)

    • Checks proxy server information

      • slui.exe (PID: 4104)

    • Reads the software policy settings

      • slui.exe (PID: 4104)

    • Create files in a temporary directory

      • system_update.exe (PID: 5496)

    • The sample compiled with english language support

      • system_update.exe (PID: 5496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:22 01:22:42+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start system_update.exe system_update.exe slui.exe updater.exe no specs updater.exe no specs system_update.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Users\admin\Desktop\system_update.exe" C:\Users\admin\Desktop\system_update.exe
system_update.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\system_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1520"C:\Users\admin\Desktop\system_update.exe" C:\Users\admin\Desktop\system_update.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\system_update.exe
c:\windows\system32\ntdll.dll
2296"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4104C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5496"C:\Users\admin\Desktop\system_update.exe" C:\Users\admin\Desktop\system_update.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\system_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6540"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x27c,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
3 685
Read events
3 685
Write events
0
Delete events
0

Modification events

No data
Executable files
28
Suspicious files
1
Text files
15
Unknown types
0

Dropped files

PID
Process
Filename
Type
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_brotli.cp311-win_amd64.pydexecutable
MD5:D9FC15CAF72E5D7F9A09B675E309F71D
SHA256:1FCD75B03673904D9471EC03C0EF26978D25135A2026020E679174BDEF976DCF
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_ctypes.pydexecutable
MD5:565D011CE1CEE4D48E722C7421300090
SHA256:C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_bz2.pydexecutable
MD5:AA1083BDE6D21CABFC630A18F51B1926
SHA256:00B8CA9A338D2B47285C9E56D6D893DB2A999B47216756F18439997FB80A56E3
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\VCRUNTIME140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_decimal.pydexecutable
MD5:C88282908BA54510EDA3887C488198EB
SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_cffi_backend.cp311-win_amd64.pydexecutable
MD5:739D352BD982ED3957D376A9237C9248
SHA256:9AEE90CF7980C8FF694BB3FFE06C71F87EB6A613033F73E3174A732648D39980
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_hashlib.pydexecutable
MD5:B4FF25B1ACA23D48897FC616E102E9B6
SHA256:87DD0C858620287454FD6D31D52B6A48EDDBB2A08E09E8B2D9FDB0B92200D766
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_multiprocessing.pydexecutable
MD5:CF0B31F01A95E9F181D87197786B96CA
SHA256:975C1947798E3C39898C86675CA1EB68249F77361F41F172F9800275227213B9
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_queue.pydexecutable
MD5:7F52EF40B083F34FD5E723E97B13382F
SHA256:3F8E7E6AA13B417ACC78B63434FB1144E6319A010A9FC376C54D6E69B638FE4C
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_ssl.pydexecutable
MD5:0F02ECCD7933B7A7C2BDEDCA2A72AAB6
SHA256:BA5388D6A6557D431E086734A3323621DC447F63BA299B0A815E5837CF869678
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1508
RUXIMICS.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1508
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1508
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1508
RUXIMICS.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1508
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.15
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
system_update.exe