File name:

system_update.exe

Full analysis: https://app.any.run/tasks/5f17cd30-f93b-466a-bb4a-65be5b0be56e
Verdict: Malicious activity
Analysis date: June 22, 2025, 01:24:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

2C7B469365D1BED2F08917E902902734

SHA1:

8C362A3F3A6415EB7289ED84B150DCA1CDA49CCB

SHA256:

7FF6AD46AF3736BCE9A4605782A95BAC266A54010B241FFCAB07A0C2F8F71A8E

SSDEEP:

98304:HJ3dY2odRtVWi8WBYjHjC24iVoumzy722pEIHdMvAP7rGqdgl3qxvWMIbjQrfmp4:gCK5sWwE1MU48EEHDo354e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • system_update.exe (PID: 5496)

    • The process drops C-runtime libraries

      • system_update.exe (PID: 5496)

    • Process drops python dynamic module

      • system_update.exe (PID: 5496)

    • Executable content was dropped or overwritten

      • system_update.exe (PID: 5496)
      • system_update.exe (PID: 236)

    • Application launched itself

      • system_update.exe (PID: 5496)
      • updater.exe (PID: 2296)

    • Loads Python modules

      • system_update.exe (PID: 236)

    • The process executes via Task Scheduler

      • updater.exe (PID: 2296)

  • INFO

    • Reads the computer name

      • system_update.exe (PID: 5496)
      • system_update.exe (PID: 236)
      • updater.exe (PID: 2296)

    • Checks supported languages

      • system_update.exe (PID: 5496)
      • system_update.exe (PID: 236)
      • updater.exe (PID: 2296)
      • updater.exe (PID: 6540)

    • Create files in a temporary directory

      • system_update.exe (PID: 5496)

    • The sample compiled with english language support

      • system_update.exe (PID: 5496)

    • Creates files or folders in the user directory

      • system_update.exe (PID: 236)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2296)

    • Checks proxy server information

      • slui.exe (PID: 4104)

    • Reads the software policy settings

      • slui.exe (PID: 4104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:22 01:22:42+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start system_update.exe system_update.exe slui.exe updater.exe no specs updater.exe no specs system_update.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Users\admin\Desktop\system_update.exe" C:\Users\admin\Desktop\system_update.exe
system_update.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\system_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1520"C:\Users\admin\Desktop\system_update.exe" C:\Users\admin\Desktop\system_update.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\system_update.exe
c:\windows\system32\ntdll.dll
2296"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4104C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5496"C:\Users\admin\Desktop\system_update.exe" C:\Users\admin\Desktop\system_update.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\system_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6540"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x27c,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
3 685
Read events
3 685
Write events
0
Delete events
0

Modification events

No data
Executable files
28
Suspicious files
1
Text files
15
Unknown types
0

Dropped files

PID
Process
Filename
Type
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_ssl.pydexecutable
MD5:0F02ECCD7933B7A7C2BDEDCA2A72AAB6
SHA256:BA5388D6A6557D431E086734A3323621DC447F63BA299B0A815E5837CF869678
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\VCRUNTIME140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_hashlib.pydexecutable
MD5:B4FF25B1ACA23D48897FC616E102E9B6
SHA256:87DD0C858620287454FD6D31D52B6A48EDDBB2A08E09E8B2D9FDB0B92200D766
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_cffi_backend.cp311-win_amd64.pydexecutable
MD5:739D352BD982ED3957D376A9237C9248
SHA256:9AEE90CF7980C8FF694BB3FFE06C71F87EB6A613033F73E3174A732648D39980
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_elementtree.pydexecutable
MD5:E31FD445C65AEC18C32A99828732264A
SHA256:02E30B6A2BEE5BE5336E40A9C89575603051BDE86F9C9CDC78B7FA7D9B7BD1F0
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_ctypes.pydexecutable
MD5:565D011CE1CEE4D48E722C7421300090
SHA256:C148292328F0AAB7863AF82F54F613961E7CB95B7215F7A81CAFAF45BD4C42B7
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_decimal.pydexecutable
MD5:C88282908BA54510EDA3887C488198EB
SHA256:980A63F2B39CF16910F44384398E25F24482346A482ADDB00DE42555B17D4278
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_lzma.pydexecutable
MD5:B86B9F292AF12006187EBE6C606A377D
SHA256:F5E01B516C2C23035F7703E23569DEC26C5616C05A929B2580AE474A5C6722C5
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\_socket.pydexecutable
MD5:B77017BAA2004833EF3847A3A3141280
SHA256:A19E3C7C03EF1B5625790B1C9C42594909311AB6DF540FBF43C6AA93300AB166
5496system_update.exeC:\Users\admin\AppData\Local\Temp\_MEI54962\cryptography-44.0.2.dist-info\RECORDcsv
MD5:92EE39946C73655ECDF034872D16D82F
SHA256:FF009D3DAD8E313F0B212F129A477B7A2708838D06AD3FE18F93A0C7137E3259
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1508
RUXIMICS.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1508
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1508
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1508
RUXIMICS.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1508
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.15
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
system_update.exe