File name: AssetReuploader.exe

Full analysis: https://app.any.run/tasks/e2c541af-1e8f-49fd-a650-a8e16a294fda
Verdict: Malicious activity
Analysis date: August 02, 2025, 11:32:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python, pyinstaller, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 86D918EE3D64F4B27369D7D51201ABB2
SHA1: 2F2A8CA7DD9D82341B28D536613D6C109B9FA31A
SHA256: CDA57EC672B776287B38EEA787EAED3D4FCA66B297A11F5FDA32BC1675525FD6
SSDEEP: 98304:OD/lgEERnpm+JbsdkrFcXN2ZWVDr0qzFlU/3/Y64RN/JYAIbjQrfmpfaQPpnyQbX:YLheTy9/yT0rCjYT/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • AssetReuploader.exe (PID: 7160)
    • Process drops a legitimate Windows executable
      • AssetReuploader.exe (PID: 7160)
    • The process drops C-runtime libraries
      • AssetReuploader.exe (PID: 7160)
    • Process drops a Python dynamic module
      • AssetReuploader.exe (PID: 7160)
    • Application launched itself
      • AssetReuploader.exe (PID: 7160)
    • Loads Python modules
      • AssetReuploader.exe (PID: 1560)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • AssetReuploader.exe (PID: 1560)
  • INFO
    • Checks supported languages
      • AssetReuploader.exe (PID: 7160)
      • AssetReuploader.exe (PID: 1560)
    • Reads the computer name
      • AssetReuploader.exe (PID: 7160)
    • Creates files in a temporary directory
      • AssetReuploader.exe (PID: 7160)
    • The sample was compiled with English language support
      • AssetReuploader.exe (PID: 7160)
    • PyInstaller has been detected (YARA)
      • AssetReuploader.exe (PID: 7160)
      • AssetReuploader.exe (PID: 1560)
    • Checks proxy server information
      • slui.exe (PID: 3488)
    • Reads the software policy settings
      • slui.exe (PID: 3488)

ims-api

(PID) Process: (1560) AssetReuploader.exe
Discord-Webhook-Tokens (1):
1400832492675530762/USVAN4Hotmy0OZoVjsm5yyVKlCGP_swLsor-1YE7GojpG8DuCYB5-MJolNMe5lFZKmgO
Discord-Info-Links:
1400832492675530762/USVAN4Hotmy0OZoVjsm5yyVKlCGP_swLsor-1YE7GojpG8DuCYB5-MJolNMe5lFZKmgO
Get Webhook Info: https://discord.com/api/webhooks/1400832492675530762/USVAN4Hotmy0OZoVjsm5yyVKlCGP_swLsor-1YE7GojpG8DuCYB5-MJolNMe5lFZKmgO
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:08:01 14:33:03+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
Total processes: 135
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in graph: start, assetreuploader.exe, conhost.exe (no specs), assetreuploader.exe (no specs), slui.exe

Process information

PID: 1560
CMD: "C:\Users\admin\Desktop\AssetReuploader.exe"
Path: C:\Users\admin\Desktop\AssetReuploader.exe
Parent process: AssetReuploader.exe
User: admin
Integrity Level: MEDIUM
Indicators: ims-api (Discord webhook token, listed in the ims-api section above)
Modules (Images):
  • c:\users\admin\desktop\assetreuploader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 2972
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AssetReuploader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3488
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 7160
CMD: "C:\Users\admin\Desktop\AssetReuploader.exe"
Path: C:\Users\admin\Desktop\AssetReuploader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  • c:\users\admin\desktop\assetreuploader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll
Total events: 3 696
Read events: 3 696
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 22
Suspicious files: 1
Text files: 8
Unknown types: 0

Dropped files

All entries below were dropped by PID 7160 (AssetReuploader.exe); type: executable.

  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_cffi_backend.cp312-win_amd64.pyd
    MD5: FCB71CE882F99EC085D5875E1228BDC1
    SHA256: 86F136553BA301C70E7BADA8416B77EB4A07F76CCB02F7D73C2999A38FA5FA5B
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\VCRUNTIME140.dll
    MD5: 862F820C3251E4CA6FC0AC00E4092239
    SHA256: 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_hashlib.pyd
    MD5: 0ABFEE1DB6C16E8DDAFF12CD3E86475B
    SHA256: B4CEC162B985D34AB768F66E8FA41ED28DC2F273FDE6670EEACE1D695789B137
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_queue.pyd
    MD5: 941A3757931719DD40898D88D04690CB
    SHA256: BBE7736CAED8C17C97E2B156F686521A788C25F2004AAE34AB0C282C24D57DA7
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_lzma.pyd
    MD5: E3E7E99B3C2EA56065740B69F1A0BC12
    SHA256: B095FA2EAC97496B515031FBEA5737988B18DEEE86A11F2784F5A551732DDC0C
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\VCRUNTIME140_1.dll
    MD5: 68156F41AE9A04D89BB6625A5CD222D4
    SHA256: 82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_decimal.pyd
    MD5: 82321FB8245333842E1C31F874329170
    SHA256: B7F9603F98EF232A2C5BCE7001D842C01D76ED35171AFBD898E6D17FACF38B56
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_bz2.pyd
    MD5: FE499B0A9F7F361FA705E7C81E1011FA
    SHA256: 160B5218C2035CCCBAAB9DC4CA26D099F433DCB86DBBD96425C933DC796090DF
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_wmi.pyd
    MD5: FDA7D7AADA1D15CAB2ADD2F4BD2E59A1
    SHA256: B0ED1C62B73B291A1B57E3D8882CC269B2FCBB1253F2947DA18D9036E0C985D9
  • C:\Users\admin\AppData\Local\Temp\_MEI71602\_ssl.pyd
    MD5: EEA3E12970E28545A964A95DA7E84E0B
    SHA256: 61F00B0543464BBA61E0BD1128118326C9BD0CDC592854DD1A31C3D6D8DF2B83
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 9
Threats: 0

HTTP requests

  • PID 1268, svchost.exe: GET, HTTP 200, 23.216.77.29:80
    URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    CN: unknown; Reputation: whitelisted
  • PID 5944, MoUsoCoreWorker.exe: GET, HTTP 200, 23.216.77.29:80
    URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    CN: unknown; Reputation: whitelisted
  • PID 1268, svchost.exe: GET, HTTP 200, 95.101.149.131:80
    URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
    CN: unknown; Reputation: whitelisted
  • PID 5944, MoUsoCoreWorker.exe: GET, HTTP 200, 95.101.149.131:80
    URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
    CN: unknown; Reputation: whitelisted
  • PID/Process not listed in the report: POST, HTTP 500, 40.91.76.224:443
    URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
    CN: unknown; Type: xml; Size: 512 b; Reputation: whitelisted
  • PID/Process not listed in the report: POST, HTTP 500, 40.91.76.224:443
    URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
    CN: unknown; Type: xml; Size: 512 b; Reputation: whitelisted

Connections

  • PID 4, System: 192.168.100.255:137; Reputation: whitelisted
  • PID 1268, svchost.exe: 20.73.194.208:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
  • PID 5944, MoUsoCoreWorker.exe: 20.73.194.208:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
  • PID 3288, RUXIMICS.exe: 20.73.194.208:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
  • PID 4, System: 192.168.100.255:138; Reputation: whitelisted
  • PID 1268, svchost.exe: 23.216.77.29:80; Domain: crl.microsoft.com; ASN: Akamai International B.V.; CN: DE; Reputation: whitelisted
  • PID 5944, MoUsoCoreWorker.exe: 23.216.77.29:80; Domain: crl.microsoft.com; ASN: Akamai International B.V.; CN: DE; Reputation: whitelisted
  • PID 1268, svchost.exe: 95.101.149.131:80; Domain: www.microsoft.com; ASN: Akamai International B.V.; CN: NL; Reputation: whitelisted
  • PID 5944, MoUsoCoreWorker.exe: 95.101.149.131:80; Domain: www.microsoft.com; ASN: Akamai International B.V.; CN: NL; Reputation: whitelisted
  • PID 1268, svchost.exe: 4.231.128.59:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.29
  • 23.216.77.25
  • 23.216.77.26
  • 23.216.77.31
  • 23.216.77.43
  • 23.216.77.36
  • 23.216.77.37
  • 23.216.77.21
  • 23.216.77.27
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 13.70.79.200
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info