File name:

azahar-2121.2-windows-msvc-installer.exe

Full analysis: https://app.any.run/tasks/0226547f-2681-4b0f-b6c9-f0179a12df4a
Verdict: Malicious activity
Analysis date: June 15, 2025, 20:32:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

3EC1BC41C08E4E5D6D24AE504E9758A8

SHA1:

19BDCE2975758FC265908BE44849CE533AB0ED2A

SHA256:

0636D5AC7DA6FCE7A00815D39D6118E8783563C91ED1F4C3AD32FA8529170FF5

SSDEEP:

196608:Cm4wUMhiWAagl6/OB/l+GLmGmtSCYzq/vpb2QbD0cwovke6eQm1wgokwLXZTj:4f+Il6mB/l+JAeJiQbDL0eRwgkXZTj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • There is functionality for taking screenshot (YARA)

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • Process drops legitimate windows executable

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • The process creates files with name similar to system file names

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • Creates a software uninstall entry

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

  • INFO

    • Creates files in the program directory

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • Checks proxy server information

      • slui.exe (PID: 4648)

    • Create files in a temporary directory

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • Checks supported languages

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • The sample compiled with english language support

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)

    • Reads the software policy settings

      • slui.exe (PID: 4648)

    • Reads the computer name

      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x369f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start azahar-2121.2-windows-msvc-installer.exe slui.exe azahar-2121.2-windows-msvc-installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2792"C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe" C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\azahar-2121.2-windows-msvc-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3656"C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe" C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\azahar-2121.2-windows-msvc-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4648C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 641
Read events
3 632
Write events
9
Delete events
0

Modification events

(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:DisplayName
Value:
Azahar
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:UninstallString
Value:
C:\Program Files\Azahar\uninst.exe /AllUsers
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:DisplayIcon
Value:
C:\Program Files\Azahar\azahar.exe
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:DisplayVersion
Value:
2121.2
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:URLInfoAbout
Value:
https://azahar-emu.org/
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:Publisher
Value:
Azahar Emulator Developers
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:InstallLocation
Value:
C:\Program Files\Azahar
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:EstimatedSize
Value:
89295
(PID) Process:(2792) azahar-2121.2-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:Comments
Value:
3DS emulator based on Citra
Executable files
34
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Multimedia.dllexecutable
MD5:BDD2401C24E694769007D290744FA00B
SHA256:D65D749813C1778264115EBD03ECCCD87628DD1432A03560F13B009330459306
2792azahar-2121.2-windows-msvc-installer.exeC:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\LangDLL.dllexecutable
MD5:4B8A750993567AC9A350BA9768FABFA0
SHA256:4CF25411F28F639F72156C24B0F66EA42F5AEE5973F6C137D901DA6AE42D5B7E
2792azahar-2121.2-windows-msvc-installer.exeC:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\avcodec-60.dllexecutable
MD5:5C9A91C44C5646C0D7D2EE4CF990CB5F
SHA256:639F445C807DFEF8A42A5E1BC0B1A19F82FCF2523B46820C60465BD47D8E47A5
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\avformat-60.dllexecutable
MD5:AAF5E285E8E8ED6A6E428B52728ED18E
SHA256:17E49A141502A26655CB3ADEC68C45EA19491E713EEA13B1C3C35E458E77CC1D
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Concurrent.dllexecutable
MD5:B6E82281429DDE3CE8B5017844292C06
SHA256:A406D29C40F481A2EECDA2DF125AD0FB39DD82F43EF4EF14786520B5680D8427
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Gui.dllexecutable
MD5:817B182E009F388672445E69144F8543
SHA256:CFCE665B7C477EBFF815FB27A9B55D0B629183C0CECB5282A87BAD666D76DAA8
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Network.dllexecutable
MD5:794760C25A8DE30DCB152808DD5B7416
SHA256:F6702966E341D9A2F1707DF5833DB984205B3717FB5CE3CD2A37383AC347905D
2792azahar-2121.2-windows-msvc-installer.exeC:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\UserInfo.dllexecutable
MD5:E6F30908ABFC6F53B7C3C36DAEC4586D
SHA256:E0DC3112796DBAA37F25AB54B7FAC2FBF791CBC6E36A84FC61C6423B84A3677B
2792azahar-2121.2-windows-msvc-installer.exeC:\Program Files\Azahar\azahar-room.exeexecutable
MD5:C43C6C6E373C01ACB980D1BA1A82FE58
SHA256:5291A355BA88B23ABF3F87F431D7F3BE9C2A98AA2D0D16A73B8B851F518CA017
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
40
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
POST
200
20.190.159.23:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
4236
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1728
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1728
SIHClient.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1728
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1728
SIHClient.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4236
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4236
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.128
  • 40.126.32.74
  • 20.190.160.5
  • 40.126.32.134
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
azahar-2121.2-windows-msvc-installer.exe