File name: azahar-2121.2-windows-msvc-installer.exe
Full analysis: https://app.any.run/tasks/0226547f-2681-4b0f-b6c9-f0179a12df4a
Verdict: Malicious activity
Analysis date: June 15, 2025, 20:32:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 3EC1BC41C08E4E5D6D24AE504E9758A8
SHA1: 19BDCE2975758FC265908BE44849CE533AB0ED2A
SHA256: 0636D5AC7DA6FCE7A00815D39D6118E8783563C91ED1F4C3AD32FA8529170FF5
SSDEEP: 196608:Cm4wUMhiWAagl6/OB/l+GLmGmtSCYzq/vpb2QbD0cwovke6eQm1wgokwLXZTj:4f+Il6mB/l+JAeJiQbDL0eRwgkXZTj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • There is functionality for taking screenshot (YARA)
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Executable content was dropped or overwritten
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Creates a software uninstall entry
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • The process creates files with name similar to system file names
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Process drops legitimate windows executable
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
  • INFO
    • Checks supported languages
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Reads the computer name
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Create files in a temporary directory
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Creates files in the program directory
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • The sample compiled with english language support
      • azahar-2121.2-windows-msvc-installer.exe (PID: 2792)
    • Checks proxy server information
      • slui.exe (PID: 4648)
    • Reads the software policy settings
      • slui.exe (PID: 4648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x369f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
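The EXIF block above is a rendering of the PE file header. The parser below reads the same fields (MachineType, TimeStamp, ImageFileCharacteristics, PEType, LinkerVersion, CodeSize, EntryPoint, the three version fields and Subsystem) directly from the COFF and optional headers, so a local copy of the installer can be checked against the report without relying on a third-party PE library. This is an added example, not code from the ANY.RUN report or the Azahar project; build_sample_pe() constructs a minimal header carrying the report's values and is not the installer's real bytes. The TimeStamp is written by the linker and is trivially forgeable, so treat it as a hint about the build, not as evidence.

```python
"""Read the PE header fields the report's EXIF block lists, straight from the bytes.

Added example, not part of the ANY.RUN report. build_sample_pe() is a CONSTRUCTED
minimal PE32 header carrying the report's values, not the installer's actual bytes.
"""
import struct
import sys
from datetime import datetime, timezone

# IMAGE_FILE_* flags from winnt.h, labelled the way the report prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0020, "Large address aware"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
PE32, PE32PLUS = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF and optional-header fields as plain values."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, tstamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # the optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # The version fields (offset 40) and Subsystem (offset 68) sit at the same offsets in PE32 and PE32+.
    os_major, _, img_major, _, sub_major, _ = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "sections": nsections,
        # Linker-written and forgeable: a hint about the build, not evidence.
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": ", ".join(name for bit, name in CHARACTERISTICS if chars & bit),
        "pe_type": "PE32" if magic == PE32 else "PE32+",
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "initialized_data_size": idata,
        "uninitialized_data_size": udata,
        "entry_point": f"0x{entry:x}",
        "os_version": os_major,
        "image_version": img_major,
        "subsystem_version": sub_major,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_pe() -> bytes:
    """CONSTRUCTED header with the report's EXIF values; not the real installer."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine i386, 5 sections, 2025-03-08 23:05:20 UTC, optional header 224 bytes, flags 0x010F
    coff = struct.pack("<HHIIIHH", 0x014C, 5, 1741475120, 0, 0, 224, 0x010F)
    opt = bytearray(224)  # PE32 optional header size
    struct.pack_into("<HBBIIII", opt, 0, PE32, 6, 0, 26624, 139776, 2048, 0x369F)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 6, 0, 4, 0)  # OS / image / subsystem versions
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe_header(blob).items():
        print(f"{key}: {value}")
```

Run it with the path of the downloaded installer as the only argument; with no argument it parses the constructed header and prints the report's values back.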
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

Nodes: start, azahar-2121.2-windows-msvc-installer.exe, slui.exe, azahar-2121.2-windows-msvc-installer.exe (no specs)

Process information

PID 2792
CMD: "C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe"
Path: C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\desktop\azahar-2121.2-windows-msvc-installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID 3656
CMD: "C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe"
Path: C:\Users\admin\Desktop\azahar-2121.2-windows-msvc-installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requires administrator rights, so this MEDIUM-integrity launch was refused; only ntdll was mapped)
Modules (images):
  c:\users\admin\desktop\azahar-2121.2-windows-msvc-installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID 4648
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
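The process table shows the same image twice: one run at MEDIUM integrity that exits with 3221226540 and maps only ntdll, and one at HIGH integrity that exits 0 and does the work. 3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED, which is what process creation returns when the image asks for administrator rights and the caller has none. The script below, an added example that is not code from the ANY.RUN report or the Azahar project, decodes exit codes as NTSTATUS values and pairs each refused run with the elevated run of the same image. PROCESSES is transcribed from the table above; the NTSTATUS names are from ntstatus.h. slui.exe (PID 4648) has svchost.exe as its parent, so it is not part of the sample's tree.

```python
"""Decode report exit codes and find the refused-then-elevated relaunch pattern.

Added example, not part of the ANY.RUN report. PROCESSES is transcribed from the
report's process table; NTSTATUS names are from ntstatus.h.
"""
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

PROCESSES = [
    {"pid": 2792, "image": "azahar-2121.2-windows-msvc-installer.exe", "parent": "explorer.exe",
     "integrity": "HIGH", "exit_code": 0},
    {"pid": 3656, "image": "azahar-2121.2-windows-msvc-installer.exe", "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 4648, "image": "slui.exe", "parent": "svchost.exe",
     "integrity": "MEDIUM", "exit_code": 0},
]


def decode_exit_code(code: int) -> str:
    """Render an exit code; values with NTSTATUS severity ERROR (top two bits 11) are named."""
    u = code & 0xFFFFFFFF
    if u == 0:
        return "0 (success)"
    if u >> 30 == 0b11:
        return f"0x{u:08X} ({NTSTATUS_NAMES.get(u, 'unknown NTSTATUS error')})"
    return f"{u} (application-defined)"


def find_elevation_relaunch(procs):
    """Pair each run that ended in STATUS_ELEVATION_REQUIRED with a successful HIGH-integrity
    run of the same image. Returns a list of (refused_pid, elevated_pid)."""
    by_image = {}
    for p in procs:
        by_image.setdefault(p["image"].lower(), []).append(p)
    pairs = []
    for runs in by_image.values():
        refused = [p for p in runs if (p["exit_code"] & 0xFFFFFFFF) == 0xC000042C]
        elevated = [p for p in runs if p["integrity"].upper() == "HIGH" and p["exit_code"] == 0]
        pairs += [(r["pid"], e["pid"]) for r in refused for e in elevated]
    return pairs


def annotate(procs):
    """One line per process with the exit code decoded."""
    return [f"PID {p['pid']} {p['image']} [{p['integrity']}] parent={p['parent']} "
            f"exit={decode_exit_code(p['exit_code'])}" for p in procs]


if __name__ == "__main__":
    for line in annotate(PROCESSES):
        print(line)
    for refused, elevated in find_elevation_relaunch(PROCESSES):
        print(f"PID {refused} was refused (elevation required); PID {elevated} is the elevated run")
```

The pairing is by image name because the report gives parentage by name only; when a sample launches several differently named stages, extend the match to the parent PID.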
Total events: 3 641
Read events: 3 632
Write events: 9
Delete events: 0

Modification events

All nine writes are by PID 2792 (azahar-2121.2-windows-msvc-installer.exe) under the key
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar

Operation: write  Name: DisplayName      Value: Azahar
Operation: write  Name: UninstallString  Value: C:\Program Files\Azahar\uninst.exe /AllUsers
Operation: write  Name: DisplayIcon      Value: C:\Program Files\Azahar\azahar.exe
Operation: write  Name: DisplayVersion   Value: 2121.2
Operation: write  Name: URLInfoAbout     Value: https://azahar-emu.org/
Operation: write  Name: Publisher        Value: Azahar Emulator Developers
Operation: write  Name: InstallLocation  Value: C:\Program Files\Azahar
Operation: write  Name: EstimatedSize    Value: 89295
Operation: write  Name: Comments         Value: 3DS emulator based on Citra
Executable files: 34
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

All rows are from PID 2792, azahar-2121.2-windows-msvc-installer.exe.

C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\LangDLL.dll (executable)
  MD5: 4B8A750993567AC9A350BA9768FABFA0
  SHA256: 4CF25411F28F639F72156C24B0F66EA42F5AEE5973F6C137D901DA6AE42D5B7E
C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\UserInfo.dll (executable)
  MD5: E6F30908ABFC6F53B7C3C36DAEC4586D
  SHA256: E0DC3112796DBAA37F25AB54B7FAC2FBF791CBC6E36A84FC61C6423B84A3677B
C:\Program Files\Azahar\Qt6Core.dll (executable)
  MD5: B5FDC51AAABE8C0F1B611E003817B3E0
  SHA256: 8A1AF6B5EA341EF0D01573A9005E5C68206CFEF6853B5584E8A737C26C9D9EE7
C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\modern-wizard.bmp (image)
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
C:\Program Files\Azahar\swresample-4.dll (executable)
  MD5: 7EEBA1942A05FE865CF997FC90430093
  SHA256: BAA987629E36F324A77A8922DDBDEA7652A3AE8B5EB55A0F03B475FACDDA8293
C:\Program Files\Azahar\Qt6Widgets.dll (executable)
  MD5: C3241A2E538115DBADDF3A8C283C7966
  SHA256: 6A97350BBFE5518C5E41453062548F493014F8037A70645246549DE33E6CFC17
C:\Program Files\Azahar\qt.conf (text)
  MD5: CE1386D47F6BEEBB2F15436E97203409
  SHA256: 6D421D82AA08563AD1A26D44883C58512127693C42FEB387645111358323FF06
C:\Program Files\Azahar\avcodec-60.dll (executable)
  MD5: 5C9A91C44C5646C0D7D2EE4CF990CB5F
  SHA256: 639F445C807DFEF8A42A5E1BC0B1A19F82FCF2523B46820C60465BD47D8E47A5
C:\Program Files\Azahar\avutil-58.dll (executable)
  MD5: 203009102EEF773A714CF83515723B4F
  SHA256: A8DA1BCEC215E8B002C4F8DA2DDBC340D93937C93C480CD30D42B1D506F77A7C
C:\Program Files\Azahar\avformat-60.dll (executable)
  MD5: AAF5E285E8E8ED6A6E428B52728ED18E
  SHA256: 17E49A141502A26655CB3ADEC68C45EA19491E713EEA13B1C3C35E458E77CC1D
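The file info line identifies the sample as a Nullsoft (NSIS) installer, and the drops into C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\ are the NSIS plug-in directory: an NSIS installer unpacks the plug-in DLLs its script uses (System.dll, LangDLL.dll, UserInfo.dll and so on) there for the duration of the install, which is what the "System.dll in Temp" and "files with name similar to system file names" signatures above are reacting to. That makes the plug-in directory expected behaviour for any NSIS package; the drops worth reading are the ones that land anywhere other than that directory or the InstallLocation written to the uninstall key. The script below sorts the listed drops accordingly. It is an added example, not code from the ANY.RUN report or the Azahar project; DROPPED is transcribed from the ten rows shown above (the report counts 34 executables in total), and STOCK_NSIS_PLUGINS is this example's own list of plug-ins that ship with NSIS. A plug-in sitting in the expected directory says nothing about what the installer script does with it.

```python
"""Sort a report's dropped files into NSIS plug-in dir / install dir / elsewhere.

Added example, not part of the ANY.RUN report. DROPPED is transcribed from the
ten rows the report shows; STOCK_NSIS_PLUGINS is this example's own list.
"""
import re

INSTALL_LOCATION = r"C:\Program Files\Azahar"  # InstallLocation from the report's uninstall key

# <drive>:\Users\<user>\AppData\Local\Temp\ns<id>.tmp\  (the NSIS $PLUGINSDIR)
NSIS_PLUGIN_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\ns[0-9a-z]+\.tmp\\", re.I)

# Plug-ins that ship with NSIS itself; anything else in $PLUGINSDIR came with the package.
STOCK_NSIS_PLUGINS = {"system.dll", "langdll.dll", "userinfo.dll", "nsdialogs.dll",
                      "startmenu.dll", "nsexec.dll", "splash.dll", "banner.dll"}

DROPPED = [  # (pid, path, type) as printed in the report
    (2792, r"C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\LangDLL.dll", "executable"),
    (2792, r"C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\UserInfo.dll", "executable"),
    (2792, r"C:\Program Files\Azahar\Qt6Core.dll", "executable"),
    (2792, r"C:\Users\admin\AppData\Local\Temp\nsu74C4.tmp\modern-wizard.bmp", "image"),
    (2792, r"C:\Program Files\Azahar\swresample-4.dll", "executable"),
    (2792, r"C:\Program Files\Azahar\Qt6Widgets.dll", "executable"),
    (2792, r"C:\Program Files\Azahar\qt.conf", "text"),
    (2792, r"C:\Program Files\Azahar\avcodec-60.dll", "executable"),
    (2792, r"C:\Program Files\Azahar\avutil-58.dll", "executable"),
    (2792, r"C:\Program Files\Azahar\avformat-60.dll", "executable"),
]


def classify(path: str, install_location: str) -> str:
    """One of: nsis-stock-plugin, nsis-plugins-dir, install-dir, outside-expected-locations."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if NSIS_PLUGIN_DIR.match(low):
        return "nsis-stock-plugin" if name in STOCK_NSIS_PLUGINS else "nsis-plugins-dir"
    if low.startswith(install_location.lower().rstrip("\\") + "\\"):
        return "install-dir"
    return "outside-expected-locations"


def summarize(dropped, install_location):
    """Count each class and list what a reviewer should open: anything outside the two
    expected locations, plus executables in the plug-in directory that are not stock."""
    counts, flagged = {}, []
    for pid, path, ftype in dropped:
        cls = classify(path, install_location)
        counts[cls] = counts.get(cls, 0) + 1
        if cls == "outside-expected-locations" or (cls == "nsis-plugins-dir" and ftype == "executable"):
            flagged.append((pid, path, cls))
    return {"counts": counts, "flagged": flagged}


if __name__ == "__main__":
    result = summarize(DROPPED, INSTALL_LOCATION)
    print(result["counts"])
    for row in result["flagged"]:
        print("review:", row)
```

For the ten rows shown, everything lands in one of the two expected places and nothing is flagged; the remaining 24 executables the report counts are only in the full report and should be run through the same filter before drawing a conclusion.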
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 40
DNS requests: 17
Threats: 0

HTTP requests

Fields: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation

1268 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
4236 | RUXIMICS.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
4236 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
(no PID/process listed) | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | CN: unknown | xml | 11.1 Kb | whitelisted
(no PID/process listed) | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | CN: unknown | xml | 11.0 Kb | whitelisted
(no PID/process listed) | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | CN: unknown | xml | 10.3 Kb | whitelisted
(no PID/process listed) | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | CN: unknown

Connections

Fields: PID | Process | IP:port | Domain | ASN | CN | Reputation

5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | (no domain/ASN/CN listed) | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4236 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | (no domain/ASN/CN listed) | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4236 | RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Fields: Domain | resolved IPs | Reputation

settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19, 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.181.156 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 40.126.32.133, 20.190.160.14, 20.190.160.3, 40.126.32.136, 20.190.160.128, 40.126.32.74, 20.190.160.5, 40.126.32.134 | whitelisted
nexusrules.officeapps.live.com | 52.111.243.29 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
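Every HTTP request and connection in the tables above that carries a PID belongs to svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe or System, none of which is in the sample's process tree; a sandbox records the guest's own CRL fetches, settings and update traffic and Microsoft-account sign-in whether or not the sample touches the network. The script below, an added example that is not code from the ANY.RUN report or the Azahar project, attributes each row to the sample's tree, to background processes, or to nothing when the report prints no PID. PROCESSES, HTTP and CONNECTIONS are transcribed from the tables above. Rows without a PID are left unattributed rather than guessed, and the DNS table has no PID column at all, so it cannot be attributed this way. Parentage is matched by image name because that is all the report gives, which over-includes when several processes share a name.

```python
"""Attribute a sandbox report's network rows to the sample's process tree.

Added example, not part of the ANY.RUN report. PROCESSES, HTTP and CONNECTIONS are
transcribed from the report's tables; rows printed without a PID carry pid=None.
"""
SAMPLE_IMAGE = "azahar-2121.2-windows-msvc-installer.exe"

PROCESSES = [  # (pid, image, parent image)
    (2792, SAMPLE_IMAGE, "explorer.exe"),
    (3656, SAMPLE_IMAGE, "explorer.exe"),
    (4648, "slui.exe", "svchost.exe"),
]

HTTP = [  # (pid, process, method, status, remote, url)
    (1268, "svchost.exe", "GET", 200, "2.16.241.12:80", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "2.16.241.12:80", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (4236, "RUXIMICS.exe", "GET", 200, "2.16.241.12:80", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (1268, "svchost.exe", "GET", 200, "95.101.149.131:80", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "95.101.149.131:80", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (4236, "RUXIMICS.exe", "GET", 200, "95.101.149.131:80", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (None, None, "POST", 200, "20.190.159.23:443", "https://login.live.com/RST2.srf"),
    (None, None, "POST", 200, "20.190.159.2:443", "https://login.live.com/RST2.srf"),
    (None, None, "POST", 200, "20.190.159.2:443", "https://login.live.com/RST2.srf"),
    (None, None, "GET", 304, "52.149.20.212:443", "https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL"),
]

CONNECTIONS = [  # (pid, process, remote, domain or None)
    (5944, "MoUsoCoreWorker.exe", "51.124.78.146:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:137", None),
    (1268, "svchost.exe", "51.124.78.146:443", "settings-win.data.microsoft.com"),
    (4236, "RUXIMICS.exe", "51.124.78.146:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (5944, "MoUsoCoreWorker.exe", "2.16.241.12:80", "crl.microsoft.com"),
    (1268, "svchost.exe", "2.16.241.12:80", "crl.microsoft.com"),
    (4236, "RUXIMICS.exe", "2.16.241.12:80", "crl.microsoft.com"),
    (5944, "MoUsoCoreWorker.exe", "95.101.149.131:80", "www.microsoft.com"),
    (1268, "svchost.exe", "95.101.149.131:80", "www.microsoft.com"),
]


def sample_tree(processes, root_image):
    """PIDs of every run of root_image plus any process whose parent image is already in the tree."""
    pids, images, grew = set(), {root_image.lower()}, True
    while grew:  # iterate until no new descendant is found
        grew = False
        for pid, image, parent in processes:
            if pid not in pids and (image.lower() in images or parent.lower() in images):
                pids.add(pid)
                images.add(image.lower())
                grew = True
    return pids


def attribute(rows, tree_pids):
    """Split rows into: from the sample's tree, background (counted per process), and no PID."""
    out = {"sample": [], "background": {}, "unattributed": []}
    for row in rows:
        pid, proc = row[0], row[1]
        if pid is None:
            out["unattributed"].append(row)
        elif pid in tree_pids:
            out["sample"].append(row)
        else:
            out["background"][proc] = out["background"].get(proc, 0) + 1
    return out


if __name__ == "__main__":
    tree = sample_tree(PROCESSES, SAMPLE_IMAGE)
    result = attribute(HTTP + CONNECTIONS, tree)
    print("sample tree PIDs:", sorted(tree))
    print("rows from the sample:", result["sample"] or "none")
    print("background rows per process:", result["background"])
    print("rows without a PID:", len(result["unattributed"]))
```

For this report the sample list comes back empty and the four rows without a PID (three login.live.com POSTs and the slscr.update.microsoft.com GET) stay unattributed; they are the ones to check in the PCAP from the full report before concluding that the installer made no connections.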

Threats

No threats detected
No debug info