File name: 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe

Full analysis: https://app.any.run/tasks/03c4bbcb-a03b-45ce-ab3d-1a17d33741a3
Verdict: Malicious activity
Analysis date: September 03, 2025, 17:03:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: DCCF12E0B93FB600A10A38FEB5255706
SHA1: 68BA2833A5ACF1FA144EAC95DA4159912236A2D7
SHA256: 87E67E2B3B280A208DD9E372BF6E9A0A046614200B6297708A592A0C4EE78915
SSDEEP: 6144:NnNZb4rRvcYIO7zxqLKSdHmCQxPK7wN6xxhu8w3pg5xAcTciQpWUUUUUUUUUUU4:NNGrREYtyKSJh7wN6xxhun5g5nT9UG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • Changes the AppInit_DLLs value (autorun option)

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • Process drops legitimate windows executable

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
  • INFO

    • Reads the computer name

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • Checks supported languages

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • The sample compiled with english language support

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • Checks proxy server information

      • slui.exe (PID: 3740)
    • Create files in a temporary directory

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • Failed to create an executable file in Windows directory

      • 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe (PID: 6504)
    • Reads the software policy settings

      • slui.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:11:14 09:42:11+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 173056
InitializedDataSize: 254464
UninitializedDataSize: -
EntryPoint: 0x16334
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.17.13.4201
ProductVersionNumber: 7.17.13.4201
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NVIDIA Corporation
FileDescription: Stereo Vision Control Panel API Server
FileVersion: 7.17.13.4201
InternalName: nvSCPAPISvr.exe
LegalCopyright: (C) 2016 NVIDIA Corporation. All rights reserved.
OriginalFileName: nvSCPAPISvr.exe
ProductName: Stereo Vision Control Panel API Server
ProductVersion: 7.17.13.4201
screenshot
All screenshots are available in the full report
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, 87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe, slui.exe (interactive graph available in the full report)

Process information

PID: 3740
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 6504
CMD: "C:\Users\admin\Desktop\87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe"
Path: C:\Users\admin\Desktop\87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe
Parent process: explorer.exe
User: admin
Company: NVIDIA Corporation
Integrity Level: MEDIUM
Description: Stereo Vision Control Panel API Server
Exit code: 0
Version: 7.17.13.4201
Modules (images):
  c:\users\admin\desktop\87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\setupapi.dll
Total events: 3 527
Read events: 3 524
Write events: 3
Delete events: 0

Modification events

PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: AppInit_DLLs
Value: C:\Users\admin\AppData\Local\Temp\conres.dll

PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: LoadAppInit_DLLs
Value: 1

PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: RequireSignedAppInit_DLLs
Value: 0
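These three writes are the entire persistence mechanism. AppInit_DLLs names a DLL, LoadAppInit_DLLs = 1 tells user32.dll to load it into every process that loads user32.dll, and RequireSignedAppInit_DLLs = 0 switches off the code-signing check that would otherwise reject an unsigned DLL. Two caveats for triage: the key written is the WOW6432Node view, so it affects 32-bit processes only (the sample itself is 32-bit and runs under WOW64, as the wow64*.dll entries in its module list show); 64-bit processes read the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key, and this report records no write to it. And on Windows 8 and later with Secure Boot enabled, Windows disables AppInit_DLLs loading regardless of these values, so the same sample may gain no persistence on a modern UEFI host. The dropped DLL's MD5 and SHA256 are listed under Dropped files below and are the hunting artifact.

The script below is an added example, not ANY.RUN code. It parses registry-write records in the layout used in this section, groups them per process and key, and rates how much of the triad is present; the record text embedded in it is constructed from this report's three writes. The field names, the "user-writable path" heuristic and the severity scale are the example's own.

```python
"""Flag AppInit_DLLs persistence in a sandbox's registry-write records.

Added example (not ANY.RUN code). SAMPLE is constructed to mirror the three
writes in this report's "Modification events" section, in the layout
  PID <n> (<process>)
  Key: <registry key>
  Operation: <write|delete|...>
  Name: <value name>
  Value: <data>
"""
import re
from collections import defaultdict

# Constructed sample: the three writes made by PID 6504 in this report.
SAMPLE = r"""
PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: AppInit_DLLs
Value: C:\Users\admin\AppData\Local\Temp\conres.dll
PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: LoadAppInit_DLLs
Value: 1
PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Operation: write
Name: RequireSignedAppInit_DLLs
Value: 0
"""

PID_RE = re.compile(r"^PID (?P<pid>\d+) \((?P<proc>.+)\)$")
FIELD_RE = re.compile(r"^(?P<field>Key|Operation|Name|Value): ?(?P<data>.*)$")
# Both registry views Windows consults for AppInit_DLLs end with this path:
#   64-bit processes: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
#   32-bit processes: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
APPINIT_KEY_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows$", re.I)
# Heuristic (example's own): directories a standard user can write to.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def parse_records(text):
    """Parse the record layout above into dicts; incomplete records are dropped."""
    records, cur = [], None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            cur = {"pid": int(m["pid"]), "process": m["proc"]}
            records.append(cur)
            continue
        f = FIELD_RE.match(line)
        if f and cur is not None:
            cur[f["field"].lower()] = f["data"]
    return [r for r in records if {"key", "operation", "name", "value"}.issubset(r)]


def find_appinit_persistence(records):
    """One finding per (pid, key) whose writes assemble the AppInit_DLLs triad."""
    by_target = defaultdict(dict)
    for r in records:
        if r["operation"].lower() == "write" and APPINIT_KEY_RE.search(r["key"]):
            by_target[(r["pid"], r["key"])][r["name"].lower()] = r["value"].strip()
    findings = []
    for (pid, key), vals in by_target.items():
        dll = vals.get("appinit_dlls", "")
        if not dll:  # an empty AppInit_DLLs is the default and benign
            continue
        findings.append({
            "pid": pid,
            "view": "32-bit (WOW6432Node)" if "wow6432node" in key.lower() else "64-bit (native)",
            "dll": dll,
            "load_enabled": vals.get("loadappinit_dlls") == "1",
            "signing_disabled": vals.get("requiresignedappinit_dlls") == "0",
            "user_writable_path": bool(USER_WRITABLE_RE.match(dll)),
        })
    return findings


def severity(finding):
    """high: loading enabled, signature check off, DLL in a user-writable dir."""
    hits = sum((finding["load_enabled"], finding["signing_disabled"],
                finding["user_writable_path"]))
    return {3: "high", 2: "medium"}.get(hits, "low")


if __name__ == "__main__":
    for f in find_appinit_persistence(parse_records(SAMPLE)):
        print(severity(f).upper(), f)
```

Run as a script it prints one HIGH finding for PID 6504 in the 32-bit view. Feed it records from other reports to cover both views, since a write to only one view is still persistence for processes of that bitness; a finding with load_enabled false is worth keeping too, because a later LoadAppInit_DLLs = 1 write by another process completes it.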
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 6504 (87e67e2b3b280a208dd9e372bf6e9a0a046614200b6297708a592a0c4ee78915.exe)
Filename: C:\Users\admin\AppData\Local\Temp\conres.dll
Type: executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
HTTP(S) requests: 34
TCP/UDP connections: 51
DNS requests: 20
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation ("-" = not listed in the report)

5944 | MoUsoCoreWorker.exe | GET | 200 | 2.19.117.91:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | GB | binary | 825 b | whitelisted
4012 | RUXIMICS.exe | GET | 200 | 2.19.117.91:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | GB | binary | 825 b | whitelisted
4012 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
- | - | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | unknown
- | - | POST | 400 | 20.190.160.5:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 20.190.160.20:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 20.190.160.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 200 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 16.7 Kb | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" = not listed in the report)

5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4012 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.19.117.91:80 | crl.microsoft.com | Akamai International B.V. | GB | whitelisted
4012 | RUXIMICS.exe | 2.19.117.91:80 | crl.microsoft.com | Akamai International B.V. | GB | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4012 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 2.19.117.91
  • 2.19.117.84
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.37.198.101
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.128
  • 20.190.159.2
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.131
  • 20.190.159.23
  • 40.126.31.2
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
self.events.data.microsoft.com
  • 20.189.173.14
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info