File name: 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe

Full analysis: https://app.any.run/tasks/54c4e052-0706-4f85-a765-74e04ed881da
Verdict: Malicious activity
Analysis date: October 03, 2025, 17:43:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: m0yv
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: E490EF4E13C1EEC865630B9275B8523C
SHA1: 33E711FE3FEA2B35E06940F65F44DE5072E4C42E
SHA256: 9090AA1BC10D0EDBCF529BF15DE9C8E24F4614680FEF219037B3CB3567AAF819
SSDEEP: 49152:m+syZaLQB8Poo71k1C/xH0lWV0rgtPtsvIhgd9jeWRn1:m+syZaLqFo71k12PV3Ftvgd9/n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe (PID: 5648)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe (PID: 5648)
    • Creates files or folders in the user directory

      • 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe (PID: 5648)
    • Disables trace logs

      • 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe (PID: 5648)
    • Reads the computer name

      • 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe (PID: 5648)
    • Checks proxy server information

      • slui.exe (PID: 6720)
    • Reads the software policy settings

      • slui.exe (PID: 6720)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:03:16 09:13:33+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 434176
InitializedDataSize: 172032
UninitializedDataSize: -
EntryPoint: 0x346e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 170
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Process information

PID: 5648
CMD: "C:\Users\admin\Desktop\9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe"
Path: C:\Users\admin\Desktop\9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

PID: 6720
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 169
Read events: 4 153
Write events: 16
Delete events: 0

Modification events

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5648) 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

Executable files: 0
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 5648
Process: 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin
Type: binary
MD5: 5D2E24AB4A0E1F34D3AFC792D0681AEE
SHA256: CD633B1AAC0CF1AFAE1D90A5ABDA6F0798861A90D915660601DE2C2E91F9330B

PID: 5648
Process: 9090aa1bc10d0edbcf529bf15de9c8e24f4614680fef219037b3cb3567aaf819.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
Type: text
MD5: 354CC6C02025DCFF35D1FBA31CCE598C
SHA256: 519C5CEC0FC6334BF688572095440901D4342BB1544F9464CC6F99C422708224

HTTP(S) requests: 26
TCP/UDP connections: 43
DNS requests: 16
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.192.36.137:443
https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&cc=US&setlang=en-us&clientDateTime=10%2F3%2F2025%2C%205%3A43%3A20%20PM
US
unknown
POST
204
23.192.36.142:443
https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1
US
unknown
GET
200
23.192.36.142:443
https://www.bing.com/th?id=ODSWG.8229b0e5-fa8c-4e4a-af74-69717698b903&pid=dsb
US
4.62 Kb
unknown
POST
200
40.126.31.69:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
unknown
POST
200
40.126.31.69:443
https://login.live.com/RST2.srf
US
xml
11.2 Kb
unknown
GET
200
23.192.36.137:443
https://www.bing.com/th?id=ODSWG.31bcf3d1-4df8-4c6a-9b3a-447ced8d6c39&pid=dsb
US
unknown
POST
200
40.126.31.69:443
https://login.live.com/RST2.srf
US
xml
11.0 Kb
unknown
POST
200
20.190.159.128:443
https://login.live.com/RST2.srf
US
xml
11.3 Kb
unknown
POST
200
20.190.159.128:443
https://login.live.com/RST2.srf
US
xml
11.3 Kb
unknown
POST
200
40.126.32.138:443
https://login.live.com/RST2.srf
US
xml
11.3 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6904
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6016
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5948
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5224
SearchApp.exe
2.16.241.201:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2396
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4696
backgroundTaskHost.exe
2.16.241.201:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4652
backgroundTaskHost.exe
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3464
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.207
  • 2.16.241.205
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.3
  • 40.126.31.67
  • 40.126.31.130
  • 20.190.159.130
  • 20.190.159.129
  • 40.126.31.128
  • 20.190.159.68
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

Class: Unknown Traffic
Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info