File name: 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe

Full analysis: https://app.any.run/tasks/401f3b0b-706b-43d4-a13d-d458b54a7eaa
Verdict: Malicious activity
Analysis date: August 25, 2025, 15:59:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
m0yv
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 9BB638D2BD0DA923611BD1F43E3EC8E3
SHA1: B3C42F66ED2A7DCEEAAA9373696385B2B140D321
SHA256: 9810ABE54BB4D5B0960117EA93AEE6490E8056883CFA3DA8056A80B72F1048FB
SSDEEP: 98304:SR6IieGEMcgumGaoZT5KwpKdihvdPtnEYJMV48DmgGV1k4OSlGpXFpnwSjAwb9rj:VEMwPhm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
      • FlashPlayerUpdateService.exe (PID: 4744)
    • M0YV has been detected (YARA)

      • armsvc.exe (PID: 3948)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2492)
    • Process drops legitimate windows executable

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Executes as Windows Service

      • armsvc.exe (PID: 3948)
      • FlashPlayerUpdateService.exe (PID: 4744)
    • Executable content was dropped or overwritten

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Reads security settings of Internet Explorer

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
  • INFO

    • The sample compiled with english language support

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Checks supported languages

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
      • armsvc.exe (PID: 3948)
      • FlashPlayerUpdateService.exe (PID: 4744)
    • Creates files or folders in the user directory

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Reads the computer name

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
      • armsvc.exe (PID: 3948)
      • FlashPlayerUpdateService.exe (PID: 4744)
    • Reads the machine GUID from the registry

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Reads Environment values

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Checks proxy server information

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
      • slui.exe (PID: 3932)
    • Creates files in the program directory

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Create files in a temporary directory

      • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID: 2232)
    • Reads the software policy settings

      • slui.exe (PID: 3932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2097:04:06 21:46:11+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 2671616
InitializedDataSize: 972288
UninitializedDataSize: -
EntryPoint: 0xc73d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 25.140.720.1
ProductVersionNumber: 25.140.720.1
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft OneDriveFileSyncHelper
InternalName: Microsoft OneDrive
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: FileSyncHelper.exe
ProductName: Microsoft OneDrive
FileVersion: 25.140.0720.0001
ProductVersion: 25.140.0720.0001
SpecialBuild: b/build/4f7ccf56-ab68-aa2a-a4b8-037b11d24d9a
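The version block above says Microsoft OneDrive, yet the process table shows the file running from the user's Desktop, and the PE timestamp decodes to a date in 2097. The script below is an added example (not part of the ANY.RUN report and not code from the sample) that reads those EXIF-style fields, transcribed from this page as constructed input, and turns them into triage findings. The list of install roots where a Microsoft-branded binary is expected, the choice of the analysis date as the reference point, and the wording of the findings are this example's own assumptions. One caveat it builds in: Microsoft's reproducible builds store a hash rather than a date in TimeDateStamp, so a future timestamp on a Microsoft binary is common and is only worth noting in combination with the execution path.

```python
"""Static sanity checks over the PE/version metadata shown in a sandbox report.

Added example. Input is the EXIF block from the page, transcribed below as
constructed 'Key: Value' lines. EXPECTED_MS_ROOTS and the finding texts are
assumptions of this example, not something the report defines.
"""
from datetime import datetime, timezone

# Constructed input: the EXIF fields from the report, one "Key: Value" per line.
EXIF_TEXT = """\
TimeStamp: 2097:04:06 21:46:11+00:00
LinkerVersion: 14.42
FileFlags: Special build
CompanyName: Microsoft Corporation
FileDescription: Microsoft OneDriveFileSyncHelper
OriginalFileName: FileSyncHelper.exe
ProductName: Microsoft OneDrive
FileVersion: 25.140.0720.0001
"""

# Analysis date from the report header, used as "now" for the timestamp check.
ANALYSIS_DATE = datetime(2025, 8, 25, 15, 59, 22, tzinfo=timezone.utc)

# Assumption: roots under which a Microsoft-branded binary would normally live.
EXPECTED_MS_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_exif(text: str) -> dict:
    """Turn 'Key: Value' lines into a dict; values keep their original text."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_exiftool_timestamp(value: str) -> datetime:
    """ExifTool prints IMAGE_FILE_HEADER.TimeDateStamp as 'YYYY:MM:DD HH:MM:SS+00:00'."""
    date_part, time_part = value.split(" ", 1)
    time_part = time_part.split("+", 1)[0]  # drop the "+00:00" zone suffix
    y, mo, d = (int(x) for x in date_part.split(":"))
    h, mi, s = (int(x) for x in time_part.split(":"))
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def timestamp_to_raw(ts: datetime) -> int:
    """The raw seconds-since-epoch value as stored in the 32-bit header field."""
    return int(ts.timestamp())


def check_metadata(fields: dict, run_path: str, analysis_date: datetime = ANALYSIS_DATE) -> list:
    """Return short findings; an empty list means nothing in the metadata stood out."""
    findings = []
    ts = parse_exiftool_timestamp(fields["TimeStamp"])
    raw = timestamp_to_raw(ts)
    if not 0 <= raw <= 0xFFFFFFFF:
        findings.append("timestamp does not fit the 32-bit TimeDateStamp field")
    elif ts > analysis_date:
        # Weak on its own: Microsoft reproducible builds put a hash in this field,
        # so genuine Microsoft binaries routinely carry impossible dates.
        findings.append(f"compile timestamp {ts.date()} is after the analysis date")
    company = fields.get("CompanyName", "")
    if "microsoft" in company.lower() and not run_path.lower().startswith(EXPECTED_MS_ROOTS):
        findings.append(f"claims {company!r} but ran from {run_path}")
    return findings


if __name__ == "__main__":
    sample_path = (r"C:\Users\admin\Desktop"
                   r"\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe")
    for finding in check_metadata(parse_exif(EXIF_TEXT), sample_path):
        print("-", finding)
```

Run against the Desktop path from the process table it reports both findings; run against a path under C:\Program Files only the timestamp remains, which is the point of the caveat: the path, not the date, is what separates this run from a normal OneDrive update.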
All screenshots are available in the full report
Total processes: 139
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes, in order from start:
  • #M0YV 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe
  • #M0YV armsvc.exe (no specs)
  • #M0YV flashplayerupdateservice.exe (no specs)
  • slui.exe
  • 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (no specs)

Process information

PID: 2232
CMD: "C:\Users\admin\Desktop\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe"
Path: C:\Users\admin\Desktop\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft OneDriveFileSyncHelper
Exit code: 0
Version: 25.140.0720.0001
Modules (images):
  • c:\users\admin\desktop\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\propsys.dll
PID: 2492
CMD: "C:\Users\admin\Desktop\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe"
Path: C:\Users\admin\Desktop\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFileSyncHelper
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; this second, non-elevated instance loaded only ntdll.dll before exiting)
Version: 25.140.0720.0001
Modules (images):
  • c:\users\admin\desktop\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe
  • c:\windows\system32\ntdll.dll
PID: 3932
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 3948
CMD: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe Inc.
Integrity Level: SYSTEM
Description: Acrobat Update Service
Exit code: - (still running when the analysis ended)
Version: 1.824.460.1042
Modules (images):
  • c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\user32.dll
  • c:\windows\syswow64\win32u.dll

PID: 4744
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe
Integrity Level: SYSTEM
Description: Adobe® Flash® Player Update Service 32.0 r0
Exit code: 0
Version: 32,0,0,465
Modules (images):
  • c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\user32.dll
  • c:\windows\syswow64\win32u.dll
Total events: 3 920
Read events: 3 919
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3948) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 1628546
Executable files: 3
Suspicious files: 9
Text files: 1
Unknown types: 0

Dropped files

All entries below were written by 9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe (PID 2232).

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\standaloneUpdaterTelemetryCache.otc-journal
Type: binary
MD5: E5F7CC66329E9BAC7D3DDAD384D9A4BE
SHA256: 195461E643F72E74FBFC01E198CE3EB20C2256EA003B05215C891A2C1F7C2F18

Filename: C:\Users\admin\AppData\Local\Temp\.ses
Type: text
MD5: ABAD99DB04788E09E6596266B7E39398
SHA256: 1024A5F643498662D3098CB3DB0D22CF74DDFC0FC98FAD89E67BF24D3D3B75F2

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\FileSyncHelper-2025-08-25.1559.2232.1.aodl
Type: binary
MD5: B0B5ECC1D294F9D35E9A43B3B9E7E5A0
SHA256: BA2AD4E03D6068C3F6A0D2989DCAE3F30CD7C3EF43119C0873EC5E427B85C4D0

Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin
Type: binary
MD5: A0B71BD11E058AAA9E7B70E5EE418793
SHA256: 9841BBF4CED43862C2B8A9CBFCCD6A343B23BA86C86E5DE1D3FBACB0F220C0EA

Filename: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Type: executable
MD5: A9C92E0458547A584EBCC53280144C89
SHA256: 552EF8216BC27D3C747063D1860B0997DEC555C8B5987FBCCC1917E27C332588

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\FileSyncHelper-2025-08-25.1559.2232.2.aodl
Type: binary
MD5: 2A8A0A38247FC67B92BE6D5DDC5EAEDE
SHA256: A0421B5949FE261FF5B10CA794635054FAF803B2E2301E3DE24A9A1CE49C2694

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\standaloneUpdaterTelemetryCache.otc-wal
Type: binary
MD5: 120E8D9E1E92BA2FF3C6234135F949E6
SHA256: AC3D9965315E72ED052D36D47EDB73A2656E46B0B38903F746E1B7205DBC2DC3

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\standaloneUpdaterTelemetryCache.otc
Type: binary
MD5: F138A66469C10D5761C6CBB36F2163C3
SHA256: C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\standaloneUpdaterTelemetryCache.otc-shm
Type: binary
MD5: 9C6F2FA65688FC54ED0EDCECD7EE9345
SHA256: 463EF663962BA059E7F5276145BD38C66BBF9DE62DEAFE5B5A26947CF62B73FE

Filename: C:\Program Files\Microsoft OneDrive\FileSyncHelper\logs\FileSyncHelper-2025-08-25.1559.2232.1.odl
Type: binary
MD5: B0B5ECC1D294F9D35E9A43B3B9E7E5A0
SHA256: BA2AD4E03D6068C3F6A0D2989DCAE3F30CD7C3EF43119C0873EC5E427B85C4D0
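The two tables that matter most in this report are the process list and the dropped files: the sample (PID 2232) writes armsvc.exe into the Adobe ARM directory, and the process list then shows that same path started by services.exe as SYSTEM (PID 3948) with a YARA hit for M0YV, while FlashPlayerUpdateService.exe (PID 4744) also runs under services.exe carrying the M0YV mutex without appearing in the dropped-file list. The script below is an added example (not part of the ANY.RUN report and not code from the sample) that makes those joins explicit. The records are transcribed from this page as constructed input, trimmed to the fields the checks need; the NTSTATUS mapping holds only the one value that appears on the page, and the field names and the idea of a "family tag" per process are this example's own.

```python
"""Correlate the process and dropped-file tables of a sandbox report.

Added example. PROCESSES and DROPS are transcribed from the page (constructed
input, trimmed to the fields used here); the tag tuples come from the
MALICIOUS indicator block. NTSTATUS lists only the status seen in the report.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid image parent user exit_code tags")
Drop = namedtuple("Drop", "pid path kind md5")

SAMPLE = (r"C:\Users\admin\Desktop"
          r"\9810abe54bb4d5b0960117ea93aee6490e8056883cfa3da8056a80b72f1048fb.exe")
ARMSVC = r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
FLASH = r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe"

# Transcribed from "Process information" plus the MALICIOUS indicators.
PROCESSES = [
    Proc(2232, SAMPLE, "explorer.exe", "admin", 0, ("M0YV mutex",)),
    Proc(2492, SAMPLE, "explorer.exe", "admin", 3221226540, ()),
    Proc(3932, r"C:\Windows\System32\slui.exe", "svchost.exe", "admin", 0, ()),
    Proc(3948, ARMSVC, "services.exe", "SYSTEM", None, ("M0YV YARA",)),
    Proc(4744, FLASH, "services.exe", "SYSTEM", 0, ("M0YV mutex",)),
]

# Transcribed from "Dropped files"; the OneDrive log and cache files are omitted.
DROPS = [
    Drop(2232, ARMSVC, "executable", "A9C92E0458547A584EBCC53280144C89"),
    Drop(2232, r"C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin", "binary",
         "A0B71BD11E058AAA9E7B70E5EE418793"),
    Drop(2232, r"C:\Users\admin\AppData\Local\Temp\.ses", "text",
         "ABAD99DB04788E09E6596266B7E39398"),
]

# Value from ntstatus.h; only the status that appears in this report is listed.
NTSTATUS = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}


def dropped_then_serviced(processes, drops, dropper_pid):
    """Pair each file written by dropper_pid with a later process that ran from
    that exact path with services.exe as its parent."""
    written = {d.path.lower(): d for d in drops if d.pid == dropper_pid}
    return [(written[p.image.lower()], p) for p in processes
            if p.parent.lower() == "services.exe" and p.image.lower() in written]


def flagged_services(processes, family="M0YV"):
    """Images started by services.exe whose process carries a family indicator.
    Any of these not returned by dropped_then_serviced() still ran as SYSTEM
    with the indicator, so its on-disk binary needs a signature / known-good
    hash check before it is trusted."""
    return [p.image for p in processes
            if p.parent.lower() == "services.exe"
            and any(t.startswith(family) for t in p.tags)]


def describe_exit_code(code):
    """Turn the decimal exit code printed in the report into hex plus its NTSTATUS name."""
    if code is None:
        return "no exit code (still running when the analysis ended)"
    if code == 0:
        return "0 (normal exit)"
    status = code & 0xFFFFFFFF
    return f"0x{status:08X} ({NTSTATUS.get(status, 'unknown NTSTATUS')})"


if __name__ == "__main__":
    for drop, proc in dropped_then_serviced(PROCESSES, DROPS, 2232):
        print(f"dropped {drop.path} (MD5 {drop.md5}) -> PID {proc.pid} under services.exe as {proc.user}")
    for image in flagged_services(PROCESSES):
        print("service image with M0YV indicator:", image)
    for p in PROCESSES:
        print(f"PID {p.pid}: exit {describe_exit_code(p.exit_code)}")
```

The join on the lower-cased image path is deliberate: the report prints the dropped path with its original casing and the process path as the service control manager recorded it, and the two differ only in case. On a live host the same correlation is done against Sysmon event ID 11 (file create) and event ID 1 (process create) rather than against a sandbox table, but the key is the same full path.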
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 41
DNS requests: 15
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (a "-" marks a cell left empty on the page)

5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6388 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | -
- | - | POST | 400 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 40.126.31.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 40.126.31.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 40.126.31.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (a "-" marks a cell left empty on the page)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6388 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6388 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6024 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.138
  • 20.190.160.128
  • 20.190.160.3
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.66
  • 20.190.160.130
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted

Threats

Columns: PID | Process | Class | Message (a "-" marks a cell left empty on the page)

- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info