File name: a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Full analysis: https://app.any.run/tasks/268a344d-60ce-4756-b6ed-23fbdcb13a41
Verdict: Malicious activity
Analysis date: September 04, 2025, 23:25:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 00D7B49F8A6C388390376C8B6801AA63
SHA1: 4092B75CB87522985D1E14B534831FF5B11398AA
SHA256: A387F3A2CD48454E6765077E18F4C63A6A0AC4C97B8404C3057E4499C72A1877
SSDEEP: 98304:K5NxkqbuwI5n6vH8u8FVDUITkkFe3NLoyFhnSd/i5+5/:7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • The process creates files with name similar to system file names

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Process drops legitimate windows executable

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Executable content was dropped or overwritten

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • There is functionality for taking screenshot (YARA)

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Contacting a server suspected of hosting a CnC

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
  • INFO

    • Failed to create an executable file in Windows directory

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • The sample compiled with English language support

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Checks supported languages

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Disables trace logs

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Creates files or folders in the user directory

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Reads the computer name

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Checks proxy server information

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
      • slui.exe (PID: 4088)
    • UPX packer has been detected

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Create files in a temporary directory

      • a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe (PID: 3960)
    • Reads the software policy settings

      • slui.exe (PID: 4088)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (35.9)
.exe | Win32 Executable MS Visual C++ (generic) (27)
.exe | Win64 Executable (generic) (23.9)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:13 11:44:08+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1310720
InitializedDataSize: 577536
UninitializedDataSize: -
EntryPoint: 0x112bf0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.9.139.161
ProductVersionNumber: 3.9.139.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Google Inc.
FileDescription: Picasa
FileVersion: 3.9.139.161
InternalName: Picasa
LegalCopyright: © 2003-2013 Google Inc.
OriginalFileName: Picasa.exe
ProductName: Picasa
ProductVersion: 3.9.139
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe; slui.exe

Process information

PID: 3960
CMD: "C:\Users\admin\Desktop\a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe"
Path: C:\Users\admin\Desktop\a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Picasa
Version: 3.9.139.161
Modules (Images):
  c:\users\admin\desktop\a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 4088
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 7 222
Read events: 7 184
Write events: 36
Delete events: 2

Modification events

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 121

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: -

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value: -

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: -

(PID) Process: (3960) a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576
Executable files: 4
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3960 | a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncShell.dll.dat | executable
  MD5: 4A01E0BF8983C21174576AFB6BC523F0
  SHA256: 98AE515F1B656EFC2194743017C3B3F3D3258F5541A37DB60AB18A081CA18BF1
3960 | a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable
  MD5: 7574CF2C64F35161AB1292E2F532AABF
  SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
3960 | a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncShell.dll | executable
  MD5: 451D7517D4CEA95646B495272CA674FF
  SHA256: F3904AF6B77FF33BF10794133D84C684F351539D0C391B8CD037F5B8AE92A92D
3960 | a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe | C:\Users\admin\AppData\Local\Temp\conres.dll.000 | text
  MD5: E609411DB8AA6775D0344C75C23AE79B
  SHA256: AEFC503B1ED462D7B6280228A7B5B710792273B78934426F88325341AC5B5A92
3960 | a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncShell.dll.tmp | executable
  MD5: 451D7517D4CEA95646B495272CA674FF
  SHA256: F3904AF6B77FF33BF10794133D84C684F351539D0C391B8CD037F5B8AE92A92D
HTTP(S) requests: 49
TCP/UDP connections: 50
DNS requests: 23
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4688 | RUXIMICS.exe | GET | 304 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | -
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4688 | RUXIMICS.exe | GET | 200 | 23.216.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
- | - | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | -
3960 | a387f3a2cd48454e6765077e18f4c63a6a0ac4c97b8404c3057e4499c72a1877.exe | GET | 200 | 13.248.169.48:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4688 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4688 | RUXIMICS.exe | 23.216.77.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.216.77.10
  • 23.216.77.21
  • 23.216.77.18
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.4
  • 40.126.32.76
  • 20.190.160.132
  • 20.190.160.130
  • 20.190.160.67
  • 20.190.160.22
  • 40.126.32.133
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 13.248.169.48
  • 76.223.54.146
malicious
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.2
whitelisted

Threats

PID | Process | Class | Message
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
No debug info