File name:

OneShot-499570.exe

Full analysis: https://app.any.run/tasks/44060062-c5d9-4ac2-b7cd-1171c1a637ac
Verdict: Malicious activity
Analysis date: June 21, 2025, 21:29:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx, delphi, auto-reg, bittorrent
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 9595E49300C884EA972200F03D7551AA
SHA1: 32266D5316E4A71037304A73B71970E422D0C4C7
SHA256: A4C8B95638E736BFD4CABDF43121EBB65229C3754A2BB35FFE9A81A8091C2D16
SSDEEP: 196608:nYpCIpmIFYMo/QLR2MAIjAuthPIhrJm7i7fTrlWqLo:YhYMrLA+jZPEJLdWt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • OneShot-499570.exe (PID: 1472)
    • BITTORRENT has been detected (SURICATA)

      • uFiler.exe (PID: 2044)
  • SUSPICIOUS

    • Application launched itself

      • OneShot-499570.exe (PID: 1068)
    • Reads security settings of Internet Explorer

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 6124)
      • uFiler.exe (PID: 2044)
    • Executable content was dropped or overwritten

      • OneShot-499570.exe (PID: 1472)
    • The process verifies whether the antivirus software is installed

      • OneShot-499570.exe (PID: 1472)
    • Creates a software uninstall entry

      • OneShot-499570.exe (PID: 1068)
    • Starts itself from another location

      • OneShot-499570.exe (PID: 6124)
    • Reads the date of Windows installation

      • uFiler.exe (PID: 2044)
    • Potential Corporate Privacy Violation

      • uFiler.exe (PID: 2044)
  • INFO

    • Checks supported languages

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 1472)
      • OneShot-499570.exe (PID: 6124)
      • uFiler.exe (PID: 2044)
      • uFiler.exe (PID: 4192)
    • The sample was compiled with English language support

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 1472)
    • Reads the computer name

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 1472)
      • OneShot-499570.exe (PID: 6124)
      • uFiler.exe (PID: 2044)
      • uFiler.exe (PID: 4192)
    • Creates files in the program directory

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 1472)
      • uFiler.exe (PID: 2044)
    • UPX packer has been detected

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 1472)
      • uFiler.exe (PID: 2044)
    • Compiled with Borland Delphi (YARA)

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 1472)
      • uFiler.exe (PID: 2044)
    • Process checks computer location settings

      • OneShot-499570.exe (PID: 1068)
      • OneShot-499570.exe (PID: 6124)
    • The sample was compiled with Russian language support

      • OneShot-499570.exe (PID: 1472)
    • Launching a file from a Registry key

      • OneShot-499570.exe (PID: 1472)
    • Creates files in a temporary directory

      • uFiler.exe (PID: 2044)
    • Manual execution by a user

      • uFiler.exe (PID: 4192)
    • Reads the machine GUID from the registry

      • uFiler.exe (PID: 2044)
    • Checks proxy server information

      • uFiler.exe (PID: 2044)
      • slui.exe (PID: 5372)
    • Reads the software policy settings

      • uFiler.exe (PID: 2044)
      • slui.exe (PID: 5372)
    • Creates files or folders in the user directory

      • uFiler.exe (PID: 2044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:09:01 16:51:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 8896512
InitializedDataSize: 131072
UninitializedDataSize: 18833408
EntryPoint: 0x1a72060
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2022.2.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: uFiler.pro
FileVersion: 2022.2.0.0
OriginalFileName: uFiler.exe
ProductName: uFiler
ProductVersion: 1.0.0
ProgramID: com.embarcadero.uFiler
FileDescription: uFiler
No data.
All screenshots are available in the full report
Total processes: 142
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph, from the root node: oneshot-499570.exe (no specs), oneshot-499570.exe, oneshot-499570.exe (no specs), ufiler.exe (#BITTORRENT), ufiler.exe (no specs), slui.exe

Process information

PID: 1068
CMD: "C:\Users\admin\Desktop\OneShot-499570.exe"
Path: C:\Users\admin\Desktop\OneShot-499570.exe
Parent process: explorer.exe
User: admin
Company: uFiler.pro
Integrity Level: MEDIUM
Description: uFiler
Exit code: 0
Version: 2022.2.0.0
Modules (images):
c:\users\admin\desktop\oneshot-499570.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1472
CMD: "C:\Users\admin\Desktop\OneShot-499570.exe" -a -pipe
Path: C:\Users\admin\Desktop\OneShot-499570.exe
Parent process: OneShot-499570.exe
User: admin
Company: uFiler.pro
Integrity Level: HIGH
Description: uFiler
Version: 2022.2.0.0
Modules (images):
c:\users\admin\desktop\oneshot-499570.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2044
CMD: "C:\Program Files (x86)\uFiler\uFiler.exe" -uFileID=499570 -uFileID=499570
Path: C:\Program Files (x86)\uFiler\uFiler.exe
Parent process: OneShot-499570.exe
User: admin
Company: uFiler.pro
Integrity Level: MEDIUM
Description: uFiler
Version: 2022.2.0.0
Modules (images):
c:\program files (x86)\ufiler\ufiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 4192
CMD: "C:\Program Files (x86)\uFiler\uFiler.exe" -autorun
Path: C:\Program Files (x86)\uFiler\uFiler.exe
Parent process: explorer.exe
User: admin
Company: uFiler.pro
Integrity Level: MEDIUM
Description: uFiler
Exit code: 0
Version: 2022.2.0.0
Modules (images):
c:\program files (x86)\ufiler\ufiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 5372
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6124
CMD: "C:\Users\admin\Desktop\OneShot-499570.exe" -uFileID=499570
Path: C:\Users\admin\Desktop\OneShot-499570.exe
Parent process: OneShot-499570.exe
User: admin
Company: uFiler.pro
Integrity Level: MEDIUM
Description: uFiler
Exit code: 0
Version: 2022.2.0.0
Modules (images):
c:\users\admin\desktop\oneshot-499570.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 381
Read events: 8 350
Write events: 30
Delete events: 1

Modification events

PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\uFiler\uFiler | Operation: write | Name: DataPath | Value: C:\ProgramData\uFiler\data\
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\uFiler\uFiler | Operation: write | Name: FirstRun | Value: 0
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uFiler | Operation: write | Name: DisplayName | Value: uFiler
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uFiler | Operation: write | Name: Publisher | Value: uFiler.pro
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uFiler | Operation: write | Name: UninstallString | Value: C:\Program Files (x86)\uFiler\uFiler.exe -Uninstall
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uFiler | Operation: write | Name: DisplayIcon | Value: C:\Program Files (x86)\uFiler\uFiler.exe,0
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\uFiler\uFiler | Operation: write | Name: DateInstall | Value: 45829
PID 1068 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\uFiler\uFiler | Operation: write | Name: DownloadFilesPathF | Value: C:\Загрузки uFiler\
PID 1472 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\uFiler_\uFilerClientInfo | Operation: write | Name: ClientID | Value: 1881058664-894142221-545823043
PID 1472 OneShot-499570.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: delete value | Name: uFiler
Executable files: 5
Suspicious files: 9
Text files: 1
Unknown types: 0

Dropped files

PID 1472 OneShot-499570.exe | C:\Program Files (x86)\uFiler\modules\libeay32.dll | executable
  MD5: 900DAFE19A17F2E21729BA1AD2A7DDF2
  SHA256: E970087342A29079BFF6B8B37FE58EBF579FD9BF8B5C0815BDC4231B73F9529F
PID 2044 uFiler.exe | C:\ProgramData\uFiler\data\uFiler.db-journal | binary
  MD5: 98D8E407D87D7486FFDA275E2E383FB0
  SHA256: 7082DD0D954FDFD81B237DAB71318F470A58C4802DA327B1C9548BD83A5EE29B
PID 1472 OneShot-499570.exe | C:\Program Files (x86)\uFiler\modules\ubtorrent\ubtorrent.dll | executable
  MD5: 39FD9F3BA43E3E1896467C690053523A
  SHA256: C7B7AF783ECD72104159CCA39FA347F1E110D512E8BD5863D130DA9DE8594D7C
PID 2044 uFiler.exe | C:\ProgramData\uFiler\data\uFiler.db | binary
  MD5: B4DC16C81C773E52271B8289C58BD63B
  SHA256: 392A0A67888A7E66DEF6AC168A0BB2E89E5F734BB92E51C67BB2640C8AA383B2
PID 2044 uFiler.exe | C:\ProgramData\uFiler\data\ufiles\499570.ufile | binary
  MD5: 29BAC6202FEBBA7FDA8E6C49B54E8CE3
  SHA256: BDF7FB565698AE80BEC7B4F56A419CAE06E9C495030E72E5D6663F824D32359D
PID 1472 OneShot-499570.exe | C:\Program Files (x86)\uFiler\modules\ssleay32.dll | executable
  MD5: 5D7476F34764F278852406CDB3BEACB6
  SHA256: DF74479FC4CFF960FAAB94C481DB6B962844E1396716FF5E84FD97EB0FCFA661
PID 1472 OneShot-499570.exe | C:\Program Files (x86)\uFiler\uFiler.exe | executable
  MD5: 9595E49300C884EA972200F03D7551AA
  SHA256: A4C8B95638E736BFD4CABDF43121EBB65229C3754A2BB35FFE9A81A8091C2D16
PID 1472 OneShot-499570.exe | C:\ProgramData\uFiler\data\uFiler.exe | executable
  MD5: 9595E49300C884EA972200F03D7551AA
  SHA256: A4C8B95638E736BFD4CABDF43121EBB65229C3754A2BB35FFE9A81A8091C2D16
PID 1068 OneShot-499570.exe | C:\Users\admin\Desktop\uFiler.lnk | binary
  MD5: 84B3CA52B47AD26A54BD0C655AFFE145
  SHA256: 2D2EC165602DC4A8B012B73A8F2808524ED6FBD1E8071C60D819A7769A8B8DED
PID 2044 uFiler.exe | C:\Users\admin\AppData\Local\Temp\499570.ufile | binary
  MD5: 29BAC6202FEBBA7FDA8E6C49B54E8CE3
  SHA256: BDF7FB565698AE80BEC7B4F56A419CAE06E9C495030E72E5D6663F824D32359D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 44
TCP/UDP connections: 67
DNS requests: 26
Threats: 8

HTTP requests

PID 1268 svchost.exe | GET 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID 5944 MoUsoCoreWorker.exe | GET 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID 4808 RUXIMICS.exe | GET 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID 5944 MoUsoCoreWorker.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
PID 4808 RUXIMICS.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
PID 1268 svchost.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
GET 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | CN: unknown
POST 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | CN: unknown | Type: xml | Size: 1.24 Kb | Reputation: whitelisted
GET 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | CN: unknown
POST 200 | 20.190.159.0:443 | https://login.live.com/RST2.srf | CN: unknown | Type: xml | Size: 11.1 Kb | Reputation: whitelisted

Connections

PID 4 System | 192.168.100.255:137 | Reputation: whitelisted
PID 5944 MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID 1268 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID 4808 RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID 4 System | 192.168.100.255:138 | Reputation: whitelisted
PID 4808 RUXIMICS.exe | 2.18.121.147:80 | crl.microsoft.com | ASN: AKAMAI-AS | CN: FR | Reputation: whitelisted
PID 5944 MoUsoCoreWorker.exe | 2.18.121.147:80 | crl.microsoft.com | ASN: AKAMAI-AS | CN: FR | Reputation: whitelisted
PID 1268 svchost.exe | 2.18.121.147:80 | crl.microsoft.com | ASN: AKAMAI-AS | CN: FR | Reputation: whitelisted
PID 4808 RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted
PID 5944 MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted

DNS requests

settings-win.data.microsoft.com: 4.231.128.59, 20.73.194.208 (whitelisted)
google.com: 142.250.186.78 (whitelisted)
crl.microsoft.com: 2.18.121.147, 2.18.121.139, 23.53.40.176, 23.53.40.178 (whitelisted)
www.microsoft.com: 95.101.149.131, 23.35.229.160 (whitelisted)
login.live.com: 20.190.160.4, 20.190.160.2, 20.190.160.128, 40.126.32.136, 20.190.160.67, 20.190.160.132, 40.126.32.68, 20.190.160.5 (whitelisted)
nexusrules.officeapps.live.com: 52.111.227.13 (whitelisted)
slscr.update.microsoft.com: 52.149.20.212 (whitelisted)
fe3cr.delivery.mp.microsoft.com: 13.85.23.206 (whitelisted)
client.wns.windows.com: 172.211.123.249 (whitelisted)
dht.libtorrent.org: 185.157.221.247 (unknown)

Threats

Potential Corporate Privacy Violation | ET P2P Possible Torrent Download via HTTP Request
Potential Corporate Privacy Violation | ET P2P BitTorrent - Torrent File Downloaded
Potential Corporate Privacy Violation | ET P2P Possible Torrent Download via HTTP Request
Potential Corporate Privacy Violation | ET P2P BitTorrent - Torrent File Downloaded
Potential Corporate Privacy Violation | ET P2P Possible Torrent Download via HTTP Request
PID 2044 uFiler.exe | Potential Corporate Privacy Violation | ET P2P Libtorrent User-Agent
PID 2044 uFiler.exe | Misc activity | INFO [ANY.RUN] P2P BitTorrent Protocol
PID 2044 uFiler.exe | Potential Corporate Privacy Violation | ET P2P Libtorrent User-Agent
No debug info