File name:

azahar-2121.1-windows-msvc-installer.exe

Full analysis: https://app.any.run/tasks/dd6c6e03-4bf5-49af-aeb2-1b5a91686396
Verdict: Malicious activity
Analysis date: May 25, 2025, 00:44:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

EE395D182BADAC4AB66ACC6FC23F6232

SHA1:

6ECC61A9F61A869973F8E8D75D8611685EBED6C1

SHA256:

A882384B8FC9577ED00E8C39A7779A9D452ADC2C157B3A3010F3F1C0E784D17F

SSDEEP:

393216:vAu/bwpSKdNE6FoyFb7kTz2K/4+8gvfGcPQ8:vAu/UpXTOyF/AhDM8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • There is functionality for taking screenshot (YARA)

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Process drops legitimate windows executable

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Creates a software uninstall entry

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • The process creates files with name similar to system file names

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

  • INFO

    • Create files in a temporary directory

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Reads the computer name

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Checks supported languages

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Creates files in the program directory

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • The sample compiled with english language support

      • azahar-2121.1-windows-msvc-installer.exe (PID: 4724)

    • Checks proxy server information

      • slui.exe (PID: 5680)

    • Reads the software policy settings

      • slui.exe (PID: 5680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x369f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start azahar-2121.1-windows-msvc-installer.exe slui.exe azahar-2121.1-windows-msvc-installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1324"C:\Users\admin\Desktop\azahar-2121.1-windows-msvc-installer.exe" C:\Users\admin\Desktop\azahar-2121.1-windows-msvc-installer.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\azahar-2121.1-windows-msvc-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4724"C:\Users\admin\Desktop\azahar-2121.1-windows-msvc-installer.exe" C:\Users\admin\Desktop\azahar-2121.1-windows-msvc-installer.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\azahar-2121.1-windows-msvc-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5680C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 567
Read events
3 558
Write events
9
Delete events
0

Modification events

(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:EstimatedSize
Value:
89284
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:Comments
Value:
3DS emulator based on Citra
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:DisplayName
Value:
Azahar
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:UninstallString
Value:
C:\Program Files\Azahar\uninst.exe /AllUsers
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:DisplayIcon
Value:
C:\Program Files\Azahar\azahar.exe
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:DisplayVersion
Value:
2121.1
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:URLInfoAbout
Value:
https://azahar-emu.org/
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:Publisher
Value:
Azahar Emulator Developers
(PID) Process:(4724) azahar-2121.1-windows-msvc-installer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Azahar
Operation:writeName:InstallLocation
Value:
C:\Program Files\Azahar
Executable files
34
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Multimedia.dllexecutable
MD5:BDD2401C24E694769007D290744FA00B
SHA256:D65D749813C1778264115EBD03ECCCD87628DD1432A03560F13B009330459306
4724azahar-2121.1-windows-msvc-installer.exeC:\Users\admin\AppData\Local\Temp\nsiCA2A.tmp\nsDialogs.dllexecutable
MD5:8F0E7415F33843431DF308BB8E06AF81
SHA256:BB49F15FA83452370047A7801E39FC7F64E70C7545B8999BB85AA4749EAA048B
4724azahar-2121.1-windows-msvc-installer.exeC:\Users\admin\AppData\Local\Temp\nsiCA2A.tmp\LangDLL.dllexecutable
MD5:4B8A750993567AC9A350BA9768FABFA0
SHA256:4CF25411F28F639F72156C24B0F66EA42F5AEE5973F6C137D901DA6AE42D5B7E
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Gui.dllexecutable
MD5:817B182E009F388672445E69144F8543
SHA256:CFCE665B7C477EBFF815FB27A9B55D0B629183C0CECB5282A87BAD666D76DAA8
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Network.dllexecutable
MD5:794760C25A8DE30DCB152808DD5B7416
SHA256:F6702966E341D9A2F1707DF5833DB984205B3717FB5CE3CD2A37383AC347905D
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Concurrent.dllexecutable
MD5:B6E82281429DDE3CE8B5017844292C06
SHA256:A406D29C40F481A2EECDA2DF125AD0FB39DD82F43EF4EF14786520B5680D8427
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Widgets.dllexecutable
MD5:C3241A2E538115DBADDF3A8C283C7966
SHA256:6A97350BBFE5518C5E41453062548F493014F8037A70645246549DE33E6CFC17
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\Qt6Svg.dllexecutable
MD5:3B75CF39102E5152A34BAB94EDF82167
SHA256:CC8FEFC7BFF06FE18E7994039B0943A26B3FED4D5C9B09845E464BAD3ADF4F66
4724azahar-2121.1-windows-msvc-installer.exeC:\Users\admin\AppData\Local\Temp\nsiCA2A.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
4724azahar-2121.1-windows-msvc-installer.exeC:\Program Files\Azahar\qt.conftext
MD5:CE1386D47F6BEEBB2F15436E97203409
SHA256:6D421D82AA08563AD1A26D44883C58512127693C42FEB387645111358323FF06
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4300
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5680
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
azahar-2121.1-windows-msvc-installer.exe