File name: AirMyPC.exe

Full analysis: https://app.any.run/tasks/3694a6e8-c44e-445d-9c4f-a08bea43f7f6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 08, 2025, 15:11:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: btinfo, tool, loader, banload, antivm
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 3FABFF185E85E5631B1753F5782D9523

SHA1: 31D269D8FFE16C5168E41C43B8A8B73581A6190A

SHA256: D5FFF843645AB47000738A36B7073F1D0E7C2CD4CC8612CE7325EF4DA8CD7412

SSDEEP: 98304:h0nDFmjPEr6ru5nvf4MK/WyQANdcGrB31Oksw6o2yqmp+nVkl+vZINJaDLyk3CJ2:WnDFySE/kgl00EA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Banload is detected

      • AirMyPC.exe (PID: 4788)
  • SUSPICIOUS

    • Reads the BIOS version

      • AirMyPC.exe (PID: 4788)
    • Application launched itself

      • AirMyPC.exe (PID: 6420)
    • There is functionality for VM detection VirtualBox (YARA)

      • AirMyPC.exe (PID: 4788)
    • There is functionality for taking screenshot (YARA)

      • AirMyPC.exe (PID: 4788)
    • There is functionality for communication over UDP network (YARA)

      • AirMyPC.exe (PID: 4788)
  • INFO

    • Creates files in the program directory

      • AirMyPC.exe (PID: 4788)
    • The sample was compiled with English language support

      • AirMyPC.exe (PID: 6420)
    • Creates files or folders in the user directory

      • AirMyPC.exe (PID: 4788)
    • BTINFO mutex has been found

      • AirMyPC.exe (PID: 6420)
    • Reads the computer name

      • AirMyPC.exe (PID: 4788)
    • Reads the machine GUID from the registry

      • AirMyPC.exe (PID: 4788)
    • Checks supported languages

      • AirMyPC.exe (PID: 6420)
      • AirMyPC.exe (PID: 4788)
    • Checks proxy server information

      • slui.exe (PID: 4104)
    • Reads the software policy settings

      • slui.exe (PID: 4104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:22 13:52:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 83.82
CodeSize: 823296
InitializedDataSize: 9576448
UninitializedDataSize: -
EntryPoint: 0x140a70e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 7.2.0.0
ProductVersionNumber: 7.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AirMyPC
FileDescription: AirMyPC
FileVersion: 7.2.0.0
InternalName: AirMyPC.exe
LegalCopyright: AirMyPC. All rights reserved.
OriginalFileName: AirMyPC.exe
ProductName: AirMyPC
ProductVersion: 7.2.0.0
No data.
All screenshots are available in the full report
Total processes
135
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Process graph nodes: start, airmypc.exe, airmypc.exe, slui.exe (interactive graph available in the full report)

Process information

PID: 4104
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4788
CMD: "C:\Users\admin\Desktop\AirMyPC.exe"
Path: C:\Users\admin\Desktop\AirMyPC.exe
Parent process: AirMyPC.exe
User:
admin
Company:
AirMyPC
Integrity Level:
MEDIUM
Description:
AirMyPC
Version:
7.2.0.0
Modules
Images
c:\users\admin\desktop\airmypc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6420
CMD: "C:\Users\admin\Desktop\AirMyPC.exe"
Path: C:\Users\admin\Desktop\AirMyPC.exe
Parent process: explorer.exe
User:
admin
Company:
AirMyPC
Integrity Level:
MEDIUM
Description:
AirMyPC
Version:
7.2.0.0
Modules
Images
c:\users\admin\desktop\airmypc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
4 034
Read events
4 004
Write events
30
Delete events
0

Modification events

(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {R7C0DB872A3F777C0}
Value:
4E480EAF
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {K7C0DB872A3F777C0}
Value:
-
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {I7E2D12DB489AA234}
Value:
01000000
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {07E2D12DB489AA234}
Value:
5B32930FEF81A6A44106519E01B2AC82DA3A9564DAB4D08495EADCBE18B30F1A7AE9032347C24873F4A905517BF3A056B1DB6A6011AA74899618BC5454036534C1B3FB58E39C06085B31CA895B596675173CF3A7E1BA48D5967D97392E9756596EA7C2CB210777940CFA806022A3E07CE108B4C85A697FF2FC1C73DFED7BAA9877483ABA636E7029492DFEF135FDA639316A3DD8873A56F32C9DB1145D084DDB
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {I7E2D12DB489AA234}
Value:
02000000
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {07E2D12DB489AA234}
Value:
5B32930FEF81A6A44106519E01B2AC82DA3A9564DAB4D08495EADCBE18B30F1A7AE9032347C24873F4A905517BF3A056B1DB6A6011AA74899618BC5454036534C1B3FB58E39C06085B31CA895B596675173CF3A7E0BA48D5967D96392E9756596EA7C2CB210777940CFA806022A3E07CE108B4C85A697FF2FC1C73DFED7BAA9877483ABA636E7029492DFEF135FDA639316A3DD8873A56F02C9DB114068C0F7B
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {I7E2D12DB489AA234}
Value:
03000000
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {07E2D12DB489AA234}
Value:
5B32930FEF81A6A44106519E01B2AC82DA3A9564DAB4D08495EADCBE18B30F1A7AE9032347C24873F4A905517BF3A056B1DB6A6011AA74899618BC5454036534C1B3FB58E39C06085B31CA895B596675173CF3A7E0BA48D5967D96392E9756596EA7C2CB210777940CFA806022A3E07CE108B4C85A697FF2FC1C73DFED7BAA9877483ABA636E7029492DFEF135FDA639316A3DD8873A56F12C9DB114B6A56F46
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {I7E2D12DB489AA234}
Value:
04000000
(PID) Process: (4788) AirMyPC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Licenses
Operation: write
Name: {07E2D12DB489AA234}
Value:
5B32930FEF81A6A44106519E01B2AC82DA3A9564DAB4D08495EADCBE18B30F1A7AE9032347C24873F4A905517BF3A056B1DB6A6011AA74899618BC5454036534C1B3FB58E39C06085B31CA895B596675173CFFBDA2FC09EDBD3CD20A6AD40B185B93F48F78354FD04FB8E55D1492D64AF239A8CC5B6982EF058DCD3E92C5FAE588674FD63231C6C154C28597B7E13FC81F528CCF18C4AFEFC8080E0A4327A26211309F49E9EE6896E56B7D28BD83EB44B29A52AEFEDFBD1332B7EDF593E47B5F
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type
4788 | AirMyPC.exe | C:\ProgramData\TEMP\RAIDTest | binary
MD5:3B49487C910878648C7BF3B284CC10F7
SHA256:83F46988C892125462EF5EC267DF80675DC7807E1CD691EDC57BEFFBB7FA6CE8
4788 | AirMyPC.exe | C:\Users\admin\AppData\Local\AirMyPC\debug.txt | text
MD5:B99A94748A78658915AD898DE060DAA3
SHA256:9760945513D1274CD54C51261084C3D5D478071E6DB0F80AC30FE4B9B2F5C361
4788 | AirMyPC.exe | C:\Users\admin\AppData\Local\AirMyPC\settings.txt | text
MD5:D57609EF1F66C3D9AF2140329D2E3E54
SHA256:8C82F9E9F8F413DAEEA11681D8CA545B1C990626E040BD2F7435F3B6823F8A86
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
46
DNS requests
18
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5172 | RUXIMICS.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5172 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
3876 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5172 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5172 | RUXIMICS.exe | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.43
  • 23.216.77.11
  • 23.216.77.42
  • 23.216.77.12
  • 23.216.77.15
  • 23.216.77.4
  • 23.216.77.38
  • 23.216.77.17
  • 23.216.77.35
  • 23.216.77.30
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.75
  • 40.126.31.129
  • 20.190.159.129
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.3
  • 20.190.159.0
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
www.airmypc.com
  • 74.208.236.164
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
Process
Message
AirMyPC.exe
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
AirMyPC.exe
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
AirMyPC.exe
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s