File name: saiec.exe

Full analysis: https://app.any.run/tasks/c74f9427-1cd5-4200-a045-5608c2ca1711
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 24, 2026, 10:03:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, upx, babylon, rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 266053C06940992CCC5AE706FA85AD63
SHA1: E8F6A9A812B4DBE20933CC06E3C66797A92C9848
SHA256: E685C5E8EC5CE983408F278A33B236CB355FC0F4CBCA9361C920D28EE12DE25D
SSDEEP: 12288:Rd1HbEyfeRvfQF9y31GVpQdZbePtgwWV6AQSXP9yWvbjgUAov:Rd1HbEyfeRvIFA3yQdNe1dzAQ2P9yWvh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • saiec.exe (PID: 8100)
      • client.exe (PID: 5420)
      • client.exe (PID: 4692)
      • client.exe (PID: 4308)
      • client.exe (PID: 4784)
    • BABYLON has been detected (YARA)

      • client.exe (PID: 4692)
      • client.exe (PID: 5420)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • saiec.exe (PID: 8100)
    • Starts itself from another location

      • saiec.exe (PID: 8100)
    • Application launched itself

      • client.exe (PID: 5420)
  • INFO

    • Reads the computer name

      • saiec.exe (PID: 8100)
      • client.exe (PID: 5420)
      • client.exe (PID: 4692)
      • client.exe (PID: 4308)
      • client.exe (PID: 4784)
    • Checks supported languages

      • saiec.exe (PID: 8100)
      • client.exe (PID: 5420)
      • client.exe (PID: 4692)
      • client.exe (PID: 4308)
      • client.exe (PID: 4784)
    • Launching a file from a Registry key

      • saiec.exe (PID: 8100)
      • client.exe (PID: 5420)
      • client.exe (PID: 4692)
      • client.exe (PID: 4308)
      • client.exe (PID: 4784)
    • Manual execution by a user

      • client.exe (PID: 4308)
      • client.exe (PID: 4784)
    • There is functionality for taking screenshot (YARA)

      • client.exe (PID: 4692)
      • client.exe (PID: 5420)
    • UPX packer has been detected

      • client.exe (PID: 5420)
      • client.exe (PID: 4692)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:31 21:07:17+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 364544
InitializedDataSize: 4096
UninitializedDataSize: 446464
EntryPoint: 0xc60d0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 138
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 2


Process information

PID | CMD | Path | Parent process
2436 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID | CMD | Path | Parent process
4308 | C:\ProgramData\saiec\client.exe | C:\ProgramData\saiec\client.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\programdata\saiec\client.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID | CMD | Path | Parent process
4692 | "C:\ProgramData\saiec\client.exe" 5420 | C:\ProgramData\saiec\client.exe | client.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\programdata\saiec\client.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID | CMD | Path | Parent process
4784 | C:\ProgramData\saiec\client.exe | C:\ProgramData\saiec\client.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\programdata\saiec\client.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID | CMD | Path | Parent process
5420 | "C:\ProgramData\saiec\client.exe" | C:\ProgramData\saiec\client.exe | saiec.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\programdata\saiec\client.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID | CMD | Path | Parent process
8100 | "C:\Users\admin\Desktop\saiec.exe" | C:\Users\admin\Desktop\saiec.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\saiec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll
Total events: 4 423
Read events: 4 347
Write events: 76
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
8100 | saiec.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | write | saiecafrica | C:\ProgramData\saiec\client.exe
5420 | client.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | write | saiecafrica | C:\ProgramData\saiec\client.exe
4692 | client.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | write | saiecafrica | C:\ProgramData\saiec\client.exe
2436 | slui.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E | write | @%SystemRoot%\System32\sppcomapi.dll,-3200 | Software Licensing
4308 | client.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | write | saiecafrica | C:\ProgramData\saiec\client.exe
4784 | client.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | write | saiecafrica | C:\ProgramData\saiec\client.exe
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
8100 | saiec.exe | C:\ProgramData\saiec\client.exe | executable
MD5: 266053C06940992CCC5AE706FA85AD63
SHA256: E685C5E8EC5CE983408F278A33B236CB355FC0F4CBCA9361C920D28EE12DE25D
HTTP(S) requests: 43
TCP/UDP connections: 41
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 304 | 57.153.246.3:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
5796 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
5796 | SIHClient.exe | GET | 200 | 135.232.92.97:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
5796 | SIHClient.exe | GET | 200 | 135.232.92.137:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
5796 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
3352 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
3352 | svchost.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5796 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
2436 | slui.exe | POST | 500 | 128.24.231.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3352 | svchost.exe | 57.153.246.3:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
5276 | MoUsoCoreWorker.exe | 57.153.246.3:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7824 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
3352 | svchost.exe | 23.216.77.29:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3352 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5420 | client.exe | 104.21.16.33:20000 | saiec.africa | CLOUDFLARENET | US | whitelisted
5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 48.209.138.168:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 57.153.246.3, 48.209.138.168 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.64 | whitelisted
crl.microsoft.com | 23.216.77.29, 23.216.77.38, 23.216.77.37, 23.216.77.28, 23.216.77.41, 23.216.77.8, 23.216.77.13, 23.216.77.32, 23.216.77.36, 2.16.164.114, 2.16.164.9, 2.16.164.106, 2.16.164.51 | whitelisted
google.com | 192.178.183.139, 192.178.183.113, 192.178.183.138, 192.178.183.101, 192.178.183.102, 192.178.183.100 | whitelisted
www.microsoft.com | 88.221.169.152, 23.52.181.212 | whitelisted
saiec.africa | 104.21.16.33, 172.67.166.16 | unknown
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 135.232.92.137 | whitelisted
fe3cr.delivery.mp.microsoft.com | 135.232.92.97 | whitelisted
self.events.data.microsoft.com | 20.189.173.8 | whitelisted

Threats

PID | Process | Class | Message
5276 | MoUsoCoreWorker.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)