File name: setup.exe
Full analysis: https://app.any.run/tasks/2a9943aa-3757-4afb-85ac-dd7abcfe93c5
Verdict: Malicious activity
Analysis date: November 02, 2024, 21:27:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 9CD083C3DF1499E4E873C7271E3EC7EC
SHA1: 1245AE6A0383FAAC28673F1B81A81F2C3CB74D9F
SHA256: 0A44FE811CA83E09075B9166C362979A705A08155E24D1981DD2A222693A53A3
SSDEEP: 98304:xCrX8IqXt40x4IYoXgzxGbryVfVYGC0q1lupnVEkHi8rSHrQ835NA1R0iObMX/Tg:XGfor6a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup.exe (PID: 2432)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
    • Reads the date of Windows installation

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
    • Starts CMD.EXE for commands execution

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
      • cmd.exe (PID: 6648)
    • Application launched itself

      • setup.exe (PID: 2432)
      • cmd.exe (PID: 6648)
    • Executing commands from ".cmd" file

      • setup.exe (PID: 6704)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6648)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 6648)
    • Uses NSLOOKUP.EXE to check DNS info

      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 6852)
      • cmd.exe (PID: 2632)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6852)
      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 2632)
      • cmd.exe (PID: 6648)
    • Hides command output

      • cmd.exe (PID: 6852)
      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 2632)
    • The executable file from the user directory is run by the CMD process

      • wget.exe (PID: 6484)
      • dnsx.exe (PID: 3964)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 6648)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 6648)
  • INFO

    • Process checks computer location settings

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
    • Checks supported languages

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
      • wget.exe (PID: 6484)
      • dnsx.exe (PID: 3964)
    • Create files in a temporary directory

      • setup.exe (PID: 2432)
      • dnsx.exe (PID: 3964)
    • The process uses the downloaded file

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
    • Reads the computer name

      • setup.exe (PID: 2432)
      • setup.exe (PID: 6704)
      • wget.exe (PID: 6484)
    • Reads the machine GUID from the registry

      • dnsx.exe (PID: 3964)
    • Application based on Golang

      • dnsx.exe (PID: 3964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2018:05:21 01:49:53+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 126976
InitializedDataSize: 146944
UninitializedDataSize: -
EntryPoint: 0x1f550
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 7.0.0.0
ProductVersionNumber: 7.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Adobe Systems Incorporated
FileDescription: Adobe Setup
FileVersion: 7.0.0.0
InternalName: PostInstall
LegalCopyright: © 1990-2024 Adobe Systems Inc
OriginalFileName: setup.exe
PrivateBuild: September 14, 2024
ProductName: Setup
ProductVersion: 7.0.0.0
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 28
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order ("no specs" and "THREAT" are the service's own node labels):
start, setup.exe, cmd.exe (no specs), conhost.exe (no specs), setup.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), ping.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), nslookup.exe, findstr.exe (no specs), cmd.exe (no specs), nslookup.exe, findstr.exe (no specs), cmd.exe (no specs), nslookup.exe, findstr.exe (no specs), wget.exe, findstr.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), dnsx.exe (THREAT), sort.exe (no specs), findstr.exe (no specs), findstr.exe (no specs), ipconfig.exe (no specs), netsh.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1172
CMD: nslookup -type=ns ic.adobe.io
Path: C:\Windows\System32\nslookup.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\mswsock.dll
PID: 1248
CMD: ipconfig /flushdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll
PID: 1372
CMD: nslookup -type=ns ic.adobe.io
Path: C:\Windows\System32\nslookup.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\mswsock.dll
PID: 2432
CMD: "C:\Users\admin\Desktop\setup.exe"
Path: C:\Users\admin\Desktop\setup.exe
Parent process: explorer.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Setup
Exit code: 0
Version: 7.0.0.0
Modules (images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 2632
CMD: C:\WINDOWS\system32\cmd.exe /c 2>nul nslookup -type=ns ic.adobe.io|findstr /i /l /c:"nameserver = "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 3964
CMD: "C:\Users\admin\AppData\Local\Temp\Adobe Temp\dnsx.exe" -t 100 -retry 2 -silent -resp-only
Path: C:\Users\admin\AppData\Local\Temp\Adobe Temp\dnsx.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\adobe temp\dnsx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4816
CMD: C:\WINDOWS\system32\cmd.exe /c 2>nul nslookup -type=ns ic.adobe.io|findstr /i /l /c:"nameserver = "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 5100
CMD: netsh advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 5184
CMD: findstr /i /l /c:"nameserver = "
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 5512
CMD: findstr /i /l /c:"TTL="
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events: 4 758
Read events: 4 758
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2432 | setup.exe | C:\Users\admin\AppData\Local\Temp\Adobe Temp\wget.exe | executable
  MD5: B1F557BD6A97A95CFF5DBCC55BF6E9BB
  SHA256: A6093F8F40F90AD576B0463FB352318416EA24265D3E8F43D4F7F3723F7E7F77
2432 | setup.exe | C:\Users\admin\AppData\Local\Temp\Adobe Temp\iplist.txt | text
  MD5: 828BFCA9C54502D5E37FBA5EC08D4DB7
  SHA256: 913A66F0BAC65D27FCE3AC0BCC513D282E55A13A02EA7CFD46FAA635F9BE47AF
2432 | setup.exe | C:\Users\admin\AppData\Local\Temp\Adobe Temp\dnsx.exe | executable
  MD5: 47C028F041C83817250E3D49126A8C88
  SHA256: 9F7A353258017C04C5197379F5F5F6821E32712346C9AC4611313B2712805120
2432 | setup.exe | C:\Users\admin\AppData\Local\Temp\Adobe Temp\BlockIPs.cmd | text
  MD5: 93EA3E33B0BFB145BD4F61B7BAA5BFF8
  SHA256: E7A3AF9D8CF431AC154096742DB85FD98F17F0B8D884D29009C0B5DCEEE8BAEC
2432 | setup.exe | C:\Users\admin\AppData\Local\Temp\Adobe Temp\pihole.txt | text
  MD5: 427E165E573B16B949128195C42D4068
  SHA256: 53F9072A46472D1C34A7E4CA60472E42A8700578B82F5C71064222C4622175AE
3964 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm083131451\CURRENT.0 | text
  MD5: 6159AC332FBA78E3046D9F75EDB5E396
  SHA256: 179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76
3964 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm083131451\CURRENT | text
  MD5: 6159AC332FBA78E3046D9F75EDB5E396
  SHA256: 179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76
6804 | findstr.exe | C:\Users\admin\AppData\Local\Temp\Adobe Temp\hosts.txt | text
  MD5: E8DA74B5B56D3BA6D0D5C67CA21EAFCD
  SHA256: 6C58DAC8A7FF58426F4A5F136AD0F485FB069CD7F317A60C646FD304D94E304C
3964 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm083131451\MANIFEST-000000 | binary
  MD5: CBA3CA9834B7BB57A118F54D112359DA
  SHA256: 135E8BB0B3D297C61E0B989D02D4445D9A16A7D4FFD1C66FCFF7B42E1BCC53AC
3964 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm083131451\LOG | text
  MD5: 7915EEC8D597E5BFEB10D38E476F3C8D
  SHA256: A7BAA7671BE425310923829331F096C4E7290A05B080522A76B83BA43E6DEE5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 22
DNS requests: 1 747
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1744 | RUXIMICS.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1744 | RUXIMICS.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 188.114.97.3:443 | https://a.dove.isdumb.one/pihole.txt | unknown | text | 24.0 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 13.71.55.58:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 13.71.55.58:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted
1744 | RUXIMICS.exe | 13.71.55.58:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6484 | wget.exe | 188.114.96.3:443 | a.dove.isdumb.one | CLOUDFLARENET | NL | unknown
1744 | RUXIMICS.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1744 | RUXIMICS.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 13.71.55.58
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.238
whitelisted
2.100.168.192.in-addr.arpa
whitelisted
ic.adobe.io
whitelisted
a.dove.isdumb.one
  • 188.114.96.3
  • 188.114.97.3
unknown
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 23.32.185.131
whitelisted
04jkjo2db5.adobestats.io
unknown
3d5rp7oyng.adobestats.io
unknown
3ea8nnv3fo.adobestats.io
unknown

Threats

No threats detected
No debug info