Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/be16bb46-0dee-4db7-a76e-cb9c3a3d55a3
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 17:16:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	9CD083C3DF1499E4E873C7271E3EC7EC
SHA1:	1245AE6A0383FAAC28673F1B81A81F2C3CB74D9F
SHA256:	0A44FE811CA83E09075B9166C362979A705A08155E24D1981DD2A222693A53A3
SSDEEP:	98304:xCrX8IqXt40x4IYoXgzxGbryVfVYGC0q1lupnVEkHi8rSHrQ835NA1R0iObMX/Tg:XGfor6a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Application launched itself
  - setup.exe (PID: 4676)
  - cmd.exe (PID: 2804)
- Reads the date of Windows installation
  - setup.exe (PID: 4676)
  - setup.exe (PID: 1324)
- Executable content was dropped or overwritten
  - setup.exe (PID: 4676)
- Starts CMD.EXE for commands execution
  - setup.exe (PID: 4676)
  - setup.exe (PID: 1324)
  - cmd.exe (PID: 2804)
- Reads security settings of Internet Explorer
  - setup.exe (PID: 4676)
  - setup.exe (PID: 1324)
- Executing commands from ".cmd" file
  - setup.exe (PID: 1324)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - cmd.exe (PID: 2804)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 2804)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 2804)
  - cmd.exe (PID: 6948)
  - cmd.exe (PID: 5900)
  - cmd.exe (PID: 6404)
- Hides command output
  - cmd.exe (PID: 6948)
  - cmd.exe (PID: 6404)
  - cmd.exe (PID: 5900)
- Uses NSLOOKUP.EXE to check DNS info
  - cmd.exe (PID: 6948)
  - cmd.exe (PID: 5900)
  - cmd.exe (PID: 6404)
- The executable file from the user directory is run by the CMD process
  - dnsx.exe (PID: 3608)
  - wget.exe (PID: 4116)
- There is functionality for taking screenshot (YARA)
  - setup.exe (PID: 4676)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 2804)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 2804)
INFO
- Process checks computer location settings
  - setup.exe (PID: 4676)
  - setup.exe (PID: 1324)
- Reads the computer name
  - setup.exe (PID: 4676)
  - setup.exe (PID: 1324)
  - wget.exe (PID: 4116)
- Create files in a temporary directory
  - setup.exe (PID: 4676)
  - dnsx.exe (PID: 3608)
- Checks supported languages
  - setup.exe (PID: 4676)
  - setup.exe (PID: 1324)
  - wget.exe (PID: 4116)
  - dnsx.exe (PID: 3608)
- Reads the machine GUID from the registry
  - dnsx.exe (PID: 3608)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2018:05:21 01:49:53+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	10
CodeSize:	126976
InitializedDataSize:	146944
UninitializedDataSize:	-
EntryPoint:	0x1f550
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	7.0.0.0
ProductVersionNumber:	7.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Adobe Systems Incorporated
FileDescription:	Adobe Setup
FileVersion:	7.0.0.0
InternalName:	PostInstall
LegalCopyright:	© 1990-2024 Adobe Systems Inc
OriginalFileName:	setup.exe
PrivateBuild:	September 14, 2024
ProductName:	Setup
ProductVersion:	7.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

699

Monitored processes

565

Malicious processes

3

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

316

findstr /l /c:",52.222.214.91,"

C:\Windows\System32\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

1

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

316

C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.15,108.138.26.27,108.138.26.31,108.138.26.4,108.138.26.42,108.138.26.44,108.138.26.51,108.138.26.56,108.138.26.57,108.138.26.58,108.138.26.70,108.138.26.72,108.138.26.79,108.138.26.86,108.138.26.99,108.138.7.117,108.138.7.118,108.138.7.2,108.138.7.32,108.138.7.47,108.138.7.50,108.138.7.8,108.138.7.97,13.32.121.102,13.32.121.107,13.32.121.18,13.32.121.2,13.32.121.24,13.32.121.34,13.32.121.40,13.32.121.43,13.32.121.55,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.113,13.32.27.125,13.32.27.128,13.32.27.16,13.32.27.24,13.32.27.30,13.32.27.36,13.32.27.45,13.32.27.75,13.32.27.9,13.32.27.95,13.32.99.120,13.32.99.124,13.32.99.56,13.32.99.6,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.10,13.33.187.101,13.33.187.108,13.33.187.113,13.33.187.120,13.33.187.13,13.33.187.28,13.33.187.42,13.33.187.5,13.33.187.56,13.33.187.57,13.33.187.67,13.33.187.74,13.33.187.75,13.33.187.97,13.35.58.104,13.35.58.106,13.35.58.21,13.35.58.49,143.204.215.111,143.204.215.16,143.204.215.2,143.204.215.27,143.204.215.31,143.204.215.40,143.204.215.46,143.204.215.59,143.204.215.65,143.204.215.66,143.204.215.74,143.204.215.90,143.204.98.10,143.204.98.103,143.204.98.104,143.204.98.105,143.204.98.113,143.204.98.125,143.204.98.128,143.204.98.31,143.204.98.32,143.204.98.46,143.204.98.96,18.244.18.102,18.244.18.129,18.244.18.46,18.244.18.81,18.245.31.103,18.245.31.112,18.245.31.113,18.245.31.115,18.245.31.121,18.245.31.123,18.245.31.129,18.245.31.16,18.245.31.18,18.245.31.2,18.245.31.23,18.245.31.32,18.245.31.44,18.245.31.48,18.245.31.49,18.245.31.51,18.245.31.55,18.245.31.74,18.245.31.78,18.245.31.79,18.245.31.85,18.245.31.92,18.245.31.94,18.245.31.96,18.245.46.11,18.245.46.112,18.245.46.114,18.245.46.117,18.245.46.121,18.245.46.129,18.245.46.54,18.245.46.66,18.245.60.100,18.245.60.109,18.245.60.16,18.245.60.4,18.245.60.62,18.245.60.68,18.245.60.84,18.245.60.93,18.66.102.104,18.66.102.19,18.66.102.27,18.66.102.35,18.66.102.71,18.66.102.75,18.66.102.84,18.66.112.114,18.66.112.126,18.66.112.3,18.66.112.55,18.66.112.69,18.66.112.7,18.66.112.78,18.66.122.104,18.66.122.12,18.66.122.122,18.66.122.31,18.66.122.49,18.66.122.73,18.66.122.92,18.66.147.113,18.66.147.12,18.66.147.31,18.66.147.35,3.160.150.100,3.160.150.113,3.160.150.17,3.160.150.2,3.160.150.30,3.160.150.41,3.160.150.52,3.160.150.65,3.160.150.66,3.160.150.68,3.160.150.8,3.160.150.82,3.160.150.91,3.160.150.97,3.160.150.98,3.161.82.106,3.161.82.109,3.161.82.11,3.161.82.24,3.161.82.27,3.161.82.32,3.161.82.38,3.161.82.40,3.161.82.47,3.161.82.56,3.161.82.58,3.161.82.59,3.161.82.61,3.161.82.64,3.161.82.77,3.161.82.79,3.161.82.84,3.161.82.87,3.161.82.93,3.161.82.94,3.167.227.102,3.167.227.106,3.167.227.109,3.167.227.115,3.167.227.21,3.167.227.60,3.167.227.73,3.167.227.81,3.171.214.106,3.171.214.118,3.171.214.125,3.171.214.2,3.171.214.23,3.171.214.32,3.171.214.44,3.171.214.97,52.222.136.117,52.222.136.13,52.222.136.31,52.222.136.32,52.222.136.5,52.222.136.52,52.222.136.6,52.222.214.120,52.222.214.124,52.222.214.129,52.222.214.14,52.222.214.43,52.222.214.5,52.222.214.62,52.222.214.66,52.222.214.67,52.222.214.73,52.222.214.91,52.222.214.97,52.222.236.116,52.222.236.128,52.222.236.2,52.222.236.25,52.222.236.48,52.222.236.70,52.222.236.97,52.222.236.99,54.192.97.107,54.192.97.46,54.192.97.72,54.192.97.82,65.9.66.108,65.9.66.109,65.9.66.26,65.9.66.33,65.9.95.121,65.9.95.47,65.9.95.77,65.9.95.94,"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

432

findstr /l /c:",18.245.46.11,"

C:\Windows\System32\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

1

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

432

C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.15,108.138.26.27,108.138.26.31,108.138.26.4,108.138.26.42,108.138.26.44,108.138.26.51,108.138.26.56,108.138.26.57,108.138.26.58,108.138.26.70,108.138.26.72,108.138.26.79,108.138.26.86,108.138.26.99,108.138.7.117,108.138.7.118,108.138.7.2,108.138.7.32,108.138.7.47,108.138.7.50,108.138.7.8,108.138.7.97,13.32.121.102,13.32.121.107,13.32.121.18,13.32.121.2,13.32.121.24,13.32.121.34,13.32.121.40,13.32.121.43,13.32.121.55,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.113,13.32.27.125,13.32.27.128,13.32.27.16,13.32.27.24,13.32.27.30,13.32.27.36,13.32.27.45,13.32.27.75,13.32.27.9,13.32.27.95,13.32.99.120,13.32.99.124,13.32.99.56,13.32.99.6,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.10,13.33.187.101,13.33.187.108,13.33.187.113,13.33.187.120,13.33.187.13,13.33.187.28,13.33.187.42,13.33.187.5,13.33.187.56,13.33.187.57,13.33.187.67,13.33.187.74,13.33.187.75,13.33.187.97,13.35.58.104,13.35.58.106,13.35.58.21,13.35.58.49,143.204.215.111,143.204.215.16,143.204.215.2,143.204.215.27,143.204.215.31,143.204.215.40,143.204.215.46,143.204.215.59,143.204.215.65,143.204.215.66,143.204.215.74,143.204.215.90,143.204.98.10,143.204.98.103,143.204.98.104,143.204.98.105,143.204.98.113,143.204.98.125,143.204.98.128,143.204.98.31,143.204.98.32,143.204.98.46,143.204.98.96,18.244.18.102,18.244.18.129,18.244.18.46,18.244.18.81,18.245.31.103,18.245.31.112,18.245.31.113,18.245.31.115,18.245.31.121,18.245.31.123,18.245.31.129,18.245.31.16,18.245.31.18,18.245.31.2,18.245.31.23,18.245.31.32,18.245.31.44,18.245.31.48,18.245.31.49,18.245.31.51,18.245.31.55,18.245.31.74,18.245.31.78,18.245.31.79,18.245.31.85,18.245.31.92,18.245.31.94,18.245.31.96,18.245.46.11,18.245.46.112,18.245.46.114,18.245.46.117,18.245.46.121,18.245.46.129,18.245.46.54,18.245.46.66,18.245.60.100,18.245.60.109,18.245.60.16,18.245.60.4,18.245.60.62,18.245.60.68,18.245.60.84,18.245.60.93,18.66.102.104,18.66.102.19,18.66.102.27,18.66.102.35,18.66.102.71,18.66.102.75,"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

432

findstr /l /c:",52.222.214.73,"

C:\Windows\System32\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

1

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

472

findstr /l /c:",3.161.82.38,"

C:\Windows\System32\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

1

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

472

C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.15,108.138.26.27,108.138.26.31,108.138.26.4,108.138.26.42,108.138.26.44,108.138.26.51,108.138.26.56,108.138.26.57,108.138.26.58,108.138.26.70,108.138.26.72,108.138.26.79,108.138.26.86,108.138.26.99,108.138.7.117,108.138.7.118,108.138.7.2,108.138.7.32,108.138.7.47,108.138.7.50,108.138.7.8,108.138.7.97,13.32.121.102,13.32.121.107,13.32.121.18,13.32.121.2,13.32.121.24,13.32.121.34,13.32.121.40,13.32.121.43,13.32.121.55,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.113,13.32.27.125,13.32.27.128,13.32.27.16,13.32.27.24,13.32.27.30,13.32.27.36,13.32.27.45,13.32.27.75,13.32.27.9,13.32.27.95,13.32.99.120,13.32.99.124,13.32.99.56,13.32.99.6,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.10,13.33.187.101,13.33.187.108,13.33.187.113,13.33.187.120,13.33.187.13,13.33.187.28,13.33.187.42,13.33.187.5,13.33.187.56,13.33.187.57,13.33.187.67,13.33.187.74,13.33.187.75,13.33.187.97,13.35.58.104,13.35.58.106,13.35.58.21,13.35.58.49,143.204.215.111,143.204.215.16,143.204.215.2,143.204.215.27,143.204.215.31,143.204.215.40,143.204.215.46,143.204.215.59,143.204.215.65,143.204.215.66,143.204.215.74,143.204.215.90,143.204.98.10,143.204.98.103,143.204.98.104,143.204.98.105,143.204.98.113,143.204.98.125,143.204.98.128,143.204.98.31,143.204.98.32,143.204.98.46,143.204.98.96,18.244.18.102,18.244.18.129,18.244.18.46,18.244.18.81,18.245.31.103,18.245.31.112,18.245.31.113,18.245.31.115,18.245.31.121,18.245.31.123,18.245.31.129,18.245.31.16,18.245.31.18,18.245.31.2,18.245.31.23,18.245.31.32,18.245.31.44,18.245.31.48,18.245.31.49,18.245.31.51,18.245.31.55,18.245.31.74,18.245.31.78,18.245.31.79,18.245.31.85,18.245.31.92,18.245.31.94,18.245.31.96,18.245.46.11,18.245.46.112,18.245.46.114,18.245.46.117,18.245.46.121,18.245.46.129,18.245.46.54,18.245.46.66,18.245.60.100,18.245.60.109,18.245.60.16,18.245.60.4,18.245.60.62,18.245.60.68,18.245.60.84,18.245.60.93,18.66.102.104,18.66.102.19,18.66.102.27,18.66.102.35,18.66.102.71,18.66.102.75,18.66.102.84,18.66.112.114,18.66.112.126,18.66.112.3,18.66.112.55,18.66.112.69,18.66.112.7,18.66.112.78,18.66.122.104,18.66.122.12,18.66.122.122,18.66.122.31,18.66.122.49,18.66.122.73,18.66.122.92,18.66.147.113,18.66.147.12,18.66.147.31,18.66.147.35,3.160.150.100,3.160.150.113,3.160.150.17,3.160.150.2,3.160.150.30,3.160.150.41,3.160.150.52,3.160.150.65,3.160.150.66,3.160.150.68,3.160.150.8,3.160.150.82,3.160.150.91,3.160.150.97,3.160.150.98,3.161.82.106,3.161.82.109,3.161.82.11,3.161.82.24,3.161.82.27,3.161.82.32,3.161.82.38,3.161.82.40,3.161.82.47,3.161.82.56,3.161.82.58,3.161.82.59,3.161.82.61,3.161.82.64,3.161.82.77,3.161.82.79,3.161.82.84,3.161.82.87,3.161.82.93,3.161.82.94,3.167.227.102,3.167.227.106,3.167.227.109,3.167.227.115,3.167.227.21,3.167.227.60,3.167.227.73,3.167.227.81,"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

592

C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.15,108.138.26.27,108.138.26.31,108.138.26.4,108.138.26.42,108.138.26.44,108.138.26.51,108.138.26.56,108.138.26.57,108.138.26.58,108.138.26.70,108.138.26.72,108.138.26.79,108.138.26.86,108.138.26.99,108.138.7.117,108.138.7.118,108.138.7.2,108.138.7.32,108.138.7.47,108.138.7.50,108.138.7.8,108.138.7.97,13.32.121.102,13.32.121.107,13.32.121.18,13.32.121.2,13.32.121.24,13.32.121.34,13.32.121.40,13.32.121.43,13.32.121.55,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.113,13.32.27.125,13.32.27.128,13.32.27.16,13.32.27.24,13.32.27.30,13.32.27.36,13.32.27.45,13.32.27.75,13.32.27.9,13.32.27.95,13.32.99.120,13.32.99.124,13.32.99.56,13.32.99.6,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.10,13.33.187.101,13.33.187.108,13.33.187.113,13.33.187.120,13.33.187.13,13.33.187.28,13.33.187.42,13.33.187.5,13.33.187.56,13.33.187.57,13.33.187.67,13.33.187.74,13.33.187.75,13.33.187.97,13.35.58.104,13.35.58.106,13.35.58.21,13.35.58.49,143.204.215.111,143.204.215.16,143.204.215.2,143.204.215.27,143.204.215.31,143.204.215.40,143.204.215.46,143.204.215.59,143.204.215.65,143.204.215.66,143.204.215.74,143.204.215.90,143.204.98.10,143.204.98.103,143.204.98.104,143.204.98.105,143.204.98.113,143.204.98.125,143.204.98.128,143.204.98.31,143.204.98.32,143.204.98.46,143.204.98.96,18.244.18.102,18.244.18.129,18.244.18.46,18.244.18.81,18.245.31.103,18.245.31.112,18.245.31.113,18.245.31.115,18.245.31.121,18.245.31.123,18.245.31.129,18.245.31.16,18.245.31.18,18.245.31.2,18.245.31.23,18.245.31.32,18.245.31.44,18.245.31.48,18.245.31.49,18.245.31.51,18.245.31.55,18.245.31.74,18.245.31.78,18.245.31.79,18.245.31.85,18.245.31.92,18.245.31.94,18.245.31.96,18.245.46.11,18.245.46.112,18.245.46.114,18.245.46.117,18.245.46.121,18.245.46.129,18.245.46.54,18.245.46.66,18.245.60.100,18.245.60.109,18.245.60.16,18.245.60.4,18.245.60.62,18.245.60.68,18.245.60.84,18.245.60.93,18.66.102.104,18.66.102.19,"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

592

C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.15,108.138.26.27,108.138.26.31,108.138.26.4,108.138.26.42,108.138.26.44,108.138.26.51,108.138.26.56,108.138.26.57,108.138.26.58,108.138.26.70,108.138.26.72,108.138.26.79,108.138.26.86,108.138.26.99,108.138.7.117,108.138.7.118,108.138.7.2,108.138.7.32,108.138.7.47,108.138.7.50,108.138.7.8,108.138.7.97,13.32.121.102,13.32.121.107,13.32.121.18,13.32.121.2,13.32.121.24,13.32.121.34,13.32.121.40,13.32.121.43,13.32.121.55,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.113,13.32.27.125,13.32.27.128,13.32.27.16,13.32.27.24,13.32.27.30,13.32.27.36,13.32.27.45,13.32.27.75,13.32.27.9,13.32.27.95,13.32.99.120,13.32.99.124,13.32.99.56,13.32.99.6,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.10,13.33.187.101,13.33.187.108,13.33.187.113,13.33.187.120,13.33.187.13,13.33.187.28,13.33.187.42,13.33.187.5,13.33.187.56,13.33.187.57,13.33.187.67,13.33.187.74,13.33.187.75,13.33.187.97,13.35.58.104,13.35.58.106,13.35.58.21,13.35.58.49,143.204.215.111,143.204.215.16,143.204.215.2,143.204.215.27,143.204.215.31,143.204.215.40,143.204.215.46,143.204.215.59,143.204.215.65,143.204.215.66,143.204.215.74,143.204.215.90,143.204.98.10,143.204.98.103,143.204.98.104,143.204.98.105,143.204.98.113,143.204.98.125,143.204.98.128,143.204.98.31,143.204.98.32,143.204.98.46,143.204.98.96,18.244.18.102,18.244.18.129,18.244.18.46,18.244.18.81,18.245.31.103,18.245.31.112,18.245.31.113,18.245.31.115,18.245.31.121,18.245.31.123,18.245.31.129,18.245.31.16,18.245.31.18,18.245.31.2,18.245.31.23,18.245.31.32,18.245.31.44,18.245.31.48,18.245.31.49,18.245.31.51,18.245.31.55,18.245.31.74,18.245.31.78,18.245.31.79,18.245.31.85,18.245.31.92,18.245.31.94,18.245.31.96,18.245.46.11,18.245.46.112,18.245.46.114,18.245.46.117,18.245.46.121,18.245.46.129,18.245.46.54,18.245.46.66,18.245.60.100,18.245.60.109,18.245.60.16,18.245.60.4,18.245.60.62,18.245.60.68,18.245.60.84,18.245.60.93,18.66.102.104,18.66.102.19,18.66.102.27,18.66.102.35,18.66.102.71,18.66.102.75,18.66.102.84,18.66.112.114,18.66.112.126,18.66.112.3,18.66.112.55,18.66.112.69,18.66.112.7,18.66.112.78,18.66.122.104,18.66.122.12,18.66.122.122,18.66.122.31,18.66.122.49,18.66.122.73,18.66.122.92,18.66.147.113,18.66.147.12,18.66.147.31,"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

620

C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.15,108.138.26.27,108.138.26.31,108.138.26.4,108.138.26.42,108.138.26.44,108.138.26.51,108.138.26.56,108.138.26.57,108.138.26.58,108.138.26.70,108.138.26.72,108.138.26.79,108.138.26.86,108.138.26.99,108.138.7.117,108.138.7.118,108.138.7.2,108.138.7.32,108.138.7.47,108.138.7.50,108.138.7.8,108.138.7.97,13.32.121.102,13.32.121.107,13.32.121.18,13.32.121.2,13.32.121.24,13.32.121.34,13.32.121.40,13.32.121.43,13.32.121.55,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.113,13.32.27.125,13.32.27.128,13.32.27.16,13.32.27.24,13.32.27.30,13.32.27.36,13.32.27.45,13.32.27.75,13.32.27.9,13.32.27.95,13.32.99.120,13.32.99.124,13.32.99.56,13.32.99.6,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.10,13.33.187.101,13.33.187.108,13.33.187.113,13.33.187.120,13.33.187.13,13.33.187.28,13.33.187.42,13.33.187.5,13.33.187.56,"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

11 100

Read events

11 100

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

2

Suspicious files

2

Text files

7

Unknown types

0

Dropped files

PID	Process	Filename		Type
4676	setup.exe	C:\Users\admin\AppData\Local\Temp\Adobe Temp\wget.exe		executable
		MD5:B1F557BD6A97A95CFF5DBCC55BF6E9BB	SHA256:A6093F8F40F90AD576B0463FB352318416EA24265D3E8F43D4F7F3723F7E7F77
4676	setup.exe	C:\Users\admin\AppData\Local\Temp\Adobe Temp\pihole.txt		text
		MD5:427E165E573B16B949128195C42D4068	SHA256:53F9072A46472D1C34A7E4CA60472E42A8700578B82F5C71064222C4622175AE
4676	setup.exe	C:\Users\admin\AppData\Local\Temp\Adobe Temp\BlockIPs.cmd		text
		MD5:93EA3E33B0BFB145BD4F61B7BAA5BFF8	SHA256:E7A3AF9D8CF431AC154096742DB85FD98F17F0B8D884D29009C0B5DCEEE8BAEC
4676	setup.exe	C:\Users\admin\AppData\Local\Temp\Adobe Temp\dnsx.exe		executable
		MD5:47C028F041C83817250E3D49126A8C88	SHA256:9F7A353258017C04C5197379F5F5F6821E32712346C9AC4611313B2712805120
4676	setup.exe	C:\Users\admin\AppData\Local\Temp\Adobe Temp\iplist.txt		text
		MD5:828BFCA9C54502D5E37FBA5EC08D4DB7	SHA256:913A66F0BAC65D27FCE3AC0BCC513D282E55A13A02EA7CFD46FAA635F9BE47AF
3608	dnsx.exe	C:\Users\admin\AppData\Local\Temp\hm483432311\LOG		text
		MD5:0E0AEC416E31E8A2E933F07D3FD56D54	SHA256:623211E9509DE649C0C96A11B2BB0ADE0F9826A865B8BB4BF224482B470BDA38
3608	dnsx.exe	C:\Users\admin\AppData\Local\Temp\hm483432311\CURRENT.0		text
		MD5:6159AC332FBA78E3046D9F75EDB5E396	SHA256:179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76
5284	findstr.exe	C:\Users\admin\AppData\Local\Temp\Adobe Temp\hosts.txt		text
		MD5:E7BFD0CDF966BDACD980136C384017FC	SHA256:78D25EAEB9F09DBE8108E76A3A6236E757135368B8A94B080B5DAE2DEE6A5EE3
3608	dnsx.exe	C:\Users\admin\AppData\Local\Temp\hm483432311\CURRENT		text
		MD5:6159AC332FBA78E3046D9F75EDB5E396	SHA256:179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76
3608	dnsx.exe	C:\Users\admin\AppData\Local\Temp\hm483432311\MANIFEST-000000		binary
		MD5:CBA3CA9834B7BB57A118F54D112359DA	SHA256:135E8BB0B3D297C61E0B989D02D4445D9A16A7D4FFD1C66FCFF7B42E1BCC53AC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

5

TCP/UDP connections

24

DNS requests

2 312

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4168	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6896	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6896	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3964	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4116	wget.exe	104.21.96.1:443	a.dove.isdumb.one	CLOUDFLARENET	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2336	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4168	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4168	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	18.244.18.129 18.244.18.102 18.244.18.81 18.244.18.46 4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.184.206	whitelisted
2.100.168.192.in-addr.arpa	—	whitelisted
ic.adobe.io	—	whitelisted
a.dove.isdumb.one	104.21.96.1 104.21.16.1 104.21.112.1 104.21.64.1 104.21.80.1 104.21.48.1 104.21.32.1	unknown
00nllmoilmti.p5jr3.adobestats.io	52.222.214.67 52.222.214.120 52.222.214.97 52.222.214.14	unknown
107e9rfdvs.adobestats.io	108.138.26.44 108.138.26.79 108.138.26.31 108.138.26.58	unknown
1ab6xx65dy.adobestats.io	52.222.236.48 52.222.236.99 52.222.236.128 52.222.236.2	unknown
019n8v7a8f.adobestats.io	13.32.121.40 13.32.121.102 13.32.121.107 13.32.121.43	unknown
1rafqqfrls.4p4bv.adobestats.io	18.245.31.51 18.245.31.113 18.245.31.96 18.245.31.74	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

setup.exe

9CD083C3DF1499E4E873C7271E3EC7EC

1245AE6A0383FAAC28673F1B81A81F2C3CB74D9F

0A44FE811CA83E09075B9166C362979A705A08155E24D1981DD2A222693A53A3

98304:xCrX8IqXt40x4IYoXgzxGbryVfVYGC0q1lupnVEkHi8rSHrQ835NA1R0iObMX/Tg:XGfor6a

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Application launched itself

Reads the date of Windows installation

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Executing commands from ".cmd" file

Uses NETSH.EXE to delete a firewall rule or allowed programs

Runs PING.EXE to delay simulation

Using 'findstr.exe' to search for text patterns in files and output

Hides command output

Uses NSLOOKUP.EXE to check DNS info

The executable file from the user directory is run by the CMD process

There is functionality for taking screenshot (YARA)

Process uses IPCONFIG to clear DNS cache

Uses NETSH.EXE to add a firewall rule or allowed programs

INFO

Process checks computer location settings

Reads the computer name

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings