File name: Claude Setup.exe
Full analysis: https://app.any.run/tasks/531c8524-452f-4bfa-bd55-2ca06ded2b8a
Verdict: Malicious activity
Analysis date: March 30, 2026, 21:26:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: golang, anti-evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: B7827300C98A339B6C8FD7976115144A
SHA1: 9BD99B6BE3D790DAD9F901562ED4C34815618718
SHA256: 110856A9B88672D473452909A7A2B3746B68EFF4A88D19EF2A212EC6E2A66C61
SSDEEP: 98304:2PofJtT63xXattiXZwrBYF7LaOhvGrA5CsTTf/qTaofJ52K5ZSC3p:h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • Claude Setup.exe (PID: 7484)
      • claude.exe (PID: 6556)
    • Reads the date of Windows installation

      • Claude Setup.exe (PID: 7484)
    • The process checks if it is being run in the virtual environment

      • cowork-svc.exe (PID: 7836)
    • The process executes files with name similar to system file names

      • Claude Setup.exe (PID: 4260)
    • Executes as Windows Service

      • cowork-svc.exe (PID: 7836)
    • Reads settings of System Certificates

      • cowork-svc.exe (PID: 7836)
      • claude.exe (PID: 6556)
    • The process creates files with name similar to system file names

      • claude.exe (PID: 6556)
    • Executable content was dropped or overwritten

      • claude.exe (PID: 6556)
  • INFO

    • The sample was compiled with English language support

      • Claude Setup.exe (PID: 7484)
    • Reads the machine GUID from the registry

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
      • cowork-svc.exe (PID: 7836)
      • claude.exe (PID: 6556)
    • Reads Environment values

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
      • claude.exe (PID: 6556)
    • Reads the computer name

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
      • cowork-svc.exe (PID: 7836)
      • claude.exe (PID: 6556)
      • claude.exe (PID: 4324)
      • claude.exe (PID: 3112)
    • Checks supported languages

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
      • cowork-svc.exe (PID: 7836)
      • claude.exe (PID: 4324)
      • claude.exe (PID: 8020)
      • claude.exe (PID: 6556)
      • claude.exe (PID: 3112)
      • claude.exe (PID: 4680)
      • claude.exe (PID: 8052)
      • claude.exe (PID: 4944)
      • claude.exe (PID: 6684)
    • Creates files in a temporary directory

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
      • claude.exe (PID: 6556)
    • Reads security settings of Internet Explorer

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
    • Application based on Golang

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
    • Detects GO elliptic curve encryption (YARA)

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
    • There is functionality for taking screenshot (YARA)

      • Claude Setup.exe (PID: 7484)
      • Claude Setup.exe (PID: 4260)
    • Creates files or folders in the user directory

      • Claude Setup.exe (PID: 4260)
      • claude.exe (PID: 6556)
      • claude.exe (PID: 8020)
      • claude.exe (PID: 3112)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • Claude Setup.exe (PID: 4260)
    • Manual execution by a user

      • claude.exe (PID: 6556)
    • Reads product name

      • claude.exe (PID: 6556)
    • Reads CPU info

      • claude.exe (PID: 6556)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 3109376
InitializedDataSize: 368128
UninitializedDataSize: -
EntryPoint: 0x77b60
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Anthropic, PBC
FileDescription: Claude Setup
FileVersion: 1.0.0.0
InternalName: ClaudeSetup
LegalCopyright: 2025 Anthropic PBC
OriginalFileName: ClaudeSetup.exe
ProductName: Claude
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 13
Malicious processes: 0
Suspicious processes: 4

Behavior graph

Processes in the graph: start, claude setup.exe, claude setup.exe, cowork-svc.exe, explorer.exe (no specs), explorer.exe (no specs), claude.exe, claude.exe (no specs), claude.exe (no specs), claude.exe, claude.exe (no specs), claude.exe (no specs), claude.exe (no specs), claude.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1980
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 3112
CMD: "C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\Claude.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Claude" --standard-schemes=operon-artifact,cowork-artifact,app --secure-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --bypasscsp-schemes=operon-artifact,sentry-ipc --cors-schemes=app,sentry-ipc --fetch-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --streaming-schemes=operon-artifact --field-trial-handle=1948,i,919923089779520837,16676280808607415666,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2000 /prefetch:3
Path: C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: claude.exe
User: admin
Company: Anthropic
Integrity Level: MEDIUM
Description: Claude
Version: 1.1.9493
Modules
Images
c:\program files\windowsapps\claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
PID: 4260
CMD: "C:\Users\admin\AppData\Local\Temp\Claude Setup.exe" --elevated --msix-path "C:\Users\admin\AppData\Local\Temp\Claude-217372536.msix" --log-path "C:\Users\admin\AppData\Local\Temp\ClaudeSetup.log"
Path: C:\Users\admin\AppData\Local\Temp\Claude Setup.exe
Parent process: Claude Setup.exe
User: admin
Company: Anthropic, PBC
Integrity Level: HIGH
Description: Claude Setup
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\claude setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 4324
CMD: "C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\Claude.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Claude" --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,919923089779520837,16676280808607415666,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=1940 /prefetch:2
Path: C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: claude.exe
User: admin
Company: Anthropic
Integrity Level: LOW
Description: Claude
Version: 1.1.9493
Modules
Images
c:\program files\windowsapps\claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
PID: 4680
CMD: "C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\Claude.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Claude" --standard-schemes=operon-artifact,cowork-artifact,app --secure-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --bypasscsp-schemes=operon-artifact,sentry-ipc --cors-schemes=app,sentry-ipc --fetch-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --streaming-schemes=operon-artifact --app-path="C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\resources\app.asar" --enable-sandbox --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1774905062597785 --launch-time-ticks=940997218 --field-trial-handle=1948,i,919923089779520837,16676280808607415666,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2816 /prefetch:1
Path: C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: claude.exe
User: admin
Company: Anthropic
Integrity Level: LOW
Description: Claude
Version: 1.1.9493
Modules
Images
c:\program files\windowsapps\claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
PID: 4944
CMD: "C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\Claude.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Claude" --standard-schemes=operon-artifact,cowork-artifact,app --secure-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --bypasscsp-schemes=operon-artifact,sentry-ipc --cors-schemes=app,sentry-ipc --fetch-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --streaming-schemes=operon-artifact --app-path="C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\resources\app.asar" --enable-sandbox --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1774905062597785 --launch-time-ticks=941022798 --field-trial-handle=1948,i,919923089779520837,16676280808607415666,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3080 --desktop-features="{\"nativeQuickEntry\":{\"status\":\"unavailable\"},\"quickEntryDictation\":{\"status\":\"unavailable\"},\"customQuickEntryDictationShortcut\":{\"status\":\"supported\"},\"plushRaccoon\":{\"status\":\"unavailable\"},\"quietPenguin\":{\"status\":\"unavailable\"},\"chillingSlothFeat\":{\"status\":\"unavailable\"},\"chillingSlothEnterprise\":{\"status\":\"supported\"},\"chillingSlothLocal\":{\"status\":\"supported\"},\"yukonSilver\":{\"status\":\"unsupported\",\"reason\":\"Missing HCS services: HNS, vmcompute\",\"unsupportedCode\":\"hcs_not_available\"},\"yukonSilverGems\":{\"status\":\"unsupported\",\"reason\":\"Missing HCS services: HNS, vmcompute\",\"unsupportedCode\":\"hcs_not_available\"},\"yukonSilverGemsCache\":{\"status\":\"unsupported\",\"reason\":\"Missing HCS services: HNS, vmcompute\",\"unsupportedCode\":\"hcs_not_available\"},\"wakeScheduler\":{\"status\":\"unavailable\"},\"operon\":{\"status\":\"unavailable\"},\"desktopTopBar\":{\"status\":\"supported\"},\"ccdPlugins\":{\"status\":\"supported\"},\"floatingAtoll\":{\"status\":\"unavailable\"}}" /prefetch:1
Path: C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: claude.exe
User: admin
Company: Anthropic
Integrity Level: LOW
Description: Claude
Exit code: 0
Version: 1.1.9493
Modules
Images
c:\program files\windowsapps\claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
PID: 5708
CMD: explorer.exe shell:AppsFolder\Claude_pzs8sxrjxfjjc!Claude
Path: C:\Windows\explorer.exe
Parent process: Claude Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Explorer
Exit code: 1
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 6556
CMD: "C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\Claude.exe"
Path: C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: explorer.exe
User: admin
Company: Anthropic
Integrity Level: MEDIUM
Description: Claude
Version: 1.1.9493
Modules
Images
c:\program files\windowsapps\claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\winspool.drv
PID: 6684
CMD: "C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\Claude.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Claude" --standard-schemes=operon-artifact,cowork-artifact,app --secure-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --bypasscsp-schemes=operon-artifact,sentry-ipc --cors-schemes=app,sentry-ipc --fetch-schemes=operon-artifact,cowork-artifact,app,sentry-ipc --streaming-schemes=operon-artifact --app-path="C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\resources\app.asar" --enable-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1774905062597785 --launch-time-ticks=941326647 --field-trial-handle=1948,i,919923089779520837,16676280808607415666,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708992871164437 --mojo-platform-channel-handle=3700 --desktop-features="{\"nativeQuickEntry\":{\"status\":\"unavailable\"},\"quickEntryDictation\":{\"status\":\"unavailable\"},\"customQuickEntryDictationShortcut\":{\"status\":\"supported\"},\"plushRaccoon\":{\"status\":\"unavailable\"},\"quietPenguin\":{\"status\":\"unavailable\"},\"chillingSlothFeat\":{\"status\":\"unavailable\"},\"chillingSlothEnterprise\":{\"status\":\"supported\"},\"chillingSlothLocal\":{\"status\":\"supported\"},\"yukonSilver\":{\"status\":\"unsupported\",\"reason\":\"Missing HCS services: HNS, vmcompute\",\"unsupportedCode\":\"hcs_not_available\"},\"yukonSilverGems\":{\"status\":\"unsupported\",\"reason\":\"Missing HCS services: HNS, vmcompute\",\"unsupportedCode\":\"hcs_not_available\"},\"yukonSilverGemsCache\":{\"status\":\"unsupported\",\"reason\":\"Missing HCS services: HNS, vmcompute\",\"unsupportedCode\":\"hcs_not_available\"},\"wakeScheduler\":{\"status\":\"unavailable\"},\"operon\":{\"status\":\"unavailable\"},\"desktopTopBar\":{\"status\":\"supported\"},\"ccdPlugins\":{\"status\":\"supported\"},\"floatingAtoll\":{\"status\":\"unavailable\"}}" /prefetch:1
Path: C:\Program Files\WindowsApps\Claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: claude.exe
User: admin
Company: Anthropic
Integrity Level: LOW
Description: Claude
Version: 1.1.9493
Modules
Images
c:\program files\windowsapps\claude_1.1.9493.0_x64__pzs8sxrjxfjjc\app\claude.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
PID: 7484
CMD: "C:\Users\admin\AppData\Local\Temp\Claude Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Claude Setup.exe
Parent process: explorer.exe
User: admin
Company: Anthropic, PBC
Integrity Level: MEDIUM
Description: Claude Setup
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\claude setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
Total events: 14 512
Read events: 14 488
Write events: 6
Delete events: 18

Modification events

(PID) Process: (7836) cowork-svc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\CoworkVMService
Operation: write
Name: CustomSource
Value: 1

(PID) Process: (7836) cowork-svc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\CoworkVMService
Operation: write
Name: EventMessageFile
Value: %SystemRoot%\System32\EventCreate.exe

(PID) Process: (7836) cowork-svc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\CoworkVMService
Operation: write
Name: TypesSupported
Value: 7

(PID) Process: (1980) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (1980) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {A9249952-F4C6-4BCD-9B44-6A5BA9B5209E} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
Value: 0100000000000000D28A47E68BC0DC01

(PID) Process: (6556) claude.exe
Key: HKEY_CLASSES_ROOT\claude
Operation: write
Name: URL Protocol
Value:

(PID) Process: (6556) claude.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: en-US
Value:

(PID) Process: (6556) claude.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: en
Value:

(PID) Process: (6556) claude.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: _Global_
Value:
Executable files: 1
Suspicious files: 102
Text files: 52
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7484 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\Claude-217372536.msix.downloading | -
MD5:
SHA256:
7484 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\Claude-217372536.msix | -
MD5:
SHA256:
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.syqjgqb72mx_z66gadhd19fbh.tmp | binary
MD5: A7F16D81B324C81FF6088B692733937F
SHA256: C733B207DBA7FA8C4E1546AC50D11A3B5C6F7E0C3D347C6FBB32992BBF8826CD
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.1b7sakmwldex3dgkcwq97bwpg.tmp | xml
MD5: 0B74576307D2E1424339D9EB5BFF71A9
SHA256: AA32F6447E43AD72AC691D2F5DE03142BDAF83DC4EF56068E26A9C861E94DE3A
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.bdywtjm56y_4dpbqr24j9t3ed.tmp | xml
MD5: 6D3EEE9F3B3397CBBAF4F685EB0B2D70
SHA256: 8AFFCA0AA01C685645B0C437A6234729D0DCD8F2A87E945E0465AEFF060DF7C8
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.5uczg8xwr6i0v7h_l9tw1n4kb.tmp | binary
MD5: A7F16D81B324C81FF6088B692733937F
SHA256: C733B207DBA7FA8C4E1546AC50D11A3B5C6F7E0C3D347C6FBB32992BBF8826CD
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.b18xis730ppvugnk84zbn4e8f.tmp | xml
MD5: 6D3EEE9F3B3397CBBAF4F685EB0B2D70
SHA256: 8AFFCA0AA01C685645B0C437A6234729D0DCD8F2A87E945E0465AEFF060DF7C8
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.kr4u1daqo3od4irqqyqerme0b.tmp | binary
MD5: A7F16D81B324C81FF6088B692733937F
SHA256: C733B207DBA7FA8C4E1546AC50D11A3B5C6F7E0C3D347C6FBB32992BBF8826CD
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.5kqax6ksdjig3dvcac_92dqye.tmp | xml
MD5: 6D3EEE9F3B3397CBBAF4F685EB0B2D70
SHA256: 8AFFCA0AA01C685645B0C437A6234729D0DCD8F2A87E945E0465AEFF060DF7C8
4260 | Claude Setup.exe | C:\Users\admin\AppData\Local\Temp\APPX.lhgdlyr8cynn9aommgf2e05qb.tmp | xml
MD5: 0B74576307D2E1424339D9EB5BFF71A9
SHA256: AA32F6447E43AD72AC691D2F5DE03142BDAF83DC4EF56068E26A9C861E94DE3A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 48
DNS requests: 35
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
3320 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
3320 | SIHClient.exe | GET | 200 | 135.232.92.97:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
3320 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
3320 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
680 | svchost.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted
- | - | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | NL | binary | 313 b | whitelisted
5316 | svchost.exe | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted
- | - | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 959 b | whitelisted
680 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
680 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
5276 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 92.123.104.53:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 23.11.41.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 128.24.231.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
7484 | Claude Setup.exe | 160.79.104.10:443 | api.anthropic.com | ANTHROPIC | US | whitelisted
7484 | Claude Setup.exe | 35.190.46.17:443 | downloads.claude.ai | GOOGLE-CLOUD-PLATFORM | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
www.bing.com
  • 92.123.104.53
  • 92.123.104.52
  • 92.123.104.61
  • 92.123.104.51
  • 92.123.104.50
  • 92.123.104.64
  • 92.123.104.59
  • 92.123.104.63
  • 92.123.104.58
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.64
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 192.178.183.138
  • 192.178.183.101
  • 192.178.183.113
  • 192.178.183.102
  • 192.178.183.139
  • 192.178.183.100
whitelisted
api.anthropic.com
  • 160.79.104.10
whitelisted
downloads.claude.ai
  • 35.190.46.17
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.4
  • 20.190.159.0
  • 40.126.31.0
  • 40.126.31.3
  • 20.190.159.64
  • 20.190.159.131
  • 20.190.159.2
whitelisted

Threats

PID | Process | Class | Message
5276 | MoUsoCoreWorker.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info