File name:

v1_Setup.exe

Full analysis: https://app.any.run/tasks/4b463341-7668-4465-98e5-16e5a153e560
Verdict: Malicious activity
Analysis date: May 15, 2025, 15:46:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

13E8D2FE3BDAEA0AC1F995521E7DB46A

SHA1:

311CC891AB92F65D2AEBDC1BEC5E624803A682C1

SHA256:

15B41D9D41412444CD5E2DD33D657509E84D2A5C6A260383ACB50695D1DDF2FD

SSDEEP:

98304:zjE0dmFObTi+xC2LiaUn99n2gbvQxBsbQWlQMZdQxsAaVz7kHkpabgsHllZPmxSq:e7saExOZgjd4ZTOSdCEqZKJDVebeua

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5436)

    • Create files in the Startup directory

      • cmd.exe (PID: 7456)

    • AutoIt loader has been detected (YARA)

      • Florence.com (PID: 1388)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • v1_Setup.exe (PID: 7524)
      • cmd.exe (PID: 7588)

    • The executable file from the user directory is run by the CMD process

      • Florence.com (PID: 1388)

    • Reads security settings of Internet Explorer

      • v1_Setup.exe (PID: 7524)

    • Executing commands from a ".bat" file

      • v1_Setup.exe (PID: 7524)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7588)

    • Get information on the list of running processes

      • cmd.exe (PID: 7588)

    • Application launched itself

      • cmd.exe (PID: 7588)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7588)
      • wscript.exe (PID: 7860)

    • Executable content was dropped or overwritten

      • Florence.com (PID: 1388)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7588)
      • wscript.exe (PID: 7860)

    • There is functionality for taking screenshot (YARA)

      • Florence.com (PID: 1388)
      • v1_Setup.exe (PID: 7524)

    • The process executes via Task Scheduler

      • wscript.exe (PID: 7860)

  • INFO

    • Reads the computer name

      • v1_Setup.exe (PID: 7524)
      • extrac32.exe (PID: 7960)
      • Florence.com (PID: 1388)

    • Checks supported languages

      • extrac32.exe (PID: 7960)
      • v1_Setup.exe (PID: 7524)
      • Florence.com (PID: 1388)

    • Create files in a temporary directory

      • v1_Setup.exe (PID: 7524)
      • extrac32.exe (PID: 7960)

    • Creates a new folder

      • cmd.exe (PID: 7908)

    • Reads mouse settings

      • Florence.com (PID: 1388)

    • Creates files or folders in the user directory

      • Florence.com (PID: 1388)

    • Manual execution by a user

      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 7456)
      • Taskmgr.exe (PID: 4892)
      • firefox.exe (PID: 7884)
      • Taskmgr.exe (PID: 6712)

    • The sample compiled with english language support

      • Florence.com (PID: 1388)

    • Application launched itself

      • firefox.exe (PID: 7884)
      • firefox.exe (PID: 7852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
171
Monitored processes
36
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start v1_setup.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs florence.com cmd.exe no specs conhost.exe no specs cmd.exe choice.exe no specs schtasks.exe no specs conhost.exe no specs slui.exe taskmgr.exe no specs taskmgr.exe rundll32.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs wscript.exe no specs medusascan.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1388Florence.com b C:\Users\admin\AppData\Local\Temp\378090\Florence.com
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\378090\florence.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
2616"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1904 -parentBuildID 20240213221259 -prefsHandle 1844 -prefMapHandle 1832 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ed4557d-6f36-419c-a5fd-4374eb8cd88e} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 17fce1ed710 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
3016"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -childID 6 -isForBrowser -prefsHandle 4964 -prefMapHandle 5116 -prefsLen 38270 -prefMapSize 244583 -jsInitHandle 1460 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3895b62-ef7c-4971-8375-7abedbaa4a69} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 17fd6c2d690 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
4228C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4336C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4688"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -childID 2 -isForBrowser -prefsHandle 4324 -prefMapHandle 4320 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1460 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29e29000-4d22-4441-aa00-1d09ce2b73eb} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 17fd552bd90 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
4692"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1460 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {058f8ecf-55da-46ce-87d3-b5d3b308372b} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 17fd8e5c310 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
4892"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
5072"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4900 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {077f704e-18bf-4caa-9c1f-62dd0ebe3ee1} 7852 "\\.\pipe\gecko-crash-server-pipe.7852" 17fd750bb10 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
15 804
Read events
15 792
Write events
11
Delete events
1

Modification events

(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:delete valueName:Preferences
Value:
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:writeName:Preferences
Value:
0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B00000034000000130300008C020000E80300000000000000000000000000000F000000010000000000000058AA043AF67F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AA043AF67F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AA043AF67F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AA043AF67F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AA043AF67F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000AB043AF67F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028AB043AF67F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050AB043AF67F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AA043AF67F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070AB043AF67F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088AB043AF67F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8AB043AF67F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8AB043AF67F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0AB043AF67F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010AC043AF67F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AA043AF67F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AA043AF67F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AA043AF67F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040AC043AF67F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068AC043AF67F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090AC043AF67F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8AC043AF67F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8AC043AF67F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8AC043AF67F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028AB043AF67F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AA043AF67F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020AD043AF67F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040AD043AF67F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068AD043AF67F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AA043AF67F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050AB043AF67F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AA043AF67F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070AB043AF67F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088AB043AF67F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8AB043AF67F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8AB043AF67F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AA043AF67F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088AD043AF67F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8AD043AF67F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0AD043AF67F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AE043AF67F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AE043AF67F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AE043AF67F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AE043AF67F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:writeName:CCleaner Smart Cleaning
Value:
03000000388271EEFD58DA01
(PID) Process:(6712) Taskmgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
Operation:writeName:SunJavaUpdateSched
Value:
030000006B0EA3ECFD58DA01
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
Operation:writeName:MedusaScan.url
Value:
020000000000000000000000
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
030000002B498EF9C8B7D801
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:writeName:OneDrive
Value:
03000000A31484EEAAD7D301
(PID) Process:(6712) Taskmgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:writeName:SoundMan
Value:
030000009F7A12EAC6B7D801
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
Operation:writeName:Send to OneNote.lnk
Value:
030000004443A9558E3CD901
(PID) Process:(6712) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:writeName:Skype for Desktop
Value:
03000000FD1CB01610C7D901
Executable files
2
Suspicious files
177
Text files
23
Unknown types
1

Dropped files

PID
Process
Filename
Type
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Notifications.cabbinary
MD5:38A27B0D6DAE6F0E689B627C05986A47
SHA256:7FC26D0F2FAFBB6D757DA3F3062ED68943247BAD561180222BDC1ADE4411739A
7960extrac32.exeC:\Users\admin\AppData\Local\Temp\Energybinary
MD5:F8057453B05F410322C49E4DC86F839F
SHA256:A4F88D22843F847FC8AF87FAF35ABE376E3A25F2CDD5EB880E60679128DA2E97
7960extrac32.exeC:\Users\admin\AppData\Local\Temp\Pharmaceuticalbinary
MD5:C00000EF6641651F6AFE8F65F961FC4B
SHA256:B168D8C8FBBA4BF8AA3DABCC5C5B4E330EB52BF7F3522C03F674AE2C46E7E020
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Obligation.cabtext
MD5:471264315F37B26F13ECC1CFB3DD6270
SHA256:87B4AB64B69976B9618C9AACFE746E9AF14FF70D437BEEF88A9556BD866F7CFE
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Feelings.cabcompressed
MD5:82CBC817725066A8196482217E903EEC
SHA256:1E09AEA02B17E72486D5FB0FC8B1F20616A10F1B9302335BE3EC1329E80AAE77
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Videos.cabbinary
MD5:C2897A59CED54A6F76962A19E63E9B3B
SHA256:2FA7CEEED0CD9B4412AA7AB8106258ED41BF9A535BB73A0C7C802A8FDB7B6F62
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Out.cabbinary
MD5:299863C7CCA73D2038937951EB08B94C
SHA256:902102AAEFF0A3C3693FA156F80CC1BED61964E275CC4A901BF1BA171005DADC
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Busy.cabbinary
MD5:15EBA16AF5A4AA7C7660D82C859231E8
SHA256:70771A60A87534C27B34EE35CB71545AB60869F8A98A239734A62E3B6873B6BC
7524v1_Setup.exeC:\Users\admin\AppData\Local\Temp\Healing.cabbinary
MD5:5C05D82250985BBC75D9152499E2D5A2
SHA256:40D2B6375091AB044562849B612F3538AEA4368E86038A92649766EDA5341F21
7960extrac32.exeC:\Users\admin\AppData\Local\Temp\Actsbinary
MD5:0485ED0AC16C994CB3BBD1490474F7C1
SHA256:0318656428F0D117CC6B93BE1FF8B59AFE0E35A7EA0C4A88CE3DFBC9D89F95E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
65
DNS requests
89
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1164
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1164
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7852
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
7852
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
7852
firefox.exe
POST
200
184.25.51.16:80
http://r11.o.lencr.org/
unknown
whitelisted
7852
firefox.exe
POST
184.25.51.16:80
http://r11.o.lencr.org/
unknown
whitelisted
7852
firefox.exe
POST
200
184.25.51.16:80
http://r11.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6480
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 142.250.186.46
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.169
  • 23.48.23.158
  • 23.48.23.164
  • 23.48.23.153
  • 23.48.23.146
  • 23.48.23.159
  • 23.48.23.141
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.4
  • 40.126.32.72
  • 20.190.160.132
  • 40.126.32.140
  • 20.190.160.3
  • 40.126.32.134
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
oIsyNkEjepZp.oIsyNkEjepZp
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
v1_Setup.exe