File name: v1_Setup.exe

Full analysis: https://app.any.run/tasks/84ab5c35-c87d-420f-abe2-52fe469b884e
Verdict: Malicious activity
Analysis date: May 15, 2025, 15:32:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
auto-startup
auto-sch
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 13E8D2FE3BDAEA0AC1F995521E7DB46A
SHA1: 311CC891AB92F65D2AEBDC1BEC5E624803A682C1
SHA256: 15B41D9D41412444CD5E2DD33D657509E84D2A5C6A260383ACB50695D1DDF2FD
SSDEEP: 98304:zjE0dmFObTi+xC2LiaUn99n2gbvQxBsbQWlQMZdQxsAaVz7kHkpabgsHllZPmxSq:e7saExOZgjd4ZTOSdCEqZKJDVebeua

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6372)
    • Create files in the Startup directory

      • cmd.exe (PID: 6272)
    • AutoIt loader has been detected (YARA)

      • Florence.com (PID: 5556)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • v1_Setup.exe (PID: 5596)
    • Starts CMD.EXE for commands execution

      • v1_Setup.exe (PID: 5596)
      • cmd.exe (PID: 5528)
    • Reads security settings of Internet Explorer

      • v1_Setup.exe (PID: 5596)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5528)
    • Get information on the list of running processes

      • cmd.exe (PID: 5528)
    • Application launched itself

      • cmd.exe (PID: 5528)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5528)
    • Executable content was dropped or overwritten

      • Florence.com (PID: 5556)
    • There is functionality for taking screenshot (YARA)

      • v1_Setup.exe (PID: 5596)
      • Florence.com (PID: 5556)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 5528)
    • The executable file from the user directory is run by the CMD process

      • Florence.com (PID: 5556)
  • INFO

    • Reads the computer name

      • v1_Setup.exe (PID: 5596)
      • extrac32.exe (PID: 1056)
      • Florence.com (PID: 5556)
    • Checks supported languages

      • v1_Setup.exe (PID: 5596)
      • extrac32.exe (PID: 1056)
      • Florence.com (PID: 5556)
    • Process checks computer location settings

      • v1_Setup.exe (PID: 5596)
    • Creates a new folder

      • cmd.exe (PID: 1164)
    • Creates files or folders in the user directory

      • Florence.com (PID: 5556)
    • The sample compiled with english language support

      • Florence.com (PID: 5556)
    • Manual execution by a user

      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 6372)
    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 6372)
    • Auto-launch of the file from Startup directory

      • cmd.exe (PID: 6272)
    • Create files in a temporary directory

      • extrac32.exe (PID: 1056)
    • Reads mouse settings

      • Florence.com (PID: 5556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
150
Monitored processes
20
Malicious processes
3
Suspicious processes
1

Behavior graph

Process launch order (ANY.RUN marks processes without recorded indicators as "no specs"): v1_setup.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), extrac32.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), florence.com, choice.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe, conhost.exe (no specs), schtasks.exe (no specs), slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1056
CMD:
extrac32 /Y /E Feelings.cab
Path:
C:\Windows\SysWOW64\extrac32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1164
CMD:
cmd /c md 378090
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1300
CMD:
cmd /c copy /b 378090\Florence.com + Accuracy + Dvds + Acts + Everything + Rebecca + Mega + Borders + Pharmaceutical + Frozen + Corruption + Energy 378090\Florence.com
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2096
CMD:
cmd /c copy /b ..\Notifications.cab + ..\Paths.cab + ..\Videos.cab + ..\Busy.cab + ..\Healing.cab + ..\Out.cab + ..\Picture.cab + ..\Senator.cab b
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2516
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2552
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4756
CMD:
schtasks.exe /create /tn "Bat" /tr "wscript //B 'C:\Users\admin\AppData\Local\RapidScan Tech\MedusaScan.js'" /sc minute /mo 5 /F
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5216
CMD:
findstr /I "opssvc wrsa"
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5404
CMD:
findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5512
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 240
Read events
1 240
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
22
Text files
5
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 5596
Process: v1_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Busy.cab
Type: binary
MD5: 15EBA16AF5A4AA7C7660D82C859231E8
SHA256: 70771A60A87534C27B34EE35CB71545AB60869F8A98A239734A62E3B6873B6BC
PID: 5596
Process: v1_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Picture.cab
Type: binary
MD5: FF4D079B19E7CE677FEFF2A7B6C46CCA
SHA256: 4E6630DF6761C7596B589B5BB640C18E237B7DFCB07CDFB21A43A4A2B5935646
PID: 5596
Process: v1_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Videos.cab
Type: binary
MD5: C2897A59CED54A6F76962A19E63E9B3B
SHA256: 2FA7CEEED0CD9B4412AA7AB8106258ED41BF9A535BB73A0C7C802A8FDB7B6F62
PID: 5596
Process: v1_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Obligation.cab
Type: text
MD5: 471264315F37B26F13ECC1CFB3DD6270
SHA256: 87B4AB64B69976B9618C9AACFE746E9AF14FF70D437BEEF88A9556BD866F7CFE
PID: 5596
Process: v1_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Out.cab
Type: binary
MD5: 299863C7CCA73D2038937951EB08B94C
SHA256: 902102AAEFF0A3C3693FA156F80CC1BED61964E275CC4A901BF1BA171005DADC
PID: 1056
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Acts
Type: binary
MD5: 0485ED0AC16C994CB3BBD1490474F7C1
SHA256: 0318656428F0D117CC6B93BE1FF8B59AFE0E35A7EA0C4A88CE3DFBC9D89F95E0
PID: 5528
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\Obligation.cab.bat
Type: text
MD5: 471264315F37B26F13ECC1CFB3DD6270
SHA256: 87B4AB64B69976B9618C9AACFE746E9AF14FF70D437BEEF88A9556BD866F7CFE
PID: 1056
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Accuracy
Type: binary
MD5: 02F3A0354494198C8EC30C2F1A1D0524
SHA256: AC17350856EB10B2F22FBA9EF28BBED16B4324967C40E7C647A9FFF583516DF0
PID: 1056
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Pharmaceutical
Type: binary
MD5: C00000EF6641651F6AFE8F65F961FC4B
SHA256: B168D8C8FBBA4BF8AA3DABCC5C5B4E330EB52BF7F3522C03F674AE2C46E7E020
PID: 1056
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rebecca
Type: binary
MD5: C1BA2C7A8AD4C99A68F554532B59ED5E
SHA256: 3C3D72FB58BAF41F310233AD564AB604B5D5C20C9921D21C689DB7BCF3B25049
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
26
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.146:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1164
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1164
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.146:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1164
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.146
  • 23.48.23.193
  • 23.48.23.145
  • 23.48.23.188
  • 23.48.23.156
  • 23.48.23.141
  • 23.48.23.155
  • 23.48.23.153
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
oIsyNkEjepZp.oIsyNkEjepZp
unknown
login.live.com
  • 20.190.160.67
  • 20.190.160.130
  • 20.190.160.66
  • 40.126.32.68
  • 20.190.160.128
  • 20.190.160.5
  • 20.190.160.17
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.111.227.11
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info