File name:

installer.exe

Full analysis: https://app.any.run/tasks/1264e365-62f0-406e-8308-4c461b579b28
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 02:26:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
sality
sainbox
rat
auto-reg
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

51E9B821CE8513D70C7D3B6D73E291F9

SHA1:

8AF8994821265C2AB4187F579342B5C3D29625C3

SHA256:

1AB6A9B905919DA22FA5AD75F331B78D2FEEFFE07D011AE2C339EE6EAF37E896

SSDEEP:

24576:FUxFiNMHDfdcdHdEIdcEMHDfdcdHdEIdc:FUxFiNMHDfdcdHdEIdMHDfdcdHdEI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • INSTALIER.EXE (PID: 7868)

    • Changes the autorun value in the registry

      • INSTALIER.EXE (PID: 7868)
      • operagxtmp.exe (PID: 7188)
      • operagxtmp.exe (PID: 7504)

    • UAC/LUA settings modification

      • nQWoipI.exe (PID: 8056)

    • Disables Windows firewall

      • nQWoipI.exe (PID: 8056)

    • SALITY mutex has been found

      • nQWoipI.exe (PID: 8056)
      • aHjbdDt.exe (PID: 8096)
      • hkhXZtt.exe (PID: 8072)
      • INSTALLER.EXE (PID: 7876)
      • INSTALIER.EXE (PID: 7868)
      • FileCoAuth.exe (PID: 5964)
      • operagxtmp.exe (PID: 7188)
      • ielowutil.exe (PID: 644)

    • Changes firewall settings

      • nQWoipI.exe (PID: 8056)

    • SAINBOX has been detected

      • nQWoipI.exe (PID: 8056)

    • Changes Security Center notification settings

      • nQWoipI.exe (PID: 8056)

    • Runs injected code in another process

      • nQWoipI.exe (PID: 8056)

    • Application was injected by another process

      • FileCoAuth.exe (PID: 5964)

    • Scans artifacts that could help determine the target

      • dw20.exe (PID: 960)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • installer.exe (PID: 7716)
      • INSTALLER.EXE (PID: 7876)
      • INSTALLER.EXE (PID: 7988)
      • hkhXZtt.exe (PID: 8072)
      • nQWoipI.exe (PID: 8056)
      • ShellExperienceHost.exe (PID: 6068)
      • INSTALLER.EXE (PID: 7948)

    • Executable content was dropped or overwritten

      • installer.exe (PID: 7716)
      • INSTALLER.EXE (PID: 7988)
      • INSTALIER.EXE (PID: 7868)
      • INSTALLER.EXE (PID: 7876)
      • INSTALLER.EXE (PID: 7948)
      • nQWoipI.exe (PID: 8056)

    • Reads the date of Windows installation

      • INSTALLER.EXE (PID: 7988)
      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)

    • Connects to unusual port

      • INSTALIER.EXE (PID: 7868)
      • operagxtmp.exe (PID: 7188)
      • operagxtmp.exe (PID: 7504)

    • Creates file in the systems drive root

      • iexplore.exe (PID: 7676)
      • iexplore.exe (PID: 2432)
      • nQWoipI.exe (PID: 8056)
      • hkhXZtt.exe (PID: 8072)
      • iexplore.exe (PID: 7380)

    • Process drops legitimate windows executable

      • nQWoipI.exe (PID: 8056)

  • INFO

    • Reads the computer name

      • installer.exe (PID: 7716)
      • INSTALLER.EXE (PID: 7876)
      • INSTALLER.EXE (PID: 7988)
      • INSTALIER.EXE (PID: 7868)
      • dw20.exe (PID: 7360)
      • hkhXZtt.exe (PID: 8072)
      • nQWoipI.exe (PID: 8056)
      • ShellExperienceHost.exe (PID: 6068)
      • operagxtmp.exe (PID: 7188)
      • ielowutil.exe (PID: 644)
      • operagxtmp.exe (PID: 7504)
      • INSTALLER.EXE (PID: 7948)
      • INSTALLER.EXE (PID: 2384)
      • dw20.exe (PID: 960)

    • Checks supported languages

      • installer.exe (PID: 7716)
      • INSTALIER.EXE (PID: 7868)
      • INSTALLER.EXE (PID: 7876)
      • INSTALLER.EXE (PID: 7988)
      • hkhXZtt.exe (PID: 8072)
      • nQWoipI.exe (PID: 8056)
      • dw20.exe (PID: 7360)
      • aHjbdDt.exe (PID: 8096)
      • ShellExperienceHost.exe (PID: 6068)
      • operagxtmp.exe (PID: 7188)
      • ielowutil.exe (PID: 644)
      • operagxtmp.exe (PID: 7504)
      • INSTALLER.EXE (PID: 7948)
      • INSTALLER.EXE (PID: 2384)
      • dw20.exe (PID: 960)

    • Creates files in the program directory

      • installer.exe (PID: 7716)
      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)

    • Process checks computer location settings

      • installer.exe (PID: 7716)
      • INSTALLER.EXE (PID: 7876)
      • INSTALLER.EXE (PID: 7988)
      • dw20.exe (PID: 7360)
      • INSTALLER.EXE (PID: 7948)
      • dw20.exe (PID: 960)

    • Reads the machine GUID from the registry

      • INSTALIER.EXE (PID: 7868)
      • INSTALLER.EXE (PID: 7876)
      • dw20.exe (PID: 7360)
      • operagxtmp.exe (PID: 7188)
      • operagxtmp.exe (PID: 7504)
      • dw20.exe (PID: 960)

    • Create files in a temporary directory

      • INSTALIER.EXE (PID: 7868)
      • INSTALLER.EXE (PID: 7876)
      • INSTALLER.EXE (PID: 7948)
      • nQWoipI.exe (PID: 8056)

    • Auto-launch of the file from Registry key

      • INSTALIER.EXE (PID: 7868)
      • operagxtmp.exe (PID: 7188)
      • operagxtmp.exe (PID: 7504)

    • Auto-launch of the file from Startup directory

      • INSTALIER.EXE (PID: 7868)

    • Creates files or folders in the user directory

      • INSTALLER.EXE (PID: 7876)
      • INSTALIER.EXE (PID: 7868)
      • INSTALLER.EXE (PID: 7948)

    • Reads product name

      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)

    • Checks proxy server information

      • hkhXZtt.exe (PID: 8072)
      • nQWoipI.exe (PID: 8056)
      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)
      • slui.exe (PID: 7756)

    • Reads the software policy settings

      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)
      • slui.exe (PID: 7756)

    • Reads CPU info

      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)

    • Manual execution by a user

      • operagxtmp.exe (PID: 7188)
      • operagxtmp.exe (PID: 7504)
      • INSTALLER.EXE (PID: 7948)

    • Reads Environment values

      • dw20.exe (PID: 7360)
      • dw20.exe (PID: 960)

    • The sample compiled with english language support

      • nQWoipI.exe (PID: 8056)

    • UPX packer has been detected

      • hkhXZtt.exe (PID: 8072)
      • nQWoipI.exe (PID: 8056)

    • Local mutex for internet shortcut management

      • iexplore.exe (PID: 7472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:07:03 09:05:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 31232
InitializedDataSize: 901632
UninitializedDataSize: -
EntryPoint: 0x3248
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
23
Malicious processes
11
Suspicious processes
2

Behavior graph

Click at the process to see the details
start installer.exe #SALITY instalier.exe #SALITY installer.exe installer.exe #SALITY nqwoipi.exe #SALITY hkhxztt.exe no specs #SALITY ahjbddt.exe dw20.exe shellexperiencehost.exe no specs #SALITY operagxtmp.exe #SALITY ielowutil.exe no specs iexplore.exe operagxtmp.exe iexplore.exe iexplore.exe installer.exe installer.exe no specs dw20.exe #SALITY filecoauth.exe iexplore.exe iexplore.exe slui.exe installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
644"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -EmbeddingC:\Program Files (x86)\Internet Explorer\ielowutil.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Low-Mic Utility Tool
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\ielowutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
960dw20.exe -x -s 1564C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
INSTALLER.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2384"C:\Users\admin\AppData\Local\Temp\INSTALLER.EXE" C:\Users\admin\AppData\Local\Temp\INSTALLER.EXEINSTALLER.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2432"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5956 CREDAT:82948 /prefetch:2C:\Program Files (x86)\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5956"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5964C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
6068"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
7188"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\operagxtmp.exe"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\operagxtmp.exe
explorer.exe
User:
admin
Company:
TP Loader
Integrity Level:
MEDIUM
Description:
TP Loader
Version:
1.1.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\operagxtmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7360dw20.exe -x -s 852C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
aHjbdDt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7380"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7472 CREDAT:17410 /prefetch:2C:\Program Files (x86)\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
32 995
Read events
32 747
Write events
234
Delete events
14

Modification events

(PID) Process:(7868) INSTALIER.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:b594996374aa09b5869f6b97a8c7d974
Value:
C:\Users\admin\AppData\Local\Temp\Microsoft\operagxtmp.exe
(PID) Process:(7876) INSTALLER.EXEKey:HKEY_CURRENT_USER\SOFTWARE\ShortCutInfection
Operation:writeName:BlacHacker
Value:
True
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\ahjbddt.exe|528d8577768e6c9d
Operation:writeName:ProgramId
Value:
0006539b3c71cf29ce3a8a6e6230554dfd3f00000000
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\ahjbddt.exe|528d8577768e6c9d
Operation:writeName:FileId
Value:
0000d139feb95ef22f87a200fe11c398d1646f0b5d8e
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\ahjbddt.exe|528d8577768e6c9d
Operation:writeName:LowerCaseLongPath
Value:
c:\users\admin\music\ahjbddt.exe
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\ahjbddt.exe|528d8577768e6c9d
Operation:writeName:LongPathHash
Value:
ahjbddt.exe|528d8577768e6c9d
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\ahjbddt.exe|528d8577768e6c9d
Operation:writeName:Name
Value:
aHjbdDt.exe
(PID) Process:(7360) dw20.exeKey:\REGISTRY\A\{af36093d-09d6-22c7-64ec-96eb5a1a5f0f}\Root\InventoryApplicationFile\ahjbddt.exe|528d8577768e6c9d
Operation:writeName:OriginalFileName
Value:
windowsapplication35.exe
Executable files
66
Suspicious files
18
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7716installer.exeC:\Program Files (x86)\INSTALIER.EXEexecutable
MD5:CEF6BF659392F13CA555FE6638C8739D
SHA256:25457401F68B259D826D936D31B24AFAEC3B29CFE65ECF2726226E8E9E442467
7868INSTALIER.EXEC:\Users\admin\AppData\Local\Temp\Microsoft\operagxtmp.exeexecutable
MD5:CEF6BF659392F13CA555FE6638C8739D
SHA256:25457401F68B259D826D936D31B24AFAEC3B29CFE65ECF2726226E8E9E442467
7716installer.exeC:\Program Files (x86)\INSTALLER.EXEexecutable
MD5:D901F276E1E0FE142619D3225212A34B
SHA256:70680CD71138F4D171543FDDD70CE1D3889471048A14AC5A4E53A58521EFD1E2
7876INSTALLER.EXEC:\Users\admin\Downloads\INSTALLER.EXEexecutable
MD5:D901F276E1E0FE142619D3225212A34B
SHA256:70680CD71138F4D171543FDDD70CE1D3889471048A14AC5A4E53A58521EFD1E2
7876INSTALLER.EXEC:\Users\admin\AppData\Local\Temp\INSTALLER.EXEexecutable
MD5:8447D13320BAE5CF62EC4A6BC936D948
SHA256:44A31A08DD6EBD63A5615F5BB4CD9B9AF34A873CB45C6B25CA71BA2B5558F861
7876INSTALLER.EXEC:\Users\admin\Links\INSTALLER.EXEexecutable
MD5:D901F276E1E0FE142619D3225212A34B
SHA256:70680CD71138F4D171543FDDD70CE1D3889471048A14AC5A4E53A58521EFD1E2
7876INSTALLER.EXEC:\Users\admin\3D Objects\INSTALLER.EXEexecutable
MD5:D901F276E1E0FE142619D3225212A34B
SHA256:70680CD71138F4D171543FDDD70CE1D3889471048A14AC5A4E53A58521EFD1E2
7876INSTALLER.EXEC:\Users\admin\.ms-ad\INSTALLER.EXEexecutable
MD5:D901F276E1E0FE142619D3225212A34B
SHA256:70680CD71138F4D171543FDDD70CE1D3889471048A14AC5A4E53A58521EFD1E2
7868INSTALIER.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\operagxtmp.exeexecutable
MD5:CEF6BF659392F13CA555FE6638C8739D
SHA256:25457401F68B259D826D936D31B24AFAEC3B29CFE65ECF2726226E8E9E442467
7876INSTALLER.EXEC:\Users\admin\AppData\Roaming\INSTALLER.EXEexecutable
MD5:D901F276E1E0FE142619D3225212A34B
SHA256:70680CD71138F4D171543FDDD70CE1D3889471048A14AC5A4E53A58521EFD1E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
40
DNS requests
11
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6436
RUXIMICS.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6436
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7676
iexplore.exe
POST
404
185.159.179.73:80
http://www.pardise.net/freeemail/email.asp
unknown
unknown
2432
iexplore.exe
POST
404
185.159.179.73:80
http://www.pardise.net/freeemail/email.asp
unknown
unknown
7380
iexplore.exe
POST
404
185.159.179.73:80
http://www.pardise.net/freeemail/email.asp
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6436
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6436
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6436
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7868
INSTALIER.EXE
66.113.31.17:7547
STRATUSIQ
US
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
watson.events.data.microsoft.com
  • 20.42.65.92
whitelisted
www.pardise.net
  • 185.159.179.73
unknown
iecvlist.microsoft.com
  • 52.239.160.33
whitelisted
c.urs.microsoft.com
  • 172.205.80.42
whitelisted
t.urs.microsoft.com
  • 20.191.45.158
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7868
INSTALIER.EXE
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7188
operagxtmp.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7504
operagxtmp.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7188
operagxtmp.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
7188
operagxtmp.exe
Misc activity
ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
installer.exe