File name:

f5epi_setup.exe

Full analysis: https://app.any.run/tasks/a0d6b128-b9d3-471e-b799-7bf1fb95da38
Verdict: Malicious activity
Analysis date: June 12, 2024, 14:39:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5:

33CCEB813D55B041895CD6882E5EB782

SHA1:

7D0176EB8218A8E3982ACCA14BDC171740D94E45

SHA256:

24595EE7C0C56CF482AD3DAA173D060F5E9410CFC14118DFF2A9D2B40BEF03D4

SSDEEP:

98304:wzclPocfoqyqX5VvywhIcYuMiFXDfD7Np/3iiFE2yi5DVmtqXrR2O8Zz5OJnrKgb:wbQIjHf2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • f5epi_setup.exe (PID: 3980)
      • f5unistall.exe (PID: 1872)
      • cabinstaller.exe (PID: 1036)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • f5epi_setup.exe (PID: 3980)

    • Executable content was dropped or overwritten

      • f5epi_setup.exe (PID: 3980)
      • cabinstaller.exe (PID: 1036)
      • f5unistall.exe (PID: 1872)

    • Reads security settings of Internet Explorer

      • cabinstaller.exe (PID: 1036)
      • cabinstaller.exe (PID: 4012)

    • Checks Windows Trust Settings

      • cabinstaller.exe (PID: 1036)

    • Reads settings of System Certificates

      • cabinstaller.exe (PID: 1036)

    • Adds/modifies Windows certificates

      • cabinstaller.exe (PID: 1036)

    • Reads the Internet Settings

      • cabinstaller.exe (PID: 4012)
      • cabinstaller.exe (PID: 1036)

    • Application launched itself

      • cabinstaller.exe (PID: 4012)

    • Creates/Modifies COM task schedule object

      • F5InstH.exe (PID: 2044)
      • cabinstaller.exe (PID: 1036)

    • The process creates files with name similar to system file names

      • cabinstaller.exe (PID: 1036)

    • Creates a software uninstall entry

      • f5unistall.exe (PID: 1872)

  • INFO

    • Create files in a temporary directory

      • cabinstaller.exe (PID: 4012)
      • f5epi_setup.exe (PID: 3980)
      • cabinstaller.exe (PID: 1036)

    • Checks supported languages

      • f5epi_setup.exe (PID: 3980)
      • cabinstaller.exe (PID: 4012)
      • cabinstaller.exe (PID: 1036)
      • f5unistall.exe (PID: 1872)
      • f5epi.exe (PID: 1440)
      • F5PolicyServer.exe (PID: 1184)
      • F5InstH.exe (PID: 2044)

    • Reads product name

      • cabinstaller.exe (PID: 4012)
      • cabinstaller.exe (PID: 1036)

    • Reads Environment values

      • cabinstaller.exe (PID: 4012)
      • cabinstaller.exe (PID: 1036)

    • Reads the computer name

      • cabinstaller.exe (PID: 4012)
      • cabinstaller.exe (PID: 1036)

    • Reads the machine GUID from the registry

      • cabinstaller.exe (PID: 1036)

    • Reads the software policy settings

      • cabinstaller.exe (PID: 1036)

    • Checks proxy server information

      • cabinstaller.exe (PID: 1036)

    • Creates files in the program directory

      • f5unistall.exe (PID: 1872)

    • Manual execution by a user

      • chrome.exe (PID: 2012)

    • Application launched itself

      • chrome.exe (PID: 2012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:15 14:00:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 107520
InitializedDataSize: 20992
UninitializedDataSize: -
EntryPoint: 0x19d0c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 22.1.0.0
ProductVersionNumber: 22.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 22.01
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2022 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 22.01
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start f5epi_setup.exe cabinstaller.exe no specs cabinstaller.exe f5insth.exe no specs f5unistall.exe f5policyserver.exe no specs f5epi.exe no specs PhotoViewer.dll no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1036"C:\Users\admin\AppData\Local\Temp\7zSC8FD7B10\cabinstaller.exe" C:\Users\admin\AppData\Local\Temp\7zSC8FD7B10\cabinstaller.exe
cabinstaller.exe
User:
admin
Company:
F5 Networks, Inc.
Integrity Level:
HIGH
Description:
F5 Networks Package installer
Exit code:
0
Version:
7242, 2023, 0428, 0523
Modules
Images
c:\users\admin\appdata\local\temp\7zsc8fd7b10\cabinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
1184"C:\Windows\Downloaded Program Files\F5PolicyServer.exe" /RegServerC:\Windows\Downloaded Program Files\F5PolicyServer.execabinstaller.exe
User:
admin
Company:
F5 Networks, Inc.
Integrity Level:
HIGH
Description:
F5 Networks Client Policy Server
Exit code:
0
Version:
7242, 2023, 0428, 0523
Modules
Images
c:\windows\downloaded program files\f5policyserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1284"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6e058b38,0x6e058b48,0x6e058b54C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1440"C:\Windows\Downloaded Program Files\f5epi.exe" /RegServerC:\Windows\Downloaded Program Files\f5epi.execabinstaller.exe
User:
admin
Company:
F5 Networks, Inc.
Integrity Level:
HIGH
Description:
F5 Networks Endpoint Inspector
Exit code:
0
Version:
7242, 2023, 0428, 0523
Modules
Images
c:\windows\downloaded program files\f5epi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1580C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1872"C:\Windows\Downloaded Program Files\f5unistall.exe" /createshortcutC:\Windows\Downloaded Program Files\f5unistall.exe
cabinstaller.exe
User:
admin
Company:
F5 Networks, Inc.
Integrity Level:
HIGH
Description:
F5 Networks Components Troubleshooting
Exit code:
0
Version:
7242, 2023, 0428, 0523
Modules
Images
c:\windows\downloaded program files\f5unistall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1884"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1616 --field-trial-handle=1136,i,6255025830239531323,1639194313995039789,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2012"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"C:\Program Files\Google\Chrome\Application\chrome.exeexplorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2044"C:\Windows\Downloaded Program Files\F5InstH.exe" /RegServerC:\Windows\Downloaded Program Files\F5InstH.execabinstaller.exe
User:
admin
Company:
F5 Networks, Inc.
Integrity Level:
HIGH
Description:
F5 Networks InstallerHelper Module
Exit code:
0
Version:
7242, 2023, 0428, 0523
Modules
Images
c:\windows\downloaded program files\f5insth.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2272"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1340 --field-trial-handle=1136,i,6255025830239531323,1639194313995039789,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
9 402
Read events
9 254
Write events
136
Delete events
12

Modification events

(PID) Process:(4012) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4012) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4012) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4012) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1036) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1036) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1036) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1036) cabinstaller.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1036) cabinstaller.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1036) cabinstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation:delete valueName:9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:
Executable files
24
Suspicious files
6
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\f5instd.exeexecutable
MD5:C451585C92CBDB08B02F7F9F8B47FB79
SHA256:CC5AD56882B77C0D2859BDC92DA8479B482E464ABD104C462C26AEE6F2A6EF3A
3980f5epi_setup.exeC:\Users\admin\AppData\Local\Temp\7zSC8FD7B10\uregsvr.exeexecutable
MD5:290D1BA6ADEADF03D0F3D04D26956D0A
SHA256:5EEC4212F157FBBA420331FC4C71505F78990FD99C64B2DE39320687B75E99EB
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\F5InstH.exeexecutable
MD5:6527CC32ECAD96BA796CBFE7CF8591BC
SHA256:92C0A1C7D00F408EE580DFF2A05C38ABE3E2A8FE1412B977904B2619359DA98B
3980f5epi_setup.exeC:\Users\admin\AppData\Local\Temp\7zSC8FD7B10\setup.inftext
MD5:55C70C470A2BFC0EF22130122167A927
SHA256:CAB189E3BEF7166E8381DC5D0274071E8DD4479A0C964013BB8494693C418C9A
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\f5unistall.exeexecutable
MD5:14A966B55C7706E35F602E229FAF47B2
SHA256:563FEA0CFA2748265A8281D3437BACD5C58B0EAC402280CACC304ACD4DBD00B8
3980f5epi_setup.exeC:\Users\admin\AppData\Local\Temp\7zSC8FD7B10\cabinstaller.exeexecutable
MD5:F4CD1E2275BA8F1D68A748218CDA8292
SHA256:9AAF2C27509E85FF84039EB3830E81274DBEA4B182DE17127808E533F622ED2B
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\InstallerControl.cabcompressed
MD5:E610B7BCD64D109F1393F58CDE9E5928
SHA256:7733C43DEC66D94DAD70749B308119CA3D1999116C2F084D818585DF063CB3BE
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\InstallerControl.dllexecutable
MD5:AF27E9033157B41B347BEB18F0B79694
SHA256:A2F334269297EC46F321B51F98BEC49659582E0B5B613A8C962BF7C5BF7399A3
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\F5InstP.dllexecutable
MD5:5FA8DD1C55687779CC1E62E989E1A338
SHA256:04C2FA5507D72EB6544FBAAF69D31871935232CCFB538740C592F24839AC56DA
1036cabinstaller.exeC:\Users\admin\AppData\Local\Temp\F5_TMP_18294131996318232235\uregsvr.exeexecutable
MD5:290D1BA6ADEADF03D0F3D04D26956D0A
SHA256:5EEC4212F157FBBA420331FC4C71505F78990FD99C64B2DE39320687B75E99EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f5epi_setup.exe