File name: startup.exe

Full analysis: https://app.any.run/tasks/a1c7aa8b-fcfa-4a57-b713-6c0b45b035f2
Verdict: Malicious activity
Threats:

A loader is malicious software that gets onto a device in order to deliver further payloads. Once running it profiles the system and installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable. Loaders employ evasion and persistence tactics to avoid detection.

How that tag applies to this sample: the "loader" classification rests on generic behaviours in the signature list below (dropping executables, relaunching itself with an /-elevated switch at HIGH integrity, starting a copy from C:\Windows\Temp, probing installed antivirus and trust settings). A self-extracting installer exhibits the same behaviours, and the rest of this report is consistent with a Kaspersky Setup stub: the version resource names Kaspersky as vendor with InternalName Setup, the dropped files are kl.setup.ui.* and kl.ui.framework.* DLLs, the registry writes go under HKCU\SOFTWARE\KasperskyLabSetup, the only non-Microsoft hosts contacted are ds.kaspersky.com and dm.s.kaspersky-labs.com, and no network threats were detected. Treat the verdict as a behavioural heuristic: before acting on it, check the file's Authenticode signature and compare its SHA256 with an installer obtained from Kaspersky directly.

Analysis date: June 10, 2024, 00:20:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B97D7A510D138D0562AAD0FF55136B87
SHA1: 6BD6FC592082BC2DAF74760141AE687F63F2EE7D
SHA256: 55E9A9C430CF3026C009159AA47946F2BE6E339F67DB8960652BE3B0FB031B5C
SSDEEP: 98304:SX7/D8B5Q/wlOtq/CqlxG0vKImzCebTNs+Ct3iJRamaUol2CWROYLcuFnLIw7+Tp:Mc3Dqgx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Executable content was dropped or overwritten

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
    • Checks Windows Trust Settings

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Reads the date of Windows installation

      • startup.exe (PID: 6296)
    • Application launched itself

      • startup.exe (PID: 6296)
    • Starts itself from another location

      • startup.exe (PID: 6780)
    • The process verifies whether the antivirus software is installed

      • startup.exe (PID: 6804)
    • Adds/modifies Windows certificates

      • startup.exe (PID: 6804)
  • INFO

    • Reads the computer name

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
    • Checks supported languages

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
    • Checks proxy server information

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Create files in a temporary directory

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Reads the machine GUID from the registry

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Checks for the presence of KasperskyLab

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Process checks whether UAC notifications are on

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Reads the software policy settings

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Creates files in the program directory

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Process checks computer location settings

      • startup.exe (PID: 6296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD scores are pattern-matching guesses, not a parse of the PE header: its top pick (Win64) disagrees with the file info above (PE32, Intel 80386), with the EXIF block below (ImageFileCharacteristics: 32-bit) and with the process table, where every instance loads the WOW64 layer. Trust the header, not the score.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1974:10:23 09:08:19+00:00 (not a real link time: it predates the 14.29 linker by decades. MSVC 14.x linkers invoked with /Brepro write a reproducible-build hash into this field, and the value is attacker-controllable in any case, so do not use it to date the sample.)
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 243200
InitializedDataSize: 4315136
UninitializedDataSize: -
EntryPoint: 0x4200
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.17.7.539
ProductVersionNumber: 21.17.7.539
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Kaspersky
FileDescription: Kaspersky [21.17.7.539.0.146.0]
FileVersion: 21.17.7.539
LegalCopyright: © 2024 AO Kaspersky Lab
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
ProductName: Kaspersky
ProductVersion: 21.17.7.539
InternalName: Setup
OriginalFileName: Setup.exe
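The EXIF block above is a rendering of the COFF and optional-header fields of the PE. The following is an added example (not ANY.RUN or Kaspersky code) that parses those fields from raw bytes and applies the TimeDateStamp plausibility check discussed at the TimeStamp line. The header bytes it parses are constructed inline to carry this report's values (machine, timestamp, linker 14.29, sizes, entry point, subsystem); they are not the analysed sample, and the header has no sections because the parser does not need them.

```python
"""
Parser for the COFF/optional-header fields behind the EXIF block above
(machine, link timestamp, linker version, section sizes, entry point,
subsystem) plus a plausibility check on TimeDateStamp. Added example,
not ANY.RUN or Kaspersky code. The header bytes are constructed here to
carry this report's values; they are not the analysed sample.
"""
import calendar
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20  # the COFF file header is 20 bytes
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from(
        "<HBBIIII", data, opt)
    # OS/subsystem version fields and Subsystem sit at the same offsets
    # (40, 48, 68) in PE32 and PE32+ optional headers, so no branch on magic.
    os_maj, os_min = struct.unpack_from("<HH", data, opt + 40)
    ss_maj, ss_min = struct.unpack_from("<HH", data, opt + 48)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": "Intel 386 or later" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "pe_type": OPTIONAL_MAGIC.get(magic, hex(magic)),
        "timestamp_raw": stamp,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker": f"{lmaj}.{lmin}",
        "code_size": code,
        "init_data_size": idata,
        "uninit_data_size": udata,
        "entry_point": entry,
        "os_version": f"{os_maj}.{os_min}",
        "subsystem_version": f"{ss_maj}.{ss_min}",
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
    }


def timestamp_verdict(stamp: int, observed: datetime) -> str:
    """'implausible' when the link time cannot be real: earlier than any PE
    toolchain (1990 is a generous floor) or later than the moment the file
    was observed. MSVC 14.x with /Brepro stores an image hash here instead
    of a time, and the field is attacker-controlled in any case."""
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if built.year < 1990 or built > observed:
        return "implausible"
    return "plausible"


def build_header(stamp: int) -> bytes:
    """Constructed DOS stub + PE headers carrying the EXIF values from this
    report (assumption: headers only, no sections; enough for the parser)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, stamp, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 29, 243200, 4315136, 0, 0x4200)
    struct.pack_into("<HH", opt, 40, 6, 0)   # OSVersion 6.0
    struct.pack_into("<HH", opt, 48, 6, 0)   # SubsystemVersion 6.0
    struct.pack_into("<H", opt, 68, 2)       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Report values: TimeStamp 1974:10:23 09:08:19+00:00, analysed 2024-06-10 00:20:21.
REPORT_STAMP = calendar.timegm((1974, 10, 23, 9, 8, 19, 0, 0, 0))
ANALYSIS_TIME = datetime(2024, 6, 10, 0, 20, 21, tzinfo=timezone.utc)
SAMPLE_HEADER = build_header(REPORT_STAMP)

if __name__ == "__main__":
    for k, v in parse_pe_header(SAMPLE_HEADER).items():
        print(f"{k:>18}: {v}")
    print("timestamp verdict:", timestamp_verdict(REPORT_STAMP, ANALYSIS_TIME))
```

Point `parse_pe_header` at the bytes of a real file to reproduce the EXIF fields; the verdict function is deliberately conservative, since a plausible timestamp proves nothing while an implausible one only tells you the field was hashed or forged.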
All screenshots are available in the full report
Total processes: 120
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe -> startup.exe (PID 6296, MEDIUM) -> startup.exe (PID 6780, HIGH, /-elevated) -> startup.exe (PID 6804, HIGH, copy run from C:\Windows\Temp\D67C77B4FB62FE114B0E817F87F669EE\)

Process information

PID: 6296
CMD: "C:\Users\admin\Desktop\startup.exe"
Path: C:\Users\admin\Desktop\startup.exe
Parent process: explorer.exe
User: admin
Company: Kaspersky
Integrity Level: MEDIUM
Description: Kaspersky [21.17.7.539.0.146.0]
Version: 21.17.7.539
Modules
Images
c:\users\admin\desktop\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
PID: 6780
CMD: "C:\Users\admin\Desktop\startup.exe" /-elevated=;"C:\Users\admin\Desktop\startup.exe"
Path: C:\Users\admin\Desktop\startup.exe
Parent process: startup.exe
User: admin
Company: Kaspersky
Integrity Level: HIGH
Description: Kaspersky [21.17.7.539.0.146.0]
Version: 21.17.7.539
Modules
Images
c:\users\admin\desktop\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
PID: 6804
CMD: "C:\WINDOWS\temp\D67C77B4FB62FE114B0E817F87F669EE\startup.exe" /-elevated=;"C:\Users\admin\Desktop\startup.exe"
Path: C:\Windows\Temp\D67C77B4FB62FE114B0E817F87F669EE\startup.exe
Parent process: startup.exe
User: admin
Company: Kaspersky
Integrity Level: HIGH
Description: Kaspersky [21.17.7.539.0.146.0]
Version: 21.17.7.539
Modules
Images
c:\windows\temp\d67c77b4fb62fe114b0e817f87f669ee\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
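The process table above is what the "Application launched itself", "Starts itself from another location" and elevation-related signatures are computed from. The following added example (not ANY.RUN code) shows detection logic for that pattern run over process-creation records constructed from the three processes in this report. One assumption is marked in the code: the table gives the parent of PID 6804 only as startup.exe, and the example takes it to be 6780, which the "Starts itself from another location" hit on 6780 implies.

```python
"""
Detection logic for the process-tree signatures in this report
("Application launched itself", "Starts itself from another location",
the MEDIUM -> HIGH integrity step and the /-elevated relaunch). Added
example, not ANY.RUN code. The events are constructed from the process
table above; the parent of PID 6804 is assumed to be 6780.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INTEGRITY_RANK = {"UNTRUSTED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}

# Locations an installer stub or a loader typically stages a copy of itself in.
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\admin\\appdata\\local\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the monitored set
    image: str            # full path of the new process
    cmdline: str
    integrity: str        # integrity level as reported by the sandbox


def _in_staging_dir(image: str) -> bool:
    low = image.lower()
    return any(low.startswith(d) for d in STAGING_DIRS)


def analyse(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return the list of hits per PID; PIDs with no hits are absent."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        hits: List[str] = []
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if parent is not None:
            same_name = (e.image.rsplit("\\", 1)[-1].lower()
                         == parent.image.rsplit("\\", 1)[-1].lower())
            if same_name:
                hits.append("launched-itself")
                if e.image.lower() != parent.image.lower():
                    hits.append("relaunched-from-other-location")
                if INTEGRITY_RANK[e.integrity] > INTEGRITY_RANK[parent.integrity]:
                    hits.append(f"integrity-escalation:{parent.integrity}->{e.integrity}")
        # Heuristic: a switch mentioning elevation on the command line is how
        # installers (and loaders imitating them) mark the post-UAC instance.
        if "elevated" in e.cmdline.lower():
            hits.append("elevation-switch-in-cmdline")
        if _in_staging_dir(e.image):
            hits.append("runs-from-staging-dir")
        if hits:
            findings[e.pid] = hits
    return findings


def severity(hits: List[str]) -> str:
    """Self-relaunch across an integrity boundary, or a relocated copy under a
    temp directory, is the pattern worth an analyst's time. Both are also what
    a signed installer does after its UAC prompt, so this is a triage priority,
    not a conviction: check the signer of the image before escalating."""
    escalated = any(h.startswith("integrity-escalation") for h in hits)
    relocated = ("relaunched-from-other-location" in hits
                 and "runs-from-staging-dir" in hits)
    if "launched-itself" in hits and (escalated or relocated):
        return "high"
    return "medium" if hits else "none"


DESKTOP = r"C:\Users\admin\Desktop\startup.exe"
TEMP_COPY = r"C:\Windows\Temp\D67C77B4FB62FE114B0E817F87F669EE\startup.exe"

# Constructed from the process table in this report; 6296's parent
# (explorer.exe) is not in the monitored set, and 6804's parent is assumed.
SAMPLE_EVENTS = [
    ProcEvent(6296, None, DESKTOP, f'"{DESKTOP}"', "MEDIUM"),
    ProcEvent(6780, 6296, DESKTOP, f'"{DESKTOP}" /-elevated=;"{DESKTOP}"', "HIGH"),
    ProcEvent(6804, 6780, TEMP_COPY, f'"{TEMP_COPY}" /-elevated=;"{DESKTOP}"', "HIGH"),
]

if __name__ == "__main__":
    for pid, hits in analyse(SAMPLE_EVENTS).items():
        print(pid, severity(hits), ", ".join(hits))
```

To run this against live telemetry, map the Image, ParentImage, CommandLine, ProcessId, ParentProcessId and IntegrityLevel fields of Sysmon Event ID 1 (or the equivalent EDR process-creation record) onto ProcEvent; the rule is intentionally name-based so that a copy under a hash-named temp directory, as in PID 6804 here, still links back to its parent.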
Total events: 15 898
Read events: 15 739
Write events: 155
Delete events: 4

Modification events

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: cp_storedResolvedType   Value: -1

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: cp_storedResolvedProductTier   Value: 0

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: cp_storedResolvedStartupScenario   Value:

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: cp_storedResolvedType   Value: 4

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: cp_storedResolvedProductTier   Value: 230

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: cp_storedResolvedStartupScenario   Value: Free

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: PreferredUI   Value: 0

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write   Name: PreferredUI   Value: 1

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: ProxyBypass   Value: 1

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: IntranetName   Value: 1

All of the modification events shown are HKCU writes by PID 6296: the installer's own volatile Setup key and two WinINet ZoneMap values. No Run key, service or other autostart location appears in this excerpt; the full report holds the remaining write events.
Executable files: 33
Suspicious files: 21
Text files: 48
Unknown types: 0

Dropped files

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\4076D8C6-26BF-11EF-B4E0-18F7786F96EE\downloader_neutral.ini (text)
  MD5: A6733D50023C6F150B88512E54A27DE1
  SHA256: 1DDD2E879EAABFF2FE2A8490449E9987F9D4335CEB13A097B90C5A95804902E8

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\4076D8C6-26BF-11EF-B4E0-18F7786F96EE\GuiStrings_KFA.loc (text)
  MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
  SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.dll (executable)
  MD5: 1BEBC399A1B31EABC3361169DF0316D1
  SHA256: 894914E74DA8C8FAF8BB9B34E0F9B586DB3CB248C3F6EDB715A7CB8C930DD66B

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.core.dll (executable)
  MD5: 2C8F5EC07CB84D844E3FDEE32B2A8E00
  SHA256: 8D5BD8184FBC3F79EA9EDC2C25E1A5A935514518C3FBA89BDE308C06722375F9

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.visuals.dll (executable)
  MD5: 6181240BC579D2DFB176A1CA260F5A90
  SHA256: B07C4D99D4CBB62B31A425E60C993B809C7043518A9EF0B7B561ABD180A1B768

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\4076D8C6-26BF-11EF-B4E0-18F7786F96EE\downloader_neutral_KFA.ini (text)
  MD5: 2E10B2D4181D2F07D2DD305BD4285BD5
  SHA256: CBB72CDC1E461226C7D0E49E7EF955F77DFEEF4F7FE12D0D8A8D0CF9658EDC78

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.ui.framework.dll (executable)
  MD5: 2AD2AB4F8517DA8E2EFDFED22AD49F1E
  SHA256: 6EFE8EFC6701C80D59AD33BD139AECA1B47A27F49D3CCC16ED01A49DA9BFC2E7

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.ui.framework.localization.dll (executable)
  MD5: 079AC68D4BEB2AB9602D754B09FF652B
  SHA256: 9377C35B19C30EE75C010B1E592796DAF1D3493B397EF9D61A1C63A5AB30A88E

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.ui.framework.uikit.dll (odttf)
  MD5: 18DEFB1E3B7460F592A8CA61E4B40FF0
  SHA256: 02A884BABC5584FEC80B227EB1C52DC800C516F1117FF9637617AD84C632DA9D

PID 6296, startup.exe: C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.ui.framework.uikit.b2c.dll (executable)
  MD5: 445E34AA976419CAE54E13EDE8D41CE5
  SHA256: A255BB5DFAA685D7443DBC8BB7FCA71417C8F0B1F617ADE7077EE437A23A9B24
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 39
TCP/UDP connections: 33
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.72.36.88:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
5612 | svchost.exe | GET | 200 | 23.72.36.88:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.17.0.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
- | - | GET | 200 | 130.117.190.147:443 | https://dm.s.kaspersky-labs.com/bases/kavkis2021mr17/kaspersky4win/index-bases-x64-2.txt | unknown | - | - | unknown
- | - | GET | 200 | 80.239.169.147:443 | https://dm.s.kaspersky-labs.com/bases/kavkis2021mr17/Kaspersky4Win/kdscrl.rdb.z | unknown | - | 5.85 Kb | unknown
- | - | GET | 200 | 195.122.169.10:443 | https://dm.s.kaspersky-labs.com/en-US-xnotgdpr_es-US-xnotgdpr/Kaspersky4Win/21.17.7.539/x64/index2.txt | unknown | text | 6.44 Kb | unknown
- | - | GET | 200 | 195.122.169.10:443 | https://dm.s.kaspersky-labs.com/kleaner/kavkis_21.17/global/index-kleaner-2.txt | unknown | text | 4.03 Kb | unknown
- | - | GET | 200 | 82.202.185.148:443 | https://ds.kaspersky.com/cfg/107/21.17.7.539.0.146.0 | unknown | binary | 30.3 Kb | unknown
- | - | GET | 200 | 130.117.190.147:443 | https://dm.s.kaspersky-labs.com/en-US-xnotgdpr_es-US-xnotgdpr/Kaspersky4Win/21.17.7.539/x64/index2.txt | unknown | text | 6.44 Kb | unknown
- | - | GET | 200 | 80.239.169.147:443 | https://dm.s.kaspersky-labs.com/kleaner/kavkis_21.17/global/index-kleaner-2.txt | unknown | text | 4.03 Kb | unknown

(- = not recorded in this excerpt)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5612 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | unknown
4708 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 23.72.36.88:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
5612 | svchost.exe | 23.72.36.88:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
5140 | MoUsoCoreWorker.exe | 2.17.0.227:80 | www.microsoft.com | AKAMAI-AS | DK | unknown
6296 | startup.exe | 82.202.185.148:443 | ds.kaspersky.com | Kaspersky Lab Switzerland GmbH | CH | unknown
5612 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

(- = not recorded in this excerpt)

Only one connection is attributed to the sample: PID 6296 to ds.kaspersky.com (82.202.185.148:443). The svchost.exe, MoUsoCoreWorker.exe and RUXIMICS.exe rows are guest-OS background traffic (Windows Update orchestration, CRL fetches, telemetry) and 239.255.255.250:1900 is SSDP multicast; none of these belong in an IOC set for this file. The dm.s.kaspersky-labs.com requests in the HTTP table carry no PID in this excerpt, so attributing them to the sample needs the PCAP from the full report.

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.72.36.88
whitelisted
www.microsoft.com
  • 2.17.0.227
whitelisted
ds.kaspersky.com
  • 82.202.185.148
  • 130.117.190.228
  • 81.19.104.172
  • 82.202.185.146
  • 82.202.184.184
  • 82.202.184.193
  • 62.67.238.152
unknown
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
dm.s.kaspersky-labs.com
  • 195.122.169.10
  • 80.239.169.147
  • 130.117.190.147
unknown
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

No threats detected
Process | Message
startup.exe | LocalizationEngine Making localization parameters
startup.exe | startup.exe Information: 0 :
startup.exe | startup.exe Information: 0 :
startup.exe | Core DisplayCulture = en-US DisplayCulture.FullLocalization = en-US-xnotgdpr FormatCulture = en-US
startup.exe | Interactivity Trigger[64763142] attached to MainWindow
startup.exe | Interactivity Trigger[50297887] attached to MainWindow
startup.exe | Interactivity Trigger[60899290] attached to MainWindow
startup.exe | Core MainWindow FlowDirection: LeftToRight, Language: en-us
startup.exe | startup.exe Information: 0 :
startup.exe | startup.exe Information: 0 :