File name:

startup.exe

Full analysis: https://app.any.run/tasks/a1c7aa8b-fcfa-4a57-b713-6c0b45b035f2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 10, 2024, 00:20:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B97D7A510D138D0562AAD0FF55136B87

SHA1:

6BD6FC592082BC2DAF74760141AE687F63F2EE7D

SHA256:

55E9A9C430CF3026C009159AA47946F2BE6E339F67DB8960652BE3B0FB031B5C

SSDEEP:

98304:SX7/D8B5Q/wlOtq/CqlxG0vKImzCebTNs+Ct3iJRamaUol2CWROYLcuFnLIw7+Tp:Mc3Dqgx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Executable content was dropped or overwritten

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
    • Checks Windows Trust Settings

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Reads the date of Windows installation

      • startup.exe (PID: 6296)
    • Application launched itself

      • startup.exe (PID: 6296)
    • Starts itself from another location

      • startup.exe (PID: 6780)
    • Adds/modifies Windows certificates

      • startup.exe (PID: 6804)
    • The process verifies whether the antivirus software is installed

      • startup.exe (PID: 6804)
  • INFO

    • Checks supported languages

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
    • Create files in a temporary directory

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Reads the computer name

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6780)
      • startup.exe (PID: 6804)
    • Reads the machine GUID from the registry

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Checks proxy server information

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Checks for the presence of KasperskyLab

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Process checks whether UAC notifications are on

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Creates files in the program directory

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Reads the software policy settings

      • startup.exe (PID: 6296)
      • startup.exe (PID: 6804)
    • Process checks computer location settings

      • startup.exe (PID: 6296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1974:10:23 09:08:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 243200
InitializedDataSize: 4315136
UninitializedDataSize: -
EntryPoint: 0x4200
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.17.7.539
ProductVersionNumber: 21.17.7.539
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Kaspersky
FileDescription: Kaspersky [21.17.7.539.0.146.0]
FileVersion: 21.17.7.539
LegalCopyright: © 2024 AO Kaspersky Lab
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
ProductName: Kaspersky
ProductVersion: 21.17.7.539
InternalName: Setup
OriginalFileName: Setup.exe
No data.
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

start → startup.exe → startup.exe → startup.exe

Process information

PID:
6296
CMD:
"C:\Users\admin\Desktop\startup.exe"
Path:
C:\Users\admin\Desktop\startup.exe
Parent process:
explorer.exe
User:
admin
Company:
Kaspersky
Integrity Level:
MEDIUM
Description:
Kaspersky [21.17.7.539.0.146.0]
Version:
21.17.7.539
Modules
Images
c:\users\admin\desktop\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
PID:
6780
CMD:
"C:\Users\admin\Desktop\startup.exe" /-elevated=;"C:\Users\admin\Desktop\startup.exe"
Path:
C:\Users\admin\Desktop\startup.exe
Parent process:
startup.exe
User:
admin
Company:
Kaspersky
Integrity Level:
HIGH
Description:
Kaspersky [21.17.7.539.0.146.0]
Version:
21.17.7.539
Modules
Images
c:\users\admin\desktop\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
PID:
6804
CMD:
"C:\WINDOWS\temp\D67C77B4FB62FE114B0E817F87F669EE\startup.exe" /-elevated=;"C:\Users\admin\Desktop\startup.exe"
Path:
C:\Windows\Temp\D67C77B4FB62FE114B0E817F87F669EE\startup.exe
Parent process:
startup.exe
User:
admin
Company:
Kaspersky
Integrity Level:
HIGH
Description:
Kaspersky [21.17.7.539.0.146.0]
Version:
21.17.7.539
Modules
Images
c:\windows\temp\d67c77b4fb62fe114b0e817f87f669ee\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
Total events
15 898
Read events
15 739
Write events
155
Delete events
4

Modification events

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: cp_storedResolvedType
Value: -1

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: cp_storedResolvedProductTier
Value: 0

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: cp_storedResolvedStartupScenario
Value:

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: cp_storedResolvedType
Value: 4

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: cp_storedResolvedProductTier
Value: 230

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: cp_storedResolvedStartupScenario
Value: Free

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: PreferredUI
Value: 0

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.17.7.539.0.146.0\volatile
Operation: write
Name: PreferredUI
Value: 1

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6296) startup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files
33
Suspicious files
21
Text files
48
Unknown types
0

Dropped files

PID | Process | Filename | Type

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\4076D8C6-26BF-11EF-B4E0-18F7786F96EE\GuiStrings.loc | html
MD5: 09C4E9F41C4B8BFDB6BF8916AF730ECD
SHA256: 57BF969D3C10D5BE0A4B31B8E530C1E005622C8DC809EE4FBD4C214F3B3E9A37

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\kl-setup-2024-06-10-00-20-34_KAV.21.17.7.539.log | text
MD5: AF7A37C5ED751F81D688D19F5BE35D6B
SHA256: A45B759D7AC77A793496D05BCDDADBCA88D15D134BA31A4A2800FB2C7F79DA3A

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\4076D8C6-26BF-11EF-B4E0-18F7786F96EE\downloader_neutral.ini | text
MD5: A6733D50023C6F150B88512E54A27DE1
SHA256: 1DDD2E879EAABFF2FE2A8490449E9987F9D4335CEB13A097B90C5A95804902E8

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.dll | executable
MD5: 1BEBC399A1B31EABC3361169DF0316D1
SHA256: 894914E74DA8C8FAF8BB9B34E0F9B586DB3CB248C3F6EDB715A7CB8C930DD66B

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\kl-setup-2024-06-10-00-20-34_KFA.21.17.7.539.log | text
MD5: AF7A37C5ED751F81D688D19F5BE35D6B
SHA256: A45B759D7AC77A793496D05BCDDADBCA88D15D134BA31A4A2800FB2C7F79DA3A

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.ui.framework.localization.dll | executable
MD5: 079AC68D4BEB2AB9602D754B09FF652B
SHA256: 9377C35B19C30EE75C010B1E592796DAF1D3493B397EF9D61A1C63A5AB30A88E

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.interoplayer.dll | executable
MD5: BAF69D3C6977161E0C2B631B3F9958D4
SHA256: E6392D0CF3A5984034CA0B346476D7482243550DDD0C65A8C0FF2F03A15867BC

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.core.dll | executable
MD5: 2C8F5EC07CB84D844E3FDEE32B2A8E00
SHA256: 8D5BD8184FBC3F79EA9EDC2C25E1A5A935514518C3FBA89BDE308C06722375F9

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\5C8D6704FB62FE114B0E817F87F669EE\kl.setup.ui.visuals.dll | executable
MD5: 6181240BC579D2DFB176A1CA260F5A90
SHA256: B07C4D99D4CBB62B31A425E60C993B809C7043518A9EF0B7B561ABD180A1B768

6296 | startup.exe | C:\Users\admin\AppData\Local\Temp\4076D8C6-26BF-11EF-B4E0-18F7786F96EE\GuiStrings_KFA.loc | text
MD5: ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256: F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
33
DNS requests
8
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.72.36.88:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.17.0.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5612 | svchost.exe | GET | 200 | 23.72.36.88:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
- | - | GET | 200 | 130.117.190.147:443 | https://dm.s.kaspersky-labs.com/bases/kavkis2021mr17/kaspersky4win/index-bases-x64-2.txt | unknown
- | - | GET | 200 | 80.239.169.147:443 | https://dm.s.kaspersky-labs.com/bases/kavkis2021mr17/Kaspersky4Win/kdscrl.rdb.z | unknown | 5.85 Kb
- | - | GET | 200 | 195.122.169.10:443 | https://dm.s.kaspersky-labs.com/en-US-xnotgdpr_es-US-xnotgdpr/Kaspersky4Win/21.17.7.539/x64/index2.txt | unknown | text | 6.44 Kb
- | - | GET | 200 | 195.122.169.10:443 | https://dm.s.kaspersky-labs.com/kleaner/kavkis_21.17/global/index-kleaner-2.txt | unknown | text | 4.03 Kb
- | - | GET | 200 | 130.117.190.147:443 | https://dm.s.kaspersky-labs.com/en-US-xnotgdpr_es-US-xnotgdpr/Kaspersky4Win/21.17.7.539/x64/index2.txt | unknown | text | 6.44 Kb
- | - | GET | 200 | 80.239.169.147:443 | https://dm.s.kaspersky-labs.com/kleaner/kavkis_21.17/global/index-kleaner-2.txt | unknown | text | 4.03 Kb
- | - | GET | 200 | 195.122.169.10:443 | https://dm.s.kaspersky-labs.com/bases/kavkis2021mr17/kaspersky4win/index-bases-x64-2.txt | unknown | text | 4.62 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5612 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | unknown
4708 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 23.72.36.88:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
5612 | svchost.exe | 23.72.36.88:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
5140 | MoUsoCoreWorker.exe | 2.17.0.227:80 | www.microsoft.com | AKAMAI-AS | DK | unknown
6296 | startup.exe | 82.202.185.148:443 | ds.kaspersky.com | Kaspersky Lab Switzerland GmbH | CH | unknown
5612 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.72.36.88
whitelisted
www.microsoft.com
  • 2.17.0.227
whitelisted
ds.kaspersky.com
  • 82.202.185.148
  • 130.117.190.228
  • 81.19.104.172
  • 82.202.185.146
  • 82.202.184.184
  • 82.202.184.193
  • 62.67.238.152
unknown
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
dm.s.kaspersky-labs.com
  • 195.122.169.10
  • 80.239.169.147
  • 130.117.190.147
unknown
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

No threats detected
Process | Message
startup.exe | LocalizationEngine Making localization parameters
startup.exe | startup.exe Information: 0 :
startup.exe | startup.exe Information: 0 :
startup.exe | Core DisplayCulture = en-US DisplayCulture.FullLocalization = en-US-xnotgdpr FormatCulture = en-US
startup.exe | Interactivity Trigger[64763142] attached to MainWindow
startup.exe | Interactivity Trigger[50297887] attached to MainWindow
startup.exe | Interactivity Trigger[60899290] attached to MainWindow
startup.exe | Core MainWindow FlowDirection: LeftToRight, Language: en-us
startup.exe | startup.exe Information: 0 :
startup.exe | startup.exe Information: 0 :