File name: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe

Full analysis: https://app.any.run/tasks/13d11e78-42cc-4b52-bc83-1b5abbedad9b
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 22, 2024, 16:09:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: adware, innosetup
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8F6C8902178D973C43821CE9986AA974
SHA1: 0BD59C67D987DF79F2C764EC9815D3F954BDA086
SHA256: 57691768847F3D6B2356FC99C017E420BCE518981E4FF037352ABC97B9C6139C
SSDEEP: 98304:S+QqZ8fggf3myCvoM7UXZLXO4I5F8BWeuUGc03AKYCYlCreV6/bE3UuTMriquSU8:jIkxYbrfaYDjjEL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • INNOSETUP has been detected (SURICATA)

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Changes the autorun value in the registry

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Reads the Windows owner or organization settings

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • The process drops C-runtime libraries

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Process drops legitimate windows executable

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Potential Corporate Privacy Violation

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Access to an unwanted program domain was detected

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
  • INFO

    • Reads the computer name

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
      • kglTool.exe (PID: 6588)
      • wekTool.exe (PID: 5208)
    • Checks supported languages

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
      • kglTool.exe (PID: 6588)
      • wekTool.exe (PID: 5208)
    • Create files in a temporary directory

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Reads the machine GUID from the registry

      • kglTool.exe (PID: 6588)
      • wekTool.exe (PID: 5208)
    • Creates files or folders in the user directory

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Checks proxy server information

      • slui.exe (PID: 1544)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Reads the software policy settings

      • slui.exe (PID: 1544)
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:03 08:09:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 55296
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 3.9.6.0
ProductVersionNumber: 3.9.6.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Baixar Musicas Gratis Company
FileDescription: UnoTools Setup
FileVersion: 3.9.6.0
LegalCopyright: Copyright © 2022
OriginalFileName:
ProductName: UnoTools
ProductVersion: 3.9.6
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: start; 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe; #INNOSETUP 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp; kgltool.exe; wektool.exe; slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 528
CMD: "C:\Users\admin\Desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe"
Path: C:\Users\admin\Desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe
Parent process: explorer.exe
User: admin
Company: Baixar Musicas Gratis Company
Integrity Level: MEDIUM
Description: UnoTools Setup
Exit code: 0
Version: 3.9.6.0
Modules
Images
c:\users\admin\desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1544
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5208
CMD: "C:\Users\admin\AppData\Local\UnoTools\wekTool.exe"
Path: C:\Users\admin\AppData\Local\UnoTools\wekTool.exe
Parent process: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
User: admin
Company: wekTool LLC
Integrity Level: MEDIUM
Description: wekTool
Version: 1.2.1.1
Modules
Images
c:\users\admin\appdata\local\unotools\wektool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\unotools\qtcore4.dll
PID: 5396
CMD: "C:\Users\admin\AppData\Local\Temp\is-IUEVG.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp" /SL5="$401DC,9368577,797696,C:\Users\admin\Desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-IUEVG.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
Parent process: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe
User: admin
Company: Baixar Musicas Gratis Company
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-iuevg.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 6588
CMD: "C:\Users\admin\AppData\Local\UnoTools\kglTool.exe"
Path: C:\Users\admin\AppData\Local\UnoTools\kglTool.exe
Parent process: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
User: admin
Company: kglTool LLC
Integrity Level: MEDIUM
Description: kglTool
Version: 1.2.1.1
Modules
Images
c:\users\admin\appdata\local\unotools\kgltool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 835
Read events: 8 820
Write events: 15
Delete events: 0

Modification events

PID 5396, process 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: kglTool
Value: C:\Users\admin\AppData\Local\UnoTools\kglTool.exe

PID 5396, process 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wekTool
Value: C:\Users\admin\AppData\Local\UnoTools\wekTool.exe

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qgif4.dll
Value: 40806

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qgif4.dll
Value: 2014-04-20T05:44:42

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qico4.dll
Value: 40806

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qico4.dll
Value: 2014-04-20T05:44:58

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qjpeg4.dll
Value: 40806

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qjpeg4.dll
Value: 2014-04-20T05:44:38

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qmng4.dll
Value: 40806

PID 5208, process wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write
Name: qmng4.dll
Value: 2014-04-20T05:44:46
Executable files: 41
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-P3DJ3.tmp | executable
MD5: 28F9E745CA043CED589E7C3F7B75E377
SHA256: F80F6D3133A69055F20FFFC1BC88CA40934B90D0706FD1A7320FBD854D876474

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-18IJR.tmp | executable
MD5: 4511C2B465F05F433470839DE85214CA
SHA256: 5627F762F509FE872DE8EE44834DBDFF4ABC527E00053F63CB4972C6DA32AA9E

528 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe | C:\Users\admin\AppData\Local\Temp\is-IUEVG.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | executable
MD5: A7DB50AB169717D2F92E05A2BC0BEB5C
SHA256: 419C2B3D4B5CDDBF9DC1E14C6DB7C5D7027E2B42D728583F725F453D6A464625

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\libeay32.dll | executable
MD5: 28F9E745CA043CED589E7C3F7B75E377
SHA256: F80F6D3133A69055F20FFFC1BC88CA40934B90D0706FD1A7320FBD854D876474

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\kglTool.exe | executable
MD5: AE9E0EFFFABC84F9CA234A817A7E1500
SHA256: 73DED0CBC78A2A8584F1746AF1FCFD4DC25020B514C136D40302F9047F6E4533

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-54QHU.tmp | executable
MD5: D34A66DD6A6E3BA9AAFF5189E4F91D65
SHA256: 7D8568FED87E195F9A5567D52A47DD9723B27189FF834AD35608D411C1E793D5

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\ssleay32.dll | executable
MD5: 4511C2B465F05F433470839DE85214CA
SHA256: 5627F762F509FE872DE8EE44834DBDFF4ABC527E00053F63CB4972C6DA32AA9E

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\QtCore4.dll | executable
MD5: B842748563CDF779D9D39A9635959AA9
SHA256: 34824288464C540521C90438FE808CCCB1E50195222061C9EF38C852DC40233D

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\libcurl.dll | executable
MD5: D34A66DD6A6E3BA9AAFF5189E4F91D65
SHA256: 7D8568FED87E195F9A5567D52A47DD9723B27189FF834AD35608D411C1E793D5

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-D0KBK.tmp | executable
MD5: B842748563CDF779D9D39A9635959AA9
SHA256: 34824288464C540521C90438FE808CCCB1E50195222061C9EF38C852DC40233D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 36
DNS requests: 33
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | GET | 62.112.9.53:80 | http://soundfrost.org/update/396/Baixar%20Musicas%20Gratis-updater.exe | unknown | unknown
5208 | wekTool.exe | GET | 217.23.10.44:80 | http://downloadertt.com/s/1.php | unknown | unknown
6588 | kglTool.exe | GET | 217.23.10.44:80 | http://downloadertt.com/u/u.php?ver=1 | unknown | unknown
5208 | wekTool.exe | GET | 200 | 217.23.10.44:80 | http://downloadertt.com/s/1.php | unknown | unknown
GET | 301 | 67.20.76.172:443 | https://giulianosgardena.com/ | unknown
GET | 64.91.238.47:443 | https://1213plumbing.com/ | unknown
GET | 192.168.1.2:443 | https://allsportsetc.com/ | unknown
GET | 301 | 34.149.87.45:443 | https://capesandsinn.com/ | unknown
GET | 301 | 34.149.87.45:443 | https://fureverfriendsdoggydaycaremt.com/ | unknown
POST | 401 | 4.209.32.67:443 | https://licensing.mp.microsoft.com/v7.0/licenses/content | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3960 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6184 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2.23.209.177:443 | Akamai International B.V. | GB | unknown
4204 | svchost.exe | 4.209.32.198:443 | licensing.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
239.255.255.250:1900 | whitelisted
6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | 62.112.9.53:80 | soundfrost.org | WorldStream B.V. | NL | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
licensing.mp.microsoft.com
  • 4.209.32.198
whitelisted
soundfrost.org
  • 62.112.9.53
unknown
downloadertt.com
  • 217.23.10.44
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
modernresurface.com
unknown
painterwattersonparkky.com
unknown
greenflagflooring.com
  • 13.248.213.45
  • 76.223.67.189
unknown
cashmereblu.com
  • 209.182.197.222
unknown

Threats

PID | Process | Class | Message

Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3 ETPRO signatures available at the full report
No debug info