File name: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe

Full analysis: https://app.any.run/tasks/13d11e78-42cc-4b52-bc83-1b5abbedad9b
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 22, 2024, 16:09:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: adware, innosetup
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8F6C8902178D973C43821CE9986AA974
SHA1: 0BD59C67D987DF79F2C764EC9815D3F954BDA086
SHA256: 57691768847F3D6B2356FC99C017E420BCE518981E4FF037352ABC97B9C6139C
SSDEEP: 98304:S+QqZ8fggf3myCvoM7UXZLXO4I5F8BWeuUGc03AKYCYlCreV6/bE3UuTMriquSU8:jIkxYbrfaYDjjEL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Changes the autorun value in the registry

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • INNOSETUP has been detected (SURICATA)

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Process drops legitimate windows executable

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Reads the Windows owner or organization settings

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Access to an unwanted program domain was detected

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • The process drops C-runtime libraries

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Potential Corporate Privacy Violation

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
  • INFO

    • Create files in a temporary directory

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Checks supported languages

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (PID: 528)
      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
      • kglTool.exe (PID: 6588)
      • wekTool.exe (PID: 5208)
    • Creates files or folders in the user directory

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
    • Reads the computer name

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
      • kglTool.exe (PID: 6588)
      • wekTool.exe (PID: 5208)
    • Checks proxy server information

      • 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp (PID: 5396)
      • slui.exe (PID: 1544)
    • Reads the machine GUID from the registry

      • wekTool.exe (PID: 5208)
      • kglTool.exe (PID: 6588)
    • Reads the software policy settings

      • slui.exe (PID: 1544)
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:03 08:09:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 55296
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 3.9.6.0
ProductVersionNumber: 3.9.6.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Baixar Musicas Gratis Company
FileDescription: UnoTools Setup
FileVersion: 3.9.6.0
LegalCopyright: Copyright © 2022
OriginalFileName:
ProductName: UnoTools
ProductVersion: 3.9.6
Total processes: 126
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes shown in the report (parent/child relations are listed under Process information):
start -> 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe (#INNOSETUP) -> 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp -> kgltool.exe, wektool.exe; slui.exe

Process information

PID: 528
CMD: "C:\Users\admin\Desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe"
Path: C:\Users\admin\Desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe
Parent process: explorer.exe
User: admin
Company: Baixar Musicas Gratis Company
Integrity Level: MEDIUM
Description: UnoTools Setup
Exit code: 0
Version: 3.9.6.0
Modules (images):
c:\users\admin\desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 1544
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5208
CMD: "C:\Users\admin\AppData\Local\UnoTools\wekTool.exe"
Path: C:\Users\admin\AppData\Local\UnoTools\wekTool.exe
Parent process: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
User: admin
Company: wekTool LLC
Integrity Level: MEDIUM
Description: wekTool
Version: 1.2.1.1
Modules (images):
c:\users\admin\appdata\local\unotools\wektool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\unotools\qtcore4.dll

PID: 5396
CMD: "C:\Users\admin\AppData\Local\Temp\is-IUEVG.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp" /SL5="$401DC,9368577,797696,C:\Users\admin\Desktop\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-IUEVG.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
Parent process: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe
User: admin
Company: Baixar Musicas Gratis Company
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-iuevg.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

PID: 6588
CMD: "C:\Users\admin\AppData\Local\UnoTools\kglTool.exe"
Path: C:\Users\admin\AppData\Local\UnoTools\kglTool.exe
Parent process: 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
User: admin
Company: kglTool LLC
Integrity Level: MEDIUM
Description: kglTool
Version: 1.2.1.1
Modules (images):
c:\users\admin\appdata\local\unotools\kgltool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 835
Read events: 8 820
Write events: 15
Delete events: 0

Modification events

Process: (PID 5396) 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: kglTool | Value: C:\Users\admin\AppData\Local\UnoTools\kglTool.exe

Process: (PID 5396) 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: wekTool | Value: C:\Users\admin\AppData\Local\UnoTools\wekTool.exe

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qgif4.dll | Value: 40806

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qgif4.dll | Value: 2014-04-20T05:44:42

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qico4.dll | Value: 40806

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qico4.dll | Value: 2014-04-20T05:44:58

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qjpeg4.dll | Value: 40806

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qjpeg4.dll | Value: 2014-04-20T05:44:38

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qmng4.dll | Value: 40806

Process: (PID 5208) wekTool.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\admin\AppData\Local\UnoTools\imageformats
Operation: write | Name: qmng4.dll | Value: 2014-04-20T05:44:46
Executable files: 41
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\QtWebKit4.dll | executable
MD5: DC201FBC7755D35B68BF1D93BD98C0DF | SHA256: F128FBF01D8A35F58DE9243816D0B2F41B9CBE3470254D399F9E563FF72DE903

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\ssleay32.dll | executable
MD5: 4511C2B465F05F433470839DE85214CA | SHA256: 5627F762F509FE872DE8EE44834DBDFF4ABC527E00053F63CB4972C6DA32AA9E

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-M908L.tmp | executable
MD5: DC201FBC7755D35B68BF1D93BD98C0DF | SHA256: F128FBF01D8A35F58DE9243816D0B2F41B9CBE3470254D399F9E563FF72DE903

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-D0KBK.tmp | executable
MD5: B842748563CDF779D9D39A9635959AA9 | SHA256: 34824288464C540521C90438FE808CCCB1E50195222061C9EF38C852DC40233D

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-3VNSC.tmp | executable
MD5: 987BAC907F89421F80D09C50200985B6 | SHA256: BEAA9078D9430847A9B282B002CE4BA706FFE426013BFBA1C47C15FEA87E1FB0

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\kglTool.exe | executable
MD5: AE9E0EFFFABC84F9CA234A817A7E1500 | SHA256: 73DED0CBC78A2A8584F1746AF1FCFD4DC25020B514C136D40302F9047F6E4533

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\imageformats\is-GGUU7.tmp | executable
MD5: D1B538E4BC01CBE644BEBB0D875F53BC | SHA256: CAF8B7EC65444CFA25A512236B44B25D443094700C33109DFC07237F0E9E24BD

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\QtScript4.dll | executable
MD5: 6B7143E79846363ECC441FB4DDE89113 | SHA256: 4AB69E692F9992A44EC3972BB683E2CE6878BCE8EEA276475EE152DA943C087F

528 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.exe | C:\Users\admin\AppData\Local\Temp\is-IUEVG.tmp\57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | executable
MD5: A7DB50AB169717D2F92E05A2BC0BEB5C | SHA256: 419C2B3D4B5CDDBF9DC1E14C6DB7C5D7027E2B42D728583F725F453D6A464625

5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | C:\Users\admin\AppData\Local\UnoTools\is-RNU18.tmp | executable
MD5: DA051416DC20B309DEC04C3095DE71A3 | SHA256: 2D7F56E115CB77067D67D24AF27431AC75B979A19E6FA0E12B87AFCD4206580D
HTTP(S) requests: 20
TCP/UDP connections: 36
DNS requests: 33
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(a "-" marks a cell the report left empty)
5208 | wekTool.exe | GET | 200 | 217.23.10.44:80 | http://downloadertt.com/s/1.php | unknown | - | - | unknown
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | GET | - | 62.112.9.53:80 | http://soundfrost.org/update/396/Baixar%20Musicas%20Gratis-updater.exe | unknown | - | - | unknown
- | - | GET | 301 | 67.20.76.172:443 | https://giulianosgardena.com/ | unknown | - | - | unknown
- | - | GET | - | 64.91.238.47:443 | https://1213plumbing.com/ | unknown | - | - | unknown
- | - | GET | - | 192.168.1.2:443 | https://allsportsetc.com/ | unknown | - | - | unknown
- | - | GET | 301 | 34.149.87.45:443 | https://capesandsinn.com/ | unknown | - | - | unknown
- | - | GET | 301 | 34.149.87.45:443 | https://fureverfriendsdoggydaycaremt.com/ | unknown | - | - | unknown
5208 | wekTool.exe | GET | - | 217.23.10.44:80 | http://downloadertt.com/s/1.php | unknown | - | - | unknown
6588 | kglTool.exe | GET | - | 217.23.10.44:80 | http://downloadertt.com/u/u.php?ver=1 | unknown | - | - | unknown
- | - | POST | 200 | 20.189.173.11:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a "-" marks a cell the report left empty)
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3960 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6184 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.177:443 | - | Akamai International B.V. | GB | unknown
4204 | svchost.exe | 4.209.32.198:443 | licensing.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | 62.112.9.53:80 | soundfrost.org | WorldStream B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
(a "-" marks a cell the report left empty)
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 142.250.186.142 | whitelisted
licensing.mp.microsoft.com | 4.209.32.198 | whitelisted
soundfrost.org | 62.112.9.53 | unknown
downloadertt.com | 217.23.10.44 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
modernresurface.com | - | unknown
painterwattersonparkky.com | - | unknown
greenflagflooring.com | 13.248.213.45, 76.223.67.189 | unknown
cashmereblu.com | 209.182.197.222 | unknown

Threats

PID | Process | Class | Message
(a "-" marks a cell the report left empty)
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
5396 | 57691768847f3d6b2356fc99c017e420bce518981e4ff037352abc97b9c6139c.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3 ETPRO signatures available at the full report
No debug info