| File name: | setup.exe |
| Full analysis: | https://app.any.run/tasks/9dbb5283-b4e2-4faa-a86f-d7c170a961b4 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | December 24, 2025, 23:19:50 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections |
| MD5: | D3D5D88EEB1E2C104803DA4479D3DBE0 |
| SHA1: | 06664A9779056210D8F09AC1A1AE855290DC59D8 |
| SHA256: | 747C2EB24F3141D84063779F2D63BA2C2601E47DD42DC845305094500878A38E |
| SSDEEP: | 98304:9H/SMPUQ+/uMLYOCFpAOLX46e/h//oShmxel+YxjyqcQmJQoUa2X8zJneB+peJNE:XRgmsSpSQ |
MALICIOUS
ADWARE has been detected (SURICATA)
- setup.tmp (PID: 7972)
SUSPICIOUS
Reads the Windows owner or organization settings
- setup.tmp (PID: 7972)
Executable content was dropped or overwritten
- setup.tmp (PID: 7972)
- setup.exe (PID: 7940)
Access to an unwanted program domain was detected
- setup.tmp (PID: 7972)
Process drops legitimate windows executable
- setup.tmp (PID: 7972)
There is functionality for taking screenshot (YARA)
- setup.tmp (PID: 7972)
Reads security settings of Internet Explorer
- setup.tmp (PID: 7972)
INFO
Checks supported languages
- setup.exe (PID: 7940)
- setup.tmp (PID: 7972)
- identity_helper.exe (PID: 7356)
- FlushFileCache.exe (PID: 7264)
- TextInputHost.exe (PID: 5148)
Reads the computer name
- setup.tmp (PID: 7972)
- FlushFileCache.exe (PID: 7264)
- TextInputHost.exe (PID: 5148)
- identity_helper.exe (PID: 7356)
Create files in a temporary directory
- setup.tmp (PID: 7972)
- setup.exe (PID: 7940)
The sample compiled with english language support
- setup.tmp (PID: 7972)
The sample compiled with russian language support
- setup.tmp (PID: 7972)
Detects InnoSetup installer (YARA)
- setup.exe (PID: 7940)
- setup.tmp (PID: 7972)
The sample compiled with chinese language support
- setup.tmp (PID: 7972)
Compiled with Borland Delphi (YARA)
- setup.exe (PID: 7940)
- setup.tmp (PID: 7972)
Checks proxy server information
- setup.tmp (PID: 7972)
- slui.exe (PID: 2416)
Application launched itself
- msedge.exe (PID: 7620)
- msedge.exe (PID: 4576)
- msedge.exe (PID: 3444)
- msedge.exe (PID: 2688)
Creates a software uninstall entry
- setup.tmp (PID: 7972)
Manual execution by a user
- msedge.exe (PID: 4576)
Reads Environment values
- identity_helper.exe (PID: 7356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (77.7) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | | | Win32 Executable (generic) (3.1) |
| .exe | | | Win16/32 Executable Delphi generic (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:10:02 05:04:04+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 86016 |
| InitializedDataSize: | 53760 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16478 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | It Takes Two Setup |
| FileVersion: | |
| LegalCopyright: | FitGirl |
| ProductName: | It Takes Two |
| ProductVersion: |
Total processes
196
Monitored processes
50
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1868 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffd70b7f208,0x7ffd70b7f214,0x7ffd70b7f220 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2092 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://en.riotpixels.com/games/it-takes-two/ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2352 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5656,i,4081038262144604886,8165357803730895724,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2372 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6960,i,4081038262144604886,8165357803730895724,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2416 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2416 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4088,i,4081038262144604886,8165357803730895724,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2688 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://en.riotpixels.com/games/it-takes-two/ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | setup.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2752 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5080,i,4081038262144604886,8165357803730895724,262144 --variations-seed-version --mojo-platform-channel-handle=7156 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 3064 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6296,i,4081038262144604886,8165357803730895724,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 3104 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=7656,i,4081038262144604886,8165357803730895724,262144 --variations-seed-version --mojo-platform-channel-handle=7708 /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
Total events
5 434
Read events
5 408
Write events
26
Delete events
0
Modification events
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration |
| Operation: | write | Name: | Speaker Configuration |
Value: 4 | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | write | Name: | C:\Games\It Takes Two\Nuts\Binaries\Win64\ItTakesTwo.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | write | Name: | C:\Games\It Takes Two\Nuts\Binaries\Win64\ItTakesTwo.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.5.1.ee2 (u) | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Games\It Takes Two | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Games\It Takes Two\ | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: Games\It Takes Two | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | Inno Setup: No Icons |
Value: 1 | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (7972) setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\It Takes Two_is1 |
| Operation: | write | Name: | Inno Setup: Setup Type |
Value: custom | |||
Executable files
50
Suspicious files
193
Text files
321
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7940 | setup.exe | C:\Users\admin\AppData\Local\Temp\is-4GTHA.tmp\setup.tmp | executable | |
MD5:AE9890548F2FCAB56A4E9AE446F55B3F | SHA256:09AF8004B85478E1ECA09FA4CB5E3081DDDCB2F68A353F3EF6849D92BE47B449 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\cls-srep_x64.exe | executable | |
MD5:6AE2ADD85EC2B642D865FFAAA391D5BB | SHA256:ED8A485B9984997306EA6B5C6D98B5026A5B7903C1DF4C229BF93BF113C78EE9 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\cls-srep_x86.exe | executable | |
MD5:FC7DD2CA9F47D64EDD3B2061CD8DB1B3 | SHA256:4004BA624F8CE381C61C82ABA26E246D93E833357930C17CD4B02058EA31FAD4 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\idp.dll | executable | |
MD5:AF555AC9C073F88FE5BF0D677F085025 | SHA256:F4FC0187491A9CB89E233197FF72C2405B5EC02E8B8EA640EE68D034DDBC44BB | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\cls-magic2.dll | executable | |
MD5:9E1E200472D66356A4AE5D597B01DABC | SHA256:87DF573AC240E09EA4941E169FB2D15D5316A1B0E053446B8144E04B1154F061 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\cls-lollypop_x86.exe | executable | |
MD5:3527C6739C46F4EE1CFB6B48E1407883 | SHA256:724C6E07180E321298B4EA4405C3F7536C524D9826D24F5D6FC50BCB0EF8F723 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\cls-magic2l.dll | executable | |
MD5:9E1E200472D66356A4AE5D597B01DABC | SHA256:87DF573AC240E09EA4941E169FB2D15D5316A1B0E053446B8144E04B1154F061 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\cls-magic2l_x86.exe | executable | |
MD5:7CBE7DB7FC9258B6A43551140C343BB3 | SHA256:6EA07AA4F5565AC289402ADE3B2E52BF8089AD6185E0ECF0E1F36CEA39C091A9 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\wintb.dll | executable | |
MD5:9436DF49E08C83BAD8DDC906478C2041 | SHA256:1910537AA95684142250CA0C7426A0B5F082E39F6FBDBDBA649AECB179541435 | |||
| 7972 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-UQL02.tmp\FlushFileCache.exe | executable | |
MD5:DF77F2B6126F4F258F2E952B53B22879 | SHA256:A4CC6683393795F7B84D0B49EEA2D7D7FBE1392BB7612CF39896AF6832FFE0B8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
841
TCP/UDP connections
243
DNS requests
230
Threats
29
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6916 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.159.0:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | unknown |
— | — | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown |
6640 | svchost.exe | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.0:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown |
6640 | svchost.exe | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
7480 | SIHClient.exe | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
— | — | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6916 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6916 | svchost.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
6640 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
download.visualstudio.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7972 | setup.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA |
7972 | setup.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA |
7972 | setup.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA |
7972 | setup.tmp | Misc activity | ET INFO EXE - Served Attached HTTP |
7972 | setup.tmp | Misc activity | ET INFO Packed Executable Download |
7972 | setup.tmp | Potentially Bad Traffic | ET INFO PE EXE or DLL Windows file download HTTP |
7972 | setup.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA |
8168 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com) |
8168 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com) |
8168 | msedge.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Possible Malicious CrossDomain (wayfarerorthodox .com) |