File name: Claude Setup.exe
Full analysis: https://app.any.run/tasks/64a75137-2b74-4407-9f8c-e0f2931cc78f
Verdict: Malicious activity
Analysis date: May 20, 2026, 06:39:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
golang
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: BD585F8D165A6D09B0AF8767374124C4
SHA1: AD43D0DBE9AEC56EFE48D99EEF88724F35752E8B
SHA256: 86C42BF48E8EAEA92C044C6457800E375C010B4A46F0623C120EA0BF1399AB02
SSDEEP: 98304:2caTqi2kBB7LQqIaNAknhYrF4NcgWDVgaOhPYR0ElpFDIPlZW8uXrbKZJZSCHgc/:w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Application launched itself
      • Claude Setup.exe (PID: 7188)
    • Reads the date of Windows installation
      • Claude Setup.exe (PID: 7188)
    • Executes as Windows Service
      • cowork-svc.exe (PID: 7476)
    • The process executes files with name similar to system file names
      • Claude Setup.exe (PID: 4308)
    • The process checks if it is being run in the virtual environment
      • cowork-svc.exe (PID: 7476)
    • Reads settings of System Certificates
      • cowork-svc.exe (PID: 7476)
  • INFO
    • The sample compiled with english language support
      • Claude Setup.exe (PID: 7188)
    • Create files in a temporary directory
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
    • Reads the computer name
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
      • cowork-svc.exe (PID: 7476)
    • Checks supported languages
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
      • cowork-svc.exe (PID: 7476)
    • Reads Environment values
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
    • Reads the machine GUID from the registry
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
      • cowork-svc.exe (PID: 7476)
    • There is functionality for taking screenshot (YARA)
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
    • Detects GO elliptic curve encryption (YARA)
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
    • Application based on Golang
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
    • Process checks computer location settings
      • Claude Setup.exe (PID: 7188)
    • Reads security settings of Internet Explorer
      • Claude Setup.exe (PID: 7188)
      • Claude Setup.exe (PID: 4308)
    • Creates files or folders in the user directory
      • Claude Setup.exe (PID: 4308)
    • Drops encrypted JS script (Microsoft Script Encoder)
      • Claude Setup.exe (PID: 4308)
    • Manual execution by a user
      • claude.exe (PID: 7300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 3128320
InitializedDataSize: 373760
UninitializedDataSize: -
EntryPoint: 0x77b80
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Anthropic, PBC
FileDescription: Claude Setup
FileVersion: 1.0.0.0
InternalName: ClaudeSetup
LegalCopyright: 2025 Anthropic PBC
OriginalFileName: ClaudeSetup.exe
ProductName: Claude
ProductVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 143
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 3

Behavior graph

Nodes: start, claude setup.exe, claude setup.exe, cowork-svc.exe, explorer.exe (no specs), explorer.exe (no specs), claude.exe (no specs). Parent/child relations are listed per process in the Process information section.

Process information

PID: 2420
CMD: explorer.exe shell:AppsFolder\Claude_pzs8sxrjxfjjc!Claude
Path: C:\Windows\explorer.exe
Parent process: Claude Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 4308
CMD: "C:\Users\admin\AppData\Local\Temp\Claude Setup.exe" --elevated --msix-path "C:\Users\admin\AppData\Local\Temp\Claude-680828452.msix" --log-path "C:\Users\admin\AppData\Local\Temp\ClaudeSetup.log"
Path: C:\Users\admin\AppData\Local\Temp\Claude Setup.exe
Parent process: Claude Setup.exe
User:
admin
Company:
Anthropic, PBC
Integrity Level:
HIGH
Description:
Claude Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\claude setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 5220
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 7188
CMD: "C:\Users\admin\AppData\Local\Temp\Claude Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Claude Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Anthropic, PBC
Integrity Level:
MEDIUM
Description:
Claude Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\claude setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID: 7300
CMD: "C:\Program Files\WindowsApps\Claude_1.8089.1.0_x64__pzs8sxrjxfjjc\app\Claude.exe"
Path: C:\Program Files\WindowsApps\Claude_1.8089.1.0_x64__pzs8sxrjxfjjc\app\claude.exe
Parent process: explorer.exe
User:
admin
Company:
Anthropic
Integrity Level:
MEDIUM
Description:
Claude
Version:
1.8089.1
PID: 7476
CMD: "C:\Program Files\WindowsApps\Claude_1.8089.1.0_x64__pzs8sxrjxfjjc\app\resources\cowork-svc.exe"
Path: C:\Program Files\WindowsApps\Claude_1.8089.1.0_x64__pzs8sxrjxfjjc\app\resources\cowork-svc.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\program files\windowsapps\claude_1.8089.1.0_x64__pzs8sxrjxfjjc\app\resources\cowork-svc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
c:\windows\system32\ws2_32.dll
Total events: 11 190
Read events: 11 185
Write events: 5
Delete events: 0

Modification events

PID 7476 cowork-svc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\CoworkVMService
  Name: CustomSource
  Value: 1
PID 7476 cowork-svc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\CoworkVMService
  Name: EventMessageFile
  Value: %SystemRoot%\System32\EventCreate.exe
PID 7476 cowork-svc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\CoworkVMService
  Name: TypesSupported
  Value: 7
PID 5220 explorer.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  Name: SlowContextMenuEntries
  Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
PID 5220 explorer.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  Name: {A9249952-F4C6-4BCD-9B44-6A5BA9B5209E} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
  Value: 01000000000000009E27A69823E8DC01
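A host-side check, added here by the editor; it is not part of the ANY.RUN report and not code from the Claude installer. The verdict above rests on generic heuristics (a self-relaunch with --elevated, a VM check, a service started by services.exe as SYSTEM, an Application event source registered under CoworkVMService), the report lists no malicious indicators, and the single Suricata threat fires on MoUsoCoreWorker.exe, a Windows Update component, not on the sample. The version-info strings (CompanyName: Anthropic, PBC) are unsigned metadata that any build can carry; the OCSP request from PID 4308 to ocsp.digicert.com and the CryptnetUrlCache drops are consistent with Authenticode verification of the downloaded MSIX, but the report does not show its outcome. The PowerShell below, run on the analysed host, compares the local file against the reported hashes, reads the Authenticode signature of the setup binary, the dropped MSIX and cowork-svc.exe, shows the installed package's signature kind, and locates the service and event source that cowork-svc.exe registered. Paths, hashes and the event-source name are taken from the report; the function names are the editor's.

```powershell
# Editor's triage script for the artefacts named in this report. It is not part
# of the ANY.RUN report nor of the Claude installer. Paths, hashes and the
# event-source name are taken from the report; function names are the editor's.
# Run on the analysed host (or one with the same files) in an elevated shell so
# that WindowsApps and the service table are readable.

$setup = 'C:\Users\admin\AppData\Local\Temp\Claude Setup.exe'
$msix  = 'C:\Users\admin\AppData\Local\Temp\Claude-680828452.msix'
$svc   = 'C:\Program Files\WindowsApps\Claude_1.8089.1.0_x64__pzs8sxrjxfjjc\app\resources\cowork-svc.exe'

# Hashes of the submitted file exactly as the report lists them.
$reported = @{
    MD5    = 'BD585F8D165A6D09B0AF8767374124C4'
    SHA1   = 'AD43D0DBE9AEC56EFE48D99EEF88724F35752E8B'
    SHA256 = '86C42BF48E8EAEA92C044C6457800E375C010B4A46F0623C120EA0BF1399AB02'
}

function Test-ReportedHashes {
    # One row per algorithm: does the local file match what the sandbox saw?
    param([string]$Path, [hashtable]$Expected)
    foreach ($algo in $Expected.Keys) {
        $actual = (Get-FileHash -Path $Path -Algorithm $algo).Hash
        [pscustomobject]@{
            Algorithm = $algo
            Match     = ($actual -ieq $Expected[$algo])
            Actual    = $actual
        }
    }
}

function Get-SignatureSummary {
    # Version-info strings (CompanyName etc.) are unsigned metadata; only a valid
    # Authenticode chain ties the file to a publisher. Windows verifies .msix
    # packages through the same API, so the dropped package is checked as well.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        Status      = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Subject     = $sig.SignerCertificate.Subject
        Issuer      = $sig.SignerCertificate.Issuer
        NotAfter    = $sig.SignerCertificate.NotAfter
        TimeStamped = [bool]$sig.TimeStamperCertificate
    }
}

function Get-ServiceByImage {
    # The report shows cowork-svc.exe started by services.exe as SYSTEM. Find the
    # service by its image path rather than guessing a display name.
    param([string]$ImagePath)
    $leaf = [System.IO.Path]::GetFileName($ImagePath)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$leaf*" } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Get-EventSourceRegistration {
    # The Modification events section shows an Application event source being
    # created; read back what it points at (the report shows EventCreate.exe).
    param([string]$Source)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\$Source"
    if (Test-Path -Path $key) {
        Get-ItemProperty -Path $key | Select-Object CustomSource, EventMessageFile, TypesSupported
    }
}

Test-ReportedHashes -Path $setup -Expected $reported | Format-Table -AutoSize
@($setup, $msix, $svc) | ForEach-Object { Get-SignatureSummary -Path $_ } | Format-List
# SignatureKind says whether the package was installed as Store, Developer,
# Enterprise or unsigned; Publisher is the certificate subject the package claims.
Get-AppxPackage -Name Claude | Select-Object Name, Publisher, Version, SignatureKind, InstallLocation
Get-ServiceByImage -ImagePath $svc
Get-EventSourceRegistration -Source 'CoworkVMService'
```

Compare the Subject of each signer certificate with the CompanyName in the EXIF block and with the Publisher that Get-AppxPackage returns; a mismatch, a NotSigned status on the setup binary, or a service binary signed by a different party than the package is the point at which this sample stops being a routine installer. If the temporary MSIX has already been deleted, Get-AuthenticodeSignature will error on that path; the installed package's SignatureKind still answers the same question.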
Executable files: 0
Suspicious files: 19
Text files: 15
Unknown types: 0

Dropped files

PID 7188 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\Claude-680828452.msix.downloading
  Type: (not recorded)
  MD5:
  SHA256:
PID 7188 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\Claude-680828452.msix
  Type: (not recorded)
  MD5:
  SHA256:
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\APPX.mnzzzcxkqa1y1272npqq_ntee.tmp
  Type: binary
  MD5: D5210FC5D2E33EA20C02121694F5F36C
  SHA256: 4EC70AEC9FF833738FC306C3D2BC11BB1272B543DB1AE9793895D821CE75B908
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Type: binary
  MD5: C79C24DBF0841CAC4AF48FEA29BC671B
  SHA256: B317115857C3EE1998126D8CBBBD37186C920049C986149156E534DD18E36761
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\APPX.vdfzlb_p__0dgntlsmhpe9an.tmp
  Type: xml
  MD5: 9DA53A55D5E393D3FBE9EACC105431D9
  SHA256: C366C38CA54A79B81E6A1FB50B9DBA133501554F34245B3FD8A05E7DD2A243DE
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Type: binary
  MD5: 88318CFF911AB4032D3E950B1179F94A
  SHA256: 21CF058E3327B5AF3BC08239C6A0D31C3352D7ADD5BACD326FC5308BCB1C9502
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\APPX.kpbgb66yhpkfjfgg8umtuxfjg.tmp
  Type: xml
  MD5: 9DA53A55D5E393D3FBE9EACC105431D9
  SHA256: C366C38CA54A79B81E6A1FB50B9DBA133501554F34245B3FD8A05E7DD2A243DE
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\APPX.w3vdaqwj2vl2vlzqraznkdj6e.tmp
  Type: binary
  MD5: D5210FC5D2E33EA20C02121694F5F36C
  SHA256: 4EC70AEC9FF833738FC306C3D2BC11BB1272B543DB1AE9793895D821CE75B908
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\APPX.ye6p28lwoeumhf3ydqc17m4gd.tmp
  Type: xml
  MD5: 88BEDAB6A6EFED91991D67E9DA8BB6EA
  SHA256: A5CD5983E6F55CB249655D41E63C161BAA534A369C35FD17817D75A0FD6CBA20
PID 4308 Claude Setup.exe
  File: C:\Users\admin\AppData\Local\Temp\APPX.1c6fdwdrpr4sc0v2_hvepuzud.tmp
  Type: binary
  MD5: D5210FC5D2E33EA20C02121694F5F36C
  SHA256: 4EC70AEC9FF833738FC306C3D2BC11BB1272B543DB1AE9793895D821CE75B908
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 28
DNS requests: 22
Threats: 1

HTTP requests

PID 5276 MoUsoCoreWorker.exe | GET 304 | 48.209.138.189:443 | CN: US | whitelisted
  URL: https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
(PID/process not recorded) | GET 200 | 23.11.40.157:80 | CN: NL | Type: binary | Size: 314 b | whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
PID 6732 SIHClient.exe | GET 304 | 135.233.95.144:443 | CN: US | whitelisted
  URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
PID 6732 SIHClient.exe | GET 200 | 74.179.77.164:443 | CN: US | whitelisted
  URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
PID 6732 SIHClient.exe | GET 200 | 135.233.95.144:443 | CN: US | whitelisted
  URL: https://slscr.update.microsoft.com/sls/ping
PID 6732 SIHClient.exe | GET 304 | 135.233.95.144:443 | CN: US | whitelisted
  URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
(PID/process not recorded) | GET 200 | 204.79.197.203:80 | CN: US | Type: binary | Size: 960 b | whitelisted
  URL: http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAFUWohyJgUzPcAAAAAAAU%3D
PID 8044 svchost.exe | GET 200 | 23.52.181.212:80 | CN: US | Type: binary | Size: 814 b | whitelisted
  URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
PID 8044 svchost.exe | GET 304 | 48.209.6.48:443 | CN: US | whitelisted
  URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
PID 4308 Claude Setup.exe | GET 200 | 23.11.40.157:80 | CN: NL | Type: binary | Size: 727 b | whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D

Connections

PID 4 System | 192.168.100.255:137 | Not routed | whitelisted
PID 8044 svchost.exe | 48.209.6.48:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 5276 MoUsoCoreWorker.exe | 48.209.6.48:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
(PID/process not recorded) | 48.192.1.65:443 | activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
(PID/process not recorded) | 184.86.251.27:443 | www.bing.com | ASN: AKAMAI-ASN1 | CN: NL | whitelisted
(PID/process not recorded) | 23.11.40.157:80 | ocsp.digicert.com | ASN: AKAMAI-AMS | CN: NL | whitelisted
(PID/process not recorded) | 204.79.197.203:80 | oneocsp.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 7188 Claude Setup.exe | 160.79.104.10:443 | api.anthropic.com | ASN: ANTHROPIC | CN: US | whitelisted
PID 4 System | 192.168.100.255:138 | Not routed | whitelisted
PID 7188 Claude Setup.exe | 35.190.46.17:443 | downloads.claude.ai | ASN: GOOGLE-CLOUD-PLATFORM | CN: US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 48.209.6.48
  • 48.209.138.168
  • 48.209.138.189
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.4
  • 184.86.251.19
  • 184.86.251.22
  • 184.86.251.9
  • 184.86.251.16
  • 184.86.251.15
  • 184.86.251.7
  • 184.86.251.5
whitelisted
ocsp.digicert.com
  • 23.11.40.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 192.178.183.139
  • 192.178.183.138
  • 192.178.183.102
  • 192.178.183.100
  • 192.178.183.113
  • 192.178.183.101
whitelisted
api.anthropic.com
  • 160.79.104.10
whitelisted
downloads.claude.ai
  • 35.190.46.17
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted

Threats

PID 5276 MoUsoCoreWorker.exe | Class: Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)