File name: sublime_text_build_4180_x64_setup.exe
Full analysis: https://app.any.run/tasks/260eeaaf-0a3b-4283-b277-8117285e6732
Verdict: Malicious activity
Analysis date: November 21, 2024, 08:40:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, arch-html, arch-doc, arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: AAF9512B5751E651B6A5888196CDC1C8
SHA1: 39C1A9790110E4DBCF17954C01E82E413C388AAB
SHA256: 99650270AA32E8997AEC2BDE30EBE0F2D79A6A83E629293CE4537C74975DD924
SSDEEP: 98304:pgkz9zTGvY7lIQQ9hbZwvu33GmHSIaYRqwSrhS2IMC0p8L0w5FN8BysIaCx5gbuj:JQ1ka0sjpREnmHS3l81fvkVndUzt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • sublime_text_build_4180_x64_setup.tmp (PID: 5880)
    • Executable content was dropped or overwritten
      • sublime_text_build_4180_x64_setup.exe (PID: 3620)
      • sublime_text_build_4180_x64_setup.exe (PID: 6060)
      • sublime_text_build_4180_x64_setup.tmp (PID: 3812)
    • The process drops C-runtime libraries
      • sublime_text_build_4180_x64_setup.tmp (PID: 3812)
    • Process drops legitimate windows executable
      • sublime_text_build_4180_x64_setup.tmp (PID: 3812)
  • INFO
    • Create files in a temporary directory
      • sublime_text_build_4180_x64_setup.exe (PID: 6060)
    • Checks supported languages
      • sublime_text_build_4180_x64_setup.exe (PID: 6060)
      • sublime_text_build_4180_x64_setup.tmp (PID: 5880)
    • Process checks computer location settings
      • sublime_text_build_4180_x64_setup.tmp (PID: 5880)
    • Reads the computer name
      • sublime_text_build_4180_x64_setup.tmp (PID: 5880)
    • Manual execution by a user
      • mspaint.exe (PID: 6820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.8)
.exe | Win32 Executable Delphi generic (19)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:06 14:39:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x117dc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Sublime HQ Pty Ltd
FileDescription: Sublime Text Setup
FileVersion:
LegalCopyright:
ProductName: Sublime Text
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

  • start
  • sublime_text_build_4180_x64_setup.exe
  • sublime_text_build_4180_x64_setup.tmp (no specs)
  • sublime_text_build_4180_x64_setup.exe
  • sublime_text_build_4180_x64_setup.tmp
  • textinputhost.exe (no specs)
  • mspaint.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

PID: 3620
CMD: "C:\Users\admin\AppData\Local\Temp\sublime_text_build_4180_x64_setup.exe" /SPAWNWND=$501DE /NOTIFYWND=$501F8
Path: C:\Users\admin\AppData\Local\Temp\sublime_text_build_4180_x64_setup.exe
Parent process: sublime_text_build_4180_x64_setup.tmp
User: admin
Company: Sublime HQ Pty Ltd
Integrity Level: HIGH
Description: Sublime Text Setup
Exit code: 0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\sublime_text_build_4180_x64_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 3812
CMD: "C:\Users\admin\AppData\Local\Temp\is-1Q440.tmp\sublime_text_build_4180_x64_setup.tmp" /SL5="$190022,15643013,121344,C:\Users\admin\AppData\Local\Temp\sublime_text_build_4180_x64_setup.exe" /SPAWNWND=$501DE /NOTIFYWND=$501F8
Path: C:\Users\admin\AppData\Local\Temp\is-1Q440.tmp\sublime_text_build_4180_x64_setup.tmp
Parent process: sublime_text_build_4180_x64_setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-1q440.tmp\sublime_text_build_4180_x64_setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 5880
CMD: "C:\Users\admin\AppData\Local\Temp\is-1UPSJ.tmp\sublime_text_build_4180_x64_setup.tmp" /SL5="$501F8,15643013,121344,C:\Users\admin\AppData\Local\Temp\sublime_text_build_4180_x64_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-1UPSJ.tmp\sublime_text_build_4180_x64_setup.tmp
Parent process: sublime_text_build_4180_x64_setup.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-1upsj.tmp\sublime_text_build_4180_x64_setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6060
CMD: "C:\Users\admin\AppData\Local\Temp\sublime_text_build_4180_x64_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\sublime_text_build_4180_x64_setup.exe
Parent process: explorer.exe
User: admin
Company: Sublime HQ Pty Ltd
Integrity Level: MEDIUM
Description: Sublime Text Setup
Exit code: 0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\sublime_text_build_4180_x64_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6216
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Version: 123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 6820
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\systemplease.png"
Path: C:\Windows\System32\mspaint.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Paint
Exit code: 0
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 1 470
Read events: 1 393
Write events: 76
Delete events: 1

Modification events

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sublime-build\OpenWithProgids
Operation: write
Name: com.sublimehq.sublimetext.build-system
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\sublime_text.exe\SupportedTypes
Operation: write
Name: .sublime-build
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sublime-color-scheme\OpenWithProgids
Operation: write
Name: com.sublimehq.sublimetext.color-scheme
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\sublime_text.exe\SupportedTypes
Operation: write
Name: .sublime-color-scheme
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sublime-commands\OpenWithProgids
Operation: write
Name: com.sublimehq.sublimetext.commands
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\sublime_text.exe\SupportedTypes
Operation: write
Name: .sublime-commands
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sublime-completions\OpenWithProgids
Operation: write
Name: com.sublimehq.sublimetext.completions
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\sublime_text.exe\SupportedTypes
Operation: write
Name: .sublime-completions
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sublime-keymap\OpenWithProgids
Operation: write
Name: com.sublimehq.sublimetext.keymap
Value:

(PID) Process: (3812) sublime_text_build_4180_x64_setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\sublime_text.exe\SupportedTypes
Operation: write
Name: .sublime-keymap
Value:
Executable files: 29
Suspicious files: 113
Text files: 22
Unknown types: 0

Dropped files

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-85NBI.tmp\_isetup\_setup64.tmp | Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6060 | Process: sublime_text_build_4180_x64_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-1UPSJ.tmp\sublime_text_build_4180_x64_setup.tmp | Type: executable
MD5: 6E3790D6371E3B91685CF12150698545
SHA256: A5AC7EE2ADD434AF74FB3E1AB6CE51B54859E34BBF169826B05813F1E96AB0C6

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\sublime_text.exe | Type: executable
MD5: ED18178DC554270EA339606FBBC703ED
SHA256: 559ABBCE0D9083D2A19EE98CA7AA1E4A1CA04715B6E30A8C0D34A7DC4B8C0BA0

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\subl.exe | Type: executable
MD5: 078CD87747852248523C88A427456355
SHA256: ABD2F1ED5F5E283641F0472C0217F12267CED3264B69478AE15E861DA737BA2F

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\update_installer.exe | Type: executable
MD5: 9155C9ED10429307CB87EC505CD37ADE
SHA256: 3DF7C995328BA1C1B47AD25F22EC22245105BEFF850B8E9AE97D70AF8D7B1CEE

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\unins000.exe | Type: executable
MD5: 6E3790D6371E3B91685CF12150698545
SHA256: A5AC7EE2ADD434AF74FB3E1AB6CE51B54859E34BBF169826B05813F1E96AB0C6

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\plugin_host-3.8.exe | Type: executable
MD5: 427A998C61DE637690A2E925119A841C
SHA256: F22CB4C40C1F92760A1C1436BD80A760F5C939C65A497D60618FBB76967FCC66

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\is-131DI.tmp | Type: executable
MD5: ED18178DC554270EA339606FBBC703ED
SHA256: 559ABBCE0D9083D2A19EE98CA7AA1E4A1CA04715B6E30A8C0D34A7DC4B8C0BA0

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\crash_handler.exe | Type: executable
MD5: 8971185B1EC37121B7A4343758DDE077
SHA256: 610A60FBB42E360C850C8F8C1AC3A46EE11CDC7AA0BCEA1F586E641CE9D72AE1

PID: 3812 | Process: sublime_text_build_4180_x64_setup.tmp | Filename: C:\Program Files\Sublime Text\is-TJKKV.tmp | Type: executable
MD5: 9155C9ED10429307CB87EC505CD37ADE
SHA256: 3DF7C995328BA1C1B47AD25F22EC22245105BEFF850B8E9AE97D70AF8D7B1CEE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 31
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6548 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6120 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6548 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

51.104.136.2:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4932 | svchost.exe | 51.104.136.2:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
544 | RUXIMICS.exe | 51.104.136.2:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4932 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 92.123.104.31:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation

google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 95.101.149.131, 23.35.229.160 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
www.bing.com | 92.123.104.31, 92.123.104.36, 92.123.104.33, 92.123.104.41, 92.123.104.40, 92.123.104.38, 92.123.104.32, 92.123.104.34, 92.123.104.35 | whitelisted
login.live.com | 40.126.32.136, 40.126.32.138, 20.190.160.17, 20.190.160.14, 40.126.32.140, 40.126.32.76, 40.126.32.68, 40.126.32.133 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted

Threats

No threats detected
No debug info