File name:

setup_RED_MC_v.5.0.0.01.exe

Full analysis: https://app.any.run/tasks/a07815d5-702c-4f3a-8a8d-2cbb935f6e94
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 21, 2025, 07:45:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
upx
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

D6A0EB86DFAF956A30782143198A9BB9

SHA1:

9FF1DC1318D26BA4D56E2D8D9A9ECB08178BE139

SHA256:

B15A4E3DF241948B87DB3D854CE15AE315F724980E34DE1B58AA13FDEC3C5488

SSDEEP:

98304:kWFM7dF6eVPxMyhl8GeDiC3CUrfAWCGcGJIhQ0Z19RD0wUprHUf2f7JkJ6IZguR3:FPcxzZ8zZ9Pq

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by analyst actions during the session and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
    • Reads security settings of Internet Explorer

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
      • RED_MC.exe (PID: 4644)
    • Executable content was dropped or overwritten

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
      • RED_MC.exe (PID: 4644)
    • The process creates files with name similar to system file names

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
    • Malware-specific behavior (creating "System.dll" in Temp); note that System.dll is also the name of the standard NSIS System plugin, which NSIS installers unpack into their %TEMP%\ns*.tmp working directory (here nsr7A22.tmp, where InstallOptions.dll and ioSpecial.ini were dropped as well)

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
    • Start notepad (likely ransomware note); here notepad.exe (PID 3688) was started on the installer's own dropped file "Release Notes - Important!.txt"

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
    • Reads Microsoft Outlook installation path

      • RED_MC.exe (PID: 4644)
    • Reads Internet Explorer settings

      • RED_MC.exe (PID: 4644)
    • Process requests binary or script from the Internet

      • RED_MC.exe (PID: 4644)
  • INFO

    • The sample compiled with english language support

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
      • RED_MC.exe (PID: 4644)
    • Create files in a temporary directory

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
    • Checks supported languages

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
      • RED_MC.exe (PID: 4644)
    • Creates files or folders in the user directory

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
      • RED_MC.exe (PID: 4644)
    • Reads the computer name

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
      • RED_MC.exe (PID: 4644)
    • Process checks computer location settings

      • setup_RED_MC_v.5.0.0.01.exe (PID: 1164)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3688)
    • Compiled with Borland Delphi (YARA)

      • RED_MC.exe (PID: 4644)
      • slui.exe (PID: 6816)
      • notepad.exe (PID: 3688)
    • UPX packer has been detected

      • RED_MC.exe (PID: 4644)
    • Reads the software policy settings

      • RED_MC.exe (PID: 4644)
      • slui.exe (PID: 6816)
    • Reads the machine GUID from the registry

      • RED_MC.exe (PID: 4644)
    • Checks proxy server information

      • slui.exe (PID: 6816)
      • RED_MC.exe (PID: 4644)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 22:50:41+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23040
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x30cb
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.0.0.0
ProductVersionNumber: 5.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Vl@d Zola Jr.
FileDescription: RED MC Installer
FileVersion: 5.0.0.0
LegalCopyright: © 2013-2018 Vl@d Zola Jr.
ProductName: RED Modding Center
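The EXIF block above is ExifTool-style output of the PE headers. The Python below is an added example and is not part of the ANY.RUN report: it reads exactly those header fields from a file so an analyst can confirm them on a local copy of setup_RED_MC_v.5.0.0.01.exe instead of trusting the sandbox output. The bytes returned by build_sample_image() are a constructed, headers-only PE32 carrying the report's values, not the real installer, and the function names are this example's own. The NSIS identification in the report comes from TRiD, not from these header fields.

```python
"""Added example (not part of the ANY.RUN report): read the PE header fields
that the EXIF block lists, so they can be checked on a local copy of a sample.
build_sample_image() returns a constructed, headers-only PE32 that carries the
report's values; it is not the real installer."""
import struct
from datetime import datetime, timezone

PE32_MAGIC = 0x10B
MACHINE_NAMES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
CHARACTERISTIC_FLAGS = [          # IMAGE_FILE_* bits, in ExifTool's print order
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
]


def _ver(major: int, minor: int) -> str:
    """ExifTool-style version string: '6' for 6.0, '6.1' otherwise."""
    return str(major) if minor == 0 else f"{major}.{minor}"


def parse_pe_header(data: bytes) -> dict:
    """Parse the DOS header pointer, COFF file header and PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    if opt_size < 72 or struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only a PE32 optional header is handled here")
    linker_major, linker_minor, code, init, uninit, entry = struct.unpack_from("<BBIIII", data, opt + 2)
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    stamp_utc = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "MachineType": MACHINE_NAMES.get(machine, hex(machine)),
        "TimeStamp": stamp_utc.strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "Sections": nsect,
        "ImageFileCharacteristics": ", ".join(name for bit, name in CHARACTERISTIC_FLAGS if chars & bit),
        "PEType": "PE32",
        "LinkerVersion": _ver(linker_major, linker_minor),
        "CodeSize": code,
        "InitializedDataSize": init,
        "UninitializedDataSize": uninit,
        "EntryPoint": hex(entry),
        "OSVersion": _ver(os_maj, os_min),
        "ImageVersion": _ver(img_maj, img_min),
        "SubsystemVersion": _ver(ss_maj, ss_min),
        "Subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def parse_pe_file(path: str) -> dict:
    """Convenience wrapper for a file on disk; the headers sit in the first few KiB."""
    with open(path, "rb") as fh:
        return parse_pe_header(fh.read(4096))


def build_sample_image() -> bytes:
    """Constructed headers-only PE32 with the values from the report's EXIF block."""
    stamp = int(datetime(2009, 12, 5, 22, 50, 41, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 5, stamp, 0, 0, 0xE0, 0x010F)   # i386, 5 sections, flags 0x010F
    opt = struct.pack("<HBBIIII", PE32_MAGIC, 6, 0, 23040, 119808, 1024, 0x30CB)
    opt += struct.pack("<IIIII", 0x1000, 0x7000, 0x400000, 0x1000, 0x200)  # BaseOfCode .. FileAlignment
    opt += struct.pack("<6H", 4, 0, 6, 0, 4, 0)                            # OS 4.0, image 6.0, subsystem 4.0
    opt += struct.pack("<IIIIHH", 0, 0x2A000, 0x400, 0, 2, 0)              # ..., Subsystem=GUI, DllCharacteristics
    return dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0")


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_image()).items():
        print(f"{key}: {value}")
```

Run parse_pe_file() against the real sample and diff the result with the EXIF block; a mismatch in TimeStamp or EntryPoint is the quickest sign that the file on hand is not the one the report hashes.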
No data.
All screenshots are available in the full report
Total processes
136
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

explorer.exe
  └ setup_RED_MC_v.5.0.0.01.exe (PID 1044, no specs)
  └ setup_RED_MC_v.5.0.0.01.exe (PID 1164)
      ├ RED_MC.exe (PID 4644)
      └ notepad.exe (PID 3688, no specs)
svchost.exe
  └ slui.exe (PID 6816)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1044
CMD:
"C:\Users\admin\Desktop\setup_RED_MC_v.5.0.0.01.exe"
Path:
C:\Users\admin\Desktop\setup_RED_MC_v.5.0.0.01.exe
Parent process:
explorer.exe
User:
admin
Company:
Vl@d Zola Jr.
Integrity Level:
MEDIUM
Description:
RED MC Installer
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch could not proceed without elevation, and the installer was then run again as PID 1164 at HIGH integrity)
Version:
5.0.0.0
Modules
Images
c:\users\admin\desktop\setup_red_mc_v.5.0.0.01.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
1164
CMD:
"C:\Users\admin\Desktop\setup_RED_MC_v.5.0.0.01.exe"
Path:
C:\Users\admin\Desktop\setup_RED_MC_v.5.0.0.01.exe
Parent process:
explorer.exe
User:
admin
Company:
Vl@d Zola Jr.
Integrity Level:
HIGH
Description:
RED MC Installer
Exit code:
0
Version:
5.0.0.0
Modules
Images
c:\users\admin\desktop\setup_red_mc_v.5.0.0.01.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
3688
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Editing Tools\RED MC\Release Notes - Important!.txt
Path:
C:\Windows\SysWOW64\notepad.exe (the 32-bit installer's reference to system32 is redirected to SysWOW64 by WOW64 file system redirection)
Parent process:
setup_RED_MC_v.5.0.0.01.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID:
4644
CMD:
"C:\Editing Tools\RED MC\RED_MC.exe"
Path:
C:\Editing Tools\RED MC\RED_MC.exe
Parent process:
setup_RED_MC_v.5.0.0.01.exe
User:
admin
Integrity Level:
HIGH
Version:
5.0.0.0
Modules
Images
c:\editing tools\red mc\red_mc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
6816
CMD:
C:\WINDOWS\System32\slui.exe -Embedding (COM activation by svchost.exe, not a child of the sample; compare the activation-v2.sls.microsoft.com lookup under DNS requests)
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
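The Python below is an added example and is not part of the ANY.RUN report. It turns a process list like the one above into a tree, decodes NTSTATUS exit codes, and flags the pattern shown by PIDs 1044 and 1164: a medium-integrity launch that exits with STATUS_ELEVATION_REQUIRED (0xC000042C, decimal 3221226540) followed by the same image running at HIGH integrity under the same parent, which is how an installer that requires administrator rights looks in a process log. SAMPLE_EVENTS is constructed from the Process information table; the report names parent images but not parent PIDs, so the parent PIDs, and the placement of RED_MC.exe and notepad.exe under PID 1164, are assumptions (consistent with every signature being attributed to 1164). Function names are this example's own.

```python
"""Added example (not part of the ANY.RUN report): process-tree triage for a
sandbox process list. Decodes NTSTATUS exit codes and pairs a MEDIUM-integrity
launch that died with STATUS_ELEVATION_REQUIRED with the HIGH-integrity relaunch
of the same image. SAMPLE_EVENTS is constructed from the report's process table;
parent PIDs are assumptions because the report only names parent images."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATUS_ELEVATION_REQUIRED = 0xC000042C
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED",
}


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_pid: Optional[int]   # None when the parent is outside the monitored set (assumed)
    parent_image: str
    integrity: str              # MEDIUM / HIGH as reported by the sandbox
    exit_code: Optional[int]    # None while the process is still running


SAMPLE_EVENTS = [   # constructed from the report; parent_pid values are assumptions
    ProcEvent(1044, "setup_RED_MC_v.5.0.0.01.exe", None, "explorer.exe", "MEDIUM", 3221226540),
    ProcEvent(1164, "setup_RED_MC_v.5.0.0.01.exe", None, "explorer.exe", "HIGH", 0),
    ProcEvent(3688, "notepad.exe", 1164, "setup_RED_MC_v.5.0.0.01.exe", "HIGH", None),
    ProcEvent(4644, "RED_MC.exe", 1164, "setup_RED_MC_v.5.0.0.01.exe", "HIGH", None),
    ProcEvent(6816, "slui.exe", None, "svchost.exe", "MEDIUM", 0),
]


def ntstatus_name(code: int) -> str:
    """Map a decimal exit code such as 3221226540 to its NTSTATUS name (hex if unknown)."""
    code &= 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def find_elevation_relaunches(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Pair each MEDIUM process that exited with STATUS_ELEVATION_REQUIRED with the
    next HIGH process of the same image under the same parent image."""
    pairs = []
    for i, low in enumerate(events):
        if low.integrity != "MEDIUM" or low.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for high in events[i + 1:]:
            if (high.image.lower() == low.image.lower()
                    and high.parent_image.lower() == low.parent_image.lower()
                    and high.integrity == "HIGH"):
                pairs.append((low.pid, high.pid))
                break
    return pairs


def render_tree(events: List[ProcEvent]) -> str:
    """Text tree grouped under each unmonitored parent image, one node per line
    with integrity level and decoded exit code."""
    by_pid = {e.pid: e for e in events}
    children: Dict[Optional[int], List[ProcEvent]] = {}
    for e in events:
        key = e.parent_pid if e.parent_pid in by_pid else None
        children.setdefault(key, []).append(e)
    lines: List[str] = []

    def walk(e: ProcEvent, depth: int) -> None:
        exit_s = "running" if e.exit_code is None else ntstatus_name(e.exit_code)
        lines.append(f"{'  ' * depth}{e.image} (PID {e.pid}, {e.integrity}, {exit_s})")
        for child in children.get(e.pid, []):
            walk(child, depth + 1)

    roots = children.get(None, [])
    for parent_image in dict.fromkeys(r.parent_image for r in roots):   # first-seen order
        lines.append(parent_image)
        for r in roots:
            if r.parent_image == parent_image:
                walk(r, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_EVENTS))
    print("elevation relaunches:", find_elevation_relaunches(SAMPLE_EVENTS))
```

The pairing deliberately requires the same parent image on both sides: a HIGH-integrity copy of the image started by some other process is a different story (a service or a scheduled task) and should not be folded into the UAC relaunch.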
Total events
8 309
Read events
8 298
Write events
11
Delete events
0

Modification events

(PID) Process: (1164) setup_RED_MC_v.5.0.0.01.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
Operation: write
Name: (TrueType)
Value: tahoma.ttf

(PID) Process: (1164) setup_RED_MC_v.5.0.0.01.exe
Key: HKEY_CURRENT_USER\SOFTWARE\RED MC
Operation: write
Name: Directory
Value: C:\Editing Tools\RED MC

(PID) Process: (1164) setup_RED_MC_v.5.0.0.01.exe
Key: HKEY_CURRENT_USER\SOFTWARE\RED MC
Operation: write
Name: Version
Value: 5.0.0.0

(PID) Process: (1164) setup_RED_MC_v.5.0.0.01.exe
Key: HKEY_CURRENT_USER\SOFTWARE\RED MC
Operation: write
Name: Registered
Value: 0

(PID) Process: (1164) setup_RED_MC_v.5.0.0.01.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation: write
Name: txtfile
Value:

(PID) Process: (4644) RED_MC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (4644) RED_MC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4644) RED_MC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4644) RED_MC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation: write
Name: Version
Value: WS not running

(PID) Process: (4644) RED_MC.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value: 1
Executable files
12
Suspicious files
10
Text files
77
Unknown types
0

Dropped files

PID | Process | Filename | Type
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Editing Tools\RED MC\vorbisfile.dll | executable
MD5: 5275F0437F319FCB0F396D40661D484C
SHA256: 01B3443E049B5E642A994F1549A99D3B64A3E41B75FA7062DDDF7E19BC9AA7C1
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Users\admin\AppData\Local\Temp\nsr7A22.tmp\modern-wizard.bmp | image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Users\admin\AppData\Local\Temp\nsr7A22.tmp\ioSpecial.ini | text
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Users\admin\AppData\Roaming\REDitor II\VInfo.txt | text
MD5: 4AF54E3FD6572E595EE818598077E0A1
SHA256: 19B22ACD5A050DBA25AF999A6CC35C7ECC9B41001184156ED01A9687F1FD5D50
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Editing Tools\RED MC\RED_MC.exe.manifest | xml
MD5: 08534C1707279503CD0E1FF06ED26723
SHA256: D44098887A375EC57AC8563DB3B2BD4E3EBD99B473BC7CAF5ECEFD2D4D4E432D
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Users\admin\AppData\Local\Temp\nsr7A22.tmp\InstallOptions.dll | executable
MD5: 325B008AEC81E5AAA57096F05D4212B5
SHA256: C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Editing Tools\RED MC\RED_MC.exe | executable
MD5: 4FB120879A9B7A5A001B05F2D29F37AB
SHA256: 185CCC07B6738627CBF7062F5E96743A5F97DF658A312986D6AB7004668B413A
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Editing Tools\RED MC\vorbis.dll | executable
MD5: 8884A1C5DA2077CCD9D08C5D3DACF192
SHA256: 6698808D9394C8267C019EEC458093CFBD8B3D5FDE517458091B603EE00C4345
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Editing Tools\RED MC\ogg.dll | executable
MD5: 82BF92B15339F0DB75552B15DD1D1573
SHA256: 2B2A426D6691998755C42A108EB1A9AFD3F33DC3F1081FB63C31C15AC8A405E0
1164 | setup_RED_MC_v.5.0.0.01.exe | C:\Editing Tools\RED MC\Release Notes - Important!.txt | text
MD5: E58E2AF878670D5D19A96D7837D80816
SHA256: FA1505623D534C8CC0C6272E9AC838822965879ACC5874E4BC32A8CA3B4D1BE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
26
DNS requests
13
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(a "-" marks a field the report leaves blank)
1268 | svchost.exe | GET | 200 | 184.25.50.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3732 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4644 | RED_MC.exe | GET | 200 | 69.162.127.5:80 | http://reditor.red-mods.com/StatsCounter.php?version=MC5.0.0.0&registered=MC&mod_int=MC&mf_int=MC&nba2k10pc=MC&nba2k11pc=MC&nba2k11360=MC&mlb2k11pc=MC&nba2k12pc=MC&nba2k12360=MC&mlb2k12pc=MC&mlb2k12360=MC | unknown | - | - | unknown
- | - | GET | 200 | 87.250.251.119:443 | https://mc.yandex.com/metrika/advert.gif | unknown | image | 43 b | whitelisted
4644 | RED_MC.exe | GET | 302 | 87.250.251.119:80 | http://mc.yandex.ru/metrika/watch.js | unknown | - | - | whitelisted
- | - | GET | 200 | 87.250.251.119:443 | https://mc.yandex.ru/metrika/watch.js | unknown | binary | 201 Kb | whitelisted
- | - | GET | 302 | 87.250.250.119:443 | https://mc.yandex.com/watch/12838618?callback=_ymjsp139007469&page-url=http%3A%2F%2Freditor.red-mods.com%2FStatsCounter.php%3Fversion%3DMC5.0.0.0%26registered%3DMC%26mod_int%3DMC%26mf_int%3DMC%26nba2k10pc%3DMC%26nba2k11pc%3DMC%26nba2k11360%3DMC%26mlb2k11pc%3DMC%26nba2k12pc%3DMC%26nba2k12360%3DMC%26mlb2k12pc%3DMC%26mlb2k12360%3DMC&charset=utf-8&ut=noindex&uah=che%0A0&browser-info=pv%3A1%3Avf%3A7gb6ul65btfmssvv7trw9u0wxw63%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A2091%3Acn%3A1%3Adp%3A0%3Als%3A548609749258%3Ahid%3A1070659164%3Az%3A0%3Ai%3A20250621074635%3Aet%3A1750491996%3Ac%3A1%3Arn%3A3221393%3Au%3A175049199679728222%3Aw%3A-20x-20%3As%3A1280x720x32%3Aifr%3A1%3Aj%3A1%3Afp%3A144%3Awv%3A2%3Ads%3A0%2C0%2C0%2C1%2C0%2C0%2C%2C14%2C0%2C10116%2C10181%2C0%2C10116%3Aco%3A0%3Ans%3A1750491984371%3Arqnl%3A1%3Ast%3A1750491996%3At%3A&t=gdpr(14)clc(0-0-0)rqnt(1)cdl(na)eco(335880)ti(3)&wmode=5 | unknown | - | - | -
- | - | GET | 200 | 77.88.21.119:443 | https://mc.yandex.com/watch/12838618/1?callback=_ymjsp139007469&page-url=http%3A%2F%2Freditor.red-mods.com%2FStatsCounter.php%3Fversion%3DMC5.0.0.0%26registered%3DMC%26mod_int%3DMC%26mf_int%3DMC%26nba2k10pc%3DMC%26nba2k11pc%3DMC%26nba2k11360%3DMC%26mlb2k11pc%3DMC%26nba2k12pc%3DMC%26nba2k12360%3DMC%26mlb2k12pc%3DMC%26mlb2k12360%3DMC&charset=utf-8&ut=noindex&uah=che%0A0&browser-info=pv%3A1%3Avf%3A7gb6ul65btfmssvv7trw9u0wxw63%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A2091%3Acn%3A1%3Adp%3A0%3Als%3A548609749258%3Ahid%3A1070659164%3Az%3A0%3Ai%3A20250621074635%3Aet%3A1750491996%3Ac%3A1%3Arn%3A3221393%3Au%3A175049199679728222%3Aw%3A-20x-20%3As%3A1280x720x32%3Aifr%3A1%3Aj%3A1%3Afp%3A144%3Awv%3A2%3Ads%3A0%2C0%2C0%2C1%2C0%2C0%2C%2C14%2C0%2C10116%2C10181%2C0%2C10116%3Aco%3A0%3Ans%3A1750491984371%3Arqnl%3A1%3Ast%3A1750491996%3At%3A&t=gdpr%2814%29clc%280-0-0%29rqnt%281%29cdl%28na%29eco%28335880%29ti%283%29&wmode=5&redirnss=1 | unknown | - | - | -
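The HTTP table mixes the sample's traffic with background Windows traffic (CRL fetches, update workers), and the only destination the report does not whitelist is reditor.red-mods.com, which RED_MC.exe contacts with a version and registration beacon that is then copied into the page-url parameter of the Yandex Metrika hit. The Python below is an added example and is not part of the ANY.RUN report: it filters the rows to the sample's own PIDs, parses the beacon, and unwraps the nested copy. SAMPLE_ROWS is constructed from the table above, with the Metrika URL shortened to the parameters used here; rows the report shows without a PID keep pid=None, and the function names are this example's own.

```python
"""Added example (not part of the ANY.RUN report): separate the sample's HTTP
traffic from background Windows traffic, parse the beacon RED_MC.exe sends to
reditor.red-mods.com, and unwrap the page-url copy of it inside the Yandex
Metrika hit. SAMPLE_ROWS is constructed from the report's HTTP table (the
Metrika URL is shortened); rows without a PID in the report keep pid=None."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qs

SAMPLE_PIDS = {1164, 4644}                      # the installer and the program it dropped
WHITELISTED_HOSTS = {"crl.microsoft.com", "www.microsoft.com", "mc.yandex.ru", "mc.yandex.com"}

SAMPLE_ROWS = [   # constructed from the report's HTTP request table
    {"pid": 1268, "process": "svchost.exe",
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
    {"pid": 4644, "process": "RED_MC.exe",
     "url": "http://reditor.red-mods.com/StatsCounter.php?version=MC5.0.0.0&registered=MC"
            "&mod_int=MC&mf_int=MC&nba2k10pc=MC&nba2k11pc=MC&nba2k11360=MC&mlb2k11pc=MC"
            "&nba2k12pc=MC&nba2k12360=MC&mlb2k12pc=MC&mlb2k12360=MC"},
    {"pid": 4644, "process": "RED_MC.exe", "url": "http://mc.yandex.ru/metrika/watch.js"},
    {"pid": None, "process": None,            # shortened Metrika hit; page-url is the beacon
     "url": "https://mc.yandex.com/watch/12838618?callback=_ymjsp139007469"
            "&page-url=http%3A%2F%2Freditor.red-mods.com%2FStatsCounter.php%3Fversion%3DMC5.0.0.0"
            "%26registered%3DMC&charset=utf-8"},
]


def beacon_fields(url: str) -> Dict[str, str]:
    """Flatten a URL's query string into name -> value (first value wins).
    parse_qs splits on '&' before percent-decoding, so an encoded '%26' inside a
    value (the nested beacon) stays inside that value."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def unwrap_page_url(url: str) -> Optional[str]:
    """Return the URL a Metrika hit embeds in page-url, percent-decoded, or None."""
    return beacon_fields(url).get("page-url")


def sample_destinations(rows: List[dict], sample_pids=SAMPLE_PIDS,
                        whitelist=WHITELISTED_HOSTS) -> List[dict]:
    """Hosts contacted by the sample's own PIDs with a whitelist verdict each.
    Rows the report lists without a PID are not attributed to anyone."""
    out = []
    for row in rows:
        if row["pid"] not in sample_pids:
            continue
        host = urlsplit(row["url"]).hostname or ""
        out.append({"pid": row["pid"], "process": row["process"], "host": host,
                    "whitelisted": host in whitelist})
    return out


def triage(rows: List[dict]) -> Dict[str, list]:
    """Unlisted destinations with their parsed beacon, plus any beacon copies
    forwarded to a third party through a page-url parameter."""
    unlisted = [dict(d, fields=beacon_fields(r["url"]))
                for d, r in zip(sample_destinations(rows), [r for r in rows if r["pid"] in SAMPLE_PIDS])
                if not d["whitelisted"]]
    forwarded = []
    for row in rows:
        inner = unwrap_page_url(row["url"])
        if inner:
            forwarded.append({"via": urlsplit(row["url"]).hostname,
                              "to": urlsplit(inner).hostname, "fields": beacon_fields(inner)})
    return {"unlisted": unlisted, "forwarded_copies": forwarded}


if __name__ == "__main__":
    for dest in sample_destinations(SAMPLE_ROWS):
        print(dest)
    print(triage(SAMPLE_ROWS))
```

The whitelist here is the report's own reputation column; the point of the filter is that a "whitelisted" analytics host can still carry the sample's beacon verbatim, which triage() surfaces under forwarded_copies.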

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a "-" marks a field the report leaves blank)
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3732 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 184.25.50.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3732 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 184.25.50.8
  • 184.25.50.10
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
reditor.red-mods.com
  • 69.162.127.5
unknown
mc.yandex.ru
  • 87.250.251.119
  • 77.88.21.119
  • 87.250.250.119
whitelisted
mc.yandex.com
  • 87.250.251.119
  • 77.88.21.119
  • 87.250.250.119
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted
self.events.data.microsoft.com
  • 40.79.150.121
whitelisted

Threats

No threats detected
No debug info