File name: random.exe

Full analysis: https://app.any.run/tasks/4f994b97-3afa-4a54-a72b-f2d997f00ec4
Verdict: Malicious activity
Analysis date: September 03, 2025, 16:18:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 8271B8D9AB8BECF8E42E99754DDAC53E
SHA1: BF9112EAD58A2F379EF56D09E1F0821AA1A7A5CC
SHA256: B82A3834F67C52098D972B41F3A520728EDD912538514F4E8388A20A4975F444
SSDEEP: 98304:/43NObRrV1h76YNISJlLBNwOu1rq/YHMz/Eebifsct2lmRzLB2yxSFgOthohUUDC:fUj4qhZI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • emptydirectorydetector4496.exe (PID: 5372)
      • random.exe (PID: 4320)
      • random.tmp (PID: 1948)
    • Reads the Windows owner or organization settings

      • random.tmp (PID: 1948)
    • Process drops legitimate windows executable

      • random.tmp (PID: 1948)
    • The process drops C-runtime libraries

      • random.tmp (PID: 1948)
    • Reads security settings of Internet Explorer

      • emptydirectorydetector4496.exe (PID: 5372)
      • EmptyDirectoryDetector.exe (PID: 6748)
    • Starts POWERSHELL.EXE for commands execution

      • emptydirectorydetector4496.exe (PID: 5372)
  • INFO

    • Creates files or folders in the user directory

      • random.tmp (PID: 1948)
    • Reads the computer name

      • random.tmp (PID: 1948)
      • EmptyDirectoryDetector.exe (PID: 6748)
      • emptydirectorydetector4496.exe (PID: 5372)
    • Checks supported languages

      • random.exe (PID: 4320)
      • random.tmp (PID: 1948)
      • emptydirectorydetector4496.exe (PID: 5372)
      • EmptyDirectoryDetector.exe (PID: 6748)
    • Create files in a temporary directory

      • random.exe (PID: 4320)
      • random.tmp (PID: 1948)
    • Process checks computer location settings

      • emptydirectorydetector4496.exe (PID: 5372)
    • Changes the registry key values via Powershell

      • emptydirectorydetector4496.exe (PID: 5372)
    • Manual execution by a user

      • EmptyDirectoryDetector.exe (PID: 6748)
    • Reads the software policy settings

      • slui.exe (PID: 5968)
      • emptydirectorydetector4496.exe (PID: 5372)
      • EmptyDirectoryDetector.exe (PID: 6748)
    • Detects InnoSetup installer (YARA)

      • random.tmp (PID: 1948)
      • random.exe (PID: 4320)
    • Checks proxy server information

      • emptydirectorydetector4496.exe (PID: 5372)
      • slui.exe (PID: 5968)
      • EmptyDirectoryDetector.exe (PID: 6748)
    • Compiled with Borland Delphi (YARA)

      • random.tmp (PID: 1948)
    • Reads the machine GUID from the registry

      • emptydirectorydetector4496.exe (PID: 5372)
      • EmptyDirectoryDetector.exe (PID: 6748)
    • The sample compiled with english language support

      • random.tmp (PID: 1948)
      • emptydirectorydetector4496.exe (PID: 5372)
    • Creates files in the program directory

      • emptydirectorydetector4496.exe (PID: 5372)
    • Creates a software uninstall entry

      • random.tmp (PID: 1948)
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Empty Directory Detector Setup
FileVersion:
LegalCopyright:
ProductName: Empty Directory Detector
ProductVersion:
Total processes: 144
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph: random.exe, random.tmp, emptydirectorydetector4496.exe, powershell.exe (no specs), conhost.exe (no specs), emptydirectorydetector.exe, slui.exe

Process information

Fields: PID | CMD | Path | Indicators | Parent process
PID 188 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1948 | CMD: "C:\Users\admin\AppData\Local\Temp\is-72HR2.tmp\random.tmp" /SL5="$B02EA,3291737,54272,C:\Users\admin\Desktop\random.exe" | Path: C:\Users\admin\AppData\Local\Temp\is-72HR2.tmp\random.tmp | Parent process: random.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-72hr2.tmp\random.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 4320 | CMD: "C:\Users\admin\Desktop\random.exe" | Path: C:\Users\admin\Desktop\random.exe | Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Empty Directory Detector Setup
Version:
Modules (images):
c:\users\admin\desktop\random.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 4544 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "EmptyDirD" -Value "C:\ProgramData\EmptyDirectoryDetector\EmptyDirectoryDetector.exe" | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Parent process: emptydirectorydetector4496.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 5372 | CMD: "C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\emptydirectorydetector4496.exe" -i | Path: C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\emptydirectorydetector4496.exe | Parent process: random.tmp
User: admin
Integrity Level: MEDIUM
Description: Empty Directory Detector
Version: 2.4.6.4496
Modules (images):
c:\users\admin\appdata\local\empty directory detector 2.4.6.4496\emptydirectorydetector4496.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 5968 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 6748 | CMD: C:\ProgramData\EmptyDirectoryDetector\EmptyDirectoryDetector.exe | Path: C:\ProgramData\EmptyDirectoryDetector\EmptyDirectoryDetector.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Empty Directory Detector
Version: 2.4.6.4496
Modules (images):
c:\programdata\emptydirectorydetector\emptydirectorydetector.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events: 14 608
Read events: 14 588
Write events: 20
Delete events: 0

Modification events

Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: Inno Setup: Setup Version | Value: 5.5.2 (a)
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: Inno Setup: App Path | Value: C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: InstallLocation | Value: C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: Inno Setup: Icon Group | Value: (Default)
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: Inno Setup: User | Value: admin
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: Inno Setup: Language | Value: English
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: DisplayName | Value: Empty Directory Detector 2.4.6.4496
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: UninstallString | Value: "C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\uninstall\unins000.exe"
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: QuietUninstallString | Value: "C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\uninstall\unins000.exe" /SILENT
Process: random.tmp (PID 1948) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empty Directory Detector_is1 | Operation: write | Name: NoModify | Value: 1
Executable files: 26
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files

Fields: PID | Process | Filename | Type
PID 4320 | random.exe | C:\Users\admin\AppData\Local\Temp\is-72HR2.tmp\random.tmp | executable
MD5:2C8C9FA6EE49B711E4760E18B23170A8
SHA256:F46D309AA595D1BA6B1F366C2FCAFB4400292A79DDCBA8C7B70626368F53714F
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Temp\is-3J1Q7.tmp\_isetup\_iscrypt.dll | executable
MD5:A69559718AB506675E907FE49DEB71E9
SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Temp\is-3J1Q7.tmp\_isetup\_shfoldr.dll | executable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\uninstall\is-56CG1.tmp | executable
MD5:266118722F6E130C0D34C16ECEA8FC96
SHA256:2B2BE7B19263A442374C77FB933675ECAAE846A0744BFACDF4454941970E41DC
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Temp\is-3J1Q7.tmp\_isetup\_setup64.tmp | executable
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\uninstall\unins000.exe | executable
MD5:266118722F6E130C0D34C16ECEA8FC96
SHA256:2B2BE7B19263A442374C77FB933675ECAAE846A0744BFACDF4454941970E41DC
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\libGLESv2.dll | executable
MD5:A73EE126B2E6D43182D4C3482899D338
SHA256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\is-RGJP9.tmp | executable
MD5:A7F201C0B9AC05E950ECC55D4403EC16
SHA256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\is-83M0P.tmp | executable
MD5:E3C817F7FE44CC870ECDBCBC3EA36132
SHA256:D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
PID 1948 | random.tmp | C:\Users\admin\AppData\Local\Empty Directory Detector 2.4.6.4496\msvcr100.dll | executable
MD5:BF38660A9125935658CFA3E53FDC7D65
SHA256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
HTTP(S) requests: 45
TCP/UDP connections: 59
DNS requests: 21
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7064 | RUXIMICS.exe | GET | 200 | 2.16.164.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.164.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7064 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown
- | - | POST | 200 | 20.190.160.130:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | unknown
- | - | POST | 400 | 20.190.160.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown
- | - | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown
- | - | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | unknown
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7064 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.164.112:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.16.164.112:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
7064 | RUXIMICS.exe | 2.16.164.112:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.169.152
whitelisted
login.live.com
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
self.events.data.microsoft.com
  • 104.208.16.92
whitelisted
activation-v2.sls.microsoft.com
  • 20.165.238.210
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 72.246.169.163
whitelisted

Threats

PID | Process | Class | Message
5372 | emptydirectorydetector4496.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 8
5372 | emptydirectorydetector4496.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 11