File name: Setup.exe

Full analysis: https://app.any.run/tasks/8fca7cfe-fe75-42b5-8ce7-14d7fffc9392
Verdict: Malicious activity
Analysis date: April 30, 2024, 14:35:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C5EAB8E9F586E0FB3495174D7203F512
SHA1: B938C9ADB363D303A44F31DCB9794A57E3E78E41
SHA256: C08DD4671831D1770E85C36CF5AF7DA3E8B72B47074C3DDEBAA9751B6F42A1B6
SSDEEP: 49152:TRX9qbUEjIKSa9jLesqhSgV6H8o9Ab+DW69RVBp359nKpWYaxXRKJzE6cFeSBsca:VX9qQy9jysgSYm8Y0+7LBN5lKEYamJz1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup.exe (PID: 2204)
      • Setup.tmp (PID: 1772)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Setup.tmp (PID: 1772)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 2204)
      • Setup.tmp (PID: 1772)
    • Reads the Windows owner or organization settings

      • Setup.tmp (PID: 1772)
  • INFO

    • Checks supported languages

      • Setup.exe (PID: 2204)
      • Setup.tmp (PID: 1772)
    • Creates files in a temporary directory

      • Setup.exe (PID: 2204)
      • Setup.tmp (PID: 1772)
    • Reads the computer name

      • Setup.tmp (PID: 1772)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (81.5)
.exe | Win32 Executable Delphi generic (10.5)
.exe | Win32 Executable (generic) (3.3)
.exe | Win16/32 Executable Delphi generic (1.5)
.exe | Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0x9c14
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Setup
FileVersion: 1.0
LegalCopyright: Setup
ProductName: Setup
ProductVersion: 1.6
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: setup.exe, setup.tmp, setup.exe (no specs)

Process information

PID: 1772
CMD: "C:\Users\admin\AppData\Local\Temp\is-41GTI.tmp\Setup.tmp" /SL5="$3012C,955519,128512,C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-41GTI.tmp\Setup.tmp
Parent process: Setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-41gti.tmp\setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 2204
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: HIGH
Description: Setup
Version: 1.0
Modules (images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 3960
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance could not run without elevation, which is consistent with the HIGH-integrity instance PID 2204 doing the actual work)
Version: 1.0
Modules (images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
Total events: 336
Read events: 333
Write events: 3
Delete events: 0

Modification events

Process: (1772) Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: EC060000DA0578BC0B9BDA01

Process: (1772) Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 4B9397700D3FA7411529DE7818626CAA3E5B66CF828F0EB619F6DA24052A850B

Process: (1772) Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1
Executable files: 6
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\isskinex.dll (executable)
MD5: A80A2C59AAD01A5BD369D479F4F3CF3D
SHA256: 282F40ED72CFC801EF88AB72A80C8824957AA554ECE3B74842B48ECEDFCF4755

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\TRiNiUM.cjstyles (executable)
MD5: C9F1AC6319EF3FD1F85840D72C971F7A
SHA256: 6062BF6F7590DA39FFEEE6C1FDD65833843D56DF748BEA047671CFDF6F57DADA

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\front.bmp (image)
MD5: BDA0CCEB313F93D9698DADF012BAD461
SHA256: 7ABD33B823C9B12ABB402F5CC12546919DD37E5B999D40C7BA93D5ADFAEA6215

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\end.bmp (image)
MD5: 0CCD283024F4F48B686DE6B7ADE05E99
SHA256: 7405FBD8BED4949021A2448D7865C8205918D70CF7A68918A5C7B2E5DB5443BF

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\SetupIcon.ico (image)
MD5: F3161782829817241CE525571A994804
SHA256: 599EF5DA7DD0CE4E1A932A7AC1304F08136294B78ACED246D053EEFA2BE3C86B

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\ISDone.dll (executable)
MD5: 4FEAFA8B5E8CDB349125C8AF0AC43974
SHA256: BB8A0245DCC5C10A1C7181BAD509B65959855009A8105863EF14F2BB5B38AC71

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\_isetup\_shfoldr.dll (executable)
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID 2204, Setup.exe: C:\Users\admin\AppData\Local\Temp\is-41GTI.tmp\Setup.tmp (executable)
MD5: C24C511379E964C9652AA10996623A75
SHA256: 93CE3227FA531BE492F4F1E8BD659064CEB74564D51F41B491CCD7402C2D07CD

PID 1772, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-HK98V.tmp\_isetup\_RegDLL.tmp (executable)
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
Download the PCAP and analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4, System: 192.168.100.255:137 (NetBIOS name service broadcast), reputation: whitelisted
PID 4, System: 192.168.100.255:138 (NetBIOS datagram broadcast), reputation: whitelisted
PID 1088, svchost.exe: 224.0.0.252:5355 (LLMNR multicast), reputation: unknown
Domain, ASN and CN: none recorded for any of the three connections.

None of these connections belongs to the sample's own processes (PIDs 2204, 1772, 3960); they are the guest system's routine name-resolution traffic, so the sample made no observed network contact during this run.

DNS requests

No data

Threats

No threats detected
No debug info