File name: Setup.exe

Full analysis: https://app.any.run/tasks/ca21b57a-e47e-456a-bfbe-071c63065cc9
Verdict: Malicious activity
Analysis date: May 13, 2025, 16:31:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: ADD300DBFF9A46F9428A117EBA3320E3
SHA1: 3E440F3ACD34C02DF36A93EDF3F7FF9565F13841
SHA256: D5E75E0F8EBEBC3B45A41F089364F3EBC1B391E4BF42E89468CB5EE2C63816C7
SSDEEP: 12288:cg1VKC9rbJKsd2x3cFcmQtKtqZZrAttJVVVVVVVVVVVVVVVVVVVOVVVVVVVVVVV7:cg1g4rv2Dt4UdL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Setup.exe (PID: 4996)
  • SUSPICIOUS

    • Creates a software uninstall entry

      • VSTOInstaller.exe (PID: 7216)
    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
    • Searches for installed software

      • VSTOInstaller.exe (PID: 7216)
    • Reads Internet Explorer settings

      • VSTOInstaller.exe (PID: 7216)
  • INFO

    • Reads the software policy settings

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
      • slui.exe (PID: 7368)
    • Reads the computer name

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
    • The sample was compiled with English language support

      • Setup.exe (PID: 4996)
    • Reads the machine GUID from the registry

      • VSTOInstaller.exe (PID: 7216)
      • Setup.exe (PID: 4996)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
    • Reads Environment values

      • VSTOInstaller.exe (PID: 7216)
    • Checks proxy server information

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
    • Checks supported languages

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
    • Create files in a temporary directory

      • Setup.exe (PID: 4996)
      • VSTOInstaller.exe (PID: 7216)
    • Disables trace logs

      • VSTOInstaller.exe (PID: 7216)
    • Process checks whether UAC notifications are on

      • VSTOInstaller.exe (PID: 7216)
    • Application launched itself

      • firefox.exe (PID: 6040)
      • firefox.exe (PID: 5936)
    • Manual execution by a user

      • firefox.exe (PID: 6040)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:07 06:26:33+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 364544
InitializedDataSize: 814592
UninitializedDataSize: -
EntryPoint: 0x330c2
OSVersion: 5.1
ImageVersion: 10
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 14.0.23107.0
ProductVersionNumber: 14.0.23107.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: Setup
FileVersion: 14.0.23107.0 built by: D14REL
InternalName: setup.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: setup.exe
ProductName: -
ProductVersion: 14.0.23107.0
All screenshots are available in the full report
Total processes: 148
Monitored processes: 16
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start setup.exe vstoinstaller.exe sppextcomobj.exe no specs slui.exe rundll32.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs slui.exe no specs

Process information

PID: 1164
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2152 -parentBuildID 20240213221259 -prefsHandle 2144 -prefMapHandle 2132 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b710786e-fb75-4417-93be-7ac8600d7225} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 1e306781510 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0

PID: 2340
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 3096
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2644 -childID 1 -isForBrowser -prefsHandle 2568 -prefMapHandle 1520 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1500 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b48a3615-ded8-49f1-8f06-c0b35ef1303a} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 1e318545d90 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0

PID: 4560
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d86689a-c153-41ad-9538-31c262ece6ca} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 1e3137ea810 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0

PID: 4892
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -childID 2 -isForBrowser -prefsHandle 2284 -prefMapHandle 2660 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1500 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5350386f-8983-479a-a4b6-57321fdb4a4b} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 1e31acdfa10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0

PID: 4996
CMD: "C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Setup
Exit code: 0
Version: 14.0.23107.0 built by: D14REL

PID: 5936
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0

PID: 6040
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0

PID: 6972
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1500 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fcf2123-69b8-4476-954e-6f97c04e7a84} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 1e31e442f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0

PID: 7216
CMD: VSTOInstaller.exe /install https://aplicaciones.sat.gob.mx/SIPREDP/SIPREDCliente/SAT.Dictamenes.SIPRED.Client.vsto
Path: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual Studio Tools for Office Solution Installer
Exit code: 4294966996 (0xFFFFFED4, i.e. -300 as a signed 32-bit value)
Version: 10.0.60828.0 built by: VSTO_Rel
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 143
Text files: 18
Unknown types: 0

Dropped files

PID 5936 | firefox.exe | Type: (not recorded)
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:

PID 4996 | Setup.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
MD5: 7A94EBFB8391D5341F6BB8091FD5961C
SHA256: A90E97F427C32DB79B4377A17B4B1B6D3F88D11F7A7847E0884FB804B87C1A67

PID 4996 | Setup.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\VSDB8D2.tmp\install.log
MD5: 92543CC578CD592034DE592ADCDC3FA4
SHA256: E4873E9BD20B6A26C64912A64F0121AA23B84990261FBFE8C23D0BB94D87DFE0

PID 5936 | firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin
MD5: 297E88D7CEB26E549254EC875649F4EB
SHA256: 8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702

PID 5936 | firefox.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js
MD5: E21598451212E399C13B701301FC8E85
SHA256: 9BA104A0F24CE78E3CD12E0FBC8FD3E93E6F6DE7FCA41DC348511D1AFA6AFAEA

PID 7216 | VSTOInstaller.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\SRNQH67X.log
MD5: 3B0E45D58C496D5C886D412DBB85BFE0
SHA256: 0389616CDA7745277BF16D39F6FB022E5A7F8C516617DDC08E6FF9E728FF4EE0

PID 5936 | firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 5936 | firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 5936 | firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID 5936 | firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 26
TCP/UDP connections: 67
DNS requests: 103
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4996 | Setup.exe | GET | 200 | 151.101.194.133:80 | http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDAJYcqgmKDOspiuEig%3D%3D | unknown | whitelisted
4996 | Setup.exe | GET | 200 | 151.101.194.133:80 | http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8064 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5936 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
8064 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5936 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
5936 | firefox.exe | POST | 200 | 142.250.186.99:80 | http://o.pki.goog/s/wr3/FIY | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6488 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4996 | Setup.exe | 200.33.84.156:443 | aplicaciones.sat.gob.mx | Operbes, S.A. de C.V. | MX | unknown
4996 | Setup.exe | 151.101.194.133:80 | ocsp2.globalsign.com | FASTLY | US | whitelisted
7216 | VSTOInstaller.exe | 200.33.84.156:443 | aplicaciones.sat.gob.mx | Operbes, S.A. de C.V. | MX | unknown
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 23.48.23.147, 23.48.23.166, 23.48.23.167, 23.48.23.158, 23.48.23.143, 23.48.23.164, 23.48.23.156, 23.48.23.159, 23.48.23.176 | whitelisted
www.microsoft.com | 23.52.120.96, 184.30.21.171 | whitelisted
google.com | 142.250.185.174 | whitelisted
aplicaciones.sat.gob.mx | 200.33.84.156 | unknown
ocsp2.globalsign.com | 151.101.194.133, 151.101.2.133, 151.101.66.133, 151.101.130.133 | whitelisted
ocsp.globalsign.com | 151.101.194.133, 151.101.2.133, 151.101.66.133, 151.101.130.133 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 40.126.32.140, 40.126.32.134, 40.126.32.68, 20.190.160.67, 40.126.32.136, 20.190.160.4, 20.190.160.66, 20.190.160.130 | whitelisted
ocsp.digicert.com | 2.23.77.188, 2.17.190.73 | whitelisted

Threats

No threats detected
No debug info