File name:

setup.exe

Full analysis: https://app.any.run/tasks/b361e858-e5d2-450d-8db1-7ebf5f9079c9
Verdict: Malicious activity
Analysis date: May 27, 2024, 08:08:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

28BD6698ED0F6B9B153C68EC12CECED1

SHA1:

640C64F4365A73F3FF9C16895443166FC190A54F

SHA256:

D6ABD0C13E32EA620AE486B27C399DDA0EEA91B9602EA988F1C50A5DC58D35C8

SSDEEP:

98304:9K/SMPUQ+ku/mMjvswRsgwASXybygXyonKDolYN/aK8TKfjMVyaeQVFLL5kMfzZu:y5e94zoxYRvlkQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • setup.tmp (PID: 4080)

    • Executable content was dropped or overwritten

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

    • Reads the Windows owner or organization settings

      • setup.tmp (PID: 4080)

  • INFO

    • Checks supported languages

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

    • Create files in a temporary directory

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

    • Reads the computer name

      • setup.tmp (PID: 4080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:02 05:04:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x16478
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: ELDEN RING Setup
FileVersion:
LegalCopyright: FitGirl
ProductName: ELDEN RING
ProductVersion:
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start setup.exe setup.tmp setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3960"C:\Users\admin\Downloads\setup.exe" C:\Users\admin\Downloads\setup.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
ELDEN RING Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\downloads\setup.exe
c:\windows\system32\ntdll.dll
4064"C:\Users\admin\Downloads\setup.exe" C:\Users\admin\Downloads\setup.exe
explorer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
ELDEN RING Setup
Version:
Modules
Images
c:\users\admin\downloads\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
4080"C:\Users\admin\AppData\Local\Temp\is-5OPFN.tmp\setup.tmp" /SL5="$40136,7402000,140800,C:\Users\admin\Downloads\setup.exe" C:\Users\admin\AppData\Local\Temp\is-5OPFN.tmp\setup.tmp
setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-5opfn.tmp\setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
372
Read events
367
Write events
5
Delete events
0

Modification events

(PID) Process:(4080) setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
F00F0000C6EB291C0DB0DA01
(PID) Process:(4080) setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
BB59FF6F0F5EF4ED336C1E76AC86CADEE8D4DA2E95D21130C6DD40AF86020C04
(PID) Process:(4080) setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(4080) setup.tmpKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:writeName:Speaker Configuration
Value:
4
Executable files
37
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
4064setup.exeC:\Users\admin\AppData\Local\Temp\is-5OPFN.tmp\setup.tmpexecutable
MD5:AE9890548F2FCAB56A4E9AE446F55B3F
SHA256:09AF8004B85478E1ECA09FA4CB5E3081DDDCB2F68A353F3EF6849D92BE47B449
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-magic2l.dllexecutable
MD5:9E1E200472D66356A4AE5D597B01DABC
SHA256:87DF573AC240E09EA4941E169FB2D15D5316A1B0E053446B8144E04B1154F061
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\idp.dllexecutable
MD5:AF555AC9C073F88FE5BF0D677F085025
SHA256:F4FC0187491A9CB89E233197FF72C2405B5EC02E8B8EA640EE68D034DDBC44BB
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-magic2.dllexecutable
MD5:9E1E200472D66356A4AE5D597B01DABC
SHA256:87DF573AC240E09EA4941E169FB2D15D5316A1B0E053446B8144E04B1154F061
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-magic2_x64.exeexecutable
MD5:7234C4334A7523B1AC6F51C072497071
SHA256:D92F7C60256509F74E36D9B5AAB041FE44999B1A3910D70AA83C9D01F062EA29
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\ISDone.dllexecutable
MD5:63DC27B7BC65243EFAA59A9797A140BA
SHA256:C652B4B564B3C85C399155CBB45C6FB5A9F56F074E566BFD20F01DA6E0412C74
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-lollypop_x86.exeexecutable
MD5:3527C6739C46F4EE1CFB6B48E1407883
SHA256:724C6E07180E321298B4EA4405C3F7536C524D9826D24F5D6FC50BCB0EF8F723
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-srep_x86.exeexecutable
MD5:FC7DD2CA9F47D64EDD3B2061CD8DB1B3
SHA256:4004BA624F8CE381C61C82ABA26E246D93E833357930C17CD4B02058EA31FAD4
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-magic2_x86.exeexecutable
MD5:7CBE7DB7FC9258B6A43551140C343BB3
SHA256:6EA07AA4F5565AC289402ADE3B2E52BF8089AD6185E0ECF0E1F36CEA39C091A9
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-magic2l_x64.exeexecutable
MD5:7234C4334A7523B1AC6F51C072497071
SHA256:D92F7C60256509F74E36D9B5AAB041FE44999B1A3910D70AA83C9D01F062EA29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.exe