File name:

setup.exe

Full analysis: https://app.any.run/tasks/b361e858-e5d2-450d-8db1-7ebf5f9079c9
Verdict: Malicious activity
Analysis date: May 27, 2024, 08:08:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

28BD6698ED0F6B9B153C68EC12CECED1

SHA1:

640C64F4365A73F3FF9C16895443166FC190A54F

SHA256:

D6ABD0C13E32EA620AE486B27C399DDA0EEA91B9602EA988F1C50A5DC58D35C8

SSDEEP:

98304:9K/SMPUQ+ku/mMjvswRsgwASXybygXyonKDolYN/aK8TKfjMVyaeQVFLL5kMfzZu:y5e94zoxYRvlkQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • setup.tmp (PID: 4080)

    • Reads the Windows owner or organization settings

      • setup.tmp (PID: 4080)

    • Executable content was dropped or overwritten

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

  • INFO

    • Create files in a temporary directory

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

    • Checks supported languages

      • setup.exe (PID: 4064)
      • setup.tmp (PID: 4080)

    • Reads the computer name

      • setup.tmp (PID: 4080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:02 05:04:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x16478
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: ELDEN RING Setup
FileVersion:
LegalCopyright: FitGirl
ProductName: ELDEN RING
ProductVersion:
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start setup.exe setup.tmp setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3960"C:\Users\admin\Downloads\setup.exe" C:\Users\admin\Downloads\setup.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
ELDEN RING Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\downloads\setup.exe
c:\windows\system32\ntdll.dll
4064"C:\Users\admin\Downloads\setup.exe" C:\Users\admin\Downloads\setup.exe
explorer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
ELDEN RING Setup
Version:
Modules
Images
c:\users\admin\downloads\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
4080"C:\Users\admin\AppData\Local\Temp\is-5OPFN.tmp\setup.tmp" /SL5="$40136,7402000,140800,C:\Users\admin\Downloads\setup.exe" C:\Users\admin\AppData\Local\Temp\is-5OPFN.tmp\setup.tmp
setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-5opfn.tmp\setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
372
Read events
367
Write events
5
Delete events
0

Modification events

(PID) Process:(4080) setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
F00F0000C6EB291C0DB0DA01
(PID) Process:(4080) setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
BB59FF6F0F5EF4ED336C1E76AC86CADEE8D4DA2E95D21130C6DD40AF86020C04
(PID) Process:(4080) setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(4080) setup.tmpKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:writeName:Speaker Configuration
Value:
4
Executable files
37
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\BASS.dllexecutable
MD5:8005750EC63EB5292884AD6183AE2E77
SHA256:DF9F56C4DA160101567B0526845228EE481EE7D2F98391696FA27FE41F8ACF15
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\innocallback.dllexecutable
MD5:1C55AE5EF9980E3B1028447DA6105C75
SHA256:6AFA2D104BE6EFE3D9A2AB96DBB75DB31565DAD64DD0B791E402ECC25529809F
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\idp.dllexecutable
MD5:AF555AC9C073F88FE5BF0D677F085025
SHA256:F4FC0187491A9CB89E233197FF72C2405B5EC02E8B8EA640EE68D034DDBC44BB
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\ISDone.dllexecutable
MD5:63DC27B7BC65243EFAA59A9797A140BA
SHA256:C652B4B564B3C85C399155CBB45C6FB5A9F56F074E566BFD20F01DA6E0412C74
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-lollypop.dllexecutable
MD5:0EF04BC15FD1B28975AFF2951B857F03
SHA256:F84677643D9977AA1E8A4AA8C85A12665D29A4E8292485A0B4DF846DD161F824
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\wintb.dllexecutable
MD5:9436DF49E08C83BAD8DDC906478C2041
SHA256:1910537AA95684142250CA0C7426A0B5F082E39F6FBDBDBA649AECB179541435
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-lollypop_x64.exeexecutable
MD5:5B848A24126F54A2C3C7B7393B536D33
SHA256:2D32C4F4522BC62F63C7949313434F6CA0EAA6B65B44EE5AA8B6B877988B1AA8
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-lollypop_x86.exeexecutable
MD5:3527C6739C46F4EE1CFB6B48E1407883
SHA256:724C6E07180E321298B4EA4405C3F7536C524D9826D24F5D6FC50BCB0EF8F723
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-srep_x64.exeexecutable
MD5:6AE2ADD85EC2B642D865FFAAA391D5BB
SHA256:ED8A485B9984997306EA6B5C6D98B5026A5B7903C1DF4C229BF93BF113C78EE9
4080setup.tmpC:\Users\admin\AppData\Local\Temp\is-I77LV.tmp\cls-magic2.dllexecutable
MD5:9E1E200472D66356A4AE5D597B01DABC
SHA256:87DF573AC240E09EA4941E169FB2D15D5316A1B0E053446B8144E04B1154F061
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.exe