File name: we-Set-up.exe

Full analysis: https://app.any.run/tasks/c5d80568-bd96-4917-b9c3-8b6a58b2220f
Verdict: Malicious activity
Analysis date: May 24, 2025, 01:03:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 2BE8DA27F4744F555B719536F8D86FA0
SHA1: 43FDCE99CB5B88991B9C04436F80C448987BB78B
SHA256: DC5979CEBA45497ACE41619B2397E876791610DDA35999A55F03CD67AA4519FC
SSDEEP: 49152:YWyza3UPPUqvhiRveTIshzrbHaQfywQKRwzYKjrdIc3/Vi/XDJP54lyJZBXNJo+v:PwmUPLZiRUhLaQaNKWzz/dIcvV4DJRF5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • we-Set-up.exe (PID: 2960)
  • SUSPICIOUS

    • The executable file from the user directory is run by the CMD process

      • Arrival.com (PID: 7084)
    • Starts CMD.EXE for commands execution

      • we-Set-up.exe (PID: 2960)
      • cmd.exe (PID: 1276)
    • Reads security settings of Internet Explorer

      • we-Set-up.exe (PID: 2960)
    • Executing commands from a ".bat" file

      • we-Set-up.exe (PID: 2960)
    • Get information on the list of running processes

      • cmd.exe (PID: 1276)
    • There is functionality for taking screenshot (YARA)

      • we-Set-up.exe (PID: 2960)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1276)
    • Application launched itself

      • cmd.exe (PID: 1276)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1276)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1276)
  • INFO

    • Create files in a temporary directory

      • we-Set-up.exe (PID: 2960)
      • extrac32.exe (PID: 7052)
    • Checks supported languages

      • we-Set-up.exe (PID: 2960)
      • extrac32.exe (PID: 7052)
      • Arrival.com (PID: 7084)
    • Reads the computer name

      • we-Set-up.exe (PID: 2960)
      • extrac32.exe (PID: 7052)
      • Arrival.com (PID: 7084)
    • Reads mouse settings

      • Arrival.com (PID: 7084)
    • Process checks computer location settings

      • we-Set-up.exe (PID: 2960)
    • Creates a new folder

      • cmd.exe (PID: 660)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain as shown in the graph (every node is labelled "no specs"): we-set-up.exe, sppextcomobj.exe, slui.exe, cmd.exe, conhost.exe, tasklist.exe, findstr.exe, tasklist.exe, findstr.exe, cmd.exe, extrac32.exe, findstr.exe, cmd.exe, arrival.com, choice.exe

Process information

PID: 616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 660
CMD: cmd /c md 453969
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1276
CMD: "C:\WINDOWS\system32\cmd.exe" /c copy Joan.ini Joan.ini.bat & Joan.ini.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: we-Set-up.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2960
CMD: "C:\Users\admin\Desktop\we-Set-up.exe"
Path: C:\Users\admin\Desktop\we-Set-up.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\we-set-up.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4208
CMD: choice /d y /t 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5256
CMD: cmd /c copy /b ..\Tit.ini + ..\Pit.ini + ..\Tribal.ini + ..\Sd.ini + ..\God.ini + ..\Surgical.ini + ..\Watts.ini + ..\Concord.ini + ..\Supplies.ini + ..\Mb.ini + ..\Canal.ini + ..\Times.ini n
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5892
CMD: findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6240
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6244
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 6264
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 896
Read events: 896
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 25
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Watts.ini | binary | 6F18EB1C09ABBC71931AAED5581706C4 | FC82ED9C1CF057E3D0D19B0DE94ADE1CF7DBA62F5CBCFE82D5C1729BF1ACD407
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Concord.ini | binary | 2938D34789A80713560B4A1AB8F98956 | 8C71ECA5BA2D92F9E77E1423640C59A5EFC3D633D0347AD57012BA59A84322F9
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Supplies.ini | binary | 62CF1CD1E0A9DD91040D14B85BE070A5 | DA6C9C1EF5CCA3CACE5A9561A0D9568CDD8E847F1800729BA1297B71B458237B
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Sd.ini | binary | 50E4B86AB3F331D12098FC366C989067 | A5757F7631BEEB47256E1EBBEAAAA5CF49EA1D4D97C70F54290E27B1D70D4DD9
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Tribal.ini | binary | 71B2551E82E54C046326D38F7033FF90 | 156DED9B63F30C1794353882A76E09B9734176709961FE2A7FEF4B0A91FA9356
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Spoken.ini | compressed | 208C699B81059B8B4F948DF19EF55028 | BB2465C2CC2736C111713230B2ACCEE9976684EC0FF7B7863842AA2AD01B3D5C
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Surgical.ini | binary | F690A40D5E4AA5AF3FEFDEB725B4CD62 | 8C580DBD3DD651FC010C512CD6420833DFEFC1DC4F7645DAEBE06DD4A6C249DD
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\God.ini | binary | 70400BE9D229D1F5EC6FCE2E46206F9A | 85FCD8A063E397B273D9F3251C3A6DC8918C7410BD63745F9495AFA102320479
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Canal.ini | binary | 01267D5F5BC2CFB2B119AABC5B5C166B | 6401E60AC86C8C2F5890C4B9B95518789BFC7BD6780F6059759102B4720B223E
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Times.ini | binary | B56A3D3208FE211EF48FFBD16FD0B22D | 98F559B8BAA71F89A350BC4713C06281DDD3B61EFD658684BD8F0819B4857A9B
HTTP(S) requests: 0
TCP/UDP connections: 39
DNS requests: 14
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
736 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.184.206 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.160.132, 40.126.32.134, 40.126.32.72, 40.126.32.68, 20.190.160.3, 20.190.160.17, 20.190.160.22, 20.190.160.14 | whitelisted
TOrwhtyQyfySnHIgtdVCLq.TOrwhtyQyfySnHIgtdVCLq | 49.13.77.253 | unknown
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241, 2603:1030:408:7::3d | whitelisted
241.42.69.40.in-addr.arpa | - | unknown
d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | - | unknown

Threats

No threats detected
No debug info