File name: we-Set-up.exe

Full analysis: https://app.any.run/tasks/c5d80568-bd96-4917-b9c3-8b6a58b2220f
Verdict: Malicious activity
Analysis date: May 24, 2025, 01:03:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 2BE8DA27F4744F555B719536F8D86FA0
SHA1: 43FDCE99CB5B88991B9C04436F80C448987BB78B
SHA256: DC5979CEBA45497ACE41619B2397E876791610DDA35999A55F03CD67AA4519FC
SSDEEP: 49152:YWyza3UPPUqvhiRveTIshzrbHaQfywQKRwzYKjrdIc3/Vi/XDJP54lyJZBXNJo+v:PwmUPLZiRUhLaQaNKWzz/dIcvV4DJRF5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • we-Set-up.exe (PID: 2960)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • we-Set-up.exe (PID: 2960)
      • cmd.exe (PID: 1276)
    • Reads security settings of Internet Explorer

      • we-Set-up.exe (PID: 2960)
    • Executing commands from a ".bat" file

      • we-Set-up.exe (PID: 2960)
    • Get information on the list of running processes

      • cmd.exe (PID: 1276)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1276)
    • Application launched itself

      • cmd.exe (PID: 1276)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1276)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1276)
    • There is functionality for taking screenshot (YARA)

      • we-Set-up.exe (PID: 2960)
    • The executable file from the user directory is run by the CMD process

      • Arrival.com (PID: 7084)
  • INFO

    • Create files in a temporary directory

      • we-Set-up.exe (PID: 2960)
      • extrac32.exe (PID: 7052)
    • Reads the computer name

      • we-Set-up.exe (PID: 2960)
      • extrac32.exe (PID: 7052)
      • Arrival.com (PID: 7084)
    • Process checks computer location settings

      • we-Set-up.exe (PID: 2960)
    • Checks supported languages

      • we-Set-up.exe (PID: 2960)
      • extrac32.exe (PID: 7052)
      • Arrival.com (PID: 7084)
    • Creates a new folder

      • cmd.exe (PID: 660)
    • Reads mouse settings

      • Arrival.com (PID: 7084)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process launch order shown in the graph: we-set-up.exe, sppextcomobj.exe, slui.exe, cmd.exe, conhost.exe, tasklist.exe, findstr.exe, tasklist.exe, findstr.exe, cmd.exe, extrac32.exe, findstr.exe, cmd.exe, arrival.com, choice.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 660
CMD: cmd /c md 453969
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1276
CMD: "C:\WINDOWS\system32\cmd.exe" /c copy Joan.ini Joan.ini.bat & Joan.ini.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: we-Set-up.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2960
CMD: "C:\Users\admin\Desktop\we-Set-up.exe"
Path: C:\Users\admin\Desktop\we-Set-up.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\we-set-up.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4208
CMD: choice /d y /t 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5256
CMD: cmd /c copy /b ..\Tit.ini + ..\Pit.ini + ..\Tribal.ini + ..\Sd.ini + ..\God.ini + ..\Surgical.ini + ..\Watts.ini + ..\Concord.ini + ..\Supplies.ini + ..\Mb.ini + ..\Canal.ini + ..\Times.ini n
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5892
CMD: findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6240
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6244
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 6264
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
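The process rows above show the whole loader chain built from cmd.exe built-ins: an .ini drop is copied to .bat and run, tasklist is piped into findstr to look for security-product processes, copy /b glues twelve .ini fragments into one file named n, choice /d y /t 5 stands in for a sleep, and a .com file is started from the user's directory (the report's "Starts the AutoIt3 executable file" and "unusual extension" signatures both fire on the cmd.exe that launches it). The following added example, written for this page and not code from ANY.RUN or from the sample, turns each stage into a detection rule and runs the rules over process-creation events reconstructed from the rows above. The image path of Arrival.com is an assumption, since the report gives only its file name, and the last event is a constructed benign control.

```python
"""Detection logic for the cmd.exe-driven loader chain in this report.

Added example, not code from ANY.RUN or from the sample. Events are rebuilt
from the Process information section; the Arrival.com path is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str      # full path of the started image
    cmdline: str
    parent: str     # parent image name


# Security-product process names the sample greps for, taken from the findstr
# command line in the report. Extend with the names of products you actually run.
AV_PROCESSES = {"bdservicehost", "sophoshealth", "avastui", "avgui", "nswscsvc", "ekrn"}


def av_discovery(e: ProcEvent) -> bool:
    """findstr used to look for AV processes: two or more known names in one call."""
    if not e.image.lower().endswith("findstr.exe"):
        return False
    words = {w.strip('"').lower() for w in e.cmdline.split()}
    return len(words & AV_PROCESSES) >= 2


def rename_and_run_bat(e: ProcEvent) -> bool:
    """copy <file> <file>.bat & <file>.bat: a non-script drop is relabelled and executed."""
    return bool(re.search(r"copy\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", e.cmdline, re.IGNORECASE))


def payload_reassembly(e: ProcEvent) -> bool:
    """copy /b with several '+' operands: fragments glued back into one payload."""
    m = re.search(r"copy\s+/b\s+(.+)", e.cmdline, re.IGNORECASE)
    return bool(m) and m.group(1).count("+") >= 3


def choice_delay(e: ProcEvent) -> bool:
    """choice /d <x> /t <n> used as a sleep primitive (nobody is expected to answer)."""
    return bool(re.search(r"\bchoice\b.*\s/d\s+\S+\s+/t\s+\d+", e.cmdline, re.IGNORECASE))


def odd_extension_from_temp(e: ProcEvent) -> bool:
    """A .com/.pif/.scr started by cmd.exe from a user-writable directory."""
    img = e.image.lower()
    return (e.parent.lower() == "cmd.exe"
            and img.endswith((".com", ".pif", ".scr"))
            and ("\\appdata\\" in img or "\\users\\public\\" in img or "\\temp\\" in img))


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "av_discovery": av_discovery,
    "rename_and_run_bat": rename_and_run_bat,
    "payload_reassembly": payload_reassembly,
    "choice_delay": choice_delay,
    "odd_extension_from_temp": odd_extension_from_temp,
}


def evaluate(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Map each rule name to the PIDs it fired on (empty list if it did not fire)."""
    return {name: [e.pid for e in events if rule(e)] for name, rule in RULES.items()}


def chain_score(hits: Dict[str, List[int]]) -> int:
    """Number of distinct stages seen; three or more in one process tree is the alert threshold used here."""
    return sum(1 for pids in hits.values() if pids)


# Events reconstructed from the report's Process information section.
EVENTS = [
    ProcEvent(1276, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\WINDOWS\system32\cmd.exe" /c copy Joan.ini Joan.ini.bat & Joan.ini.bat', "we-Set-up.exe"),
    ProcEvent(6240, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist", "cmd.exe"),
    ProcEvent(5892, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"', "cmd.exe"),
    ProcEvent(5256, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Tit.ini + ..\Pit.ini + ..\Tribal.ini + ..\Sd.ini + ..\God.ini + ..\Surgical.ini"
              r" + ..\Watts.ini + ..\Concord.ini + ..\Supplies.ini + ..\Mb.ini + ..\Canal.ini + ..\Times.ini n", "cmd.exe"),
    ProcEvent(4208, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5", "cmd.exe"),
    # Path is an assumption: the report only says Arrival.com ran from a user directory.
    ProcEvent(7084, r"C:\Users\admin\AppData\Local\Temp\Arrival.com", "Arrival.com", "cmd.exe"),
    # Constructed benign control: an ordinary findstr call must not fire av_discovery.
    ProcEvent(9001, r"C:\Windows\System32\findstr.exe", 'findstr /i "error" app.log', "cmd.exe"),
]

if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for name, pids in hits.items():
        print(f"{name:26s} {pids}")
    print("stages matched:", chain_score(hits))
```

Each rule on its own is noisy (choice /t appears in legitimate batch files, and admins grep tasklist output too), so the alert keys on how many distinct stages occur inside one process tree; this chain reaches all five. The path filter in the last rule is what keeps legitimate .com programs under System32 (chcp.com, tree.com) out of the match.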
Total events: 896
Read events: 896
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 25
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\God.ini | binary
MD5: 70400BE9D229D1F5EC6FCE2E46206F9A
SHA256: 85FCD8A063E397B273D9F3251C3A6DC8918C7410BD63745F9495AFA102320479
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Watts.ini | binary
MD5: 6F18EB1C09ABBC71931AAED5581706C4
SHA256: FC82ED9C1CF057E3D0D19B0DE94ADE1CF7DBA62F5CBCFE82D5C1729BF1ACD407
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Tit.ini | binary
MD5: FD52D29C00080E8AAA76EC586903CBD3
SHA256: 2A13111A736DE500DEADB2FD7AF02C8CA421C79328A7EC6E1C49DFF173460D55
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Surgical.ini | binary
MD5: F690A40D5E4AA5AF3FEFDEB725B4CD62
SHA256: 8C580DBD3DD651FC010C512CD6420833DFEFC1DC4F7645DAEBE06DD4A6C249DD
7052 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Barriers | binary
MD5: 3A66963D1253E269B960332EEF3EF219
SHA256: 8EC1876B912B972082C1CABC3E00D791A7C3055114620812B4737D5D0D2C6B02
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Pit.ini | binary
MD5: 39322D306522A536A5E9E71059BF6B4D
SHA256: 42DE9AB00F49B355FFEDA1AD25CE53962A21B66D84406962D2AF54250CBDDAA8
1276 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Joan.ini.bat | text
MD5: DC67AAC41708F893758E3A76DCA482AA
SHA256: 60ED2741540345D9B55AF5ABBA6C34973AD850CC3FA688A589D0DDF8247D2B1D
2960 | we-Set-up.exe | C:\Users\admin\AppData\Local\Temp\Times.ini | binary
MD5: B56A3D3208FE211EF48FFBD16FD0B22D
SHA256: 98F559B8BAA71F89A350BC4713C06281DDD3B61EFD658684BD8F0819B4857A9B
7052 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Supervisors | binary
MD5: 10768246325EAB29225B0E50D0F266E3
SHA256: 70232FC5D38376B37550A9432667D0737379AA6D028E95111B4897A99C3B99EA
7052 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Namibia | binary
MD5: 75460D87C0AE9F6CE2EF775C6511C3B6
SHA256: C0AC44B743558E265DD13A81157AC1B791A85927D8EEF310F3E070629BAAFA29
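The dropped-file list shows the installer (PID 2960) writing the .ini fragments that PID 5256's copy /b command later concatenates into a single file named n, so the only record of the fragment order is that command line. The following added example, not part of the report or the sample, parses the copy /b command to recover that order, rebuilds fragments in it, and checks the result for the public 24-byte AutoIt compiled-script header (its last eight bytes read AU3!EA06) or a PE header. The fragment bytes are constructed for the demo; the excerpt above lists only six of the twelve fragments, which is why the example first reports which names are missing rather than attempting a rebuild from the report's hashes.

```python
"""Recover the fragment order from a `copy /b` command line and rebuild the
dropped payload.

Added example for this report; it is not code from ANY.RUN or from the sample.
The fragment bytes are constructed here for the demo, and the AutoIt check is
a plain byte comparison with the public 24-byte .a3x header.
"""
import re
from typing import Dict, List, Set, Tuple

# Command line recorded for PID 5256 in the Process information section.
COPY_CMD = (r"cmd /c copy /b ..\Tit.ini + ..\Pit.ini + ..\Tribal.ini + ..\Sd.ini "
            r"+ ..\God.ini + ..\Surgical.ini + ..\Watts.ini + ..\Concord.ini "
            r"+ ..\Supplies.ini + ..\Mb.ini + ..\Canal.ini + ..\Times.ini n")

# Fragments that appear in the dropped-files excerpt above (six of twelve).
REPORTED_DROPS = {"God.ini", "Watts.ini", "Tit.ini", "Surgical.ini", "Pit.ini", "Times.ini"}

# 24-byte signature at the start of an AutoIt3 compiled script (.a3x); the last
# eight bytes read "AU3!EA06". AutoIt-compiled executables carry it after the PE image.
AUTOIT_SIG = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d") + b"AU3!EA06"


def parse_copy_b(cmdline: str) -> Tuple[List[str], str]:
    """Return (source names in concatenation order, output name) for `copy /b a + b ... out`."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("not a copy /b concatenation command")
    sources = [p.strip() for p in m.group(1).split("+")]
    # Keep only the file name; the sample addresses the fragments as ..\Name.ini.
    return [p.rsplit("\\", 1)[-1] for p in sources], m.group(2)


def missing_fragments(have: Set[str], order: List[str]) -> List[str]:
    """Names the command line needs that were not recovered, in concatenation order."""
    return [n for n in order if n not in have]


def reassemble(fragments: Dict[str, bytes], order: List[str]) -> bytes:
    """Byte-for-byte equivalent of `copy /b`: concatenate in the given order."""
    missing = missing_fragments(set(fragments), order)
    if missing:
        raise FileNotFoundError(f"cannot rebuild, fragments missing: {missing}")
    return b"".join(fragments[n] for n in order)


def classify(blob: bytes) -> str:
    """Coarse file-type check on the rebuilt blob."""
    if blob.startswith(AUTOIT_SIG):
        return "autoit-script"
    if blob[:2] == b"MZ":
        return "pe-with-autoit" if AUTOIT_SIG in blob else "pe"
    return "unknown"


def demo_fragments(order: List[str]) -> Dict[str, bytes]:
    """Constructed payload: AutoIt header plus filler, cut into len(order) pieces."""
    payload = AUTOIT_SIG + bytes(range(256)) * 2
    size = -(-len(payload) // len(order))  # ceiling division
    return {name: payload[i * size:(i + 1) * size] for i, name in enumerate(order)}


if __name__ == "__main__":
    order, out_name = parse_copy_b(COPY_CMD)
    print("output file:", out_name)
    print("not in the excerpt:", missing_fragments(REPORTED_DROPS, order))
    frags = demo_fragments(order)
    print("command-line order ->", classify(reassemble(frags, order)))
    print("directory order    ->", classify(reassemble(frags, sorted(order))))
```

Gluing the same pieces in directory-listing order yields no recognisable header, which is the point of splitting a payload this way: no single fragment, and no naive concatenation, carries a file-type signature, so the order has to be taken from the command line or the batch script that issues it.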
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 39
DNS requests: 14
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
736 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
(Rows marked "-" in the PID and Process columns are shown without a process in the report excerpt.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.134
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.3
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.14
whitelisted
TOrwhtyQyfySnHIgtdVCLq.TOrwhtyQyfySnHIgtdVCLq
  • 49.13.77.253
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
  • 2603:1030:408:7::3d
whitelisted
241.42.69.40.in-addr.arpa
unknown
d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown

Threats

No threats detected
No debug info