File name:

HxDSetup.exe

Full analysis: https://app.any.run/tasks/ec9a35f0-6e15-4041-bd22-1f37a40f0ffb
Verdict: Malicious activity
Analysis date: November 02, 2023, 20:22:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4F9E75A41D02666CD5CC86BD33A578FE

SHA1:

AC08B28E953D7D200BBB3C2E644890A689D0D8B1

SHA256:

DCCFA4B16AA79E273CC7FFC35493C495A7FD09F92A4B790F2DC41C65F64D5378

SSDEEP:

98304:oYgmygQ4mUSSlmD5u6hY1T/zgzeJ0pV9u1O:Bgmw4iS+r20u0pVMo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HxDSetup.exe (PID: 3472)
      • HxDSetup.tmp (PID: 3524)
      • HxDSetup.exe (PID: 3428)
  • SUSPICIOUS

    • Searches for installed software

      • HxD.exe (PID: 3844)
      • HxD.exe (PID: 3888)
      • HxD.exe (PID: 4080)
      • HxD.exe (PID: 4000)
    • Reads the Windows owner or organization settings

      • HxDSetup.tmp (PID: 3524)
    • Application launched itself

      • HxD.exe (PID: 3844)
    • Reads Internet Explorer settings

      • HxD.exe (PID: 3844)
  • INFO

    • Create files in a temporary directory

      • HxDSetup.exe (PID: 3428)
      • HxDSetup.exe (PID: 3472)
    • Checks supported languages

      • HxDSetup.tmp (PID: 3524)
      • HxDSetup.tmp (PID: 3460)
      • HxD.exe (PID: 3844)
      • HxDSetup.exe (PID: 3428)
      • HxD.exe (PID: 3888)
      • HxD.exe (PID: 4000)
      • HxD.exe (PID: 4080)
      • HxDSetup.exe (PID: 3472)
    • Creates files in the program directory

      • HxDSetup.tmp (PID: 3524)
    • Reads the computer name

      • HxDSetup.tmp (PID: 3524)
      • HxDSetup.tmp (PID: 3460)
      • HxD.exe (PID: 3844)
      • HxD.exe (PID: 4000)
      • HxD.exe (PID: 4080)
    • Creates files or folders in the user directory

      • HxD.exe (PID: 3888)
      • HxD.exe (PID: 3844)
    • Reads the machine GUID from the registry

      • HxD.exe (PID: 3844)
      • HxD.exe (PID: 4080)
    • Manual execution by a user

      • HxD.exe (PID: 4080)
      • HxD.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:06:14 15:27:46+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x1181c
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.5.0.0
ProductVersionNumber: 2.5.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Maël Hörz
FileDescription: HxD Hex Editor Setup
FileVersion: 2.5
LegalCopyright: Copyright © 2002-2021 Maël Hörz
ProductName: HxD Hex Editor
ProductVersion: 2.5
No data.
All screenshots are available in the full report
Total processes
49
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
3428
CMD:
"C:\Users\admin\Desktop\HxDSetup.exe"
Path:
C:\Users\admin\Desktop\HxDSetup.exe
Parent process:
explorer.exe
User:
admin
Company:
Maël Hörz
Integrity Level:
MEDIUM
Description:
HxD Hex Editor Setup
Exit code:
0
Version:
2.5
Modules
Images
c:\users\admin\desktop\hxdsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
3460
CMD:
"C:\Users\admin\AppData\Local\Temp\is-1IAHF.tmp\HxDSetup.tmp" /SL5="$60134,2973524,121344,C:\Users\admin\Desktop\HxDSetup.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-1IAHF.tmp\HxDSetup.tmp
Parent process:
HxDSetup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-1iahf.tmp\hxdsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
3472
CMD:
"C:\Users\admin\Desktop\HxDSetup.exe" /SPAWNWND=$401F4 /NOTIFYWND=$60134
Path:
C:\Users\admin\Desktop\HxDSetup.exe
Parent process:
HxDSetup.tmp
User:
admin
Company:
Maël Hörz
Integrity Level:
HIGH
Description:
HxD Hex Editor Setup
Exit code:
0
Version:
2.5
Modules
Images
c:\users\admin\desktop\hxdsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
3524
CMD:
"C:\Users\admin\AppData\Local\Temp\is-7D1AE.tmp\HxDSetup.tmp" /SL5="$601FC,2973524,121344,C:\Users\admin\Desktop\HxDSetup.exe" /SPAWNWND=$401F4 /NOTIFYWND=$60134
Path:
C:\Users\admin\AppData\Local\Temp\is-7D1AE.tmp\HxDSetup.tmp
Parent process:
HxDSetup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-7d1ae.tmp\hxdsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
3844
CMD:
"C:\Program Files\HxD\HxD.exe"
Path:
C:\Program Files\HxD\HxD.exe
Parent process:
HxDSetup.tmp
User:
admin
Company:
Maël Hörz
Integrity Level:
MEDIUM
Description:
HxD Hex Editor
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\program files\hxd\hxd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
3888
CMD:
"C:\Program Files\HxD\HxD.exe" /chooselang
Path:
C:\Program Files\HxD\HxD.exe
Parent process:
HxD.exe
User:
admin
Company:
Maël Hörz
Integrity Level:
MEDIUM
Description:
HxD Hex Editor
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\program files\hxd\hxd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
4000
CMD:
"C:\Program Files\HxD\HxD.exe"
Path:
C:\Program Files\HxD\HxD.exe
Parent process:
explorer.exe
User:
admin
Company:
Maël Hörz
Integrity Level:
MEDIUM
Description:
HxD Hex Editor
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\program files\hxd\hxd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
4080
CMD:
"C:\Program Files\HxD\HxD.exe"
Path:
C:\Program Files\HxD\HxD.exe
Parent process:
explorer.exe
User:
admin
Company:
Maël Hörz
Integrity Level:
MEDIUM
Description:
HxD Hex Editor
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\program files\hxd\hxd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
6 827
Read events
6 743
Write events
74
Delete events
10

Modification events

(PID) Process: (3524) HxDSetup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value:
320FB0608949AD468AA01F50EF4D0DF9933E8539B2993A68FE12026EC1B4689F
(PID) Process: (3524) HxDSetup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFiles0000
Value:
C:\Program Files\HxD\HxD.exe
(PID) Process: (3524) HxDSetup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value:
1
(PID) Process: (3524) HxDSetup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value:
E792160262F090194D12A8938B1DFA6673D8351E81456027A35F5F278F9D7EF7
(PID) Process: (3524) HxDSetup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value:
C40D000050E7234BCA0DDA01
(PID) Process: (3524) HxDSetup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete key
Name: (default)
Value:
(none)
(PID) Process: (3844) HxD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3844) HxD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process: (3844) HxD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
01000000020000000700000000000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
(PID) Process: (3844) HxD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1
Operation: write
Name: MRUListEx
Value:
090000000A000000010000000800000007000000060000000500000004000000030000000000000002000000FFFFFFFF
Executable files
6
Suspicious files
7
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\unins000.exe
Type: executable
MD5:E0EEC9E8C014B73920ABB1458A16044C
SHA256:7366FEDDC96E7A08E5CCA7416B1B6026FF9ED3E825FFB0FC392B81530F0B48A2
PID: 3524
Process: HxDSetup.tmp
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HxD Hex Editor\HxD.lnk
Type: binary
MD5:77E6C23AE0AFA29EE8E3D85E4ACE1306
SHA256:B069769758ADDA9F40C68DE694CD2C013203181F3499E0AB4F3A1AD4798995A8
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\is-F60TP.tmp
Type: executable
MD5:E0EEC9E8C014B73920ABB1458A16044C
SHA256:7366FEDDC96E7A08E5CCA7416B1B6026FF9ED3E825FFB0FC392B81530F0B48A2
PID: 3472
Process: HxDSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-7D1AE.tmp\HxDSetup.tmp
Type: executable
MD5:34ACC2BDB45A9C436181426828C4CB49
SHA256:9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\license.txt
Type: text
MD5:4E93FBC8DB2A3BF7CC8336DE7B75169F
SHA256:DD616207E21510E9F8F3F2A220DA037DC2C8BED8D90927A2C00C01A6AFF104CF
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\HxD.exe
Type: executable
MD5:804F06B24FBA7BA4E1122FAF2B119A2B
SHA256:1FC927CB6747C105D1A66E4792F166B857A9E42BC1B58A08A6698C2D05E62087
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\changelog.txt
Type: text
MD5:E5884E3283664012C3F2DAADE3B4FC8B
SHA256:176FE3F6276CE5E2DED4A23F63F7216114B44D9844E01F33ED1F5A862C653010
PID: 3524
Process: HxDSetup.tmp
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HxD Hex Editor\Readme.lnk
Type: binary
MD5:E50D2BA97886CB3F74EC635F8AEE0722
SHA256:05DA02D4C3123E57AD686DA7147C8CF6F61A4F3096622E58DCD978A5010258E4
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\is-MBKJG.tmp
Type: text
MD5:0755D4E1FDF379C36369E96F6F6D8FA8
SHA256:CA4F74DE91DB68DB75A685640957140C42D8D01659C20CF72EB771A0F7BCBA2D
PID: 3524
Process: HxDSetup.tmp
Filename: C:\Program Files\HxD\readme.txt
Type: text
MD5:0755D4E1FDF379C36369E96F6F6D8FA8
SHA256:CA4F74DE91DB68DB75A685640957140C42D8D01659C20CF72EB771A0F7BCBA2D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 2588
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info