File name:

setup file.zip

Full analysis: https://app.any.run/tasks/2625fcc4-0008-4d0d-b1ec-21fa7ecc16c1
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 24, 2025, 20:40:35
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
arch-exec
delphi
inno
installer
adware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: BB4C00B09C27BD0B138AA64B89C5F395
SHA1: E03FA07EB15158723F12D0ACFBACF9542560149A
SHA256: E2912A3847466C17FA31AC6B7C184B8E0BD64D06E61C520828E20454D627A07A
SSDEEP: 98304:S6GavikHf6IxiAphww11+LGWTc64hp4MT5WeR6EnwZJy+FBlfnSRB6U8LaNLAp//:yoLduxyhDSIfkj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 3244)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3244)
      • setup file.tmp (PID: 6444)
      • setup file.tmp (PID: 6680)
    • Executable content was dropped or overwritten

      • setup file.exe (PID: 6332)
      • setup file.exe (PID: 996)
      • setup file.tmp (PID: 6680)
    • Reads the Internet Settings

      • setup file.tmp (PID: 6444)
      • setup file.tmp (PID: 6680)
    • Reads the Windows owner or organization settings

      • setup file.tmp (PID: 6680)
    • There is functionality for taking screenshot (YARA)

      • setup file.tmp (PID: 6680)
    • Reads settings of System Certificates

      • setup file.tmp (PID: 6680)
    • The process executes via Task Scheduler

      • updater.exe (PID: 3220)
    • Application launched itself

      • updater.exe (PID: 3220)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 3244)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3244)
    • Checks supported languages

      • setup file.exe (PID: 6332)
      • setup file.tmp (PID: 6444)
      • setup file.exe (PID: 996)
      • setup file.tmp (PID: 6680)
      • updater.exe (PID: 3220)
      • updater.exe (PID: 6008)
    • Create files in a temporary directory

      • setup file.exe (PID: 6332)
      • setup file.exe (PID: 996)
      • setup file.tmp (PID: 6680)
    • Reads the computer name

      • setup file.tmp (PID: 6444)
      • setup file.exe (PID: 996)
      • setup file.tmp (PID: 6680)
      • updater.exe (PID: 3220)
    • Detects InnoSetup installer (YARA)

      • setup file.exe (PID: 6332)
      • setup file.tmp (PID: 6444)
      • setup file.exe (PID: 996)
      • setup file.tmp (PID: 6680)
    • Compiled with Borland Delphi (YARA)

      • setup file.tmp (PID: 6444)
      • setup file.exe (PID: 6332)
      • setup file.tmp (PID: 6680)
      • setup file.exe (PID: 996)
    • Reads the machine GUID from the registry

      • setup file.tmp (PID: 6680)
    • Reads the software policy settings

      • setup file.tmp (PID: 6680)
    • Creates files in the program directory

      • setup file.tmp (PID: 6680)
    • Creates a software uninstall entry

      • setup file.tmp (PID: 6680)
    • Checks proxy server information

      • setup file.tmp (PID: 6680)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:06:24 20:39:18
ZipCRC: 0x16b3ab2f
ZipCompressedSize: 1914307
ZipUncompressedSize: 1914307
ZipFileName: setup file.exe
No data.
All screenshots are available in the full report
Total processes
119
Monitored processes
8
Malicious processes
1
Suspicious processes
3

Behavior graph

Graph nodes (image not reproduced; per-process details are in the full report): winrar.exe, setup file.exe, setup file.tmp, setup file.exe, setup file.tmp, svchost.exe, updater.exe, updater.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 996
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe" /SPAWNWND=$40210 /NOTIFYWND=$40216
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe
Parent process: setup file.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
setup file.exe Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3244.45391\setup file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1692
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3220
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
135.0.7023.0
Modules
Images
c:\program files (x86)\google\googleupdater\135.0.7023.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 3244
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\setup file.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6008
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=135.0.7023.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7a4850,0x7a485c,0x7a4868
Path: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
135.0.7023.0
Modules
Images
c:\program files (x86)\google\googleupdater\135.0.7023.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 6332
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe
Parent process: WinRAR.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
setup file.exe Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3244.45391\setup file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 6444
CMD: "C:\Users\admin\AppData\Local\Temp\is-BPK0E.tmp\setup file.tmp" /SL5="$40216,934334,844800,C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-BPK0E.tmp\setup file.tmp
Parent process: setup file.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-bpk0e.tmp\setup file.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 6680
CMD: "C:\Users\admin\AppData\Local\Temp\is-8TRMF.tmp\setup file.tmp" /SL5="$5020E,934334,844800,C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe" /SPAWNWND=$40210 /NOTIFYWND=$40216
Path: C:\Users\admin\AppData\Local\Temp\is-8TRMF.tmp\setup file.tmp
Parent process: setup file.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-8trmf.tmp\setup file.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
8 170
Read events
8 120
Write events
46
Delete events
4

Modification events

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\setup file.zip

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3244) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
8
Suspicious files
0
Text files
2
Unknown types
1

Dropped files

PID 3244 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\.Store | Type: executable
MD5: 15596B41DBA42CDCCE4F677FBBC86B6E
SHA256: 377ABC9D367E61CB5C4761BF48DCFDF5BCD3822F303E0F972D7F4C8295A2EA79

PID 6332 | Process: setup file.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-BPK0E.tmp\setup file.tmp | Type: executable
MD5: E0583BB5DA436FFB6B998D27D13EC187
SHA256: FA801552D0AA2D3C1FC5BE3E9461D37183D6D49DDB4C6EC92347438190266E99

PID 3244 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3244.45391\setup file.exe | Type: executable
MD5: B842DDBEACB690F180104FF690215DB4
SHA256: B62C3DD7C406730A6039324B4BDC65578C60E8308695CA27D172349529B3626E

PID 6680 | Process: setup file.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-A1IRP.tmp\idp.dll | Type: executable
MD5: 55C310C0319260D798757557AB3BF636
SHA256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED

PID 996 | Process: setup file.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-8TRMF.tmp\setup file.tmp | Type: executable
MD5: E0583BB5DA436FFB6B998D27D13EC187
SHA256: FA801552D0AA2D3C1FC5BE3E9461D37183D6D49DDB4C6EC92347438190266E99

PID 6680 | Process: setup file.tmp | Filename: C:\Program Files (x86)\Setup\unins000.exe | Type: executable
MD5: 2FBB5C024CC1C063675B0EDBA93BDBCB
SHA256: 2C1390B89CC3A3E1EC7AA0975659951CB7E735F355CDB1031BCB0560988B79A9

PID 6008 | Process: updater.exe | Filename: C:\Program Files (x86)\Google\GoogleUpdater\updater.log | Type: text
MD5: 865D4EB61CEB3ED2EC39D17A51CD6E14
SHA256: C1AB4BDBB4DBC0A8B3A961A8506036297C982C6931D2F5FA0BF9C7CB882FC862

PID 6680 | Process: setup file.tmp | Filename: C:\Program Files (x86)\Setup\is-Q3Q23.tmp | Type: executable
MD5: 2FBB5C024CC1C063675B0EDBA93BDBCB
SHA256: 2C1390B89CC3A3E1EC7AA0975659951CB7E735F355CDB1031BCB0560988B79A9

PID 6680 | Process: setup file.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-A1IRP.tmp\check | Type: text
MD5: 7FA3B767C460B54A2BE4D49030B349C7
SHA256:

PID 6680 | Process: setup file.tmp | Filename: C:\Program Files (x86)\Setup\unins000.dat | Type: dat
MD5: 162C94C38309B5F5A585A34691A61DE5
SHA256: B848755C61F39D6A75504D28C0B1C4CD1E38AD534C87762CF1CB8BF843C3DE36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
28
DNS requests
19
Threats
7

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (fields absent in the report are omitted)

HEAD 200 | 23.212.222.21:443 | https://fs.microsoft.com/fs/windows/config.json | CN: unknown

PID 2860, svchost.exe | GET 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6f8f23a40afb49a2 | CN: unknown | whitelisted

PID 6568, MoUsoCoreWorker.exe | GET 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?819476be7cf990f5 | CN: unknown | whitelisted

HEAD 200 | 172.67.173.242:443 | https://arithmeticvest.icu/bin.php?e=392&sis=tczwrtsjqx4&pid=4189&tid=&a=4189&cc=ES&t=1750797559 | CN: unknown

GET 200 | 104.21.30.216:443 | https://arithmeticvest.icu/bin.php?e=392&sis=tczwrtsjqx4&pid=4189&tid=&a=4189&cc=ES&t=1750797559 | CN: unknown | Type: text | Size: 2 b

POST 200 | 40.126.31.130:443 | https://login.live.com/RST2.srf | CN: unknown | Type: xml | Size: 10.3 Kb | whitelisted

PID 2840, svchost.exe | GET 200 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?975bf22c8f3519e9 | CN: unknown | whitelisted

PID 2840, svchost.exe | GET 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | CN: unknown | whitelisted

PID 2840, svchost.exe | GET 200 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?499047a8e7969667 | CN: unknown | whitelisted

PID 2840, svchost.exe | GET 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e828fd9bc285667e | CN: unknown | whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (fields absent in the report are omitted)

PID 4720, pingsender.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted

192.168.100.255:137 | whitelisted

PID 4160, firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted

PID 2860, svchost.exe | 20.189.173.26:443 | v20.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

PID 1524, svchost.exe | 184.25.50.48:80 | www.msftconnecttest.com | Akamai International B.V. | DE | whitelisted

PID 6396, rundll32.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

PID 304, OfficeC2RClient.exe | 52.109.32.97:443 | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown

PID 5268, svchost.exe | 23.212.222.21:443 | fs.microsoft.com | AKAMAI-AS | AU | whitelisted

PID 304, OfficeC2RClient.exe | 52.123.128.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

PID 2860, svchost.exe | 52.168.117.170:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
v20.events.data.microsoft.com
  • 20.189.173.26
whitelisted
www.msftconnecttest.com
  • 184.25.50.48
  • 184.25.50.104
whitelisted
google.com
  • 142.250.186.78
whitelisted
fs.microsoft.com
  • 23.212.222.21
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
v10.events.data.microsoft.com
  • 52.168.117.170
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.216
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.52
  • 52.110.17.3
  • 52.110.17.27
  • 52.110.17.67
  • 52.110.17.75
  • 52.110.17.74
  • 52.110.17.42
  • 52.110.17.69
whitelisted

Threats

Columns: PID, Process, Class, Message (fields absent in the report are omitted)

PID 1524, svchost.exe | Misc activity | ET INFO Microsoft Connection Test

PID 1692, svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain

PID 6680, setup file.tmp | Potentially Bad Traffic | ET INFO Suspicious Domain (*.icu) in TLS SNI

Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA

Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA

Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA

Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Inno Download Plugin UA
No debug info