File name: setup.exe

Full analysis: https://app.any.run/tasks/c23dba30-919f-4709-a4fe-7958ecdf4874
Verdict: Malicious activity
Analysis date: November 23, 2023, 17:00:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: EA58C12B25C48FEA01EEE390ED06C84A
SHA1: DF28A8077121C74EFE33A0617F8CC030C654F3C6
SHA256: FA757528FDF828A3C372A2C12A4BACA687CED0D1F7E4C5F7A69183ADDC575A46
SSDEEP: 98304:QJyEM7ncqFIG7xn8Oy2uyCNxIHCrrHk+4kq65I+G6fs8IN1DGfma5E7vVpKYFNMV:VYv3eg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 3508)
      • setup.tmp (PID: 3524)
      • unins000.exe (PID: 3624)
      • _iu14D2N.tmp (PID: 3632)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • setup.tmp (PID: 3524)
      • _iu14D2N.tmp (PID: 3632)
    • Process drops legitimate windows executable

      • setup.tmp (PID: 3524)
      • _iu14D2N.tmp (PID: 3632)
    • Starts itself from another location

      • unins000.exe (PID: 3624)
    • Starts application with an unusual extension

      • unins000.exe (PID: 3624)
  • INFO

    • Checks supported languages

      • setup.exe (PID: 3508)
      • setup.tmp (PID: 3524)
      • unins000.exe (PID: 3624)
      • _iu14D2N.tmp (PID: 3632)
    • Create files in a temporary directory

      • setup.tmp (PID: 3524)
      • setup.exe (PID: 3508)
      • _iu14D2N.tmp (PID: 3632)
      • unins000.exe (PID: 3624)
    • Creates files in the program directory

      • setup.tmp (PID: 3524)
    • Reads the computer name

      • setup.tmp (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (81.5)
.exe | Win32 Executable Delphi generic (10.5)
.exe | Win32 Executable (generic) (3.3)
.exe | Win16/32 Executable Delphi generic (1.5)
.exe | Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:02 07:04:04+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 158208
UninitializedDataSize: -
EntryPoint: 0x16478
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.5
ProductVersionNumber: 1.0.0.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: torrent-igruha.org
FileDescription: Half-Life 2 Complete Edition Setup
FileVersion: 1.0.0.5
LegalCopyright: © Mail
ProductName: Half-Life 2 Complete Edition
ProductVersion: 1.0.0.5
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph: setup.exe; setup.tmp (no specs); unins000.exe (no specs); _iu14d2n.tmp (no specs); setup.exe (no specs)

Process information

PID 3128
  CMD: "C:\Users\admin\AppData\Local\Temp\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\setup.exe
  Parent process: explorer.exe
  User: admin
  Company: torrent-igruha.org
  Integrity Level: MEDIUM
  Description: Half-Life 2 Complete Edition Setup
  Exit code: 3221226540
  Version: 1.0.0.5

PID 3508
  CMD: "C:\Users\admin\AppData\Local\Temp\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\setup.exe
  Parent process: explorer.exe
  User: admin
  Company: torrent-igruha.org
  Integrity Level: HIGH
  Description: Half-Life 2 Complete Edition Setup
  Exit code: 0
  Version: 1.0.0.5

PID 3524
  CMD: "C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp" /SL5="$70134,1698870,245248,C:\Users\admin\AppData\Local\Temp\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp
  Parent process: setup.exe
  User: admin
  Integrity Level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.1052.0.0

PID 3624
  CMD: "C:\Program Files\Half-Life 2 Complete Edition\unins000.exe" /VERYSILENT
  Path: C:\Program Files\Half-Life 2 Complete Edition\unins000.exe
  Parent process: setup.tmp
  User: admin
  Integrity Level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.1052.0.0

PID 3632
  CMD: "C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Half-Life 2 Complete Edition\unins000.exe" /FIRSTPHASEWND=$501A0 /VERYSILENT
  Path: C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp
  Parent process: unins000.exe
  User: admin
  Integrity Level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.1052.0.0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 16
Suspicious files: 2
Text files: 7
Unknown types: 0

Dropped files

PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls.ini
  MD5:
  SHA256:
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\unarc.dll | executable
  MD5: C8600EE0BAD1CB2A899B792CB6C1869B
  SHA256: B670F7E828AEFF88BBE6351BF3B0775AF39ADC1BFAC3B84AF4061A4C78ED174A
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\Russian.ini | text
  MD5: C2F6F1038DE8369B2E31067EA4D48536
  SHA256: 1CFA41921DCE01991640DB414D4955B1A6DC6D6FA4F4333CA7552E2E8B81391E
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls-lolz_x86.exe | executable
  MD5: 7CBE7DB7FC9258B6A43551140C343BB3
  SHA256: 6EA07AA4F5565AC289402ADE3B2E52BF8089AD6185E0ECF0E1F36CEA39C091A9
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\CLS-srep.dll | executable
  MD5: E68C32297A0B144D13C0B5870CA8C8D8
  SHA256: 6954112104BA041D18760DE5EB7E6825CC14CEC98FF49939A587CC6B27908BD2
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls-lolz_x64.exe | executable
  MD5: 7234C4334A7523B1AC6F51C072497071
  SHA256: D92F7C60256509F74E36D9B5AAB041FE44999B1A3910D70AA83C9D01F062EA29
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\arc.ini | text
  MD5: 377AED8F1AD08D80DCBD1A631A128EEB
  SHA256: 0AB838CA04CDF7052CA730F8375B46A8C1785FA8F9383F04A7024C40C4CA8DD6
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\b2p.dll | executable
  MD5: AB35386487B343E3E82DBD2671FF9DAB
  SHA256: C3729545522FCFF70DB61046C0EFD962DF047D40E3B5CCD2272866540FC872B2
PID 3524 | setup.tmp | C:\Users\admin\Documents\TI\is-3MPQP.tmp | text
  MD5: 629E551E2783B532ABBDBFC0789D51C5
  SHA256: 3761A0B75C68BCA3C1D8717A41F01094C5DA6999C945B35A852D4A844076E42D
PID 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\WinTB.dll | executable
  MD5: A2EEE508E6A51C6335650532E05AC550
  SHA256: 75FB2984E1B06F4278FB7B3C77E9FEC84E02A3B4BF82D35120F8CBE7BDBC76BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process     | IP                   | Domain | ASN | CN | Reputation
4    | System      | 192.168.100.255:138  |        |     |    | whitelisted
1080 | svchost.exe | 224.0.0.252:5355     |        |     |    | unknown
4    | System      | 192.168.100.255:137  |        |     |    | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 |        |     |    | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info