File name:

windowsdesktop-runtime-6.0.36-win-x64.exe

Full analysis: https://app.any.run/tasks/aa052179-fb58-4efa-a7ba-da54c9be70e7
Verdict: Malicious activity
Analysis date: April 21, 2025, 20:56:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

2F34B7C01B2C0EC8C95E2050D0A48B56

SHA1:

C290C59E58F6629F0D0FA66B05EE740079B6CCDA

SHA256:

0D20DEBB26FC8B2BC84F25FBD9D4596A6364AF8517EBF012E8B871127B798941

SSDEEP:

786432:WeohBu/kvU1+ceEOkyC8j+UylYpbWc0Ynp8itwhh:WeohBu/KUAceEOTDyl0bWfYpKX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7596)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7596)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Process drops legitimate windows executable

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7596)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Searches for installed software

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)

    • Reads security settings of Internet Explorer

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)

    • Starts itself from another location

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)

    • Creates a software uninstall entry

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

  • INFO

    • The sample compiled with english language support

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7596)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Create files in a temporary directory

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7596)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)

    • Checks supported languages

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7596)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Reads the computer name

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Process checks computer location settings

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7620)

    • Creates files in the program directory

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)

    • Reads the software policy settings

      • slui.exe (PID: 7264)

    • Checks proxy server information

      • slui.exe (PID: 7264)

    • Auto-launch of the file from Registry key

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 7736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:23 22:06:56+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 303104
InitializedDataSize: 162816
UninitializedDataSize: -
EntryPoint: 0x3054b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.0.36.34217
ProductVersionNumber: 6.0.36.34217
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Desktop Runtime - 6.0.36 (x64)
FileVersion: 6.0.36.34217
InternalName: setup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: windowsdesktop-runtime-6.0.36-win-x64.exe
ProductName: Microsoft Windows Desktop Runtime - 6.0.36 (x64)
ProductVersion: 6.0.36.34217
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start windowsdesktop-runtime-6.0.36-win-x64.exe windowsdesktop-runtime-6.0.36-win-x64.exe windowsdesktop-runtime-6.0.36-win-x64.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7264C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7596"C:\Users\admin\Desktop\windowsdesktop-runtime-6.0.36-win-x64.exe" C:\Users\admin\Desktop\windowsdesktop-runtime-6.0.36-win-x64.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 6.0.36 (x64)
Exit code:
1392
Version:
6.0.36.34217
Modules
Images
c:\users\admin\desktop\windowsdesktop-runtime-6.0.36-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7620"C:\Users\admin\AppData\Local\Temp\{DEC2849E-3622-41F5-930C-49AB28C51302}\.cr\windowsdesktop-runtime-6.0.36-win-x64.exe" -burn.clean.room="C:\Users\admin\Desktop\windowsdesktop-runtime-6.0.36-win-x64.exe" -burn.filehandle.attached=700 -burn.filehandle.self=728 C:\Users\admin\AppData\Local\Temp\{DEC2849E-3622-41F5-930C-49AB28C51302}\.cr\windowsdesktop-runtime-6.0.36-win-x64.exe
windowsdesktop-runtime-6.0.36-win-x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 6.0.36 (x64)
Exit code:
1392
Version:
6.0.36.34217
Modules
Images
c:\users\admin\appdata\local\temp\{dec2849e-3622-41f5-930c-49ab28c51302}\.cr\windowsdesktop-runtime-6.0.36-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7736"C:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.be\windowsdesktop-runtime-6.0.36-win-x64.exe" -q -burn.elevated BurnPipe.{5FDADDFB-8E1A-40E9-B231-CACBB850785A} {B482DACA-1394-4579-980A-0FBAC2B0276C} 7620C:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.be\windowsdesktop-runtime-6.0.36-win-x64.exe
windowsdesktop-runtime-6.0.36-win-x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Windows Desktop Runtime - 6.0.36 (x64)
Exit code:
1392
Version:
6.0.36.34217
Modules
Images
c:\users\admin\appdata\local\temp\{b12522fa-0562-4d6a-86f9-d210d37843cd}\.be\windowsdesktop-runtime-6.0.36-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
3 838
Read events
3 805
Write events
26
Delete events
7

Modification events

(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleCachePath
Value:
C:\ProgramData\Package Cache\{0532b8f2-12d7-43de-95fc-7b87006758a8}\windowsdesktop-runtime-6.0.36-win-x64.exe
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleUpgradeCode
Value:
{E50DC420-5C2F-5516-1DA5-0F8B584F9E0D}
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleAddonCode
Value:
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleDetectCode
Value:
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundlePatchCode
Value:
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleVersion
Value:
6.0.36.34217
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:VersionMajor
Value:
6
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:VersionMinor
Value:
0
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleProviderKey
Value:
{0532b8f2-12d7-43de-95fc-7b87006758a8}
(PID) Process:(7736) windowsdesktop-runtime-6.0.36-win-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation:writeName:BundleTag
Value:
Executable files
4
Suspicious files
1
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\1031\thm.wxlxml
MD5:B45249A2238A5568B377E58D4CE89E9A
SHA256:0C4203A81DCD01D53378036AF78CFFCF9E9A5AF7754DFBDD56584AE74C21CC61
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\1029\thm.wxlxml
MD5:27411946EF45B3B8236319421770E5AD
SHA256:C92D3EFD72D6D14148F9931128EE4143AFFD1DA517EB358AB88ED4138C1434A4
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\bg.pngimage
MD5:9EB0320DFBF2BD541E6A55C01DDC9F20
SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\1028\thm.wxlxml
MD5:B9428C94444693B5E3A392C8D0B95170
SHA256:C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\1036\thm.wxlxml
MD5:9F779700FF90DF7211AE3A3340DDD5FC
SHA256:6AF5C2BC88B1E5CE188A97DD9204061D66369EC2689B3657AFF1DC6188F44F22
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\1040\thm.wxlxml
MD5:347BE63418F507E7F2A086726E96FCA8
SHA256:344ACD0D3665BA489EB30EBC0F902C625E1AD33A4E2B5BA7CDD7E463658D5557
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\1EF7A704D1B36E68C2F460FB7E0EDEAE77F51FE7
MD5:
SHA256:
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\.ba\thm.wxlxml
MD5:D5070CB3387A0A22B7046AE5AB53F371
SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
7620windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{B12522FA-0562-4D6A-86F9-D210D37843CD}\dotnet_runtime_6.0.36_win_x64.msi
MD5:
SHA256:
7596windowsdesktop-runtime-6.0.36-win-x64.exeC:\Users\admin\AppData\Local\Temp\{DEC2849E-3622-41F5-930C-49AB28C51302}\.cr\windowsdesktop-runtime-6.0.36-win-x64.exeexecutable
MD5:D73468BAE3DEE29164DD9F7FB0ED49CD
SHA256:9B8B7390579A87B3F6A1370A31C92EBDCBBF0D43A4007EE6F66F3C1887681B15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
43
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8040
SIHClient.exe
GET
200
23.48.23.191:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8040
SIHClient.exe
GET
200
23.48.23.191:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8040
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted
8040
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8040
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
8040
SIHClient.exe
23.48.23.191:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.181
  • 23.48.23.137
  • 23.48.23.191
  • 23.48.23.192
  • 23.48.23.180
  • 23.48.23.178
  • 23.48.23.193
  • 23.48.23.183
  • 23.48.23.189
  • 23.48.23.185
  • 23.48.23.190
  • 23.48.23.188
  • 23.48.23.176
  • 23.48.23.175
  • 23.48.23.179
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.128
  • 20.190.160.131
  • 40.126.32.138
  • 40.126.32.140
  • 20.190.160.67
  • 40.126.32.76
  • 20.190.160.22
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
windowsdesktop-runtime-6.0.36-win-x64.exe