File name:	windjview.exe
Full analysis:	https://app.any.run/tasks/6973330e-8624-48d9-ba42-86abf73bc82d
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 13, 2024, 19:55:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware innosetup loader stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	145C1B29B2B90E3932EAEF90A0F9F511
SHA1:	66771E31B3242DC1A63FBA03AF8E4EDE44E1CADB
SHA256:	2960E4433BEBC8236B0417D35071C304AEAB9D90A28BEB5C8079CA00BDFE41A2
SSDEEP:	98304:Z0Tmadbk6URPz8O+/kXGHV6PwT17Z8UZzq26RnRtqLIK5FQq3dzT55qR1gAv61jJ:j2lLm5+6ja12S5m5tq

.exe	\|	InstallShield setup (63.4)
.exe	\|	Win32 Executable Delphi generic (20.9)
.exe	\|	Win32 Executable (generic) (6.6)
.exe	\|	Win16/32 Executable Delphi generic (3)
.exe	\|	Generic Win/DOS Executable (2.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:06:14 13:27:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	66560
InitializedDataSize:	99840
UninitializedDataSize:	-
EntryPoint:	0x1181c
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	2.1.0.0
ProductVersionNumber:	2.1.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	WinDjView Setup
FileVersion:	2.1
LegalCopyright:
ProductName:	WinDjView
ProductVersion:	2.1


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A2
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000D0416
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000006035C
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Owner
Value: 341100008B9A25E21606DB01
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	SessionHash
Value: 43092E5863735DEFF0ADCF9AA059D91A86A52BFFE7C9D850A063942137E3BA26
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	RegFiles0000
Value: C:\Program Files\WinDjView\WinDjView.exe
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	RegFilesHash
Value: 4C6CC289BADE9B12E5E5718B222359973F8B55B2DBE3177E1E034B695272E6B9
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Andrew Zhezherun\WinDjView\Settings
Operation:	write	Name:	check-updates
Value: 0
(PID) Process:	(4404) WinDjView_2.1_[NEO].tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Andrew Zhezherun\WinDjView\Settings
Operation:	write	Name:	language
Value: 1033

PID	Process	Filename		Type
6808	windjview.exe	C:\Users\admin\AppData\Local\Temp\is-9IO3F.tmp\windjview.tmp		executable
		MD5:079EC58063AA4DAB2874AB9172CEAE0B	SHA256:EB0C7A19368E92F064EEF7A5F5C2DB3488684328988307B627CAD34B530835AC
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Accept_buttons_100.png		image
		MD5:BC52D119BEAA537CB23FD9E6F53710E2	SHA256:536CCCA55B50E67864ECC7388E498AD6567E271CC79C6FF52C592BC9CA034AB9
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\CW5NK8TWV7nMO9K7WS.dll		executable
		MD5:BB744D784D9548A56D859FA4C4FD1F5A	SHA256:524C210F1DBD5D73040EFDBAD31F6F9E683F6E146EB5F0949C9B3EE2C2CAB2E0
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Background_150.png		image
		MD5:BFD053A59574ACE80724644A25770583	SHA256:9D78AB3AECA0DC560A2A34673709F932CE3F7355A85EB048641FC261AF0569E2
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\is-8ECBP.ini		text
		MD5:0A0ACA889DC830DE42A9A801DF1BBF1E	SHA256:B1DA6156269D28E0367CD278DD8C5B11DC878FC802FDAD1B251EE89E7FF7B164
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Accept_buttons_200.png		image
		MD5:66ED96978B9869BEA3AE689B265FC1FE	SHA256:65A8D030FC4508ACE386703F90455B98DCB042F9C8BB5A083C95436A2AC75E61
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Accept_buttons_150.png		image
		MD5:216480982115385689910C22155587BC	SHA256:E207A18366D9768595EEA3EDE3ACF9509071A964788037F3AA6BB6831A3BA51E
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Background_200.png		image
		MD5:5787A47DE57DD99D2A831A366BEAC27D	SHA256:367902DEC5FC027A4233824844FA80C89CCD2D1531751D422A46155A851E57BE
780	windjview.tmp	C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Background_100.png		image
		MD5:A9F6B5D49F632DF311713F427EB5867A	SHA256:A23C7BC0E48B90ED586D57DFEB1938EC8E0802492C6AAAB92DDE30DC39693884
2208	windjview.exe	C:\Users\admin\AppData\Local\Temp\is-MN7VK.tmp\windjview.tmp		executable
		MD5:079EC58063AA4DAB2874AB9172CEAE0B	SHA256:EB0C7A19368E92F064EEF7A5F5C2DB3488684328988307B627CAD34B530835AC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6880	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6252	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—
—	—	POST	200	34.88.137.133:443	https://stat.datarcv.ru/analitics/	unknown	binary	17 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
6880	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6252	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6880	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6252	RUXIMICS.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
780	windjview.tmp	34.88.137.133:443	conf.datarcv.ru	GOOGLE-CLOUD-PLATFORM	FI	unknown
4324	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
conf.datarcv.ru	34.88.137.133	unknown
stat.datarcv.ru	34.88.137.133	unknown
download.yandex.ru	5.45.205.244 5.45.205.242 5.45.205.243 5.45.205.245 5.45.205.241	whitelisted
cachev2-std-1.cdn.yandex.net	37.9.96.9	whitelisted
cachev2-std-23.cdn.yandex.net	37.9.96.59	whitelisted
downloader.yandex.net	5.45.205.243 5.45.205.241 5.45.205.244 5.45.205.242 5.45.205.245	whitelisted
ocsp.globalsign.com	104.18.20.226 104.18.21.226	whitelisted

PID	Process	Class	Message
780	windjview.tmp	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3296	downloader.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1452	lite_installer.exe	Misc activity	ET INFO EXE - Served Attached HTTP
1452	lite_installer.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
780	windjview.tmp	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1452	lite_installer.exe	Misc activity	ET INFO EXE - Served Attached HTTP
1452	lite_installer.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Process	Message
YandexPackSetup.exe	IsAlreadyRun() In
YandexPackSetup.exe	IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe	IsMSISrvFree() In
YandexPackSetup.exe	IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe	IsMSISrvFree() Out ret = 1
YandexPackSetup.exe	GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
YandexPackSetup.exe	GetSidFromEnumSess(): i = 0 : szUserName = Administrator, szDomain = DESKTOP-JGLLJLD, dwSessionId = 0
YandexPackSetup.exe	GetSidFromEnumSess(): i = 1 : szUserName = ANONYMOUS LOGON, szDomain = NT AUTHORITY, dwSessionId = 0
YandexPackSetup.exe	GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin
YandexPackSetup.exe	GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1693682860-607145093-2874071422-1001

General Info

windjview.exe

145C1B29B2B90E3932EAEF90A0F9F511

66771E31B3242DC1A63FBA03AF8E4EDE44E1CADB

2960E4433BEBC8236B0417D35071C304AEAB9D90A28BEB5C8079CA00BDFE41A2

98304:Z0Tmadbk6URPz8O+/kXGHV6PwT17Z8UZzq26RnRtqLIK5FQq3dzT55qR1gAv61jJ:j2lLm5+6ja12S5m5tq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

INNOSETUP has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Application was injected by another process

Runs injected code in another process

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Searches for installed software

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Checks Windows Trust Settings

Starts a Microsoft application from unusual location

Adds/modifies Windows certificates

Application launched itself

Reads Mozilla Firefox installation path

Changes the Home page of Internet Explorer

Changes the title of the Internet Explorer window

The process creates files with name similar to system file names

Starts itself from another location

Creates a software uninstall entry

Executes application which crashes

Reads the date of Windows installation

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Reads the software policy settings

Creates a software uninstall entry

Creates files in the program directory

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Checks proxy server information

The process uses the downloaded file

Sends debugging messages

Executable content was dropped or overwritten

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules