File name:

windjview.exe

Full analysis: https://app.any.run/tasks/6973330e-8624-48d9-ba42-86abf73bc82d
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: September 13, 2024, 19:55:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
innosetup
loader
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

145C1B29B2B90E3932EAEF90A0F9F511

SHA1:

66771E31B3242DC1A63FBA03AF8E4EDE44E1CADB

SHA256:

2960E4433BEBC8236B0417D35071C304AEAB9D90A28BEB5C8079CA00BDFE41A2

SSDEEP:

98304:Z0Tmadbk6URPz8O+/kXGHV6PwT17Z8UZzq26RnRtqLIK5FQq3dzT55qR1gAv61jJ:j2lLm5+6ja12S5m5tq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • INNOSETUP has been detected (SURICATA)

      • windjview.tmp (PID: 780)
    • Actions look like stealing of personal data

      • lite_installer.exe (PID: 1452)
      • seederexe.exe (PID: 5552)
    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 5552)
    • Application was injected by another process

      • explorer.exe (PID: 4552)
      • explorer.exe (PID: 252)
      • explorer.exe (PID: 4952)
      • explorer.exe (PID: 5004)
      • explorer.exe (PID: 6460)
    • Runs injected code in another process

      • ceh1X0yJpNV9qwMJVrun.exe (PID: 568)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 2900)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 4652)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 6900)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 7076)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • windjview.exe (PID: 2208)
      • windjview.exe (PID: 6808)
      • windjview.tmp (PID: 780)
      • WinDjView_2.1_[NEO].exe (PID: 3708)
      • WinDjView_2.1_[NEO].tmp (PID: 4404)
      • downloader.exe (PID: 3296)
      • Yandex.exe (PID: 5072)
      • lite_installer.exe (PID: 1452)
    • Reads security settings of Internet Explorer

      • windjview.tmp (PID: 6768)
      • windjview.tmp (PID: 780)
      • downloader.exe (PID: 3296)
      • lite_installer.exe (PID: 1452)
      • Yandex.exe (PID: 5072)
      • explorer.exe (PID: 6684)
      • StartMenuExperienceHost.exe (PID: 6292)
      • StartMenuExperienceHost.exe (PID: 6488)
    • Reads the Windows owner or organization settings

      • windjview.tmp (PID: 780)
      • WinDjView_2.1_[NEO].tmp (PID: 4404)
      • msiexec.exe (PID: 6368)
    • Searches for installed software

      • windjview.tmp (PID: 780)
    • Process requests binary or script from the Internet

      • windjview.tmp (PID: 780)
      • downloader.exe (PID: 3296)
      • lite_installer.exe (PID: 1452)
    • Potential Corporate Privacy Violation

      • windjview.tmp (PID: 780)
      • downloader.exe (PID: 3296)
      • lite_installer.exe (PID: 1452)
    • Checks Windows Trust Settings

      • downloader.exe (PID: 3296)
      • msiexec.exe (PID: 6368)
      • lite_installer.exe (PID: 1452)
    • Starts a Microsoft application from an unusual location

      • YandexPackSetup.exe (PID: 4824)
    • Adds/modifies Windows certificates

      • downloader.exe (PID: 3296)
    • Application launched itself

      • downloader.exe (PID: 3296)
    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 5552)
    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 5552)
    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 5552)
    • The process creates files with names similar to system file names

      • Yandex.exe (PID: 5072)
      • WerFault.exe (PID: 360)
      • WerFault.exe (PID: 5212)
      • WerFault.exe (PID: 360)
      • WerFault.exe (PID: 6772)
      • WerFault.exe (PID: 5784)
    • Creates a software uninstall entry

      • Yandex.exe (PID: 5072)
    • Starts itself from another location

      • Yandex.exe (PID: 5072)
    • Executes application which crashes

      • explorer.exe (PID: 4552)
      • explorer.exe (PID: 252)
      • explorer.exe (PID: 4952)
      • explorer.exe (PID: 5004)
      • explorer.exe (PID: 6460)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 6292)
      • StartMenuExperienceHost.exe (PID: 6488)
  • INFO

    • Checks supported languages

      • windjview.exe (PID: 2208)
      • windjview.tmp (PID: 6768)
      • windjview.exe (PID: 6808)
      • windjview.tmp (PID: 780)
      • WinDjView_2.1_[NEO].exe (PID: 3708)
      • WinDjView_2.1_[NEO].tmp (PID: 4404)
      • WinDjView.exe (PID: 3672)
      • downloader.exe (PID: 3296)
      • YandexPackSetup.exe (PID: 4824)
      • msiexec.exe (PID: 5112)
      • WinDjView.exe (PID: 6164)
      • lite_installer.exe (PID: 1452)
      • seederexe.exe (PID: 5552)
      • msiexec.exe (PID: 6368)
      • Yandex.exe (PID: 5072)
      • explorer.exe (PID: 6684)
      • sender.exe (PID: 232)
      • downloader.exe (PID: 4364)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 568)
      • TextInputHost.exe (PID: 6884)
      • StartMenuExperienceHost.exe (PID: 6292)
      • SearchApp.exe (PID: 3908)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 2900)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 4652)
      • TextInputHost.exe (PID: 5056)
      • StartMenuExperienceHost.exe (PID: 6488)
      • SearchApp.exe (PID: 6420)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 6900)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 7076)
      • ceh1X0yJpNV9qwMJVrun.exe (PID: 5548)
    • Creates files in a temporary directory

      • windjview.exe (PID: 2208)
      • windjview.exe (PID: 6808)
      • windjview.tmp (PID: 780)
      • WinDjView_2.1_[NEO].exe (PID: 3708)
      • WinDjView_2.1_[NEO].tmp (PID: 4404)
      • downloader.exe (PID: 3296)
      • YandexPackSetup.exe (PID: 4824)
      • msiexec.exe (PID: 5112)
      • lite_installer.exe (PID: 1452)
      • seederexe.exe (PID: 5552)
      • downloader.exe (PID: 4364)
      • Yandex.exe (PID: 5072)
      • sender.exe (PID: 232)
    • Reads the computer name

      • windjview.tmp (PID: 6768)
      • windjview.tmp (PID: 780)
      • WinDjView_2.1_[NEO].tmp (PID: 4404)
      • downloader.exe (PID: 3296)
      • YandexPackSetup.exe (PID: 4824)
      • msiexec.exe (PID: 5112)
      • WinDjView.exe (PID: 6164)
      • lite_installer.exe (PID: 1452)
      • seederexe.exe (PID: 5552)
      • msiexec.exe (PID: 6368)
      • downloader.exe (PID: 4364)
      • Yandex.exe (PID: 5072)
      • explorer.exe (PID: 6684)
      • sender.exe (PID: 232)
      • StartMenuExperienceHost.exe (PID: 6292)
      • SearchApp.exe (PID: 3908)
      • TextInputHost.exe (PID: 6884)
      • StartMenuExperienceHost.exe (PID: 6488)
      • TextInputHost.exe (PID: 5056)
      • SearchApp.exe (PID: 6420)
    • Reads the machine GUID from the registry

      • windjview.tmp (PID: 780)
      • downloader.exe (PID: 3296)
      • msiexec.exe (PID: 6368)
      • seederexe.exe (PID: 5552)
      • lite_installer.exe (PID: 1452)
      • SearchApp.exe (PID: 3908)
      • SearchApp.exe (PID: 6420)
    • Process checks computer location settings

      • windjview.tmp (PID: 6768)
      • downloader.exe (PID: 3296)
      • msiexec.exe (PID: 5112)
      • Yandex.exe (PID: 5072)
      • explorer.exe (PID: 6684)
      • windjview.tmp (PID: 780)
      • StartMenuExperienceHost.exe (PID: 6292)
      • SearchApp.exe (PID: 3908)
      • StartMenuExperienceHost.exe (PID: 6488)
      • SearchApp.exe (PID: 6420)
    • Reads the software policy settings

      • windjview.tmp (PID: 780)
      • downloader.exe (PID: 3296)
      • msiexec.exe (PID: 6368)
      • lite_installer.exe (PID: 1452)
      • SearchApp.exe (PID: 3908)
      • SearchApp.exe (PID: 6420)
    • Creates a software uninstall entry

      • WinDjView_2.1_[NEO].tmp (PID: 4404)
      • windjview.tmp (PID: 780)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4552)
      • explorer.exe (PID: 252)
      • explorer.exe (PID: 4952)
      • explorer.exe (PID: 5004)
      • explorer.exe (PID: 6460)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4552)
      • downloader.exe (PID: 3296)
      • msiexec.exe (PID: 5112)
      • lite_installer.exe (PID: 1452)
      • msiexec.exe (PID: 6368)
      • seederexe.exe (PID: 5552)
      • Yandex.exe (PID: 5072)
      • explorer.exe (PID: 6684)
      • windjview.tmp (PID: 780)
      • WerFault.exe (PID: 360)
      • WerFault.exe (PID: 5212)
      • WerFault.exe (PID: 360)
      • WerFault.exe (PID: 6772)
      • WerFault.exe (PID: 5784)
    • Creates files in the program directory

      • WinDjView_2.1_[NEO].tmp (PID: 4404)
    • Checks proxy server information

      • windjview.tmp (PID: 780)
      • downloader.exe (PID: 3296)
      • lite_installer.exe (PID: 1452)
      • SearchApp.exe (PID: 3908)
      • explorer.exe (PID: 252)
      • SearchApp.exe (PID: 6420)
      • explorer.exe (PID: 5004)
    • The process uses the downloaded file

      • downloader.exe (PID: 3296)
      • windjview.tmp (PID: 780)
    • Sends debugging messages

      • YandexPackSetup.exe (PID: 4824)
      • msiexec.exe (PID: 5112)
      • downloader.exe (PID: 4364)
      • StartMenuExperienceHost.exe (PID: 6292)
      • StartMenuExperienceHost.exe (PID: 6488)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6368)
      • msiexec.exe (PID: 5112)
    • Manual execution by a user

      • WerFault.exe (PID: 360)
      • WerFault.exe (PID: 5212)
      • WerFault.exe (PID: 360)
      • WerFault.exe (PID: 6772)
      • WerFault.exe (PID: 5784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (63.4)
.exe | Win32 Executable Delphi generic (20.9)
.exe | Win32 Executable (generic) (6.6)
.exe | Win16/32 Executable Delphi generic (3)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:06:14 13:27:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 99840
UninitializedDataSize: -
EntryPoint: 0x1181c
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.1.0.0
ProductVersionNumber: 2.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: WinDjView Setup
FileVersion: 2.1
LegalCopyright:
ProductName: WinDjView
ProductVersion: 2.1
No data.
All screenshots are available in the full report
Total processes
179
Monitored processes
46
Malicious processes
11
Suspicious processes
11

Behavior graph

start windjview.exe windjview.tmp no specs windjview.exe #INNOSETUP windjview.tmp windjview_2.1_[neo].exe windjview_2.1_[neo].tmp windjview.exe no specs windjview.exe no specs downloader.exe yandexpacksetup.exe msiexec.exe msiexec.exe lite_installer.exe seederexe.exe downloader.exe yandex.exe explorer.exe no specs sender.exe ceh1x0yjpnv9qwmjvrun.exe no specs conhost.exe no specs werfault.exe no specs explorer.exe startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe ceh1x0yjpnv9qwmjvrun.exe no specs conhost.exe no specs werfault.exe no specs explorer.exe ceh1x0yjpnv9qwmjvrun.exe no specs conhost.exe no specs werfault.exe no specs explorer.exe startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe ceh1x0yjpnv9qwmjvrun.exe no specs conhost.exe no specs werfault.exe no specs explorer.exe ceh1x0yjpnv9qwmjvrun.exe no specs conhost.exe no specs werfault.exe no specs ceh1x0yjpnv9qwmjvrun.exe no specs conhost.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
232
CMD:
C:\Users\admin\AppData\Local\Temp\D8D5B086-5A04-4EF8-9FBF-12424A37745C\sender.exe --send "/status.xml?clid=2413737-14&uuid=56f3deb7-3017-466D-972C-70DC22F7a212&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A45%0A57%0A61%0A89%0A103%0A111%0A123%0A124%0A125%0A129%0A"
Path:
C:\Users\admin\AppData\Local\Temp\D8D5B086-5A04-4EF8-9FBF-12424A37745C\sender.exe
Parent process:
seederexe.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
Yandex Statistics
Exit code:
0
Version:
0.0.2.14
Modules
Images
c:\users\admin\appdata\local\temp\d8d5b086-5a04-4ef8-9fbf-12424a37745c\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID:
252
CMD:
explorer.exe
Path:
C:\Windows\explorer.exe
Parent process:
winlogon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1467
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

PID:
360
CMD:
C:\WINDOWS\system32\WerFault.exe -u -p 4552 -s 8676
Path:
C:\Windows\System32\WerFault.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll

PID:
360
CMD:
C:\WINDOWS\system32\WerFault.exe -u -p 4952 -s 2960
Path:
C:\Windows\System32\WerFault.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll

PID:
568
CMD:
"C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ceh1X0yJpNV9qwMJVrun.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\World of Tanks.lnk" 5386
Path:
C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ceh1X0yJpNV9qwMJVrun.exe
Parent process:
windjview.tmp
User:
admin
Company:
Technosys Corporation
Integrity Level:
HIGH
Description:
Pin To Taskbar
Exit code:
0
Version:
0.99.9.1
Modules
Images
c:\users\admin\appdata\local\temp\is-fvl4r.tmp\ceh1x0yjpnv9qwmjvrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID:
780
CMD:
"C:\Users\admin\AppData\Local\Temp\is-9IO3F.tmp\windjview.tmp" /SL5="$F035E,12019939,167424,C:\Users\admin\Desktop\windjview.exe" /SPAWNWND=$15028C /NOTIFYWND=$503A8
Path:
C:\Users\admin\AppData\Local\Temp\is-9IO3F.tmp\windjview.tmp
Parent process:
windjview.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
4
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-9io3f.tmp\windjview.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID:
1452
CMD:
"C:\Users\admin\AppData\Local\Temp\10F66A00-7318-47EC-BB49-C3AFCF6F5392\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
Path:
C:\Users\admin\AppData\Local\Temp\10F66A00-7318-47EC-BB49-C3AFCF6F5392\lite_installer.exe
Parent process:
msiexec.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
YandexBrowserDownloader
Exit code:
0
Version:
1.0.1.9
Modules
Images
c:\users\admin\appdata\local\temp\10f66a00-7318-47ec-bb49-c3afcf6f5392\lite_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID:
2208
CMD:
"C:\Users\admin\Desktop\windjview.exe"
Path:
C:\Users\admin\Desktop\windjview.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
WinDjView Setup
Exit code:
4
Version:
2.1
Modules
Images
c:\users\admin\desktop\windjview.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID:
2456
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
ceh1X0yJpNV9qwMJVrun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID:
2900
CMD:
"C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ceh1X0yJpNV9qwMJVrun.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\World of Tanks.lnk" 5386
Path:
C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ceh1X0yJpNV9qwMJVrun.exe
Parent process:
windjview.tmp
User:
admin
Company:
Technosys Corporation
Integrity Level:
HIGH
Description:
Pin To Taskbar
Exit code:
0
Version:
0.99.9.1
Modules
Images
c:\users\admin\appdata\local\temp\is-fvl4r.tmp\ceh1x0yjpnv9qwmjvrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
74 886
Read events
74 363
Write events
451
Delete events
72

Modification events

Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A2
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000D0416
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000006035C
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value:
341100008B9A25E21606DB01

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value:
43092E5863735DEFF0ADCF9AA059D91A86A52BFFE7C9D850A063942137E3BA26

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value:
1

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: RegFiles0000
Value:
C:\Program Files\WinDjView\WinDjView.exe

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: RegFilesHash
Value:
4C6CC289BADE9B12E5E5718B222359973F8B55B2DBE3177E1E034B695272E6B9

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Andrew Zhezherun\WinDjView\Settings
Operation: write
Name: check-updates
Value:
0

Process: (4404) WinDjView_2.1_[NEO].tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Andrew Zhezherun\WinDjView\Settings
Operation: write
Name: language
Value:
1033
Executable files
42
Suspicious files
87
Text files
162
Unknown types
5

Dropped files

PID
Process
Filename
Type
PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\{app}\yncFQ\ANLcL6k5Wvgk8o
Type: binary
MD5:035A645AA32248EB322DEA1B3063EF25
SHA256:9E87A25D4FCF933B735D929329118A18A982DDA643B0FD969A880E74553272F7

PID: 2208
Process: windjview.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-MN7VK.tmp\windjview.tmp
Type: executable
MD5:079EC58063AA4DAB2874AB9172CEAE0B
SHA256:EB0C7A19368E92F064EEF7A5F5C2DB3488684328988307B627CAD34B530835AC

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Accept_buttons_175.png
Type: image
MD5:FCE8F803891426B137713E4595B05B42
SHA256:0C48C8AF091A7602366631E35F1DEC2F31E17D6726707F1D51476EC0DB0CB9B5

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\CallbackCtrl.dll
Type: executable
MD5:F07E819BA2E46A897CFABF816D7557B2
SHA256:68F42A7823ED7EE88A5C59020AC52D4BBCADF1036611E96E470D986C8FAA172D

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\is-8ECBP.ini
Type: text
MD5:0A0ACA889DC830DE42A9A801DF1BBF1E
SHA256:B1DA6156269D28E0367CD278DD8C5B11DC878FC802FDAD1B251EE89E7FF7B164

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\CW5NK8TWV7nMO9K7WS.dll
Type: executable
MD5:BB744D784D9548A56D859FA4C4FD1F5A
SHA256:524C210F1DBD5D73040EFDBAD31F6F9E683F6E146EB5F0949C9B3EE2C2CAB2E0

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Accept_buttons_150.png
Type: image
MD5:216480982115385689910C22155587BC
SHA256:E207A18366D9768595EEA3EDE3ACF9509071A964788037F3AA6BB6831A3BA51E

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\idp.dll
Type: executable
MD5:55C310C0319260D798757557AB3BF636
SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\ANLcL6k5Wvgk8o\Accept_buttons_125.png
Type: image
MD5:6F60AC8D87538CCFBF77B44DE07D695C
SHA256:91D0C34184342AE204BFACA0662FC02F2CC8638F94D67B28A0BA363DA1DBCC95

PID: 780
Process: windjview.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-FVL4R.tmp\botva2.dll
Type: executable
MD5:EF899FA243C07B7B82B3A45F6EC36771
SHA256:DA7D0368712EE419952EB2640A65A7F24E39FB7872442ED4D2EE847EC4CFDE77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
90
TCP/UDP connections
55
DNS requests
19
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6252 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6880 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 34.88.137.133:443 | https://conf.datarcv.ru/config/?branch=master&b=65e6a7f9f033bfc317e016e8&r=pw_30_cpr_t&utm_source=1797&utm_medium=cpi&utm_campaign=windjview21 | unknown | text | 3.43 Kb | unknown
- | - | POST | 200 | 34.88.137.133:443 | https://stat.datarcv.ru/analitics/ | unknown | binary | 17 b | unknown
- | - | POST | 200 | 34.88.137.133:443 | https://stat.datarcv.ru/analitics/ | unknown | binary | 17 b | unknown
- | - | POST | 200 | 34.88.137.133:443 | https://stat.datarcv.ru/analitics/ | unknown | binary | 17 b | unknown
- | - | POST | 200 | 34.88.137.133:443 | https://stat.datarcv.ru/analitics/ | unknown | binary | 17 b | unknown
- | - | POST | 200 | 34.88.137.133:443 | https://stat.datarcv.ru/analitics/ | unknown | binary | 17 b | unknown
- | - | POST | 200 | 34.88.137.133:443 | https://stat.datarcv.ru/analitics/ | unknown | binary | 17 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6880 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6252 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6880 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6252 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
780 | windjview.tmp | 34.88.137.133:443 | conf.datarcv.ru | GOOGLE-CLOUD-PLATFORM | FI | unknown
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
conf.datarcv.ru
  • 34.88.137.133
unknown
stat.datarcv.ru
  • 34.88.137.133
unknown
download.yandex.ru
  • 5.45.205.244
  • 5.45.205.242
  • 5.45.205.243
  • 5.45.205.245
  • 5.45.205.241
whitelisted
cachev2-std-1.cdn.yandex.net
  • 37.9.96.9
whitelisted
cachev2-std-23.cdn.yandex.net
  • 37.9.96.59
whitelisted
downloader.yandex.net
  • 5.45.205.243
  • 5.45.205.241
  • 5.45.205.244
  • 5.45.205.242
  • 5.45.205.245
whitelisted
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted

Threats

PID | Process | Class | Message
780 | windjview.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3296 | downloader.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1452 | lite_installer.exe | Misc activity | ET INFO EXE - Served Attached HTTP
1452 | lite_installer.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
780 | windjview.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1452 | lite_installer.exe | Misc activity | ET INFO EXE - Served Attached HTTP
1452 | lite_installer.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6 ETPRO signatures available at the full report

Process | Message
YandexPackSetup.exe | IsAlreadyRun() In
YandexPackSetup.exe | IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe | IsMSISrvFree() In
YandexPackSetup.exe | IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe | IsMSISrvFree() Out ret = 1
YandexPackSetup.exe | GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
YandexPackSetup.exe | GetSidFromEnumSess(): i = 0 : szUserName = Administrator, szDomain = DESKTOP-JGLLJLD, dwSessionId = 0
YandexPackSetup.exe | GetSidFromEnumSess(): i = 1 : szUserName = ANONYMOUS LOGON, szDomain = NT AUTHORITY, dwSessionId = 0
YandexPackSetup.exe | GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin
YandexPackSetup.exe | GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1693682860-607145093-2874071422-1001