Malware analysis Windos9.1Setup.exe Malicious activity

Add for printing

download:	Windos9.1Setup.exe
Full analysis:	https://app.any.run/tasks/24340f06-10d1-48ec-8d99-a0fa29531b2c
Verdict:	Malicious activity
Analysis date:	July 15, 2023, 03:57:43
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:	5409001BFC4308A6CB8C09C4E1E32D1E
SHA1:	D47CC20E23E5B2BE27923A34FA85C02B3764C064
SHA256:	61D311D7A772E2BD670381F733FB9302B6202859ED5D47ACAEDF0BB58D5BC570
SSDEEP:	49152:QbVUGmpD+/xPfh6q/8kV6K9GCVcVoGiXPylb6rMy4w:QbVepD+/xPfh6yfVzF4b2My

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
PowerShell 7-x64 (7.2.11.0)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Searches for installed software
  - Windos9.1Setup.exe (PID: 1628)
- Executes as Windows Service
  - MicrosoftEdgeUpdate.exe (PID: 784)
- Application launched itself
  - MicrosoftEdgeUpdate.exe (PID: 784)
- Checks Windows Trust Settings
  - MicrosoftEdgeUpdate.exe (PID: 1520)
- Reads the Internet Settings
  - Windos9.1Setup.exe (PID: 1628)
- Reads Microsoft Outlook installation path
  - Windos9.1Setup.exe (PID: 1628)
- Reads Internet Explorer settings
  - Windos9.1Setup.exe (PID: 1628)
- The process executes via Task Scheduler
  - MicrosoftEdgeUpdate.exe (PID: 1520)
INFO
- Checks supported languages
  - Windos9.1Setup.exe (PID: 1628)
  - MicrosoftEdgeUpdate.exe (PID: 1520)
  - MicrosoftEdgeUpdate.exe (PID: 784)
  - MicrosoftEdgeUpdate.exe (PID: 2960)
- Reads the computer name
  - Windos9.1Setup.exe (PID: 1628)
  - MicrosoftEdgeUpdate.exe (PID: 1520)
  - MicrosoftEdgeUpdate.exe (PID: 784)
  - MicrosoftEdgeUpdate.exe (PID: 2960)
- Reads Environment values
  - MicrosoftEdgeUpdate.exe (PID: 2960)
  - MicrosoftEdgeUpdate.exe (PID: 1520)
- Checks proxy server information
  - Windos9.1Setup.exe (PID: 1628)
- Creates files or folders in the user directory
  - Windos9.1Setup.exe (PID: 1628)
- Reads the machine GUID from the registry
  - Windos9.1Setup.exe (PID: 1628)
- The process checks LSA protection
  - Windos9.1Setup.exe (PID: 1628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

AssemblyVersion:	1.0.0.0
ProductVersion:	1.0.0.0
ProductName:	Windos9Installer
OriginalFileName:	Windos9Setup.exe
LegalTrademarks:	-
LegalCopyright:	Copyright © 2023
InternalName:	Windos9Setup.exe
FileVersion:	1.0.0.0
FileDescription:	Windos9Installer
CompanyName:	-
Comments:	-
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.0
FileVersionNumber:	1.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x0000
UninitializedDataSize:	-
InitializedDataSize:	49664
CodeSize:	2549248
LinkerVersion:	48
PEType:	PE32+
ImageFileCharacteristics:	Executable, Large address aware
TimeStamp:	2023:01:21 03:23:11+00:00
MachineType:	AMD AMD64

Summary

Architecture:	IMAGE_FILE_MACHINE_AMD64
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	21-Jan-2023 03:23:11
Debug artifacts:	C:\Users\networkadapter\Documents\Windos91Installer\obj\x64\Release\Windos9Setup.pdb
Comments:	-
CompanyName:	-
FileDescription:	Windos9Installer
FileVersion:	1.0.0.0
InternalName:	Windos9Setup.exe
LegalCopyright:	Copyright © 2023
LegalTrademarks:	-
OriginalFilename:	Windos9Setup.exe
ProductName:	Windos9Installer
ProductVersion:	1.0.0.0
Assembly Version:	1.0.0.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_AMD64
Number of sections:	2
Time date stamp:	21-Jan-2023 03:23:11
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00F0
Characteristics:	IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00002000	0x0026E4D4	0x0026E600	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.33347
.rsrc	0x00272000	0x0000C038	0x0000C200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.58779

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.00112	490	UNKNOWN	UNKNOWN	RT_MANIFEST
2	2.88492	744	UNKNOWN	UNKNOWN	RT_ICON
3	2.61243	488	UNKNOWN	UNKNOWN	RT_ICON
4	2.60227	296	UNKNOWN	UNKNOWN	RT_ICON
5	4.35159	3752	UNKNOWN	UNKNOWN	RT_ICON
6	4.11143	2216	UNKNOWN	UNKNOWN	RT_ICON
7	3.49375	1736	UNKNOWN	UNKNOWN	RT_ICON
8	2.49145	1384	UNKNOWN	UNKNOWN	RT_ICON
9	7.91299	16975	UNKNOWN	UNKNOWN	RT_ICON
10	3.43385	9640	UNKNOWN	UNKNOWN	RT_ICON

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

784

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Edge Update

Exit code:

Version:

1.3.175.29

Modules

Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1520

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

taskeng.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Edge Update

Exit code:

Version:

1.3.175.29

Modules

Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1628

"C:\Users\admin\AppData\Roaming\Windos9.1Setup.exe"

C:\Users\admin\AppData\Roaming\Windos9.1Setup.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Windos9Installer

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\windos9.1setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

2960

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEIxNjQ4QUUtQThBQy00MzlELUI1NEYtQTYyOTM1NzkxM0NGfSIgdXNlcmlkPSJ7NThCRUVDNjYtM0Y0MS00QTQ4LUFGN0QtOTQ2NkZCRjIwNEI1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBMzA2MUNFNy1CQTE3LTQzQ0QtODU5Mi03RDAwNDZENzcxOEN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTc3LjExIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJNMTAwIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjgiIGluc3RhbGxkYXRlPSI2MDI3IiBjb2hvcnQ9InJyZkAwLjkyIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjkiIHJkPSI2MDMwIiBwaW5nX2ZyZXNobmVzcz0ie0M1MjQ5MkY0LUMyMTItNEVFMS1BN0QwLTNBREJBQTA0MTEwQX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iMTA5LjAuMTUxOC4xMTUiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iTTEwMCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjgiIGluc3RhbGxkYXRlPSI2MDI3IiBjb2hvcnQ9InJyZkAwLjc4IiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMzMxNTAxMjY5MjE4NzUwIiBmaXJzdF9mcmVfc2Vlbl90aW1lPSIxMzMzMzE1MDEyNjg4OTY0ODAiIGZpcnN0X2ZyZV9zZWVuX3ZlcnNpb249IjEwOS4wLjE1MTguMTE1Ij48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMCIgcj0iOSIgcmQ9IjYwMzAiIHBpbmdfZnJlc2huZXNzPSJ7NUQ0Njg1RkEtREQwOS00OEMzLTkwQ0MtNTk1REIwRUYwOEU2fSIvPjwvYXBwPjwvcmVxdWVzdD4

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

MicrosoftEdgeUpdate.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Edge Update

Exit code:

Version:

1.3.175.29

Modules

Images
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\ole32.dll

Add for printing

Total events

4 878

Read events

4 776

Write events

Delete events

Modification events


(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000_CLASSES\Local Settings\MuiCache\155\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\PersistedPings\{7E229AE7-318B-4AD0-B3CA-D27601C41163}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState
Operation:	write	Name:	StateValue
Value: 3
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\EdgeUpdate\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate
Operation:	write	Name:	ConsecutiveCheckFailures
Value: 0
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 0
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	DayOfLastRollCall
Value: 6030
(PID) Process:	(784) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	ping_freshness
Value: {5D4685FA-DD09-48C3-90CC-595DB0EF08E6}

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
784	MicrosoftEdgeUpdate.exe	C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log		text
		MD5:3852318D197EF65760A3F05C43FEA6A7	SHA256:0D64C2DA0CEF1E1EFB3B3FCA49464FA6FE8715B4714D450929EE43A653B8450A
1520	MicrosoftEdgeUpdate.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		compressed
		MD5:F7DCB24540769805E5BB30D193944DCE	SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
1520	MicrosoftEdgeUpdate.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53		binary
		MD5:A38AE241ACC99176ECF16BA87F6E2A48	SHA256:635A2527AA1DEA8519B491CE9161CFB08EB5F17D55DED3F671FEF79014AB92F3
1520	MicrosoftEdgeUpdate.exe	C:\Windows\TEMP\af397ef28e484961ba48646a5d38cf54.db.ses		text
		MD5:7CA3B8F36E0B6D89820319A21256B7BE	SHA256:FF5091BD27C3A3984DDED93B22FFD810FE6370764C684D47E2AF1AC61701310A
1520	MicrosoftEdgeUpdate.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53		binary
		MD5:48A5095EFADD4F999CC9230D05664054	SHA256:E6F7D3F124FF60A052E854E514C90FD5BBD3C6030F7EE23A74F581937C0DED4D
1520	MicrosoftEdgeUpdate.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:5745DFD24754FA2FFA4652092A0D90F0	SHA256:D84ABC1A5B1269B6192674F4A2AFDA7688EAEC2A32461190F4772DAE9B8918C4
1628	Windos9.1Setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\googlelogo_color_150x54dp[1].png		image
		MD5:9D73B3AA30BCE9D8F166DE5178AE4338	SHA256:DBEF5E5530003B7233E944856C23D1437902A2D3568CDFD2BEAF2166E9CA9139
1628	Windos9.1Setup.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\robot[1].png		image
		MD5:4C9ACF280B47CEF7DEF3FC91A34C7FFE	SHA256:5F9FC5B3FBDDF0E72C5C56CDCFC81C6E10C617D70B1B93FBE1E4679A8797BFF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1628	Windos9.1Setup.exe	GET	—	142.250.186.164:80	http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png	US	—	—	malicious
1520	MicrosoftEdgeUpdate.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	US	der	471 b	whitelisted
1628	Windos9.1Setup.exe	GET	403	142.250.186.78:80	http://google.com/	US	html	1.54 Kb	malicious
1628	Windos9.1Setup.exe	GET	—	142.250.186.164:80	http://www.google.com/images/errors/robot.png	US	—	—	malicious
1628	Windos9.1Setup.exe	GET	403	142.250.186.78:80	http://google.com/	US	html	1.54 Kb	malicious
1520	MicrosoftEdgeUpdate.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fd3930e37479b515	US	compressed	4.70 Kb	whitelisted
1628	Windos9.1Setup.exe	GET	200	142.250.186.164:80	http://www.google.com/images/errors/robot.png	US	image	6.18 Kb	malicious
1628	Windos9.1Setup.exe	GET	200	142.250.186.164:80	http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png	US	image	3.10 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
784	MicrosoftEdgeUpdate.exe	23.102.129.60:443	msedge.api.cdp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
2960	MicrosoftEdgeUpdate.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1520	MicrosoftEdgeUpdate.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1628	Windos9.1Setup.exe	142.250.186.164:80	www.google.com	GOOGLE	US	whitelisted
1520	MicrosoftEdgeUpdate.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
1628	Windos9.1Setup.exe	142.250.186.78:80	google.com	GOOGLE	US	whitelisted
1520	MicrosoftEdgeUpdate.exe	13.89.179.9:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious

DNS requests

Domain	IP	Reputation
msedge.api.cdp.microsoft.com	23.102.129.60	whitelisted
config.edge.skype.com	13.107.42.16	malicious
self.events.data.microsoft.com	13.89.179.9	whitelisted
ctldl.windowsupdate.com	93.184.221.240	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
google.com	142.250.186.78	malicious
www.google.com	142.250.186.164	malicious

Threats

No threats detected

Add for printing

No debug info

General Info

Windos9.1Setup.exe

5409001BFC4308A6CB8C09C4E1E32D1E

D47CC20E23E5B2BE27923A34FA85C02B3764C064

61D311D7A772E2BD670381F733FB9302B6202859ED5D47ACAEDF0BB58D5BC570

49152:QbVUGmpD+/xPfh6q/8kV6K9GCVcVoGiXPylb6rMy4w:QbVepD+/xPfh6yfVzF4b2My

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Searches for installed software

Executes as Windows Service

Application launched itself

Checks Windows Trust Settings

Reads the Internet Settings

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

The process executes via Task Scheduler

INFO

Checks supported languages

Reads the computer name

Reads Environment values

Checks proxy server information

Creates files or folders in the user directory

Reads the machine GUID from the registry

The process checks LSA protection

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings