File name:	windowsdesktop-runtime-8.0.7-win-x64.exe
Full analysis:	https://app.any.run/tasks/07f746a8-1ee9-42b6-9c4f-e45898023f2b
Verdict:	Malicious activity
Analysis date:	August 02, 2024, 21:23:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	66284AC9AAB49D957193E876398FA7EE
SHA1:	13E289ABD2284C0E88CE522651D73D64E502FC15
SHA256:	622E3D046852CAAE4C28A71BE174020DABBC6B21F2A1A320AC0C41C701A6A52C
SSDEEP:	393216:UOT0gfVmMo0/+HoLgVrifJhAvNeKB7pxH+PfJh5BQUhjoJWuonWUULJSI+:LffRo0vgtYUvjxHOtQxJWIFk

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:22 22:14:43+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	314368
InitializedDataSize:	164352
UninitializedDataSize:	-
EntryPoint:	0x302e5
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	8.0.7.33814
ProductVersionNumber:	8.0.7.33814
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Windows Desktop Runtime - 8.0.7 (x64)
FileVersion:	8.0.7.33814
InternalName:	setup
LegalCopyright:	Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName:	windowsdesktop-runtime-8.0.7-win-x64.exe
ProductName:	Microsoft Windows Desktop Runtime - 8.0.7 (x64)
ProductVersion:	8.0.7.33814


(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{754bcfb5-42ac-4c12-8f12-b818943a1365}\windowsdesktop-runtime-8.0.7-win-x64.exe
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleUpgradeCode
Value: {7F5F299F-5EB1-6FC0-6D86-FB7931E33C68}
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleVersion
Value: 8.0.7.33814

PID	Process	Filename		Type
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\bg.png		image
		MD5:9EB0320DFBF2BD541E6A55C01DDC9F20	SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
7036	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{C7E3FD3B-58F7-443B-8315-0DD1C60D6098}\.cr\windowsdesktop-runtime-8.0.7-win-x64.exe		executable
		MD5:1021BCDDA151FB3BAD0513D8311DFF8C	SHA256:AB0D30EEAAD5EB3D1C697097E6099FE81CD303C5BA26D7D88168201163B1FFF4
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\thm.xml		xml
		MD5:302563A713B142EE41B59E3EEAC53A90	SHA256:83CA096F7BA2C83FC3B3AEB697B8139A788FA35EB8632943E26BB9FFF7C78E63
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\wixstdba.dll		executable
		MD5:F68F43F809840328F4E993A54B0D5E62	SHA256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\thm.wxl		xml
		MD5:D5070CB3387A0A22B7046AE5AB53F371	SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1031\thm.wxl		xml
		MD5:B45249A2238A5568B377E58D4CE89E9A	SHA256:0C4203A81DCD01D53378036AF78CFFCF9E9A5AF7754DFBDD56584AE74C21CC61
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\65A7381F7A036D0FFD2485F90DCF50FDFEDD9E3B		—
		MD5:—	SHA256:—
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\dotnet_runtime_8.0.7_win_x64.msi		—
		MD5:—	SHA256:—
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1046\thm.wxl		xml
		MD5:88CB193F0B0C15023D789E0F8FCE3E03	SHA256:4D6A2D306ABE77E7DBDB2609F6198B4CF99B3F9DC15B9DC72951592AD2F64384
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1045\thm.wxl		xml
		MD5:8CFBEE02F1C88567CD9AA747FF27182E	SHA256:D92B3838DE7A1685CCBD04FC9C123704FBD198BFD284D8FAECE4A3663494E75A

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted

General Info

windowsdesktop-runtime-8.0.7-win-x64.exe

66284AC9AAB49D957193E876398FA7EE

13E289ABD2284C0E88CE522651D73D64E502FC15

622E3D046852CAAE4C28A71BE174020DABBC6B21F2A1A320AC0C41C701A6A52C

393216:UOT0gfVmMo0/+HoLgVrifJhAvNeKB7pxH+PfJh5BQUhjoJWuonWUULJSI+:LffRo0vgtYUvjxHOtQxJWIFk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Searches for installed software

Reads security settings of Internet Explorer

Reads the date of Windows installation

Creates a software uninstall entry

Starts itself from another location

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings