| File name: | windowsdesktop-runtime-8.0.7-win-x64.exe |
| Full analysis: | https://app.any.run/tasks/07f746a8-1ee9-42b6-9c4f-e45898023f2b |
| Verdict: | Malicious activity |
| Analysis date: | August 02, 2024, 21:23:43 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 66284AC9AAB49D957193E876398FA7EE |
| SHA1: | 13E289ABD2284C0E88CE522651D73D64E502FC15 |
| SHA256: | 622E3D046852CAAE4C28A71BE174020DABBC6B21F2A1A320AC0C41C701A6A52C |
| SSDEEP: | 393216:UOT0gfVmMo0/+HoLgVrifJhAvNeKB7pxH+PfJh5BQUhjoJWuonWUULJSI+:LffRo0vgtYUvjxHOtQxJWIFk |
MALICIOUS
Drops the executable file immediately after the start
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7036)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Changes the autorun value in the registry
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
SUSPICIOUS
Starts a Microsoft application from unusual location
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7036)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Process drops legitimate windows executable
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7036)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Executable content was dropped or overwritten
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7036)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Searches for installed software
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Reads security settings of Internet Explorer
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
Reads the date of Windows installation
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
Starts itself from another location
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
Creates a software uninstall entry
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
INFO
Create files in a temporary directory
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7036)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
Checks supported languages
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7036)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Reads the computer name
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Process checks computer location settings
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 7068)
Creates files in the program directory
- windowsdesktop-runtime-8.0.7-win-x64.exe (PID: 936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:22 22:14:43+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit, Removable run from swap, Net run from swap |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 314368 |
| InitializedDataSize: | 164352 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x302e5 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.0.7.33814 |
| ProductVersionNumber: | 8.0.7.33814 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft Windows Desktop Runtime - 8.0.7 (x64) |
| FileVersion: | 8.0.7.33814 |
| InternalName: | setup |
| LegalCopyright: | Copyright (c) Microsoft Corporation. All rights reserved. |
| OriginalFileName: | windowsdesktop-runtime-8.0.7-win-x64.exe |
| ProductName: | Microsoft Windows Desktop Runtime - 8.0.7 (x64) |
| ProductVersion: | 8.0.7.33814 |
Total processes
116
Monitored processes
3
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 936 | "C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.be\windowsdesktop-runtime-8.0.7-win-x64.exe" -q -burn.elevated BurnPipe.{734D0BAE-AA4E-46CE-A846-458153654BAC} {E7FE9993-0783-4860-B619-6A9EB6B5C08D} 7068 | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.be\windowsdesktop-runtime-8.0.7-win-x64.exe | windowsdesktop-runtime-8.0.7-win-x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Desktop Runtime - 8.0.7 (x64) Exit code: 1392 Version: 8.0.7.33814 Modules
| |||||||||||||||
| 7036 | "C:\Users\admin\Desktop\windowsdesktop-runtime-8.0.7-win-x64.exe" | C:\Users\admin\Desktop\windowsdesktop-runtime-8.0.7-win-x64.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Desktop Runtime - 8.0.7 (x64) Exit code: 1392 Version: 8.0.7.33814 Modules
| |||||||||||||||
| 7068 | "C:\Users\admin\AppData\Local\Temp\{C7E3FD3B-58F7-443B-8315-0DD1C60D6098}\.cr\windowsdesktop-runtime-8.0.7-win-x64.exe" -burn.clean.room="C:\Users\admin\Desktop\windowsdesktop-runtime-8.0.7-win-x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=600 | C:\Users\admin\AppData\Local\Temp\{C7E3FD3B-58F7-443B-8315-0DD1C60D6098}\.cr\windowsdesktop-runtime-8.0.7-win-x64.exe | windowsdesktop-runtime-8.0.7-win-x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Desktop Runtime - 8.0.7 (x64) Exit code: 1392 Version: 8.0.7.33814 Modules
| |||||||||||||||
Total events
4 060
Read events
4 019
Write events
34
Delete events
7
Modification events
| (PID) Process: | (7068) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (7068) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (7068) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (7068) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (936) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365} |
| Operation: | write | Name: | BundleCachePath |
Value: C:\ProgramData\Package Cache\{754bcfb5-42ac-4c12-8f12-b818943a1365}\windowsdesktop-runtime-8.0.7-win-x64.exe | |||
| (PID) Process: | (936) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365} |
| Operation: | write | Name: | BundleUpgradeCode |
Value: {7F5F299F-5EB1-6FC0-6D86-FB7931E33C68} | |||
| (PID) Process: | (936) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365} |
| Operation: | write | Name: | BundleAddonCode |
Value: | |||
| (PID) Process: | (936) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365} |
| Operation: | write | Name: | BundleDetectCode |
Value: | |||
| (PID) Process: | (936) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365} |
| Operation: | write | Name: | BundlePatchCode |
Value: | |||
| (PID) Process: | (936) windowsdesktop-runtime-8.0.7-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365} |
| Operation: | write | Name: | BundleVersion |
Value: 8.0.7.33814 | |||
Executable files
6
Suspicious files
1
Text files
21
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\bg.png | image | |
MD5:9EB0320DFBF2BD541E6A55C01DDC9F20 | SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79 | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1031\thm.wxl | xml | |
MD5:B45249A2238A5568B377E58D4CE89E9A | SHA256:0C4203A81DCD01D53378036AF78CFFCF9E9A5AF7754DFBDD56584AE74C21CC61 | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\thm.xml | xml | |
MD5:302563A713B142EE41B59E3EEAC53A90 | SHA256:83CA096F7BA2C83FC3B3AEB697B8139A788FA35EB8632943E26BB9FFF7C78E63 | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\thm.wxl | xml | |
MD5:D5070CB3387A0A22B7046AE5AB53F371 | SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1049\thm.wxl | xml | |
MD5:1D628F2E1DBAA25BDD8CF2D7F2A9CAF2 | SHA256:C7CC8E0BDD4F82DA33984F553B576412DF69C5E1E5B8479542D024CB6B41D050 | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1028\thm.wxl | xml | |
MD5:B9428C94444693B5E3A392C8D0B95170 | SHA256:C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\65A7381F7A036D0FFD2485F90DCF50FDFEDD9E3B | — | |
MD5:— | SHA256:— | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\dotnet_runtime_8.0.7_win_x64.msi | — | |
MD5:— | SHA256:— | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1033\thm.wxl | xml | |
MD5:D5070CB3387A0A22B7046AE5AB53F371 | SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A | |||
| 7068 | windowsdesktop-runtime-8.0.7-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1046\thm.wxl | xml | |
MD5:88CB193F0B0C15023D789E0F8FCE3E03 | SHA256:4D6A2D306ABE77E7DBDB2609F6198B4CF99B3F9DC15B9DC72951592AD2F64384 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
4
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |