File name:	windowsdesktop-runtime-8.0.7-win-x64.exe
Full analysis:	https://app.any.run/tasks/07f746a8-1ee9-42b6-9c4f-e45898023f2b
Verdict:	Malicious activity
Analysis date:	August 02, 2024, 21:23:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	66284AC9AAB49D957193E876398FA7EE
SHA1:	13E289ABD2284C0E88CE522651D73D64E502FC15
SHA256:	622E3D046852CAAE4C28A71BE174020DABBC6B21F2A1A320AC0C41C701A6A52C
SSDEEP:	393216:UOT0gfVmMo0/+HoLgVrifJhAvNeKB7pxH+PfJh5BQUhjoJWuonWUULJSI+:LffRo0vgtYUvjxHOtQxJWIFk

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:22 22:14:43+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	314368
InitializedDataSize:	164352
UninitializedDataSize:	-
EntryPoint:	0x302e5
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	8.0.7.33814
ProductVersionNumber:	8.0.7.33814
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Windows Desktop Runtime - 8.0.7 (x64)
FileVersion:	8.0.7.33814
InternalName:	setup
LegalCopyright:	Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName:	windowsdesktop-runtime-8.0.7-win-x64.exe
ProductName:	Microsoft Windows Desktop Runtime - 8.0.7 (x64)
ProductVersion:	8.0.7.33814


(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7068) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{754bcfb5-42ac-4c12-8f12-b818943a1365}\windowsdesktop-runtime-8.0.7-win-x64.exe
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleUpgradeCode
Value: {7F5F299F-5EB1-6FC0-6D86-FB7931E33C68}
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(936) windowsdesktop-runtime-8.0.7-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{754bcfb5-42ac-4c12-8f12-b818943a1365}
Operation:	write	Name:	BundleVersion
Value: 8.0.7.33814

PID	Process	Filename		Type
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\wixstdba.dll		executable
		MD5:F68F43F809840328F4E993A54B0D5E62	SHA256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1046\thm.wxl		xml
		MD5:88CB193F0B0C15023D789E0F8FCE3E03	SHA256:4D6A2D306ABE77E7DBDB2609F6198B4CF99B3F9DC15B9DC72951592AD2F64384
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1041\thm.wxl		xml
		MD5:E5FD798D4BBDD419A602423A699E2854	SHA256:00AEC52B4564BC07302881FCFD510F7CCA535AC9E05CFD95A86738171626F6C4
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1055\thm.wxl		xml
		MD5:2897BAEC061B9A89661744685FE3C217	SHA256:285E32E649EB71A68F29BCA7321A6CADE50D79F94DD89E50ECE1197DD70E7633
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1042\thm.wxl		xml
		MD5:F59A0369A337B58A797DDBB5EBBDCADC	SHA256:1B1B0700AA6677AFE3581B8B3F4934BF85F4750C544A108E1D5F1B688078E1CF
7036	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{C7E3FD3B-58F7-443B-8315-0DD1C60D6098}\.cr\windowsdesktop-runtime-8.0.7-win-x64.exe		executable
		MD5:1021BCDDA151FB3BAD0513D8311DFF8C	SHA256:AB0D30EEAAD5EB3D1C697097E6099FE81CD303C5BA26D7D88168201163B1FFF4
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\65A7381F7A036D0FFD2485F90DCF50FDFEDD9E3B		—
		MD5:—	SHA256:—
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\dotnet_runtime_8.0.7_win_x64.msi		—
		MD5:—	SHA256:—
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\1049\thm.wxl		xml
		MD5:1D628F2E1DBAA25BDD8CF2D7F2A9CAF2	SHA256:C7CC8E0BDD4F82DA33984F553B576412DF69C5E1E5B8479542D024CB6B41D050
7068	windowsdesktop-runtime-8.0.7-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{B7BF75DC-1F6A-4C09-8E76-1BDDD36CB031}\.ba\2052\thm.wxl		xml
		MD5:ED946A363E47DCC77017EC10B1032C54	SHA256:3BB9CE59BA1C4B76FA6B35F544E2B04C85387053EDD8B25D8C8D4FE637FB0A85

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted

General Info

windowsdesktop-runtime-8.0.7-win-x64.exe

66284AC9AAB49D957193E876398FA7EE

13E289ABD2284C0E88CE522651D73D64E502FC15

622E3D046852CAAE4C28A71BE174020DABBC6B21F2A1A320AC0C41C701A6A52C

393216:UOT0gfVmMo0/+HoLgVrifJhAvNeKB7pxH+PfJh5BQUhjoJWuonWUULJSI+:LffRo0vgtYUvjxHOtQxJWIFk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Executable content was dropped or overwritten

Searches for installed software

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts itself from another location

Creates a software uninstall entry

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings