| File name: | windowsdesktop-runtime-6.0.33-win-x64.exe |
| Full analysis: | https://app.any.run/tasks/603a4dc0-015a-49f2-80af-24260fa53bca |
| Verdict: | Malicious activity |
| Analysis date: | September 30, 2024, 04:47:13 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 2FD32B6746DC63036A057139AA35F839 |
| SHA1: | 93F290BE5799938E82E92AC572DEAA22CCC16ECB |
| SHA256: | 6B1B7BFFE4024D86C4FEB6E881648DE557C6BFF2E16E867E3CE1A2ED39489A53 |
| SSDEEP: | 393216:W5roB7MQdyp4HAxVf0S0FWDzUdqqBRioGMEx6DiTga3wuxnhIKFE4kt:WGB/d6WygWDzSRiopEUilwuxhIJ |
MALICIOUS
Changes the autorun value in the registry
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
SUSPICIOUS
Starts a Microsoft application from unusual location
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 5044)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
Process drops legitimate windows executable
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 5044)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
- msiexec.exe (PID: 4668)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
Executable content was dropped or overwritten
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 5044)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
Searches for installed software
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
Reads security settings of Internet Explorer
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
Starts itself from another location
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
Creates a software uninstall entry
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
Checks Windows Trust Settings
- msiexec.exe (PID: 4668)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 4668)
The process creates files with name similar to system file names
- msiexec.exe (PID: 4668)
The process drops C-runtime libraries
- msiexec.exe (PID: 4668)
INFO
Checks supported languages
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 5044)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
- msiexec.exe (PID: 4668)
- msiexec.exe (PID: 6456)
Create files in a temporary directory
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 5044)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
Reads the computer name
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
- msiexec.exe (PID: 4668)
- msiexec.exe (PID: 6456)
The process uses the downloaded file
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
Process checks computer location settings
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4472)
Creates files in the program directory
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
Creates files or folders in the user directory
- msiexec.exe (PID: 4668)
Reads the machine GUID from the registry
- windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 4976)
- msiexec.exe (PID: 4668)
Reads the software policy settings
- msiexec.exe (PID: 4668)
Executable content was dropped or overwritten
- msiexec.exe (PID: 4668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:22 22:14:43+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit, Removable run from swap, Net run from swap |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 314368 |
| InitializedDataSize: | 164352 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x302e5 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.0.33.33916 |
| ProductVersionNumber: | 6.0.33.33916 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft Windows Desktop Runtime - 6.0.33 (x64) |
| FileVersion: | 6.0.33.33916 |
| InternalName: | setup |
| LegalCopyright: | Copyright (c) Microsoft Corporation. All rights reserved. |
| OriginalFileName: | windowsdesktop-runtime-6.0.33-win-x64.exe |
| ProductName: | Microsoft Windows Desktop Runtime - 6.0.33 (x64) |
| ProductVersion: | 6.0.33.33916 |
Total processes
127
Monitored processes
8
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2476 | C:\Windows\syswow64\MsiExec.exe -Embedding 1AC3B7E406C6AF96521D14505974A8C6 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4472 | "C:\Users\admin\AppData\Local\Temp\{DDE4DC5A-797A-47C6-A529-32D93EE3A08F}\.cr\windowsdesktop-runtime-6.0.33-win-x64.exe" -burn.clean.room="C:\Users\admin\Desktop\windowsdesktop-runtime-6.0.33-win-x64.exe" -burn.filehandle.attached=580 -burn.filehandle.self=588 | C:\Users\admin\AppData\Local\Temp\{DDE4DC5A-797A-47C6-A529-32D93EE3A08F}\.cr\windowsdesktop-runtime-6.0.33-win-x64.exe | windowsdesktop-runtime-6.0.33-win-x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Desktop Runtime - 6.0.33 (x64) Exit code: 0 Version: 6.0.33.33916 Modules
| |||||||||||||||
| 4668 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4880 | C:\Windows\syswow64\MsiExec.exe -Embedding 2FE918B6E8698D52E93AFEA1322E64E0 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4976 | "C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.be\windowsdesktop-runtime-6.0.33-win-x64.exe" -q -burn.elevated BurnPipe.{BE5D2618-0565-4C66-B09F-5971BA50D1F9} {B361BBC8-1D68-4028-8047-654D174BFF5E} 4472 | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.be\windowsdesktop-runtime-6.0.33-win-x64.exe | windowsdesktop-runtime-6.0.33-win-x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Desktop Runtime - 6.0.33 (x64) Exit code: 0 Version: 6.0.33.33916 Modules
| |||||||||||||||
| 5044 | "C:\Users\admin\Desktop\windowsdesktop-runtime-6.0.33-win-x64.exe" | C:\Users\admin\Desktop\windowsdesktop-runtime-6.0.33-win-x64.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Desktop Runtime - 6.0.33 (x64) Exit code: 0 Version: 6.0.33.33916 Modules
| |||||||||||||||
| 6456 | C:\Windows\syswow64\MsiExec.exe -Embedding 7911B532AF44DECF2A6F675E8E9829B4 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6796 | C:\Windows\syswow64\MsiExec.exe -Embedding 46DAF6FB5ADADB1A87F1F7CD12DE6441 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9 966
Read events
9 017
Write events
905
Delete events
44
Modification events
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleCachePath |
Value: C:\ProgramData\Package Cache\{ecb94bc3-963d-412a-b141-8b7c32ef103f}\windowsdesktop-runtime-6.0.33-win-x64.exe | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleUpgradeCode |
Value: {E50DC420-5C2F-5516-1DA5-0F8B584F9E0D} | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleAddonCode |
Value: | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleDetectCode |
Value: | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundlePatchCode |
Value: | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleVersion |
Value: 6.0.33.33916 | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | VersionMajor |
Value: 6 | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | VersionMinor |
Value: 0 | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleProviderKey |
Value: {ecb94bc3-963d-412a-b141-8b7c32ef103f} | |||
| (PID) Process: | (4976) windowsdesktop-runtime-6.0.33-win-x64.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f} |
| Operation: | write | Name: | BundleTag |
Value: | |||
Executable files
525
Suspicious files
70
Text files
29
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1040\thm.wxl | xml | |
MD5:347BE63418F507E7F2A086726E96FCA8 | SHA256:344ACD0D3665BA489EB30EBC0F902C625E1AD33A4E2B5BA7CDD7E463658D5557 | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\thm.wxl | xml | |
MD5:D5070CB3387A0A22B7046AE5AB53F371 | SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\wixstdba.dll | executable | |
MD5:F68F43F809840328F4E993A54B0D5E62 | SHA256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\thm.xml | xml | |
MD5:302563A713B142EE41B59E3EEAC53A90 | SHA256:83CA096F7BA2C83FC3B3AEB697B8139A788FA35EB8632943E26BB9FFF7C78E63 | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1042\thm.wxl | xml | |
MD5:F59A0369A337B58A797DDBB5EBBDCADC | SHA256:1B1B0700AA6677AFE3581B8B3F4934BF85F4750C544A108E1D5F1B688078E1CF | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1033\thm.wxl | xml | |
MD5:D5070CB3387A0A22B7046AE5AB53F371 | SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\dotnet_runtime_6.0.33_win_x64.msi | — | |
MD5:— | SHA256:— | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\bg.png | image | |
MD5:9EB0320DFBF2BD541E6A55C01DDC9F20 | SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79 | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1028\thm.wxl | xml | |
MD5:B9428C94444693B5E3A392C8D0B95170 | SHA256:C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF | |||
| 4472 | windowsdesktop-runtime-6.0.33-win-x64.exe | C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\windowsdesktop_runtime_6.0.33_win_x64.msi | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
24
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4668 | msiexec.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | — | — | whitelisted |
6868 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
6868 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4668 | msiexec.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
6868 | svchost.exe | 13.71.55.58:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |