File name:	windowsdesktop-runtime-6.0.33-win-x64.exe
Full analysis:	https://app.any.run/tasks/603a4dc0-015a-49f2-80af-24260fa53bca
Verdict:	Malicious activity
Analysis date:	September 30, 2024, 04:47:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	2FD32B6746DC63036A057139AA35F839
SHA1:	93F290BE5799938E82E92AC572DEAA22CCC16ECB
SHA256:	6B1B7BFFE4024D86C4FEB6E881648DE557C6BFF2E16E867E3CE1A2ED39489A53
SSDEEP:	393216:W5roB7MQdyp4HAxVf0S0FWDzUdqqBRioGMEx6DiTga3wuxnhIKFE4kt:WGB/d6WygWDzSRiopEUilwuxhIJ

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:22 22:14:43+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	314368
InitializedDataSize:	164352
UninitializedDataSize:	-
EntryPoint:	0x302e5
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	6.0.33.33916
ProductVersionNumber:	6.0.33.33916
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Windows Desktop Runtime - 6.0.33 (x64)
FileVersion:	6.0.33.33916
InternalName:	setup
LegalCopyright:	Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName:	windowsdesktop-runtime-6.0.33-win-x64.exe
ProductName:	Microsoft Windows Desktop Runtime - 6.0.33 (x64)
ProductVersion:	6.0.33.33916


(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{ecb94bc3-963d-412a-b141-8b7c32ef103f}\windowsdesktop-runtime-6.0.33-win-x64.exe
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleUpgradeCode
Value: {E50DC420-5C2F-5516-1DA5-0F8B584F9E0D}
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleVersion
Value: 6.0.33.33916
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	VersionMajor
Value: 6
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	VersionMinor
Value: 0
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleProviderKey
Value: {ecb94bc3-963d-412a-b141-8b7c32ef103f}
(PID) Process:	(4976) windowsdesktop-runtime-6.0.33-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ecb94bc3-963d-412a-b141-8b7c32ef103f}
Operation:	write	Name:	BundleTag
Value:

PID	Process	Filename		Type
5044	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{DDE4DC5A-797A-47C6-A529-32D93EE3A08F}\.cr\windowsdesktop-runtime-6.0.33-win-x64.exe		executable
		MD5:69FD3B5245ABA65BF93952FDAA398B73	SHA256:52C79844D1F4758C49577903C276CF681BE4FD4AFAD26DCE7F4372A993877A6C
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\thm.xml		xml
		MD5:302563A713B142EE41B59E3EEAC53A90	SHA256:83CA096F7BA2C83FC3B3AEB697B8139A788FA35EB8632943E26BB9FFF7C78E63
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1029\thm.wxl		xml
		MD5:27411946EF45B3B8236319421770E5AD	SHA256:C92D3EFD72D6D14148F9931128EE4143AFFD1DA517EB358AB88ED4138C1434A4
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1028\thm.wxl		xml
		MD5:B9428C94444693B5E3A392C8D0B95170	SHA256:C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\bg.png		image
		MD5:9EB0320DFBF2BD541E6A55C01DDC9F20	SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1036\thm.wxl		xml
		MD5:9F779700FF90DF7211AE3A3340DDD5FC	SHA256:6AF5C2BC88B1E5CE188A97DD9204061D66369EC2689B3657AFF1DC6188F44F22
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\dotnet_runtime_6.0.33_win_x64.msi		—
		MD5:—	SHA256:—
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1033\thm.wxl		xml
		MD5:D5070CB3387A0A22B7046AE5AB53F371	SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\.ba\1031\thm.wxl		xml
		MD5:B45249A2238A5568B377E58D4CE89E9A	SHA256:0C4203A81DCD01D53378036AF78CFFCF9E9A5AF7754DFBDD56584AE74C21CC61
4472	windowsdesktop-runtime-6.0.33-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{72F4BB34-04D7-4F8A-AAF6-5F37138EDF1E}\windowsdesktop_runtime_6.0.33_win_x64.msi		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6868	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4668	msiexec.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6868	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4668	msiexec.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6868	svchost.exe	13.71.55.58:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 13.71.55.58	whitelisted
google.com	172.217.18.14	whitelisted
www.microsoft.com	95.101.149.131	whitelisted

General Info

windowsdesktop-runtime-6.0.33-win-x64.exe

2FD32B6746DC63036A057139AA35F839

93F290BE5799938E82E92AC572DEAA22CCC16ECB

6B1B7BFFE4024D86C4FEB6E881648DE557C6BFF2E16E867E3CE1A2ED39489A53

393216:W5roB7MQdyp4HAxVf0S0FWDzUdqqBRioGMEx6DiTga3wuxnhIKFE4kt:WGB/d6WygWDzSRiopEUilwuxhIJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Executable content was dropped or overwritten

Searches for installed software

Reads security settings of Internet Explorer

Starts itself from another location

Creates a software uninstall entry

Reads the Windows owner or organization settings

Checks Windows Trust Settings

The process creates files with name similar to system file names

The process drops C-runtime libraries

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

The process uses the downloaded file

Process checks computer location settings

Creates files in the program directory

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings