File name: SoftwareInstaller.exe

Full analysis: https://app.any.run/tasks/49433837-f95c-4cc4-9e69-76a313569abc
Verdict: Malicious activity
Analysis date: December 01, 2024, 16:50:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 9CF40A8B46C9552148565D43C3D92465
SHA1: 9AB414732E50669FACB798D34DD4F6DFC32B0EA6
SHA256: 75D96DFE70912F3F2C5B669EBAC010A83904DAEA9A908C5352063F1508D8ED58
SSDEEP: 3072:Kl5EY1B3111111Eee4WY1B3111111EXex2:KDb1B3111111C4V1B3111111Vx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • SoftwareInstaller.exe (PID: 6292)
  • INFO

    • Disables trace logs

      • SoftwareInstaller.exe (PID: 6292)
    • Reads the machine GUID from the registry

      • SoftwareInstaller.exe (PID: 6292)
    • Checks proxy server information

      • SoftwareInstaller.exe (PID: 6292)
    • Checks supported languages

      • SoftwareInstaller.exe (PID: 6292)
    • Reads the computer name

      • SoftwareInstaller.exe (PID: 6292)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2098:05:22 04:54:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 44544
InitializedDataSize: 36864
UninitializedDataSize: -
EntryPoint: 0xcc5a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: droper
FileVersion: 1.0.0.0
InternalName: SoftwareInstaller.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: SoftwareInstaller.exe
ProductName: droper
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Total processes: 120
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> softwareinstaller.exe

Process information

PID: 6292
CMD: "C:\Users\admin\Desktop\SoftwareInstaller.exe"
Path: C:\Users\admin\Desktop\SoftwareInstaller.exe
Indicators: (see the indicator list above)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: droper
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\softwareinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 1 005
Read events: 991
Write events: 14
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | EnableFileTracing | 0
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | EnableAutoFileTracing | 0
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | EnableConsoleTracing | 0
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | FileTracingMask |
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | ConsoleTracingMask |
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | MaxFileSize | 1048576
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASAPI32 | FileDirectory | %windir%\tracing
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASMANCS | EnableFileTracing | 0
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASMANCS | EnableAutoFileTracing | 0
6292 | SoftwareInstaller.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SoftwareInstaller_RASMANCS | EnableConsoleTracing | 0
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 9
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6292 | SoftwareInstaller.exe | GET | | 83.25.173.88:80 | http://dandev.online/exe.exe | unknown | | | malicious
1412 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1412 | RUXIMICS.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1412 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2164 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 2.16.204.139:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6292 | SoftwareInstaller.exe | 83.25.173.88:80 | dandev.online | Orange Polska Spolka Akcyjna | PL | malicious
1412 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1412 | RUXIMICS.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
www.bing.com | 2.16.204.139, 2.16.204.161, 2.16.204.143, 2.16.204.146, 2.16.204.156, 2.16.204.160, 2.16.204.134, 2.16.204.153, 2.16.204.135 | whitelisted
google.com | 216.58.212.174 | whitelisted
dandev.online | 83.25.173.88 | malicious
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.37.237.227 | whitelisted
self.events.data.microsoft.com | 51.104.15.252 | whitelisted

Threats

PID | Process | Class | Message
| | A Network Trojan was detected | ET HUNTING Suspicious exe.exe request - possible downloader/Oficla
| | A Network Trojan was detected | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
| | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
| | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
| | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info