File name: MediaCreationTool_Win11_23H2.exe

Full analysis: https://app.any.run/tasks/965985c4-e933-4752-bf9c-c5f490725bc4
Verdict: Malicious activity
Analysis date: April 12, 2024, 17:34:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 25C9285C00EF7D41B28823A053A9A372
SHA1: FAC6862D703A7D80418012CE1D5D7D9AECBB28B8
SHA256: 767E70C43673063A16D76E494FFCDFA0F5A85C53344A0DC505F161CCCF2F5B1B
SSDEEP: 98304:L7S0lsuG0AzcHH2W8NOWvfdIH7hg9P8l4d4oSngpH9XATszhB5hR8SAva424Ezo2:F4RqhdrZEN+X6V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MediaCreationTool_Win11_23H2.exe (PID: 2672)
    • The DLL Hijacking

      • SetupHost.Exe (PID: 1348)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • MediaCreationTool_Win11_23H2.exe (PID: 2672)
    • Starts a Microsoft application from unusual location

      • MediaCreationTool_Win11_23H2.exe (PID: 2672)
      • MediaCreationTool_Win11_23H2.exe (PID: 1692)
    • The process creates files with name similar to system file names

      • MediaCreationTool_Win11_23H2.exe (PID: 2672)
    • Executable content was dropped or overwritten

      • MediaCreationTool_Win11_23H2.exe (PID: 2672)
    • Reads settings of System Certificates

      • SetupHost.Exe (PID: 1348)
    • Reads the Internet Settings

      • SetupHost.Exe (PID: 1348)
  • INFO

    • Checks supported languages

      • MediaCreationTool_Win11_23H2.exe (PID: 2672)
      • SetupHost.Exe (PID: 1348)
    • Reads the computer name

      • SetupHost.Exe (PID: 1348)
    • Reads Environment values

      • SetupHost.Exe (PID: 1348)
    • Reads the machine GUID from the registry

      • SetupHost.Exe (PID: 1348)
    • Process checks computer location settings

      • SetupHost.Exe (PID: 1348)
    • Reads the software policy settings

      • SetupHost.Exe (PID: 1348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2079:12:24 16:39:56+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.3
CodeSize: 575488
InitializedDataSize: 1392128
UninitializedDataSize: -
EntryPoint: 0x7d630
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.2714
ProductVersionNumber: 10.0.22621.2714
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: إعداد Windows 11
FileVersion: 10.0.22621.2714 (ni_release_svc_prod1.231104-1807)
InternalName: SetupPrep.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SetupPrep.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.2714
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: start, mediacreationtool_win11_23h2.exe, setuphost.exe, vdsldr.exe (no specs), mediacreationtool_win11_23h2.exe (no specs)

Process information

PID: 1348
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool_Win11_23H2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Version: 10.0.22621.2714 (ni_release_svc_prod1.231104-1807)
Modules
Images
c:\$windows.~ws\sources\setuphost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\$windows.~ws\sources\wdscore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
PID: 1692
CMD: "C:\Users\admin\AppData\Local\Temp\MediaCreationTool_Win11_23H2.exe"
Path: C:\Users\admin\AppData\Local\Temp\MediaCreationTool_Win11_23H2.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 11 Setup
Exit code: 3221226540
Version: 10.0.22621.2714 (ni_release_svc_prod1.231104-1807)
Modules
Images
c:\users\admin\appdata\local\temp\mediacreationtool_win11_23h2.exe
c:\windows\system32\ntdll.dll
PID: 1888
CMD: C:\Windows\System32\vdsldr.exe -Embedding
Path: C:\Windows\System32\vdsldr.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Virtual Disk Service Loader
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
PID: 2672
CMD: "C:\Users\admin\AppData\Local\Temp\MediaCreationTool_Win11_23H2.exe"
Path: C:\Users\admin\AppData\Local\Temp\MediaCreationTool_Win11_23H2.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 11 Setup
Version: 10.0.22621.2714 (ni_release_svc_prod1.231104-1807)
Modules
Images
c:\users\admin\appdata\local\temp\mediacreationtool_win11_23h2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 8 407
Read events: 8 279
Write events: 122
Delete events: 6

Modification events

(PID) Process: (2672) MediaCreationTool_Win11_23H2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files
Operation: write
Name: SetupDirectories
Value: $Windows.~BT;$Windows.~LS;$Windows.~WS

(PID) Process: (2672) MediaCreationTool_Win11_23H2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files
Operation: write
Name: SetupDirectories
Value: $Windows.~BT;$Windows.~LS;$Windows.~WS;ESD\Download

(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup
Operation: write
Name: CorrelationVector
Value: PVvX+elZ2EaIaVbL.0

(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: InstallTicks
Value: 0

(PID) Process: (1348) SetupHost.Exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value
Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:

(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
(PID) Process: (1348) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: SetupProgress
Value: 0

Executable files: 22
Suspicious files: 2
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\DU.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\DiagTrack.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\Diager.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\ServicingCommon.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\bcd.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\bootsvc.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\hwreqchk.dll | executable
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\setupplatform.cfg | text
2672 | MediaCreationTool_Win11_23H2.exe | C:\$Windows.~WS\Sources\setupplatform.dll | executable
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 8
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
856 | svchost.exe | HEAD | 200 | 104.124.11.18:80 | http://dl.delivery.mp.microsoft.com/filestreamingservice/files/5c5cedfc-2821-4395-a497-c9c45ec24194/22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCONSUMER_RET_x64FRE_en-us.esd | unknown | unknown
856 | svchost.exe | GET | 104.124.11.18:80 | http://dl.delivery.mp.microsoft.com/filestreamingservice/files/5c5cedfc-2821-4395-a497-c9c45ec24194/22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCONSUMER_RET_x64FRE_en-us.esd | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | unknown
1348 | SetupHost.Exe | 23.211.9.234:443 | go.microsoft.com | AKAMAI-AS | DE | unknown
1348 | SetupHost.Exe | 23.212.89.111:443 | download.microsoft.com | AKAMAI-AS | MX | unknown
2788 | svchost.exe | 239.255.255.250:1900 | | | | unknown
856 | svchost.exe | 104.124.11.18:80 | dl.delivery.mp.microsoft.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
go.microsoft.com | 23.211.9.234 | whitelisted
download.microsoft.com | 23.212.89.111 | whitelisted
dl.delivery.mp.microsoft.com | 104.124.11.18, 104.124.11.34 | unknown

Threats

No threats detected
No debug info