Malware analysis Setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/3492c42b-2a28-40d0-ba10-6752ab48f65b
Verdict:	Malicious activity
Analysis date:	July 25, 2024, 16:53:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	FB7BE3902AC7AC83F2661E6016C08980
SHA1:	CBE587FE8161A64DFC15580E686EF710FB1FD6DB
SHA256:	88F7FA4DF6B4360B896E254FC9547173AE451308F5E0F6E0782E21822A3EFFC3
SSDEEP:	3072:aefw3AuNAP+5g3WBo9A/BwdKIkIXgtqr4gT:a0wP3g4o9AWxHwtWf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
- Changes the autorun value in the registry
  - nsp3B51.tmp (PID: 7408)
- Scans artifacts that could help determine the target
  - Watchdog.exe (PID: 1108)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
- Searches for installed software
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
- Reads security settings of Internet Explorer
  - Setup.exe (PID: 6596)
  - Watchdog.exe (PID: 1108)
  - nsp3B51.tmp (PID: 7408)
  - NW_store.exe (PID: 8048)
- Checks Windows Trust Settings
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
  - Watchdog.exe (PID: 1108)
  - NW_store.exe (PID: 8048)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
- The process creates files with name similar to system file names
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
- Starts application with an unusual extension
  - Setup.exe (PID: 6596)
- Process drops legitimate windows executable
  - nsp3B51.tmp (PID: 7408)
- Creates a software uninstall entry
  - nsp3B51.tmp (PID: 7408)
- Application launched itself
  - NW_store.exe (PID: 7692)
  - NW_store.exe (PID: 7216)
- The process checks if it is being run in the virtual environment
  - NW_store.exe (PID: 7216)
INFO
- Checks supported languages
  - Setup.exe (PID: 6596)
  - identity_helper.exe (PID: 7248)
  - nsp3B51.tmp (PID: 7408)
  - Watchdog.exe (PID: 1108)
  - PcAppStore.exe (PID: 7972)
  - NW_store.exe (PID: 7692)
  - NW_store.exe (PID: 2204)
  - NW_store.exe (PID: 4176)
  - NW_store.exe (PID: 7216)
  - NW_store.exe (PID: 308)
  - NW_store.exe (PID: 1112)
  - NW_store.exe (PID: 4304)
  - NW_store.exe (PID: 6312)
  - msiexec.exe (PID: 1812)
  - TextInputHost.exe (PID: 3944)
  - NW_store.exe (PID: 8296)
  - NW_store.exe (PID: 8272)
  - NW_store.exe (PID: 7876)
  - NW_store.exe (PID: 8048)
- Checks proxy server information
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
  - slui.exe (PID: 4192)
  - Watchdog.exe (PID: 1108)
  - NW_store.exe (PID: 7216)
- Reads the machine GUID from the registry
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
  - Watchdog.exe (PID: 1108)
  - NW_store.exe (PID: 7216)
  - NW_store.exe (PID: 8048)
- Reads the software policy settings
  - Setup.exe (PID: 6596)
  - slui.exe (PID: 4192)
  - nsp3B51.tmp (PID: 7408)
  - PcAppStore.exe (PID: 7972)
  - Watchdog.exe (PID: 1108)
  - NW_store.exe (PID: 8048)
- Reads the computer name
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
  - identity_helper.exe (PID: 7248)
  - Watchdog.exe (PID: 1108)
  - PcAppStore.exe (PID: 7972)
  - NW_store.exe (PID: 7692)
  - NW_store.exe (PID: 7216)
  - NW_store.exe (PID: 4176)
  - NW_store.exe (PID: 1112)
  - msiexec.exe (PID: 1812)
  - NW_store.exe (PID: 4304)
  - TextInputHost.exe (PID: 3944)
  - NW_store.exe (PID: 7876)
  - NW_store.exe (PID: 8272)
  - NW_store.exe (PID: 8296)
  - NW_store.exe (PID: 6312)
  - NW_store.exe (PID: 8048)
- Create files in a temporary directory
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
  - NW_store.exe (PID: 7216)
- Reads Environment values
  - identity_helper.exe (PID: 7248)
  - Setup.exe (PID: 6596)
  - PcAppStore.exe (PID: 7972)
  - NW_store.exe (PID: 7692)
  - NW_store.exe (PID: 8048)
- Creates files or folders in the user directory
  - Setup.exe (PID: 6596)
  - nsp3B51.tmp (PID: 7408)
  - NW_store.exe (PID: 7216)
  - Watchdog.exe (PID: 1108)
  - NW_store.exe (PID: 7692)
  - NW_store.exe (PID: 1112)
  - NW_store.exe (PID: 8048)
- Reads Microsoft Office registry keys
  - Setup.exe (PID: 6596)
  - msedge.exe (PID: 6764)
  - NW_store.exe (PID: 7216)
- Application launched itself
  - msedge.exe (PID: 6764)
- Process checks computer location settings
  - NW_store.exe (PID: 7216)
  - NW_store.exe (PID: 4304)
  - NW_store.exe (PID: 308)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	186880
UninitializedDataSize:	2048
EntryPoint:	0x352d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1091
ProductVersionNumber:	1.0.0.1091
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Fast Corporation LTD
FileDescription:	PC App Store Setup
LegalCopyright:	Fast Corporation LTD
ProductName:	PC App Store
ProductVersion:	1.0.0.1091p

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

213

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

"C:\Users\admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=2328 --field-trial-handle=2008,i,4485884114018159963,11389927764621173317,262144 --variations-seed-version /prefetch:8

C:\Users\admin\PCAppStore\nwjs\NW_store.exe

—

NW_store.exe

User:

admin

Company:

The NW.js Community

Integrity Level:

MEDIUM

Description:

nwjs

Version:

0.85.0

Modules

Images
c:\users\admin\pcappstore\nwjs\nw_store.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\pcappstore\nwjs\nw_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

624

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5236 --field-trial-handle=2480,i,3165216997821088058,10960859046747289153,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1108

"C:\Users\admin\PCAppStore\Watchdog.exe" /guid=1D1FB0BB-21B9-4FC0-B017-A4DADA231E17 /rid=20240725165511.5931019812 /ver=fa.1091q

C:\Users\admin\PCAppStore\Watchdog.exe

nsp3B51.tmp

User:

admin

Company:

Fast Corporation LTD

Integrity Level:

MEDIUM

Description:

Watchdog of PC App Store

Version:

1.0.0.1091q

Modules

Images
c:\users\admin\pcappstore\watchdog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1112

"C:\Users\admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2112 --field-trial-handle=2008,i,4485884114018159963,11389927764621173317,262144 --variations-seed-version /prefetch:3

C:\Users\admin\PCAppStore\nwjs\NW_store.exe

NW_store.exe

User:

admin

Company:

The NW.js Community

Integrity Level:

MEDIUM

Description:

nwjs

Version:

0.85.0

Modules

Images
c:\users\admin\pcappstore\nwjs\nw_store.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\pcappstore\nwjs\nw_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

1812

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1936

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2824 --field-trial-handle=2480,i,3165216997821088058,10960859046747289153,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2128

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2480,i,3165216997821088058,10960859046747289153,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2204

C:\Users\admin\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\pc_app_store\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x20c,0x210,0x214,0x208,0x218,0x7ff6be008a60,0x7ff6be008a70,0x7ff6be008a80

C:\Users\admin\PCAppStore\nwjs\NW_store.exe

—

NW_store.exe

User:

admin

Company:

The NW.js Community

Integrity Level:

MEDIUM

Description:

nwjs

Version:

0.85.0

Modules

Images
c:\users\admin\pcappstore\nwjs\nw_store.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\pcappstore\nwjs\nw_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

2340

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2480,i,3165216997821088058,10960859046747289153,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2656

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5352 --field-trial-handle=2480,i,3165216997821088058,10960859046747289153,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

45 266

Read events

45 154

Write events

110

Delete events

Modification events


(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6596) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PCAppStore
Operation:	write	Name:	Version
Value: fa.1091q
(PID) Process:	(6764) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

Add for printing

Executable files

Suspicious files

431

Text files

245

Unknown types

Dropped files

PID	Process	Filename		Type
6596	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsy1D97.tmp\image.gif		image
		MD5:1636218C14C357455B5C872982E2A047	SHA256:9B8B6285BF65F086E08701EEE04E57F2586E973A49C5A38660C9C6502A807045
6596	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsy1D97.tmp\nsJSON.dll		executable
		MD5:F4D89D9A2A3E2F164AEA3E93864905C9	SHA256:64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB
6596	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsy1D97.tmp\nsDialogs.dll		executable
		MD5:6C3F8C94D0727894D706940A8A980543	SHA256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
6764	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe3af1.TMP		—
		MD5:—	SHA256:—
6596	Setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE		der
		MD5:FD0974FB5E6BBC517E3A656961453FA9	SHA256:0590DE3B6618D217E7080D3F776ED40A37BD0EA5BF97CF3D622317BC4905E1C4
6764	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6764	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe3ae2.TMP		—
		MD5:—	SHA256:—
6764	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat		binary
		MD5:666AAA60D0697D1AED7D8FEB3CE59500	SHA256:92A6495FA797224AF693EB2D5AD051C6B1425B1461179B42CBC3D8DE164F785A
6764	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6764	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe3b01.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

175

DNS requests

110

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3156	svchost.exe	GET	304	2.23.197.184:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	HEAD	200	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted
7272	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0857d1c0-cc48-481f-b19c-c404a0eb02f9?P1=1722526714&P2=404&P3=2&P4=ByLxYtilISZdQ9Tf9A1q0JR83Hb04KhdilgJAlUK%2fZXOZDLQWkYDm8g6g4R14ZTwlGTdqSRzV2RsdRf79ZtxPQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4512	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3960	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6596	Setup.exe	167.99.235.203:443	pcapp.store	DIGITALOCEAN-ASN	US	unknown
6596	Setup.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4204	svchost.exe	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6764	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
pcapp.store	167.99.235.203 104.248.126.225 209.222.21.115 159.223.126.41 45.32.1.23 64.176.203.93	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
status.rapidssl.com	192.229.221.95	whitelisted
delivery.pcapp.store	212.102.56.182 195.181.175.15 156.146.33.140 156.146.33.138 212.102.56.179 156.146.33.15 195.181.170.18 195.181.175.40	unknown
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
e6.o.lencr.org	195.138.255.24	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted

Threats

No threats detected

Add for printing

Process	Message
NW_store.exe	[0725/165513.336:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\17bb16f9-4eca-49e6-b9d0-d3d96215962d: The system cannot find the file specified. (0x2)
NW_store.exe	[0725/165513.338:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\17bb16f9-4eca-49e6-b9d0-d3d96215962d: The system cannot find the file specified. (0x2)
NW_store.exe	[0725/165513.353:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\17bb16f9-4eca-49e6-b9d0-d3d96215962d: The system cannot find the file specified. (0x2)

General Info

Setup.exe

FB7BE3902AC7AC83F2661E6016C08980

CBE587FE8161A64DFC15580E686EF710FB1FD6DB

88F7FA4DF6B4360B896E254FC9547173AE451308F5E0F6E0782E21822A3EFFC3

3072:aefw3AuNAP+5g3WBo9A/BwdKIkIXgtqr4gT:a0wP3g4o9AWxHwtWf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Scans artifacts that could help determine the target

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Searches for installed software

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Starts application with an unusual extension

Process drops legitimate windows executable

Creates a software uninstall entry

Application launched itself

The process checks if it is being run in the virtual environment

INFO

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Reads the computer name

Create files in a temporary directory

Reads Environment values

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Application launched itself

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings