analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

WMSetup.exe

Full analysis: https://app.any.run/tasks/960b80de-cfd5-4de8-8a33-f2418a66cca5
Verdict: Malicious activity
Analysis date: April 24, 2024, 07:00:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

32F7AFAC4BC7AADECF65E0C7F14E1DCC

SHA1:

3710B3713142679C8A23D117B289BD14EFBFBD55

SHA256:

97C0F47C4713562060C16141BA96D1A157C2D4E29BE8E635DDA5EC9092FF98DA

SSDEEP:

49152:oPbcq8efxg8KZzNhpmzPFZ1/Mp01/waF0QEpRWhCcWK5TgVJ3D+zxNCEsZQGfnCr:oPYGJKZJhpmJZpQre0Q6RGfWK1oZ4bF5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WMSetup.exe (PID: 3344)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WMSetup.exe (PID: 3344)

    • Reads security settings of Internet Explorer

      • WMSetup.exe (PID: 3344)

    • Creates a software uninstall entry

      • WMSetup.exe (PID: 3344)

    • Reads the Internet Settings

      • WMSetup.exe (PID: 3344)
      • hh.exe (PID: 2556)

    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 2556)

    • Reads Internet Explorer settings

      • hh.exe (PID: 2556)

  • INFO

    • Reads the computer name

      • WMSetup.exe (PID: 3344)
      • WindowManager.exe (PID: 1028)
      • WindowManager.exe (PID: 2904)

    • Creates files in the program directory

      • WMSetup.exe (PID: 3344)
      • WindowManager.exe (PID: 1028)
      • hh.exe (PID: 2556)
      • WindowManager.exe (PID: 2904)

    • Checks supported languages

      • WMSetup.exe (PID: 3344)
      • WindowManager.exe (PID: 1028)
      • WindowManager.exe (PID: 2904)

    • Create files in a temporary directory

      • WMSetup.exe (PID: 3344)
      • hh.exe (PID: 2556)

    • Reads the machine GUID from the registry

      • hh.exe (PID: 2556)
      • WindowManager.exe (PID: 1028)

    • Reads security settings of Internet Explorer

      • hh.exe (PID: 2556)

    • Creates files or folders in the user directory

      • WindowManager.exe (PID: 1028)
      • hh.exe (PID: 2556)
      • WindowManager.exe (PID: 2904)

    • Checks proxy server information

      • hh.exe (PID: 2556)

    • Manual execution by a user

      • WindowManager.exe (PID: 2904)
      • explorer.exe (PID: 1236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0xe02c
UninitializedDataSize: -
InitializedDataSize: 1105408
CodeSize: 150016
LinkerVersion: 14.35
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2023:03:30 15:05:45+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wmsetup.exe no specs wmsetup.exe windowmanager.exe hh.exe no specs windowmanager.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3040"C:\Users\admin\AppData\Local\Temp\WMSetup.exe" C:\Users\admin\AppData\Local\Temp\WMSetup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\wmsetup.exe
c:\windows\system32\ntdll.dll
3344"C:\Users\admin\AppData\Local\Temp\WMSetup.exe" C:\Users\admin\AppData\Local\Temp\WMSetup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wmsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1028"C:\Program Files\WindowManager\WindowManager.exe" C:\Program Files\WindowManager\WindowManager.exe
WMSetup.exe
User:
admin
Company:
DeskSoft
Integrity Level:
HIGH
Description:
WindowManager Application
Version:
10.17.2
Modules
Images
c:\program files\windowmanager\windowmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2556"C:\Windows\hh.exe" C:\Program Files\WindowManager\WindowManager.chmC:\Windows\hh.exeWMSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
2904"C:\Program Files\WindowManager\WindowManager.exe" C:\Program Files\WindowManager\WindowManager.exeexplorer.exe
User:
admin
Company:
DeskSoft
Integrity Level:
MEDIUM
Description:
WindowManager Application
Exit code:
0
Version:
10.17.2
Modules
Images
c:\program files\windowmanager\windowmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1236"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
4 219
Read events
4 176
Write events
37
Delete events
6

Modification events

(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MHDSYS32
Operation:writeName:99622DA110
Value:
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\DeskSoft
Operation:writeName:WindowManager
Value:
0100ECF1725AA12D62990A001100010000000000433A5C50726F6772616D2046696C65735C57696E646F774D616E616765720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000433A5C55736572735C61646D696E5C417070446174615C526F616D696E675C4465736B536F66745C57696E646F774D616E61676572000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000687474703A2F2F7777772E6465736B736F66742E636F6D2F57696E646F774D616E616765725F50757263686173652E68746D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000687474703A2F2F7777772E6465736B736F66742E636F6D2F5041442F574D5F5645522E545854000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000687474703A2F2F7777772E6465736B736F66742E636F6D2F57696E646F774D616E616765725F446F776E6C6F61642E68746D0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
116
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:DisplayName
Value:
WindowManager
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:DisplayIcon
Value:
C:\Program Files\WindowManager\WindowManager.exe,0
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:DisplayVersion
Value:
10.17.2
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:Publisher
Value:
DeskSoft
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:HelpLink
Value:
http://www.desksoft.com
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:URLInfoAbout
Value:
http://www.desksoft.com
(PID) Process:(3344) WMSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowManager
Operation:writeName:URLUpdateInfo
Value:
http://www.desksoft.com
Executable files
2
Suspicious files
16
Text files
6
Unknown types
2

Dropped files

PID
Process
Filename
Type
3344WMSetup.exeC:\Users\admin\AppData\Local\Temp\Temp.lnk
MD5:
SHA256:
3344WMSetup.exeC:\Users\Public\Desktop\WindowManager.lnk
MD5:
SHA256:
3344WMSetup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindowManager\WindowManager Manual.lnk
MD5:
SHA256:
1028WindowManager.exeC:\Users\admin\AppData\Roaming\DeskSoft\WindowManager\PinList.dcf_tmp
MD5:
SHA256:
1028WindowManager.exeC:\Users\admin\AppData\Roaming\DeskSoft\WindowManager\PinList.dcf
MD5:
SHA256:
1028WindowManager.exeC:\Users\admin\AppData\Roaming\DeskSoft\WindowManager\MinList.dcf_tmp
MD5:
SHA256:
1028WindowManager.exeC:\Users\admin\AppData\Roaming\DeskSoft\WindowManager\MinList.dcf
MD5:
SHA256:
3344WMSetup.exeC:\Program Files\WindowManager\Uninstall.exeexecutable
MD5:AA17AF7706986C81CF4E2A43DED340E3
SHA256:7523A477039225E020321E8CA48B92BD7228F72A85EF1E9BFC39808E1D5D2E43
1028WindowManager.exeC:\Users\admin\AppData\Roaming\DeskSoft\WindowManager\(DFC)Cmd.dcf_tmpbinary
MD5:93B885ADFE0DA089CDF634904FD59F71
SHA256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
3344WMSetup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindowManager\Uninstall.lnklnk
MD5:193E0A20BC023A0090B75FAF4823FEB7
SHA256:F0F364897884406B2822B70B88C630C70D4D77F9428453AFFF9869ACA383C677
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1028
WindowManager.exe
GET
301
188.68.47.244:80
http://www.desksoft.com/PAD/WM_VER.TXT
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1028
WindowManager.exe
188.68.47.244:80
www.desksoft.com
netcup GmbH
DE
unknown
1028
WindowManager.exe
188.68.47.244:443
www.desksoft.com
netcup GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
www.desksoft.com
  • 188.68.47.244
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
WMSetup.exe