| File name: | Error404Setup1.0.04.exe |
| Full analysis: | https://app.any.run/tasks/5899a72e-fbe1-4282-a084-8160ce8c53bc |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 03, 2025, 20:36:54 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | AFF03BEB2D22C2E16E9A99521898F9D9 |
| SHA1: | 50CD45121F2CEDCE9823BC050A9C906ED14050C4 |
| SHA256: | C7D5ACA2305595BCB2C05FB7DA6CA08789892D6BDD174FA93FA1AFEB744BFA80 |
| SSDEEP: | 786432:lFJhfyLg8PUGOPghrlevEeRYcA54iPq1wT4L0bsltf2nCM:lFJhfMqGFhpevEeRYca4iswcL0bslWCM |
MALICIOUS
STEALIT has been detected
- Error404.exe (PID: 5392)
Adds path to the Windows Defender exclusion list
- Error404.exe (PID: 5392)
- cmd.exe (PID: 2376)
- cmd.exe (PID: 1632)
- cmd.exe (PID: 876)
Changes Windows Defender settings
- cmd.exe (PID: 2376)
- cmd.exe (PID: 1632)
- cmd.exe (PID: 876)
SUSPICIOUS
The process creates files with name similar to system file names
- Error404Setup1.0.04.exe (PID: 4080)
Executable content was dropped or overwritten
- Error404Setup1.0.04.exe (PID: 4080)
Drops 7-zip archiver for unpacking
- Error404Setup1.0.04.exe (PID: 4080)
There is functionality for taking screenshot (YARA)
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 1248)
Get information on the list of running processes
- Error404Setup1.0.04.exe (PID: 4080)
- cmd.exe (PID: 1552)
Process drops legitimate windows executable
- Error404Setup1.0.04.exe (PID: 4080)
Malware-specific behavior (creating "System.dll" in Temp)
- Error404Setup1.0.04.exe (PID: 4080)
Starts CMD.EXE for commands execution
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Reads security settings of Internet Explorer
- Error404Setup1.0.04.exe (PID: 4080)
The process executes VB scripts
- Error404.exe (PID: 3392)
Starts NET.EXE to display or manage information about active sessions
- net.exe (PID: 4164)
- net.exe (PID: 272)
- cmd.exe (PID: 2332)
- cmd.exe (PID: 4048)
- cmd.exe (PID: 408)
- net.exe (PID: 5288)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7144)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2376)
- cmd.exe (PID: 1632)
- cmd.exe (PID: 876)
Application launched itself
- Error404.exe (PID: 5392)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 2376)
- cmd.exe (PID: 1632)
- cmd.exe (PID: 876)
INFO
Reads the computer name
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 5660)
- Error404.exe (PID: 1248)
- Error404.exe (PID: 3960)
- Error404.exe (PID: 5392)
Create files in a temporary directory
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Checks supported languages
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 3960)
- Error404.exe (PID: 1248)
- Error404.exe (PID: 5660)
Process checks computer location settings
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Reads Environment values
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Creates a software uninstall entry
- Error404Setup1.0.04.exe (PID: 4080)
Manual execution by a user
- Error404.exe (PID: 3392)
Reads product name
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 696)
- powershell.exe (PID: 5304)
- powershell.exe (PID: 3204)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 696)
- powershell.exe (PID: 5304)
- powershell.exe (PID: 3204)
The sample compiled with english language support
- Error404Setup1.0.04.exe (PID: 4080)
Checks proxy server information
- Error404.exe (PID: 5392)
- slui.exe (PID: 3272)
Reads the machine GUID from the registry
- Error404.exe (PID: 5392)
- Error404.exe (PID: 3960)
Node.js compiler has been detected
- Error404.exe (PID: 1248)
- Error404.exe (PID: 5392)
Creates files or folders in the user directory
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 3960)
- Error404.exe (PID: 5392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| FileDescription: | XBOXApp |
| FileVersion: | 1.0.0 |
| LegalCopyright: | Copyright © 2025 Error404 |
| ProductName: | Error404 |
| ProductVersion: | 1.0.0 |
Total processes
166
Monitored processes
33
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 272 | net session | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 408 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 408 | C:\WINDOWS\system32\cmd.exe /d /s /c "net session" | C:\Windows\System32\cmd.exe | — | Error404.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 696 | powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\SystemTemp\4sj6b9'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 876 | C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\WindowsCache\orttvk'"" | C:\Windows\System32\cmd.exe | — | Error404.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1248 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1248 | "C:\Users\admin\AppData\Local\Programs\error404\Error404.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\error404" --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,3710734799809806001,5604151371847522538,262144 --enable-features=EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=1896 /prefetch:2 | C:\Users\admin\AppData\Local\Programs\error404\Error404.exe | — | Error404.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: LOW Description: XBOXApp Version: 1.0.0 Modules
| |||||||||||||||
| 1312 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1552 | "C:\WINDOWS\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Error404.exe" /FO csv | "C:\WINDOWS\system32\find.exe" "Error404.exe" | C:\Windows\SysWOW64\cmd.exe | — | Error404Setup1.0.04.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1632 | C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\AppTemp\vi8vvn'"" | C:\Windows\System32\cmd.exe | — | Error404.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
22 866
Read events
22 854
Write events
12
Delete events
0
Modification events
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Programs\error404 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | KeepShortcuts |
Value: true | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | ShortcutName |
Value: Error404 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | DisplayName |
Value: Error404 1.0.0 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\error404\Uninstall Error404.exe" /currentuser | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\error404\Uninstall Error404.exe" /currentuser /S | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | DisplayVersion |
Value: 1.0.0 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\Programs\error404\Error404.exe,0 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | NoRepair |
Value: 1 | |||
Executable files
25
Suspicious files
130
Text files
11
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\app-64.7z | — | |
MD5:— | SHA256:— | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\icudtl.dat | — | |
MD5:— | SHA256:— | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\LICENSES.chromium.html | — | |
MD5:— | SHA256:— | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\ar.pak | binary | |
MD5:556CC5B0A1EE3D8007445BA60DF9C0AB | SHA256:9D9FE7A83159F390718C73A9445A30E97901F25B30BCCE02E7AB2D82F07FE38E | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\chrome_100_percent.pak | binary | |
MD5:E7BBDDFF3081EEECF7F56E76CE1D48E4 | SHA256:45D14A4278B1E152B363197401A5604AA5A3CEE6512A6B52DF978038FA521A0F | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\am.pak | binary | |
MD5:8DA0D93417EAA098446F7A53E6F6EF4C | SHA256:7CAB58141B77479D696CA45389BA054A7F6ADDE8F620B14273C09DBA399E1038 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\af.pak | binary | |
MD5:FC774F629EEF0D028EF6C0D759B86176 | SHA256:CA253121434EF430661C30672E1097E6D238E42821585B700776B56977C05D97 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\chrome_200_percent.pak | binary | |
MD5:1E1744B9410D29E7D1ED28C4F67D6317 | SHA256:AAFC61B89748D17FCBC9FECD9844A77BE2C584529A81714C98E0C4D453EA9496 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\cs.pak | binary | |
MD5:09116EE83270F6702D89BABDE5710A97 | SHA256:9C54BEE959830481A000739304CFC4C823D4BCD95D8ACA03A74C98470FF3AC21 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5596 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 204 | 92.123.104.19:443 | https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1 | unknown | — | — | unknown |
6880 | svchost.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 4.154.209.85:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown |
— | — | POST | 500 | 4.154.185.43:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
6880 | svchost.exe | 23.55.110.193:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
5596 | MoUsoCoreWorker.exe | 23.55.110.193:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 23.55.110.193:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7088 | SearchApp.exe | 2.16.241.207:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
5392 | Error404.exe | 172.67.146.52:443 | root.linahook.com | CLOUDFLARENET | US | whitelisted |
6172 | slui.exe | 4.154.209.85:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
root.linahook.com |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |