| File name: | Error404Setup1.0.04.exe |
| Full analysis: | https://app.any.run/tasks/5899a72e-fbe1-4282-a084-8160ce8c53bc |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 03, 2025, 20:36:54 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | AFF03BEB2D22C2E16E9A99521898F9D9 |
| SHA1: | 50CD45121F2CEDCE9823BC050A9C906ED14050C4 |
| SHA256: | C7D5ACA2305595BCB2C05FB7DA6CA08789892D6BDD174FA93FA1AFEB744BFA80 |
| SSDEEP: | 786432:lFJhfyLg8PUGOPghrlevEeRYcA54iPq1wT4L0bsltf2nCM:lFJhfMqGFhpevEeRYca4iswcL0bslWCM |
MALICIOUS
STEALIT has been detected
- Error404.exe (PID: 5392)
Adds path to the Windows Defender exclusion list
- cmd.exe (PID: 2376)
- Error404.exe (PID: 5392)
- cmd.exe (PID: 1632)
- cmd.exe (PID: 876)
Changes Windows Defender settings
- cmd.exe (PID: 2376)
- cmd.exe (PID: 876)
- cmd.exe (PID: 1632)
SUSPICIOUS
Starts CMD.EXE for commands execution
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
The process creates files with name similar to system file names
- Error404Setup1.0.04.exe (PID: 4080)
Get information on the list of running processes
- cmd.exe (PID: 1552)
- Error404Setup1.0.04.exe (PID: 4080)
Process drops legitimate windows executable
- Error404Setup1.0.04.exe (PID: 4080)
There is functionality for taking screenshot (YARA)
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 1248)
Malware-specific behavior (creating "System.dll" in Temp)
- Error404Setup1.0.04.exe (PID: 4080)
Executable content was dropped or overwritten
- Error404Setup1.0.04.exe (PID: 4080)
Drops 7-zip archiver for unpacking
- Error404Setup1.0.04.exe (PID: 4080)
Reads security settings of Internet Explorer
- Error404Setup1.0.04.exe (PID: 4080)
Starts NET.EXE to display or manage information about active sessions
- net.exe (PID: 4164)
- cmd.exe (PID: 4048)
- net.exe (PID: 272)
- net.exe (PID: 5288)
- cmd.exe (PID: 2332)
- cmd.exe (PID: 408)
The process executes VB scripts
- Error404.exe (PID: 3392)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7144)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2376)
- cmd.exe (PID: 1632)
- cmd.exe (PID: 876)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 2376)
- cmd.exe (PID: 876)
- cmd.exe (PID: 1632)
Application launched itself
- Error404.exe (PID: 5392)
INFO
The sample compiled with english language support
- Error404Setup1.0.04.exe (PID: 4080)
Reads the computer name
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 5392)
- Error404.exe (PID: 1248)
- Error404.exe (PID: 5660)
- Error404.exe (PID: 3960)
Create files in a temporary directory
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Creates files or folders in the user directory
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 5392)
- Error404.exe (PID: 3960)
Manual execution by a user
- Error404.exe (PID: 3392)
Checks supported languages
- Error404.exe (PID: 3392)
- Error404Setup1.0.04.exe (PID: 4080)
- Error404.exe (PID: 5392)
- Error404.exe (PID: 1248)
- Error404.exe (PID: 5660)
- Error404.exe (PID: 3960)
Reads Environment values
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Creates a software uninstall entry
- Error404Setup1.0.04.exe (PID: 4080)
Process checks computer location settings
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Reads product name
- Error404.exe (PID: 3392)
- Error404.exe (PID: 5392)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 696)
- powershell.exe (PID: 3204)
- powershell.exe (PID: 5304)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 696)
- powershell.exe (PID: 5304)
- powershell.exe (PID: 3204)
Reads the machine GUID from the registry
- Error404.exe (PID: 5392)
- Error404.exe (PID: 3960)
Checks proxy server information
- Error404.exe (PID: 5392)
- slui.exe (PID: 3272)
Node.js compiler has been detected
- Error404.exe (PID: 5392)
- Error404.exe (PID: 1248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| FileDescription: | XBOXApp |
| FileVersion: | 1.0.0 |
| LegalCopyright: | Copyright © 2025 Error404 |
| ProductName: | Error404 |
| ProductVersion: | 1.0.0 |
Total processes
166
Monitored processes
33
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 272 | net session | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 408 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 408 | C:\WINDOWS\system32\cmd.exe /d /s /c "net session" | C:\Windows\System32\cmd.exe | — | Error404.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 696 | powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\SystemTemp\4sj6b9'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 876 | C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\WindowsCache\orttvk'"" | C:\Windows\System32\cmd.exe | — | Error404.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1248 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1248 | "C:\Users\admin\AppData\Local\Programs\error404\Error404.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\error404" --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,3710734799809806001,5604151371847522538,262144 --enable-features=EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=LocalNetworkAccessChecks,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=1896 /prefetch:2 | C:\Users\admin\AppData\Local\Programs\error404\Error404.exe | — | Error404.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: LOW Description: XBOXApp Version: 1.0.0 Modules
| |||||||||||||||
| 1312 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1552 | "C:\WINDOWS\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Error404.exe" /FO csv | "C:\WINDOWS\system32\find.exe" "Error404.exe" | C:\Windows\SysWOW64\cmd.exe | — | Error404Setup1.0.04.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1632 | C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\AppTemp\vi8vvn'"" | C:\Windows\System32\cmd.exe | — | Error404.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
22 866
Read events
22 854
Write events
12
Delete events
0
Modification events
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Programs\error404 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | KeepShortcuts |
Value: true | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | ShortcutName |
Value: Error404 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | DisplayName |
Value: Error404 1.0.0 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\error404\Uninstall Error404.exe" /currentuser | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\error404\Uninstall Error404.exe" /currentuser /S | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | DisplayVersion |
Value: 1.0.0 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\Programs\error404\Error404.exe,0 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
| (PID) Process: | (4080) Error404Setup1.0.04.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9735e062-5712-5aaf-b1aa-9a7de6c5f445 |
| Operation: | write | Name: | NoRepair |
Value: 1 | |||
Executable files
25
Suspicious files
130
Text files
11
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\app-64.7z | — | |
MD5:— | SHA256:— | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\icudtl.dat | — | |
MD5:— | SHA256:— | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\LICENSES.chromium.html | — | |
MD5:— | SHA256:— | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\af.pak | binary | |
MD5:FC774F629EEF0D028EF6C0D759B86176 | SHA256:CA253121434EF430661C30672E1097E6D238E42821585B700776B56977C05D97 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\de.pak | binary | |
MD5:30D8CF66615CE99E25D9EB36E0C427AB | SHA256:4213D226B2D3246748CF58D770810E491E490C3B204C8B7BD8887D746F9D1771 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\nsis7z.dll | executable | |
MD5:80E44CE4895304C6A3A831310FBF8CD0 | SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\nsExec.dll | executable | |
MD5:EC0504E6B8A11D5AAD43B296BEEB84B2 | SHA256:5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962 | |||
| 4080 | Error404Setup1.0.04.exe | C:\Users\admin\AppData\Local\Temp\nsr4972.tmp\7z-out\locales\am.pak | binary | |
MD5:8DA0D93417EAA098446F7A53E6F6EF4C | SHA256:7CAB58141B77479D696CA45389BA054A7F6ADDE8F620B14273C09DBA399E1038 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 204 | 92.123.104.19:443 | https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1 | unknown | — | — | unknown |
5596 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
6880 | svchost.exe | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | GET | 200 | 23.55.110.193:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | POST | 500 | 4.154.185.43:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | — | — | unknown |
— | — | POST | 500 | 4.154.209.85:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
6880 | svchost.exe | 23.55.110.193:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
5596 | MoUsoCoreWorker.exe | 23.55.110.193:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 23.55.110.193:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7088 | SearchApp.exe | 2.16.241.207:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
5392 | Error404.exe | 172.67.146.52:443 | root.linahook.com | CLOUDFLARENET | US | whitelisted |
6172 | slui.exe | 4.154.209.85:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
root.linahook.com |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |