File name:

windowsdesktop-runtime-8.0.6-win-x64.exe

Full analysis: https://app.any.run/tasks/3d4da35c-f9a9-44bb-b6b6-54f4d8fe8216
Verdict: Malicious activity
Analysis date: July 03, 2024, 05:49:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7F6280D2828B5C61944E245856FB406A

SHA1:

4AFCDA856F5157648A79485919F5F7CFF0810426

SHA256:

CBD8B84A8489C0433DCED37B7DCFBA108AD1F85915D069294D9818702EC8F12A

SSDEEP:

98304:d1svXJG6gIS6zF7tkQ/seSr8/f+GTMOR0JnSbye/ynZb1qtTthkYd7xWlUqz10yw:EmS4KUS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)

    • Searches for installed software

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

  • INFO

    • Checks supported languages

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Reads the computer name

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Create files in a temporary directory

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:22 22:14:43+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 314368
InitializedDataSize: 164352
UninitializedDataSize: -
EntryPoint: 0x302e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 8.0.6.33720
ProductVersionNumber: 8.0.6.33720
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Desktop Runtime - 8.0.6 (x64)
FileVersion: 8.0.6.33720
InternalName: setup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: windowsdesktop-runtime-8.0.6-win-x64.exe
ProductName: Microsoft Windows Desktop Runtime - 8.0.6 (x64)
ProductVersion: 8.0.6.33720
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start windowsdesktop-runtime-8.0.6-win-x64.exe windowsdesktop-runtime-8.0.6-win-x64.exe

Process information

PID
CMD
Path
Indicators
Parent process
3380"C:\Users\admin\AppData\Local\Temp\windowsdesktop-runtime-8.0.6-win-x64.exe" C:\Users\admin\AppData\Local\Temp\windowsdesktop-runtime-8.0.6-win-x64.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 8.0.6 (x64)
Version:
8.0.6.33720
Modules
Images
c:\users\admin\appdata\local\temp\windowsdesktop-runtime-8.0.6-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3416"C:\Users\admin\AppData\Local\Temp\{9F546072-A53B-40FB-AA88-34AAF9BB237F}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\windowsdesktop-runtime-8.0.6-win-x64.exe" -burn.filehandle.attached=156 -burn.filehandle.self=164 C:\Users\admin\AppData\Local\Temp\{9F546072-A53B-40FB-AA88-34AAF9BB237F}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exe
windowsdesktop-runtime-8.0.6-win-x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 8.0.6 (x64)
Version:
8.0.6.33720
Modules
Images
c:\users\admin\appdata\local\temp\{9f546072-a53b-40fb-aa88-34aaf9bb237f}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 098
Read events
1 098
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\wixstdba.dllexecutable
MD5:F68F43F809840328F4E993A54B0D5E62
SHA256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1033\thm.wxlxml
MD5:D5070CB3387A0A22B7046AE5AB53F371
SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1029\thm.wxlxml
MD5:27411946EF45B3B8236319421770E5AD
SHA256:C92D3EFD72D6D14148F9931128EE4143AFFD1DA517EB358AB88ED4138C1434A4
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\thm.xmlxml
MD5:302563A713B142EE41B59E3EEAC53A90
SHA256:83CA096F7BA2C83FC3B3AEB697B8139A788FA35EB8632943E26BB9FFF7C78E63
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\bg.pngimage
MD5:9EB0320DFBF2BD541E6A55C01DDC9F20
SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1040\thm.wxlxml
MD5:347BE63418F507E7F2A086726E96FCA8
SHA256:344ACD0D3665BA489EB30EBC0F902C625E1AD33A4E2B5BA7CDD7E463658D5557
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1028\thm.wxlxml
MD5:B9428C94444693B5E3A392C8D0B95170
SHA256:C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1036\thm.wxlxml
MD5:9F779700FF90DF7211AE3A3340DDD5FC
SHA256:6AF5C2BC88B1E5CE188A97DD9204061D66369EC2689B3657AFF1DC6188F44F22
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1041\thm.wxlxml
MD5:E5FD798D4BBDD419A602423A699E2854
SHA256:00AEC52B4564BC07302881FCFD510F7CCA535AC9E05CFD95A86738171626F6C4
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\thm.wxlxml
MD5:D5070CB3387A0A22B7046AE5AB53F371
SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
239.255.255.250:3702
whitelisted
224.0.0.252:5355
unknown
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1372
svchost.exe
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
windowsdesktop-runtime-8.0.6-win-x64.exe