File name:

windowsdesktop-runtime-8.0.6-win-x64.exe

Full analysis: https://app.any.run/tasks/3d4da35c-f9a9-44bb-b6b6-54f4d8fe8216
Verdict: Malicious activity
Analysis date: July 03, 2024, 05:49:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7F6280D2828B5C61944E245856FB406A

SHA1:

4AFCDA856F5157648A79485919F5F7CFF0810426

SHA256:

CBD8B84A8489C0433DCED37B7DCFBA108AD1F85915D069294D9818702EC8F12A

SSDEEP:

98304:d1svXJG6gIS6zF7tkQ/seSr8/f+GTMOR0JnSbye/ynZb1qtTthkYd7xWlUqz10yw:EmS4KUS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Process drops legitimate windows executable

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)

    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Searches for installed software

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

  • INFO

    • Checks supported languages

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Create files in a temporary directory

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3380)
      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)

    • Reads the computer name

      • windowsdesktop-runtime-8.0.6-win-x64.exe (PID: 3416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:22 22:14:43+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 314368
InitializedDataSize: 164352
UninitializedDataSize: -
EntryPoint: 0x302e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 8.0.6.33720
ProductVersionNumber: 8.0.6.33720
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Desktop Runtime - 8.0.6 (x64)
FileVersion: 8.0.6.33720
InternalName: setup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: windowsdesktop-runtime-8.0.6-win-x64.exe
ProductName: Microsoft Windows Desktop Runtime - 8.0.6 (x64)
ProductVersion: 8.0.6.33720
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start windowsdesktop-runtime-8.0.6-win-x64.exe windowsdesktop-runtime-8.0.6-win-x64.exe

Process information

PID
CMD
Path
Indicators
Parent process
3380"C:\Users\admin\AppData\Local\Temp\windowsdesktop-runtime-8.0.6-win-x64.exe" C:\Users\admin\AppData\Local\Temp\windowsdesktop-runtime-8.0.6-win-x64.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 8.0.6 (x64)
Version:
8.0.6.33720
Modules
Images
c:\users\admin\appdata\local\temp\windowsdesktop-runtime-8.0.6-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3416"C:\Users\admin\AppData\Local\Temp\{9F546072-A53B-40FB-AA88-34AAF9BB237F}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\windowsdesktop-runtime-8.0.6-win-x64.exe" -burn.filehandle.attached=156 -burn.filehandle.self=164 C:\Users\admin\AppData\Local\Temp\{9F546072-A53B-40FB-AA88-34AAF9BB237F}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exe
windowsdesktop-runtime-8.0.6-win-x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 8.0.6 (x64)
Version:
8.0.6.33720
Modules
Images
c:\users\admin\appdata\local\temp\{9f546072-a53b-40fb-aa88-34aaf9bb237f}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 098
Read events
1 098
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\bg.pngimage
MD5:9EB0320DFBF2BD541E6A55C01DDC9F20
SHA256:9095BF7B6BAA0107B40A4A6D727215BE077133A190F4CA9BD89A176842141E79
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1028\thm.wxlxml
MD5:B9428C94444693B5E3A392C8D0B95170
SHA256:C0413EDFD13FD27EEAB7B8CE60963668236466C48F4173C29F84093011C281AF
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\thm.wxlxml
MD5:D5070CB3387A0A22B7046AE5AB53F371
SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\3082\thm.wxlxml
MD5:1474C297B47C24D9E8E937CCBF50C4B2
SHA256:FAB76FA9382A7793309C9B07D5BAAA3EFD8553172D46F8B69E22E30B635BB146
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\thm.xmlxml
MD5:302563A713B142EE41B59E3EEAC53A90
SHA256:83CA096F7BA2C83FC3B3AEB697B8139A788FA35EB8632943E26BB9FFF7C78E63
3380windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{9F546072-A53B-40FB-AA88-34AAF9BB237F}\.cr\windowsdesktop-runtime-8.0.6-win-x64.exeexecutable
MD5:06D322E819A7ADB25748C3B389831908
SHA256:F3D4E358135C533CE225BA64370119D41F4C84E643D2670FC99C82807EE708D1
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1031\thm.wxlxml
MD5:B45249A2238A5568B377E58D4CE89E9A
SHA256:0C4203A81DCD01D53378036AF78CFFCF9E9A5AF7754DFBDD56584AE74C21CC61
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1033\thm.wxlxml
MD5:D5070CB3387A0A22B7046AE5AB53F371
SHA256:81A68046B06E09385BE8449373E7CEB9E79F7724C3CF11F0B18A4489A8D4926A
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1036\thm.wxlxml
MD5:9F779700FF90DF7211AE3A3340DDD5FC
SHA256:6AF5C2BC88B1E5CE188A97DD9204061D66369EC2689B3657AFF1DC6188F44F22
3416windowsdesktop-runtime-8.0.6-win-x64.exeC:\Users\admin\AppData\Local\Temp\{13220428-F679-4755-8AA6-70C068ABE0B6}\.ba\1049\thm.wxlxml
MD5:1D628F2E1DBAA25BDD8CF2D7F2A9CAF2
SHA256:C7CC8E0BDD4F82DA33984F553B576412DF69C5E1E5B8479542D024CB6B41D050
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
1372
svchost.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
239.255.255.250:3702
unknown
224.0.0.252:5355
unknown
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
unknown
1372
svchost.exe
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
unknown

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
unknown
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.42
unknown
www.microsoft.com
  • 184.30.21.171
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
windowsdesktop-runtime-8.0.6-win-x64.exe