Malware analysis Setup (2).exe Malicious activity | ANY.RUN

Add for printing

File name:	Setup (2).exe
Full analysis:	https://app.any.run/tasks/f9d45b03-7f75-4b73-adf1-613eda519aae
Verdict:	Malicious activity
Analysis date:	August 06, 2024, 10:56:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	07647EA02633A079476C00C5AF95F41C
SHA1:	D9284BA22CC3666EFBEC978107D43F07608B7867
SHA256:	DFF6884B1FC3F0ADC2BC80A619C0288A1E20A18320C64571DFF3E2274CCD378D
SSDEEP:	3072:aefw3AuNAP+5g3WBo9A/BwdKIkIXgtqr4ge:a0wP3g4o9AWxHwtWC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
- Changes the autorun value in the registry
  - nsp7B67.tmp (PID: 8180)
- Scans artifacts that could help determine the target
  - Watchdog.exe (PID: 7820)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
- The process creates files with name similar to system file names
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
- Reads security settings of Internet Explorer
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
- Checks Windows Trust Settings
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
- Searches for installed software
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
- Executable content was dropped or overwritten
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
- Starts application with an unusual extension
  - Setup (2).exe (PID: 6532)
- Process drops legitimate windows executable
  - nsp7B67.tmp (PID: 8180)
- Creates a software uninstall entry
  - nsp7B67.tmp (PID: 8180)
- Application launched itself
  - NW_store.exe (PID: 1748)
  - NW_store.exe (PID: 7756)
- The process checks if it is being run in the virtual environment
  - NW_store.exe (PID: 1748)
INFO
- Create files in a temporary directory
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - NW_store.exe (PID: 1748)
- Checks proxy server information
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
  - NW_store.exe (PID: 1748)
- Checks supported languages
  - Setup (2).exe (PID: 6532)
  - identity_helper.exe (PID: 7980)
  - nsp7B67.tmp (PID: 8180)
  - PcAppStore.exe (PID: 6528)
  - Watchdog.exe (PID: 7820)
  - NW_store.exe (PID: 1748)
  - NW_store.exe (PID: 7756)
  - NW_store.exe (PID: 5940)
  - NW_store.exe (PID: 4128)
  - NW_store.exe (PID: 6052)
  - NW_store.exe (PID: 7388)
  - NW_store.exe (PID: 6540)
  - NW_store.exe (PID: 7236)
  - identity_helper.exe (PID: 1076)
  - TextInputHost.exe (PID: 6964)
  - msiexec.exe (PID: 7516)
  - NW_store.exe (PID: 8364)
  - NW_store.exe (PID: 7544)
  - NW_store.exe (PID: 8008)
- Reads the computer name
  - Setup (2).exe (PID: 6532)
  - identity_helper.exe (PID: 7980)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
  - PcAppStore.exe (PID: 6528)
  - NW_store.exe (PID: 7756)
  - NW_store.exe (PID: 1748)
  - NW_store.exe (PID: 6052)
  - NW_store.exe (PID: 4128)
  - NW_store.exe (PID: 7236)
  - msiexec.exe (PID: 7516)
  - TextInputHost.exe (PID: 6964)
  - NW_store.exe (PID: 8364)
  - NW_store.exe (PID: 8008)
  - identity_helper.exe (PID: 1076)
  - NW_store.exe (PID: 7544)
  - NW_store.exe (PID: 6540)
- Reads the software policy settings
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
  - PcAppStore.exe (PID: 6528)
- Creates files or folders in the user directory
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
  - NW_store.exe (PID: 7756)
  - NW_store.exe (PID: 1748)
  - NW_store.exe (PID: 4128)
- Reads the machine GUID from the registry
  - Setup (2).exe (PID: 6532)
  - nsp7B67.tmp (PID: 8180)
  - Watchdog.exe (PID: 7820)
  - NW_store.exe (PID: 1748)
- Reads Environment values
  - Setup (2).exe (PID: 6532)
  - identity_helper.exe (PID: 7980)
  - NW_store.exe (PID: 7756)
  - PcAppStore.exe (PID: 6528)
  - identity_helper.exe (PID: 1076)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 6752)
  - Setup (2).exe (PID: 6532)
  - NW_store.exe (PID: 1748)
  - msedge.exe (PID: 6984)
- Application launched itself
  - msedge.exe (PID: 6752)
  - msedge.exe (PID: 6984)
- Process checks computer location settings
  - NW_store.exe (PID: 1748)
  - NW_store.exe (PID: 7388)
  - NW_store.exe (PID: 6540)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	186880
UninitializedDataSize:	2048
EntryPoint:	0x352d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1091
ProductVersionNumber:	1.0.0.1091
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Fast Corporation LTD
FileDescription:	PC App Store Setup
LegalCopyright:	Fast Corporation LTD
ProductName:	PC App Store
ProductVersion:	1.0.0.1091p

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

211

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

936

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4992 --field-trial-handle=2348,i,13553191092338500094,7947981282834997389,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1076

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4400 --field-trial-handle=2348,i,13553191092338500094,7947981282834997389,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1164

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3688 --field-trial-handle=2540,i,7501634733207520667,17070095901458523974,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1432

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5460 --field-trial-handle=2540,i,7501634733207520667,17070095901458523974,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1748

.\nwjs\NW_store.exe .\ui\.

C:\Users\admin\PCAppStore\nwjs\NW_store.exe

PcAppStore.exe

User:

admin

Company:

The NW.js Community

Integrity Level:

MEDIUM

Description:

nwjs

Exit code:

3221225477

Version:

0.85.0

Modules

Images
c:\users\admin\pcappstore\nwjs\nw_store.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\version.dll
c:\users\admin\pcappstore\nwjs\nw_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

2396

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6176 --field-trial-handle=2540,i,7501634733207520667,17070095901458523974,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2904

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2540,i,7501634733207520667,17070095901458523974,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2960

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2488 --field-trial-handle=2348,i,13553191092338500094,7947981282834997389,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3144

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=4464 --field-trial-handle=2540,i,7501634733207520667,17070095901458523974,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3864

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4892 --field-trial-handle=2540,i,7501634733207520667,17070095901458523974,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

38 245

Read events

38 053

Write events

187

Delete events

Modification events


(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6532) Setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PCAppStore
Operation:	write	Name:	Version
Value: fa.1091q
(PID) Process:	(6752) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

Add for printing

Executable files

Suspicious files

327

Text files

248

Unknown types

Dropped files

PID	Process	Filename		Type
6532	Setup (2).exe	C:\Users\admin\AppData\Local\Temp\nsx5BD8.tmp\nsJSON.dll		executable
		MD5:F4D89D9A2A3E2F164AEA3E93864905C9	SHA256:64B3EFDF3DE54E338D4DB96B549A7BDB7237BB88A82A0A63AEF570327A78A6FB
6532	Setup (2).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE		der
		MD5:BDCB4FA453C55CBED58823777848E5B6	SHA256:985E0E8918A7A5CDCF4A5EDF783DB2AD8DBEDA77E5C120E93728817675D8586F
6752	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe7d59.TMP		—
		MD5:—	SHA256:—
6752	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6752	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe7d69.TMP		—
		MD5:—	SHA256:—
6752	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
6532	Setup (2).exe	C:\Users\admin\AppData\Local\Temp\nsx5BD8.tmp\System.dll		executable
		MD5:CFF85C549D536F651D4FB8387F1976F2	SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
6532	Setup (2).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE		binary
		MD5:D1A22D229C08B524CE7C890D0C48608C	SHA256:850D33EDF03E2E93748D93B4178130DC0EFC70F50110E76C67175EDEB685C2DD
6532	Setup (2).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0		binary
		MD5:A3EE3D3628DFF8AD98437D3B6801B63F	SHA256:AEB98F6E0B34A19252EE71C30BA8DF8C896E91A93B0AC799C6757E1BC6F328D6
6532	Setup (2).exe	C:\Users\admin\AppData\Local\Temp\nsx5BD8.tmp\image.gif		image
		MD5:1636218C14C357455B5C872982E2A047	SHA256:9B8B6285BF65F086E08701EEE04E57F2586E973A49C5A38660C9C6502A807045

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

172

DNS requests

111

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6532	Setup (2).exe	GET	200	192.229.221.95:80	http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAJsJgstJqiVbIfWU4Raykw%3D	unknown	—	—	whitelisted
6532	Setup (2).exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6532	Setup (2).exe	GET	200	184.24.77.54:80	http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEgQu3y6FDNdivRXuDwAOFB59Tw%3D%3D	unknown	—	—	whitelisted
5484	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5988	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2968	svchost.exe	GET	304	69.192.161.44:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
6292	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1723482626&P2=404&P3=2&P4=kw%2bt0D3Rq%2bMb459P8yRMHMydL00irxSCa8g2qndGWLZBQT56QLC14rGEk5oMJ1xMT6OuAJTr2cXjhgc54O15Jg%3d%3d	unknown	—	—	whitelisted
7180	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6292	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1723482626&P2=404&P3=2&P4=kw%2bt0D3Rq%2bMb459P8yRMHMydL00irxSCa8g2qndGWLZBQT56QLC14rGEk5oMJ1xMT6OuAJTr2cXjhgc54O15Jg%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5040	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5796	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6532	Setup (2).exe	45.32.1.23:443	pcapp.store	AS-CHOOPA	US	unknown
6532	Setup (2).exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6532	Setup (2).exe	138.199.37.40:443	delivery.pcapp.store	Datacamp Limited	DE	unknown
6532	Setup (2).exe	184.24.77.54:80	e6.o.lencr.org	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.206	whitelisted
pcapp.store	45.32.1.23 104.248.126.225 209.222.21.115 207.246.91.177 64.176.203.93 167.99.235.203 159.223.126.41	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
status.rapidssl.com	192.229.221.95	whitelisted
delivery.pcapp.store	138.199.37.40 195.181.170.18 138.199.37.35 195.181.175.41 212.102.56.178 156.146.33.15 138.199.37.38	unknown
e6.o.lencr.org	184.24.77.54 184.24.77.71 184.24.77.56 184.24.77.57 184.24.77.65 184.24.77.62 184.24.77.48 184.24.77.77 184.24.77.53	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.67	whitelisted

Threats

No threats detected

Add for printing

Process	Message
NW_store.exe	[0806/105810.328:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105810.333:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105810.334:ERROR:directory_reader_win.cc(44)] FindFirstFile: The system cannot find the path specified. (0x3)
NW_store.exe	[0806/105810.406:ERROR:http_transport_win.cc(181)] WinHttpCrackUrl: The operation completed successfully. (0x0)
NW_store.exe	[0806/105810.408:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105810.416:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105810.417:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105902.989:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105903.036:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\3fe985cc-8fe0-497e-b908-4ed5f9e59284: The system cannot find the file specified. (0x2)
NW_store.exe	[0806/105903.036:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\pc_app_store\User Data\Crashpad\attachments\abc96275-d9c9-48d1-acbb-23304b4b119a: The system cannot find the file specified. (0x2)

General Info

Setup (2).exe

07647EA02633A079476C00C5AF95F41C

D9284BA22CC3666EFBEC978107D43F07608B7867

DFF6884B1FC3F0ADC2BC80A619C0288A1E20A18320C64571DFF3E2274CCD378D

3072:aefw3AuNAP+5g3WBo9A/BwdKIkIXgtqr4ge:a0wP3g4o9AWxHwtWC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Scans artifacts that could help determine the target

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Searches for installed software

Executable content was dropped or overwritten

Starts application with an unusual extension

Process drops legitimate windows executable

Creates a software uninstall entry

Application launched itself

The process checks if it is being run in the virtual environment

INFO

Create files in a temporary directory

Checks proxy server information

Checks supported languages

Reads the computer name

Reads the software policy settings

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads Environment values

Reads Microsoft Office registry keys

Application launched itself

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings