File name:

MediaCreationTool2004.exe

Full analysis: https://app.any.run/tasks/9e26c23c-49e6-4e4d-a9e3-69fdf1a67d38
Verdict: Malicious activity
Analysis date: November 23, 2024, 14:30:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

A4675D3D20056C263C4419369DC785EC

SHA1:

4C68EE92E72B2F5B36132C8721711509F5F9CEA8

SHA256:

E230E99A0836C468F8CA98FBE0CEDB7B73CE88229409035D1E5353B88397A781

SSDEEP:

98304:L/jxTNjkaL+/n3eBIkEytQrC9S8zqkDA0a233eOs2saqavhHt60VQ6x8CK0goNgn:/tI4+dcyzD4k3cRnzIr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DLL Hijacking

      • SetupHost.exe (PID: 1468)

      This is a heuristic hit, not a confirmed hijack: SetupHost.exe runs from C:\$Windows.~WS\Sources\, the directory into which PID 5560 dropped DU.dll, DiagTrack.dll, unbcl.dll, setupplatform.dll, wdscsl.dll, wdsclientapi.dll, Diager.dll and wdsutil.dll (see Dropped files), and the report separately flags those as names similar to system file names. The version metadata below (CompanyName, InternalName SetupPrep.exe) is trivially forgeable and proves nothing either way; what settles it is the Authenticode signature and the hash of the sample and of each dropped PE, which this report does not show.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • MediaCreationTool2004.exe (PID: 5560)
    • Starts a Microsoft application from unusual location

      • MediaCreationTool2004.exe (PID: 5696)
      • MediaCreationTool2004.exe (PID: 5560)
    • Detected use of alternative data streams (AltDS)

      • SetupHost.exe (PID: 1468)
    • Executable content was dropped or overwritten

      • MediaCreationTool2004.exe (PID: 5560)
    • The process creates files with name similar to system file names

      • MediaCreationTool2004.exe (PID: 5560)
  • INFO

    • Checks supported languages

      • MediaCreationTool2004.exe (PID: 5560)
      • SetupHost.exe (PID: 1468)
      • DiagTrackRunner.exe (PID: 5240)
    • Reads the computer name

      • MediaCreationTool2004.exe (PID: 5560)
      • SetupHost.exe (PID: 1468)
      • DiagTrackRunner.exe (PID: 5240)
    • Creates files in the program directory

      • SetupHost.exe (PID: 1468)
      • DiagTrackRunner.exe (PID: 5240)
    • Checks proxy server information

      • SetupHost.exe (PID: 1468)
      • DiagTrackRunner.exe (PID: 5240)
    • Reads Environment values

      • SetupHost.exe (PID: 1468)
    • Reads the machine GUID from the registry

      • SetupHost.exe (PID: 1468)
      • DiagTrackRunner.exe (PID: 5240)
    • Process checks computer location settings

      • SetupHost.exe (PID: 1468)
    • Reads CPU info

      • SetupHost.exe (PID: 1468)
    • Reads the software policy settings

      • SetupHost.exe (PID: 1468)
      • DiagTrackRunner.exe (PID: 5240)
    • Sends debugging messages

      • DiagTrackRunner.exe (PID: 5240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1997:05:12 19:38:42+00:00 (not a build date: Windows 10-era Microsoft binaries are built reproducibly and the PE timestamp field carries a hash-derived value, so this field cannot be used to date or cluster the sample)
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.2
CodeSize: 508928
InitializedDataSize: 11058176
UninitializedDataSize: -
EntryPoint: 0x76ec0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: إعداد Windows 10 (Arabic for "Windows 10 Setup")
FileVersion: 10.0.19041.1 (vb_release.191206-1406)
InternalName: SetupPrep.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SetupPrep.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
All screenshots are available in the full report
Total processes
124
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Process tree reconstructed from the parent/child relations in the Process information section (the report attaches no indicators, "no specs", to PID 5696, both vdsldr.exe instances and conhost.exe):

explorer.exe
 ├─ MediaCreationTool2004.exe (PID 5696, MEDIUM integrity, no indicators)
 └─ MediaCreationTool2004.exe (PID 5560, HIGH integrity)
     └─ SetupHost.exe (PID 1468)  /Download /Web
         └─ DiagTrackRunner.exe (PID 5240)  /UploadEtlFilesOnly
             └─ conhost.exe (PID 4764, no indicators)
svchost.exe
 ├─ vdsldr.exe (PID 2796)  -Embedding  (COM activation, no indicators)
 └─ vdsldr.exe (PID 6016)  -Embedding  (COM activation, no indicators)

Process information

PID: 1468
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.exe
Parent process: MediaCreationTool2004.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 3247440404 (0xC1900214)
Version: 10.0.19041.1 (vb_release.191206-1406)
Modules (images loaded):
c:\$windows.~ws\sources\setuphost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2796
CMD: C:\WINDOWS\System32\vdsldr.exe -Embedding
Path: C:\Windows\System32\vdsldr.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Virtual Disk Service Loader
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images loaded):
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4764
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: DiagTrackRunner.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images loaded):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5240
CMD: C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
Path: C:\$Windows.~WS\Sources\DiagTrackRunner.exe
Parent process: SetupHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Windows Diagnostics Tracking Runner
Exit code: 0
Version: 10.0.10586.0 (th2_release.151029-1700)
Modules (images loaded):
c:\$windows.~ws\sources\diagtrackrunner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
5560"C:\Users\admin\Desktop\MediaCreationTool2004.exe" C:\Users\admin\Desktop\MediaCreationTool2004.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows 10 Setup
Exit code:
3247440404
Version:
10.0.19041.1 (vb_release.191206-1406)
Modules
Images
c:\users\admin\desktop\mediacreationtool2004.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5696"C:\Users\admin\Desktop\MediaCreationTool2004.exe" C:\Users\admin\Desktop\MediaCreationTool2004.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows 10 Setup
Exit code:
3221226540
Version:
10.0.19041.1 (vb_release.191206-1406)
Modules
Images
c:\users\admin\desktop\mediacreationtool2004.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6016
CMD: C:\WINDOWS\System32\vdsldr.exe -Embedding
Path: C:\Windows\System32\vdsldr.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Virtual Disk Service Loader
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images loaded):
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 387
Read events
7 285
Write events
97
Delete events
5

Modification events

Columns: PID Process | Operation | Key | Name = Value

5560 MediaCreationTool2004.exe | delete key | HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile | (default) = (none)
5560 MediaCreationTool2004.exe | delete value | HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup | CorrelationVector = IYXEGxww/0WC95lB.37
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup | CorrelationVector = 7vgTMVoqkEOPOIHp.0
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360 | ETag = 1275:66A2A386
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360 | RefreshInterval = 1275
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters | os = windows
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters | osver = 10.0.19041.4046.amd64fre.vb_release.191206-1406
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters | scenarioId = 7
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters | platformEdition = Professional
1468 SetupHost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters | platformInstallationType = Client

The five QueryParameters values written by SetupHost.exe reappear verbatim in the settings-win.data.microsoft.com/settings/v2.0/WSD/Setup360 query string in the HTTP requests section, so the OneSettings fetch and the registry writes belong to the same setup telemetry step.
Executable files
19
Suspicious files
8
Text files
18
Unknown types
0

Dropped files

All files below were written by PID 5560 (MediaCreationTool2004.exe) into C:\$Windows.~WS\Sources\.

DU.dll (executable)
  MD5: E9288F69F282FA12B3D715B347C53AB4
  SHA256: B747C8B8CDCEEA10015FB1C77CC69D640E66EFE0736D3BB5D21021361E3A12AC
DiagTrack.dll (executable)
  MD5: 6C3F6A6BC5EDE978E9DFE1ACCE386339
  SHA256: B55D66F2943F1C63EA9B39DAE88AA2A4F91775CEFFFEFD263BD302866A7BD91C
setupplatform.cfg (text)
  MD5: 033E7ADC314C248CC29A9F14906C21E5
  SHA256: C40FDDBB16853406D12D30E01E170DE8474728BB8EC24794DB721DE0A7F67927
unbcl.dll (executable)
  MD5: 83A55F4CD54303B3AC7801EA4DCAA216
  SHA256: 8B78F4201F922B4AB073DFBEC9D8D16282B2C75FE8D26696801B6B6092157AE0
setupplatform.dll (executable)
  MD5: 708E1174EC0BFE638C7A51E21274925B
  SHA256: 3F1CB47A212684362F616AC53788CCA9AADEADB07ABD8CAA2BC4004C83C564D8
wdscsl.dll (executable)
  MD5: 4D6E0C125EA8E681867F306A7823FDB8
  SHA256: FE7491C23EA2CDC6C61313BCB9E62E28B464AD7F8FCF12A7D4375F2B47916D64
wdsclientapi.dll (executable)
  MD5: 9AEEAEDFC9974738DDEDDF2EC7388EA5
  SHA256: FA4E33AD23AA83A94513FF6D19CB7319713708BB484155B3995E91477E901E70
Diager.dll (executable)
  MD5: 933B36ECC94EAAF470797CEC0D585D94
  SHA256: 12E443FA12CD3D2C2FC9E9973C041EEDB821D3ACAF10A83BE639B7B17C21E247
DiagTrackRunner.exe (executable)
  MD5: 76F30A1E149792D2542A253B920CBEF6
  SHA256: 488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159
wdsutil.dll (executable)
  MD5: 64F04F79148DB2B4A962A9AB979CF85C
  SHA256: 4746667666DEAAA96880CDFA2273D142322B8050B687343DF32366E15FAA0DCB
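The "DLL Hijacking", "alternative data streams" and "name similar to system file names" indicators above all reduce to one question: are the PE files dropped into C:\$Windows.~WS\Sources\ signed Microsoft binaries with the expected hashes, or has something been planted next to SetupHost.exe so that it loads from its own directory instead of System32/SysWOW64? The PowerShell below is an added triage script, not part of the ANY.RUN report and not Microsoft code. It assumes the sample has been detonated on a Windows analyst VM so that the drop directory exists, takes the sample path and the SHA256 values from this report, and uses a function name (Test-DroppedBinary) chosen here for illustration.

```powershell
# Added triage script (not from the ANY.RUN report). Assumes the sample was run on an
# analyst VM so that C:\$Windows.~WS\Sources exists. Paths and expected hashes are
# copied from the report above; Test-DroppedBinary is our own helper name.
$SamplePath = 'C:\Users\admin\Desktop\MediaCreationTool2004.exe'   # sample path from the report
$DropDir    = 'C:\$Windows.~WS\Sources'                            # single quotes keep $Windows literal

# SHA256 of each dropped PE as listed in the report's "Dropped files" table (uppercase hex,
# which is also what Get-FileHash returns, so a plain string compare works).
$Expected = @{
    'DU.dll'              = 'B747C8B8CDCEEA10015FB1C77CC69D640E66EFE0736D3BB5D21021361E3A12AC'
    'DiagTrack.dll'       = 'B55D66F2943F1C63EA9B39DAE88AA2A4F91775CEFFFEFD263BD302866A7BD91C'
    'unbcl.dll'           = '8B78F4201F922B4AB073DFBEC9D8D16282B2C75FE8D26696801B6B6092157AE0'
    'setupplatform.dll'   = '3F1CB47A212684362F616AC53788CCA9AADEADB07ABD8CAA2BC4004C83C564D8'
    'wdscsl.dll'          = 'FE7491C23EA2CDC6C61313BCB9E62E28B464AD7F8FCF12A7D4375F2B47916D64'
    'wdsclientapi.dll'    = 'FA4E33AD23AA83A94513FF6D19CB7319713708BB484155B3995E91477E901E70'
    'Diager.dll'          = '12E443FA12CD3D2C2FC9E9973C041EEDB821D3ACAF10A83BE639B7B17C21E247'
    'DiagTrackRunner.exe' = '488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159'
    'wdsutil.dll'         = '4746667666DEAAA96880CDFA2273D142322B8050B687343DF32366E15FAA0DCB'
}

function Test-DroppedBinary {
    param([System.IO.FileInfo]$File)
    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $hash = (Get-FileHash -Algorithm SHA256 -Path $File.FullName).Hash
    # SetupHost.exe and DiagTrackRunner.exe are 32-bit (they load syswow64 DLLs), so a
    # same-named DLL in SysWOW64 is the one a planted copy in the app directory would shadow.
    $sys32 = Join-Path $env:SystemRoot "System32\$($File.Name)"
    $wow64 = Join-Path $env:SystemRoot "SysWOW64\$($File.Name)"
    # Every NTFS file has the unnamed ':$DATA' stream; anything else is an alternate data stream.
    $ads = @(Get-Item -LiteralPath $File.FullName -Stream * | Where-Object Stream -ne ':$DATA')
    [pscustomobject]@{
        Name         = $File.Name
        SigStatus    = $sig.Status                    # Valid / NotSigned / HashMismatch / ...
        Signer       = $sig.SignerCertificate.Subject # $null when unsigned
        HashMatches  = if ($Expected.ContainsKey($File.Name)) { $Expected[$File.Name] -eq $hash } else { 'n/a' }
        ShadowsSys32 = (Test-Path $sys32) -or (Test-Path $wow64)   # same name as a system DLL: hijack candidate
        AltStreams   = ($ads | ForEach-Object Stream) -join ','
    }
}

# 1. The sample itself: the version resource says Microsoft, only a valid signature proves it.
Get-AuthenticodeSignature -FilePath $SamplePath |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 2. Every PE dropped into the directory SetupHost.exe runs from, hijack candidates first.
Get-ChildItem -LiteralPath $DropDir -Include *.dll, *.exe -Recurse -File |
    ForEach-Object { Test-DroppedBinary $_ } |
    Sort-Object ShadowsSys32 -Descending |
    Format-Table -AutoSize
```

A row with ShadowsSys32 = True and SigStatus other than Valid (or a Microsoft-signed file whose hash differs from the report's) is the case the DLL-hijacking heuristic is meant to catch; rows that are Valid, Microsoft-signed and hash-matched explain the indicator without supporting the verdict. Run the same check on the sample on a clean machine, since the signature verdict does not depend on the sandbox.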
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
27
DNS requests
10
Threats
0

HTTP requests

Columns: PID Process | Method | HTTP code | IP:port | URL | CN | Type, Size | Reputation. Rows whose PID the report does not list are marked "(no PID listed)".

3560 svchost.exe | GET | 200 | 2.18.121.151:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | whitelisted
(no PID listed) | GET | 302 | 173.223.117.131:443 | https://go.microsoft.com/fwlink/?LinkId=841361 | unknown | | unknown
(no PID listed) | HEAD | 200 | 173.223.117.131:443 | https://download.microsoft.com/download/7/9/c/79cbc22a-0eea-4a0d-89c0-054a1b3aa8e0/products.cab | unknown | | unknown
(no PID listed) | HEAD | 302 | 173.223.117.131:443 | https://go.microsoft.com/fwlink/?LinkId=841361 | unknown | | unknown
(no PID listed) | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v2.0/telemetry/ASM-WindowsDefault?os=windows&deviceId=20444405-9D7F-43CD-AEDA-100DC65426CD&sampleId=24830449&deviceClass=Windows.Desktop&sku=48&osVer=10.0.19041.4046.amd64fre.vb_release.191206-1406&locale=en-US | unknown | binary, 137 Kb | whitelisted
(no PID listed) | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v2.0/utc/app?os=windows&deviceId=20444405-9D7F-43CD-AEDA-100DC65426CD&sampleId=24830449&deviceClass=Windows.Desktop&sku=48&osVer=10.0.19041.4046.amd64fre.vb_release.191206-1406&locale=en-US | unknown | binary, 127 Kb | whitelisted
(no PID listed) | GET | 200 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v2.0/WSD/Setup360?os=windows&osver=10.0.19041.4046.amd64fre.vb_release.191206-1406&scenarioId=7&platformEdition=Professional&platformInstallationType=Client&sku=48&deviceId=%7BBAD99146-31D3-4EC6-A1A4-BE76F32BA5D4%7D&appver=10.0.19041.1&appBuildLab=vb_release | unknown | binary, 67 b | whitelisted
3560 svchost.exe | GET | 200 | 173.223.117.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | whitelisted
4712 MoUsoCoreWorker.exe | GET | 200 | 173.223.117.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | whitelisted
4712 MoUsoCoreWorker.exe | GET | 200 | 2.18.121.151:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | whitelisted

Connections

Columns: PID Process | IP:port | Domain | ASN | CN | Reputation. Rows whose PID the report does not list are marked "(no PID listed)".

3560 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:137 | (local NetBIOS name-service broadcast, no domain) | | | whitelisted
4712 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID listed) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID listed) | 2.16.106.207:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 System | 192.168.100.255:138 | (local NetBIOS datagram broadcast, no domain) | | | whitelisted
3560 svchost.exe | 2.18.121.151:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
4712 MoUsoCoreWorker.exe | 2.18.121.151:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
3560 svchost.exe | 173.223.117.131:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
4712 MoUsoCoreWorker.exe | 173.223.117.131:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.16.106.207
  • 2.16.106.196
  • 2.16.106.200
whitelisted
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 2.18.121.151
  • 2.18.121.139
whitelisted
www.microsoft.com
  • 173.223.117.131
whitelisted
go.microsoft.com
  • 23.210.18.13
whitelisted
download.microsoft.com
  • 23.48.125.230
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
whitelisted

Threats

No threats detected
Debug messages

Messages captured from DiagTrackRunner.exe (the "Sends debugging messages" indicator above); each is emitted by diagtrack.dll loaded in that process:

DiagTrackRunner.exe: base\diagnosis\diagtrack\include\Utils.h(3489)\diagtrack.dll!7197DE0D: (caller: 71982AA8) ReturnHr(1) tid(13a4) 80070057 The parameter is incorrect.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsjsonparser.cpp(237)\diagtrack.dll!719A9131: (caller: 719A8C58) ReturnHr[PreRelease](3) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsjsonparser.cpp(145)\diagtrack.dll!719A8DEF: (caller: 719A8C68) ReturnHr[PreRelease](1) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsmanager.cpp(928)\diagtrack.dll!7199A080: (caller: 71999034) ReturnHr[PreRelease](6) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsjsonparser.cpp(81)\diagtrack.dll!719A8A84: (caller: 719A90DC) ReturnHr[PreRelease](4) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsmanager.cpp(590)\diagtrack.dll!7199904D: (caller: 7199894E) ReturnHr[PreRelease](7) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsmanager.cpp(472)\diagtrack.dll!71998965: (caller: 7199837B) LogHr(1) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsjsonparser.cpp(237)\diagtrack.dll!719A9131: (caller: 71999FF1) ReturnHr[PreRelease](5) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsjsonparser.cpp(81)\diagtrack.dll!719A8A84: (caller: 719A90DC) ReturnHr[PreRelease](2) tid(13a4) 8007064A The configuration data for this product is corrupt. Contact your support personnel.
DiagTrackRunner.exe: base\diagnosis\diagtrack\engine\settingsmanager.cpp(589)\diagtrack.dll!7199904D: (caller: 71998BC7) ReturnHr[PreRelease](8) tid(13a4) 80070002 The system cannot find the file specified.