Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/5d9026c9-b545-4f43-a3d0-89f7d1e33d1d
Verdict:	Malicious activity
Analysis date:	October 29, 2023, 08:37:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A2E415FCAC3787D749EEE6F7817B4C4B
SHA1:	8825A257D094D8DAA3D283DE538D126882A52DA7
SHA256:	ED7481B49BACDFC9B2DB2CB1C6203CA29E4CB1F5BD657094F23B29CA8216BF3E
SSDEEP:	12288:a+bT9MaRjVdVbk8KHT7lcocklLtqZZrAttJVVVVVVVVVVVVVVVVVVVOVVVVVVVVR:a+VMaRjEz7BHbH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 2800)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 2056)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 2548)
  - mscorsvw.exe (PID: 3424)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 2460)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2260)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 3856)
  - mscorsvw.exe (PID: 3756)
  - mscorsvw.exe (PID: 3532)
  - mscorsvw.exe (PID: 4064)
  - mscorsvw.exe (PID: 2296)
  - mscorsvw.exe (PID: 2440)
- Application was dropped or rewritten from another process
  - NDP472-KB4054531-Web.exe (PID: 948)
  - Setup.exe (PID: 2752)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - SetupUtility.exe (PID: 3940)
  - SetupUtility.exe (PID: 3308)
  - ServiceModelReg.exe (PID: 1120)
  - regtlibv12.exe (PID: 1792)
  - aspnet_regiis.exe (PID: 3488)
  - mscorsvw.exe (PID: 3708)
  - ngen.exe (PID: 568)
  - mscorsvw.exe (PID: 3072)
  - mscorsvw.exe (PID: 2608)
  - ngen.exe (PID: 3500)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 3040)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 2888)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 2548)
  - mscorsvw.exe (PID: 3052)
  - mscorsvw.exe (PID: 1876)
  - mscorsvw.exe (PID: 2800)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 3424)
  - mscorsvw.exe (PID: 992)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 2056)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2820)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 2260)
  - mscorsvw.exe (PID: 2132)
  - mscorsvw.exe (PID: 3756)
  - mscorsvw.exe (PID: 2460)
  - mscorsvw.exe (PID: 2544)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 3368)
  - mscorsvw.exe (PID: 1304)
  - mscorsvw.exe (PID: 2724)
  - mscorsvw.exe (PID: 3568)
  - mscorsvw.exe (PID: 3412)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 528)
  - mscorsvw.exe (PID: 2100)
  - mscorsvw.exe (PID: 3856)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 2196)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 576)
  - mscorsvw.exe (PID: 3532)
  - mscorsvw.exe (PID: 2420)
  - mscorsvw.exe (PID: 124)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 1688)
  - mscorsvw.exe (PID: 4064)
  - mscorsvw.exe (PID: 2904)
  - mscorsvw.exe (PID: 1052)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 2680)
  - mscorsvw.exe (PID: 3596)
  - mscorsvw.exe (PID: 1988)
  - mscorsvw.exe (PID: 884)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 124)
  - mscorsvw.exe (PID: 2488)
  - mscorsvw.exe (PID: 2028)
  - mscorsvw.exe (PID: 3664)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 3428)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 876)
  - mscorsvw.exe (PID: 2484)
  - mscorsvw.exe (PID: 1240)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 3676)
  - mscorsvw.exe (PID: 2820)
  - mscorsvw.exe (PID: 3480)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 4068)
  - mscorsvw.exe (PID: 3536)
  - mscorsvw.exe (PID: 4028)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 2344)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 3408)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 2296)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 3160)
  - mscorsvw.exe (PID: 2900)
  - mscorsvw.exe (PID: 1908)
  - mscorsvw.exe (PID: 1560)
  - mscorsvw.exe (PID: 1140)
  - mscorsvw.exe (PID: 3600)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 3200)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 2520)
- Creates a writable file the system directory
  - msiexec.exe (PID: 3976)
  - aspnet_regiis.exe (PID: 3488)
- Changes the autorun value in the registry
  - msiexec.exe (PID: 3976)
- Loads dropped or rewritten executable
  - svchost.exe (PID: 752)
  - aspnet_regiis.exe (PID: 3488)
  - mscorsvw.exe (PID: 3708)
  - ngen.exe (PID: 568)
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 2608)
  - ngen.exe (PID: 3500)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 3072)
SUSPICIOUS
- Reads the Internet Settings
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Reads security settings of Internet Explorer
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Process drops legitimate windows executable
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 2800)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 2056)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 2548)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2260)
  - mscorsvw.exe (PID: 3424)
  - mscorsvw.exe (PID: 2460)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 3856)
  - mscorsvw.exe (PID: 3756)
  - mscorsvw.exe (PID: 3532)
  - mscorsvw.exe (PID: 4064)
  - mscorsvw.exe (PID: 2296)
  - mscorsvw.exe (PID: 2440)
- Reads settings of System Certificates
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Checks Windows Trust Settings
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
  - msiexec.exe (PID: 3976)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 3976)
- Adds/modifies Windows certificates
  - NDP472-KB4054531-Web.exe (PID: 2612)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 3188)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 3976)
- Creates/Modifies COM task schedule object
  - msiexec.exe (PID: 3976)
- Checks for the .NET to be installed
  - msiexec.exe (PID: 3976)
- Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest
  - ServiceModelReg.exe (PID: 1120)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - ServiceModelReg.exe (PID: 1120)
- Application launched itself
  - mscorsvw.exe (PID: 3708)
INFO
- Checks supported languages
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - SetupUtility.exe (PID: 3940)
  - SetupUtility.exe (PID: 3308)
  - TMPE14C.tmp.exe (PID: 4088)
  - msiexec.exe (PID: 3976)
  - msiexec.exe (PID: 1884)
  - msiexec.exe (PID: 4032)
  - regtlibv12.exe (PID: 1792)
  - ServiceModelReg.exe (PID: 1120)
  - aspnet_regiis.exe (PID: 3488)
  - mscorsvw.exe (PID: 3708)
  - mscorsvw.exe (PID: 3072)
  - ngen.exe (PID: 568)
  - mscorsvw.exe (PID: 2608)
  - ngen.exe (PID: 3500)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3292)
- Reads the machine GUID from the registry
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - SetupUtility.exe (PID: 3940)
  - msiexec.exe (PID: 3976)
  - msiexec.exe (PID: 4032)
  - msiexec.exe (PID: 1884)
  - aspnet_regiis.exe (PID: 3488)
  - mscorsvw.exe (PID: 3708)
  - mscorsvw.exe (PID: 3072)
  - mscorsvw.exe (PID: 2608)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 1832)
- Create files in a temporary directory
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - Setup.exe (PID: 2752)
  - TMPE14C.tmp.exe (PID: 4088)
  - SetupUtility.exe (PID: 3940)
  - msiexec.exe (PID: 3976)
  - ServiceModelReg.exe (PID: 1120)
  - mofcomp.exe (PID: 976)
  - mofcomp.exe (PID: 1872)
  - aspnet_regiis.exe (PID: 3488)
  - mofcomp.exe (PID: 2688)
- Creates files or folders in the user directory
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Checks proxy server information
  - setup.exe (PID: 1764)
- Reads the computer name
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - SetupUtility.exe (PID: 3940)
  - SetupUtility.exe (PID: 3308)
  - TMPE14C.tmp.exe (PID: 4088)
  - msiexec.exe (PID: 3976)
  - msiexec.exe (PID: 4032)
  - msiexec.exe (PID: 1884)
  - ServiceModelReg.exe (PID: 1120)
  - aspnet_regiis.exe (PID: 3488)
  - ngen.exe (PID: 568)
  - mscorsvw.exe (PID: 3708)
  - mscorsvw.exe (PID: 3072)
  - mscorsvw.exe (PID: 2608)
  - ngen.exe (PID: 3500)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3292)
- Reads Environment values
  - Setup.exe (PID: 2752)
- Reads CPU info
  - Setup.exe (PID: 2752)
- Application launched itself
  - msiexec.exe (PID: 3976)
  - msedge.exe (PID: 3760)
- Manual execution by a user
  - explorer.exe (PID: 2380)
  - msedge.exe (PID: 3760)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3976)
- Creates or modifies Windows services
  - msiexec.exe (PID: 3976)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:04:06 20:30:14+02:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.34
CodeSize:	387072
InitializedDataSize:	167424
UninitializedDataSize:	-
EntryPoint:	0x38be3
OSVersion:	5.1
ImageVersion:	10
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	17.0.33606.225
ProductVersionNumber:	17.0.33606.225
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	-
FileDescription:	Setup
FileVersion:	17.0.33606.225 built by: D17.6
InternalName:	setup.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	setup.exe
ProductName:	-
ProductVersion:	17.0.33606.225

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

321

Monitored processes

263

Malicious processes

185

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 0 -NGENProcess 4ac -Pipe 4b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 0 -NGENProcess 4b8 -Pipe 4e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 224 -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mscoree.dll

316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 0 -NGENProcess 484 -Pipe 438 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 0 -NGENProcess 3f0 -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 0 -NGENProcess 3dc -Pipe 444 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Add for printing

Total events

91 746

Read events

85 417

Write events

4 435

Delete events

1 894

Modification events


(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1764) setup.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(752) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational
Operation:	write	Name:	Enabled
Value: 0

Add for printing

Executable files

2 660

Suspicious files

211

Text files

512

Unknown types

Dropped files

PID	Process	Filename		Type
1764	setup.exe	C:\Users\admin\AppData\Local\Temp\VSDAAC4.tmp\setup.exe		executable
		MD5:A2E415FCAC3787D749EEE6F7817B4C4B	SHA256:ED7481B49BACDFC9B2DB2CB1C6203CA29E4CB1F5BD657094F23B29CA8216BF3E
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		compressed
		MD5:1BFE591A4FE3D91B03CDF26EAACD8F89	SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\Graphics\Print.ico		image
		MD5:D39BAD9DDA7B91613CB29B6BD55F0901	SHA256:D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:E07070408CD79AE9F3409A1CC97A80DF	SHA256:0F107EB00BDA3188B04F0ABD3F84C3F45B7888913B41FFC08445D83C89053B2F
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:71CC7FE80E7AC741DB188773FB989FB2	SHA256:D78F7EA85AA6AC5FB1337908095C4F2867D7F2C1240E997A2F1B4B6104E31051
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE		binary
		MD5:17935D0900F3E45C520A946731BB25CC	SHA256:82AC0B136AB0A576001BE62AE70B024BB7C7A41F427853F611AB21CA67281756
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\DisplayIcon.ico		image
		MD5:F9657D290048E169FFABBBB9C7412BE0	SHA256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:95EA59E5636A1BF3E10BB3A9622FE295	SHA256:41EA357CDBB90FED0F4C71E1CE59F5BE46AFF29998218C1EBC227329C8601C0B
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:A3E883E15529C3B9DC7DA33B98761DAA	SHA256:04DBB3B3BBE0CB6A1358FAD571BE5C0414908AD453DAA0A7DB0B54A128DEADB0
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\SplashScreen.bmp		image
		MD5:BC32088BFAA1C76BA4B56639A2DEC592	SHA256:B05141DBC71669A7872A8E735E5E43A7F9713D4363B7A97543E1E05DCD7470A7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=x86&o1=netfx_Full.mzz	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full_x86.msi	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03081.00&sar=amd64&o1=netfx_Patch_x86.msp	unknown	—	—	unknown
1764	setup.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkId=863262&clcid=0x409	unknown	—	—	unknown
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03081.00&sar=amd64&o1=netfx_Patch_x86.msp	unknown	—	—	unknown
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkId=328846&clcid=0x409	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkId=328846&clcid=0x409	unknown	—	—	unknown
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full_x86.msi	unknown	—	—	unknown
1764	setup.exe	GET	200	209.197.3.8:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?69e7b5db3330d6d7	unknown	compressed	4.66 Kb	unknown
1764	setup.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt	unknown	binary	1.87 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1088	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2656	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1764	setup.exe	23.218.210.69:80	go.microsoft.com	AKAMAI-AS	DE	unknown
1764	setup.exe	68.232.34.200:443	download.visualstudio.microsoft.com	EDGECAST	US	whitelisted
1764	setup.exe	209.197.3.8:80	ctldl.windowsupdate.com	STACKPATH-CDN	US	whitelisted
1764	setup.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1764	setup.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
1764	setup.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
go.microsoft.com	23.218.210.69	whitelisted
download.visualstudio.microsoft.com	68.232.34.200	whitelisted
ctldl.windowsupdate.com	209.197.3.8	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
download.microsoft.com	2.19.100.212	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com	67.27.159.252 8.253.95.116 67.27.233.252	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

setup.exe

A2E415FCAC3787D749EEE6F7817B4C4B

8825A257D094D8DAA3D283DE538D126882A52DA7

ED7481B49BACDFC9B2DB2CB1C6203CA29E4CB1F5BD657094F23B29CA8216BF3E

12288:a+bT9MaRjVdVbk8KHT7lcocklLtqZZrAttJVVVVVVVVVVVVVVVVVVVOVVVVVVVVR:a+VMaRjEz7BHbH

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was dropped or rewritten from another process

Creates a writable file the system directory

Changes the autorun value in the registry

Loads dropped or rewritten executable

SUSPICIOUS

Reads the Internet Settings

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Reads settings of System Certificates

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Adds/modifies Windows certificates

The process creates files with name similar to system file names

The process drops C-runtime libraries

Creates/Modifies COM task schedule object

Checks for the .NET to be installed

Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Application launched itself

INFO

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information

Reads the computer name

Reads Environment values

Reads CPU info

Application launched itself

Manual execution by a user

Creates a software uninstall entry

Creates or modifies Windows services

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings