Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/5d9026c9-b545-4f43-a3d0-89f7d1e33d1d
Verdict:	Malicious activity
Analysis date:	October 29, 2023, 08:37:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A2E415FCAC3787D749EEE6F7817B4C4B
SHA1:	8825A257D094D8DAA3D283DE538D126882A52DA7
SHA256:	ED7481B49BACDFC9B2DB2CB1C6203CA29E4CB1F5BD657094F23B29CA8216BF3E
SSDEEP:	12288:a+bT9MaRjVdVbk8KHT7lcocklLtqZZrAttJVVVVVVVVVVVVVVVVVVVOVVVVVVVVR:a+VMaRjEz7BHbH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 2800)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 3424)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 2460)
  - mscorsvw.exe (PID: 2056)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 2548)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2260)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 3756)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 3856)
  - mscorsvw.exe (PID: 4064)
  - mscorsvw.exe (PID: 3532)
  - mscorsvw.exe (PID: 2296)
  - mscorsvw.exe (PID: 2440)
- Application was dropped or rewritten from another process
  - NDP472-KB4054531-Web.exe (PID: 948)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - Setup.exe (PID: 2752)
  - SetupUtility.exe (PID: 3940)
  - SetupUtility.exe (PID: 3308)
  - ServiceModelReg.exe (PID: 1120)
  - aspnet_regiis.exe (PID: 3488)
  - ngen.exe (PID: 568)
  - mscorsvw.exe (PID: 3708)
  - regtlibv12.exe (PID: 1792)
  - mscorsvw.exe (PID: 3072)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 2608)
  - ngen.exe (PID: 3500)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 2888)
  - mscorsvw.exe (PID: 3052)
  - mscorsvw.exe (PID: 1876)
  - mscorsvw.exe (PID: 2800)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 2548)
  - mscorsvw.exe (PID: 992)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 2056)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 2460)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 3424)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 2132)
  - mscorsvw.exe (PID: 2260)
  - mscorsvw.exe (PID: 3756)
  - mscorsvw.exe (PID: 2196)
  - mscorsvw.exe (PID: 2544)
  - mscorsvw.exe (PID: 3368)
  - mscorsvw.exe (PID: 1304)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2820)
  - mscorsvw.exe (PID: 2100)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 3856)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 3532)
  - mscorsvw.exe (PID: 3568)
  - mscorsvw.exe (PID: 2724)
  - mscorsvw.exe (PID: 528)
  - mscorsvw.exe (PID: 3412)
  - mscorsvw.exe (PID: 884)
  - mscorsvw.exe (PID: 576)
  - mscorsvw.exe (PID: 1688)
  - mscorsvw.exe (PID: 124)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 1052)
  - mscorsvw.exe (PID: 4064)
  - mscorsvw.exe (PID: 2904)
  - mscorsvw.exe (PID: 3596)
  - mscorsvw.exe (PID: 2680)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 1988)
  - mscorsvw.exe (PID: 2420)
  - mscorsvw.exe (PID: 2028)
  - mscorsvw.exe (PID: 2488)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 3664)
  - mscorsvw.exe (PID: 876)
  - mscorsvw.exe (PID: 2484)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 3676)
  - mscorsvw.exe (PID: 2820)
  - mscorsvw.exe (PID: 1140)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3428)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 124)
  - mscorsvw.exe (PID: 1240)
  - mscorsvw.exe (PID: 3600)
  - mscorsvw.exe (PID: 4068)
  - mscorsvw.exe (PID: 3536)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 2344)
  - mscorsvw.exe (PID: 3408)
  - mscorsvw.exe (PID: 4028)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 3200)
  - mscorsvw.exe (PID: 3160)
  - mscorsvw.exe (PID: 3480)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2296)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 2900)
  - mscorsvw.exe (PID: 1908)
  - mscorsvw.exe (PID: 1560)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 3400)
- Creates a writable file the system directory
  - msiexec.exe (PID: 3976)
  - aspnet_regiis.exe (PID: 3488)
- Changes the autorun value in the registry
  - msiexec.exe (PID: 3976)
- Loads dropped or rewritten executable
  - svchost.exe (PID: 752)
  - aspnet_regiis.exe (PID: 3488)
  - ngen.exe (PID: 568)
  - msiexec.exe (PID: 3976)
  - ngen.exe (PID: 3500)
  - mscorsvw.exe (PID: 2608)
  - mscorsvw.exe (PID: 3072)
  - mscorsvw.exe (PID: 3708)
  - ngen.exe (PID: 3016)
SUSPICIOUS
- Checks Windows Trust Settings
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
  - msiexec.exe (PID: 3976)
- Process drops legitimate windows executable
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 2800)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 1596)
  - mscorsvw.exe (PID: 2056)
  - mscorsvw.exe (PID: 2548)
  - mscorsvw.exe (PID: 3424)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 2452)
  - mscorsvw.exe (PID: 2460)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2260)
  - mscorsvw.exe (PID: 3756)
  - mscorsvw.exe (PID: 3104)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 3856)
  - mscorsvw.exe (PID: 4064)
  - mscorsvw.exe (PID: 3532)
  - mscorsvw.exe (PID: 2296)
  - mscorsvw.exe (PID: 2440)
- Reads security settings of Internet Explorer
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Reads the Internet Settings
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Reads settings of System Certificates
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Adds/modifies Windows certificates
  - NDP472-KB4054531-Web.exe (PID: 2612)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 3976)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 3976)
  - mscorsvw.exe (PID: 3188)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 3976)
- Creates/Modifies COM task schedule object
  - msiexec.exe (PID: 3976)
- Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest
  - ServiceModelReg.exe (PID: 1120)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - ServiceModelReg.exe (PID: 1120)
- Application launched itself
  - mscorsvw.exe (PID: 3708)
- Checks for the .NET to be installed
  - msiexec.exe (PID: 3976)
INFO
- Checks proxy server information
  - setup.exe (PID: 1764)
- Checks supported languages
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - SetupUtility.exe (PID: 3940)
  - SetupUtility.exe (PID: 3308)
  - TMPE14C.tmp.exe (PID: 4088)
  - msiexec.exe (PID: 3976)
  - msiexec.exe (PID: 4032)
  - msiexec.exe (PID: 1884)
  - ServiceModelReg.exe (PID: 1120)
  - Setup.exe (PID: 2752)
  - regtlibv12.exe (PID: 1792)
  - aspnet_regiis.exe (PID: 3488)
  - ngen.exe (PID: 568)
  - mscorsvw.exe (PID: 3708)
  - mscorsvw.exe (PID: 3072)
  - ngen.exe (PID: 3500)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 2608)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 1832)
- Create files in a temporary directory
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - SetupUtility.exe (PID: 3940)
  - TMPE14C.tmp.exe (PID: 4088)
  - msiexec.exe (PID: 3976)
  - ServiceModelReg.exe (PID: 1120)
  - Setup.exe (PID: 2752)
  - mofcomp.exe (PID: 1872)
  - mofcomp.exe (PID: 976)
  - mofcomp.exe (PID: 2688)
  - aspnet_regiis.exe (PID: 3488)
- Reads the computer name
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - Setup.exe (PID: 2752)
  - SetupUtility.exe (PID: 3940)
  - SetupUtility.exe (PID: 3308)
  - TMPE14C.tmp.exe (PID: 4088)
  - msiexec.exe (PID: 3976)
  - msiexec.exe (PID: 4032)
  - msiexec.exe (PID: 1884)
  - ServiceModelReg.exe (PID: 1120)
  - ngen.exe (PID: 568)
  - mscorsvw.exe (PID: 3708)
  - aspnet_regiis.exe (PID: 3488)
  - mscorsvw.exe (PID: 3072)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 2608)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 4000)
  - ngen.exe (PID: 3500)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3292)
- Reads the machine GUID from the registry
  - setup.exe (PID: 1764)
  - NDP472-KB4054531-Web.exe (PID: 2612)
  - Setup.exe (PID: 2752)
  - SetupUtility.exe (PID: 3940)
  - msiexec.exe (PID: 4032)
  - msiexec.exe (PID: 3976)
  - msiexec.exe (PID: 1884)
  - aspnet_regiis.exe (PID: 3488)
  - mscorsvw.exe (PID: 3072)
  - mscorsvw.exe (PID: 3708)
  - mscorsvw.exe (PID: 3040)
  - ngen.exe (PID: 3016)
  - mscorsvw.exe (PID: 1576)
  - mscorsvw.exe (PID: 2764)
  - mscorsvw.exe (PID: 888)
  - mscorsvw.exe (PID: 3768)
  - mscorsvw.exe (PID: 2312)
  - mscorsvw.exe (PID: 2972)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 300)
  - mscorsvw.exe (PID: 2356)
  - mscorsvw.exe (PID: 2492)
  - mscorsvw.exe (PID: 3084)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3040)
  - mscorsvw.exe (PID: 3508)
  - mscorsvw.exe (PID: 3980)
  - mscorsvw.exe (PID: 1568)
  - mscorsvw.exe (PID: 3180)
  - mscorsvw.exe (PID: 2608)
  - mscorsvw.exe (PID: 2472)
  - mscorsvw.exe (PID: 2568)
  - mscorsvw.exe (PID: 4000)
  - mscorsvw.exe (PID: 1432)
  - mscorsvw.exe (PID: 3376)
  - mscorsvw.exe (PID: 1616)
  - mscorsvw.exe (PID: 2440)
  - mscorsvw.exe (PID: 1012)
  - mscorsvw.exe (PID: 3732)
  - mscorsvw.exe (PID: 3276)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 2272)
  - mscorsvw.exe (PID: 2404)
  - mscorsvw.exe (PID: 3400)
  - mscorsvw.exe (PID: 240)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 3696)
  - mscorsvw.exe (PID: 3300)
  - mscorsvw.exe (PID: 2620)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 3208)
  - mscorsvw.exe (PID: 3652)
  - mscorsvw.exe (PID: 3056)
  - mscorsvw.exe (PID: 1768)
  - mscorsvw.exe (PID: 3188)
  - mscorsvw.exe (PID: 3952)
  - mscorsvw.exe (PID: 1832)
  - mscorsvw.exe (PID: 3780)
  - mscorsvw.exe (PID: 3472)
  - mscorsvw.exe (PID: 584)
  - mscorsvw.exe (PID: 1820)
  - mscorsvw.exe (PID: 272)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 3024)
  - mscorsvw.exe (PID: 2556)
  - mscorsvw.exe (PID: 3940)
  - mscorsvw.exe (PID: 3380)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 3748)
  - mscorsvw.exe (PID: 2892)
  - mscorsvw.exe (PID: 2232)
  - mscorsvw.exe (PID: 3524)
  - mscorsvw.exe (PID: 1628)
  - mscorsvw.exe (PID: 3172)
  - mscorsvw.exe (PID: 3720)
  - mscorsvw.exe (PID: 3036)
  - mscorsvw.exe (PID: 2252)
  - mscorsvw.exe (PID: 664)
  - mscorsvw.exe (PID: 948)
  - mscorsvw.exe (PID: 2480)
  - mscorsvw.exe (PID: 2732)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 3620)
  - mscorsvw.exe (PID: 1612)
  - mscorsvw.exe (PID: 3344)
  - mscorsvw.exe (PID: 3716)
  - mscorsvw.exe (PID: 1812)
  - mscorsvw.exe (PID: 2308)
  - mscorsvw.exe (PID: 568)
  - mscorsvw.exe (PID: 2520)
  - mscorsvw.exe (PID: 2968)
  - mscorsvw.exe (PID: 1804)
  - mscorsvw.exe (PID: 4008)
  - mscorsvw.exe (PID: 2128)
  - mscorsvw.exe (PID: 2600)
  - mscorsvw.exe (PID: 3656)
  - mscorsvw.exe (PID: 3164)
  - mscorsvw.exe (PID: 2380)
  - mscorsvw.exe (PID: 316)
  - mscorsvw.exe (PID: 3872)
  - mscorsvw.exe (PID: 3388)
  - mscorsvw.exe (PID: 2124)
  - mscorsvw.exe (PID: 2816)
  - mscorsvw.exe (PID: 2340)
  - mscorsvw.exe (PID: 2844)
  - mscorsvw.exe (PID: 3672)
  - mscorsvw.exe (PID: 1324)
  - mscorsvw.exe (PID: 3544)
  - mscorsvw.exe (PID: 2436)
  - mscorsvw.exe (PID: 1484)
  - mscorsvw.exe (PID: 3604)
  - mscorsvw.exe (PID: 3744)
  - mscorsvw.exe (PID: 1992)
  - mscorsvw.exe (PID: 3612)
  - mscorsvw.exe (PID: 2360)
  - mscorsvw.exe (PID: 2008)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 916)
  - mscorsvw.exe (PID: 1412)
  - mscorsvw.exe (PID: 3516)
  - mscorsvw.exe (PID: 1608)
  - mscorsvw.exe (PID: 2840)
  - mscorsvw.exe (PID: 148)
  - mscorsvw.exe (PID: 556)
  - mscorsvw.exe (PID: 3496)
  - mscorsvw.exe (PID: 1592)
  - mscorsvw.exe (PID: 1232)
  - mscorsvw.exe (PID: 2264)
  - mscorsvw.exe (PID: 1636)
  - mscorsvw.exe (PID: 1080)
  - mscorsvw.exe (PID: 964)
  - mscorsvw.exe (PID: 3168)
  - mscorsvw.exe (PID: 388)
  - mscorsvw.exe (PID: 1124)
  - mscorsvw.exe (PID: 3248)
  - mscorsvw.exe (PID: 2268)
  - mscorsvw.exe (PID: 520)
  - mscorsvw.exe (PID: 3292)
  - mscorsvw.exe (PID: 1832)
- Creates files or folders in the user directory
  - setup.exe (PID: 1764)
  - Setup.exe (PID: 2752)
- Reads CPU info
  - Setup.exe (PID: 2752)
- Reads Environment values
  - Setup.exe (PID: 2752)
- Application launched itself
  - msiexec.exe (PID: 3976)
  - msedge.exe (PID: 3760)
- Manual execution by a user
  - explorer.exe (PID: 2380)
  - msedge.exe (PID: 3760)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3976)
- Creates or modifies Windows services
  - msiexec.exe (PID: 3976)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:04:06 20:30:14+02:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.34
CodeSize:	387072
InitializedDataSize:	167424
UninitializedDataSize:	-
EntryPoint:	0x38be3
OSVersion:	5.1
ImageVersion:	10
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	17.0.33606.225
ProductVersionNumber:	17.0.33606.225
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	-
FileDescription:	Setup
FileVersion:	17.0.33606.225 built by: D17.6
InternalName:	setup.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	setup.exe
ProductName:	-
ProductVersion:	17.0.33606.225

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

321

Monitored processes

263

Malicious processes

185

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 0 -NGENProcess 4ac -Pipe 4b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 0 -NGENProcess 4b8 -Pipe 4e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 224 -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mscoree.dll

316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 0 -NGENProcess 484 -Pipe 438 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 0 -NGENProcess 3f0 -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll

388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 0 -NGENProcess 3dc -Pipe 444 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.7.3062.0 built by: NET472REL1

Add for printing

Total events

91 746

Read events

85 417

Write events

4 435

Delete events

1 894

Modification events


(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1764) setup.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1764) setup.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(752) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational
Operation:	write	Name:	Enabled
Value: 0

Add for printing

Executable files

2 660

Suspicious files

211

Text files

512

Unknown types

Dropped files

PID	Process	Filename		Type
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE		binary
		MD5:17935D0900F3E45C520A946731BB25CC	SHA256:82AC0B136AB0A576001BE62AE70B024BB7C7A41F427853F611AB21CA67281756
1764	setup.exe	C:\Users\admin\AppData\Local\Temp\VSDAAC4.tmp\setup.exe		executable
		MD5:A2E415FCAC3787D749EEE6F7817B4C4B	SHA256:ED7481B49BACDFC9B2DB2CB1C6203CA29E4CB1F5BD657094F23B29CA8216BF3E
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:A3E883E15529C3B9DC7DA33B98761DAA	SHA256:04DBB3B3BBE0CB6A1358FAD571BE5C0414908AD453DAA0A7DB0B54A128DEADB0
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:5274F924E5ACE2A50BE6A2D21E90E464	SHA256:9D1EEEEC668F562658A1FC7B44407FAEE2FC03EC31AC8E3592D479585B5C5DD2
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\header.bmp		image
		MD5:41C22EFA84CA74F0CE7076EB9A482E38	SHA256:255025A0D79EF2DAC04BD610363F966EF58328400BF31E1F8915E676478CD750
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F9C57C8B55E84B295CBBD8CF3D95BF44		binary
		MD5:CE02A0499711D1F1A3FCFC3C699A6C97	SHA256:56DA8722AFD94066FFE1E4595473A4854892B843A0827D53FB7D8F4AEED1E18B
1764	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956		binary
		MD5:71CC7FE80E7AC741DB188773FB989FB2	SHA256:D78F7EA85AA6AC5FB1337908095C4F2867D7F2C1240E997A2F1B4B6104E31051
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\Graphics\Rotate10.ico		image
		MD5:0CCA04A3468575FDCEFEE9957E32F904	SHA256:B94E68C711B3B06D9A63C80AD013C7C7BBDB5F8E82CBC866B246FF22D99B03FE
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\Graphics\Print.ico		image
		MD5:D39BAD9DDA7B91613CB29B6BD55F0901	SHA256:D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6
2612	NDP472-KB4054531-Web.exe	C:\aee80d164f42231c98d7cd221f41f2\SplashScreen.bmp		image
		MD5:BC32088BFAA1C76BA4B56639A2DEC592	SHA256:B05141DBC71669A7872A8E735E5E43A7F9713D4363B7A97543E1E05DCD7470A7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full_x86.msi	unknown	—	—	unknown
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=x86&o1=netfx_Full.mzz	unknown	—	—	unknown
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03081.00&sar=amd64&o1=netfx_Patch_x86.msp	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=x86&o1=netfx_Full.mzz	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03081.00&sar=amd64&o1=netfx_Patch_x86.msp	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net472Rel1&plcid=0x409&clcid=0x409&ar=03062.00&sar=amd64&o1=netfx_Full_x86.msi	unknown	—	—	unknown
864	svchost.exe	HEAD	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkId=328846&clcid=0x409	unknown	—	—	unknown
864	svchost.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkId=328846&clcid=0x409	unknown	—	—	unknown
1764	setup.exe	GET	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkId=863262&clcid=0x409	unknown	—	—	unknown
1764	setup.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	der	1.11 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1088	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2656	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1764	setup.exe	23.218.210.69:80	go.microsoft.com	AKAMAI-AS	DE	unknown
1764	setup.exe	68.232.34.200:443	download.visualstudio.microsoft.com	EDGECAST	US	whitelisted
1764	setup.exe	209.197.3.8:80	ctldl.windowsupdate.com	STACKPATH-CDN	US	whitelisted
1764	setup.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1764	setup.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
1764	setup.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
go.microsoft.com	23.218.210.69	whitelisted
download.visualstudio.microsoft.com	68.232.34.200	whitelisted
ctldl.windowsupdate.com	209.197.3.8	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
download.microsoft.com	2.19.100.212	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com	67.27.159.252 8.253.95.116 67.27.233.252	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

setup.exe

A2E415FCAC3787D749EEE6F7817B4C4B

8825A257D094D8DAA3D283DE538D126882A52DA7

ED7481B49BACDFC9B2DB2CB1C6203CA29E4CB1F5BD657094F23B29CA8216BF3E

12288:a+bT9MaRjVdVbk8KHT7lcocklLtqZZrAttJVVVVVVVVVVVVVVVVVVVOVVVVVVVVR:a+VMaRjEz7BHbH

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was dropped or rewritten from another process

Creates a writable file the system directory

Changes the autorun value in the registry

Loads dropped or rewritten executable

SUSPICIOUS

Checks Windows Trust Settings

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the Internet Settings

Reads settings of System Certificates

Adds/modifies Windows certificates

Reads the Windows owner or organization settings

The process creates files with name similar to system file names

The process drops C-runtime libraries

Creates/Modifies COM task schedule object

Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Application launched itself

Checks for the .NET to be installed

INFO

Checks proxy server information

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads CPU info

Reads Environment values

Application launched itself

Manual execution by a user

Creates a software uninstall entry

Creates or modifies Windows services

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings