File name: nice_protect_demo.exe

Full analysis: https://app.any.run/tasks/f7df599e-da7b-4bd2-b8ff-fbcbf8a11e2b
Verdict: Malicious activity
Analysis date: March 05, 2024, 23:41:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7809FCAD19F6F27508A63465EA0A6175
SHA1: 2AEA80DB3E1EAF7A5355619F7D5FFC2D2418687E
SHA256: 719F9BAEA1A3D27047B9D8CC3EF161D61269E6143704DFCA98F00B53D2C06E29
SSDEEP: 98304:3wTrAzQQEbHSsOjtmLaSqS2gl6j47MU80xXDxWFP1HSeFOmuZhswKAZ3QmXciHxO:cHXF3qrQUIO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nice_protect_demo.exe (PID: 3864)
      • nice_protect_demo.exe (PID: 1876)
      • nice_protect_demo.tmp (PID: 1492)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • nice_protect_demo.exe (PID: 3864)
      • nice_protect_demo.exe (PID: 1876)
      • nice_protect_demo.tmp (PID: 1492)
    • Reads the Windows owner or organization settings

      • nice_protect_demo.tmp (PID: 1492)
  • INFO

    • Checks supported languages

      • nice_protect_demo.tmp (PID: 2160)
      • nice_protect_demo.exe (PID: 3864)
      • nice_protect_demo.exe (PID: 1876)
      • nice_protect_demo.tmp (PID: 1492)
      • DotFixNiceProtectDemo.exe (PID: 2856)
    • Reads the computer name

      • nice_protect_demo.tmp (PID: 2160)
      • nice_protect_demo.tmp (PID: 1492)
      • DotFixNiceProtectDemo.exe (PID: 2856)
    • Create files in a temporary directory

      • nice_protect_demo.exe (PID: 3864)
      • nice_protect_demo.exe (PID: 1876)
    • Creates files in the program directory

      • nice_protect_demo.tmp (PID: 1492)
    • Creates a software uninstall entry

      • nice_protect_demo.tmp (PID: 1492)
    • Manual execution by a user

      • DotFixNiceProtectDemo.exe (PID: 2856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41984
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xaad0
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: DotFix Software
FileDescription: DotFix NiceProtect Demo Setup
FileVersion:
LegalCopyright:
ProductName: DotFix NiceProtect Demo
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1


Process information

PID: 1492
CMD: "C:\Users\admin\AppData\Local\Temp\is-S3S76.tmp\nice_protect_demo.tmp" /SL5="$19013E,4932826,58368,C:\Users\admin\Downloads\nice_protect_demo.exe" /SPAWNWND=$1A01BC /NOTIFYWND=$E0170
Path: C:\Users\admin\AppData\Local\Temp\is-S3S76.tmp\nice_protect_demo.tmp
Parent process: nice_protect_demo.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-s3s76.tmp\nice_protect_demo.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 1876
CMD: "C:\Users\admin\Downloads\nice_protect_demo.exe" /SPAWNWND=$1A01BC /NOTIFYWND=$E0170
Path: C:\Users\admin\Downloads\nice_protect_demo.exe
Parent process: nice_protect_demo.tmp
User: admin
Company: DotFix Software
Integrity Level: HIGH
Description: DotFix NiceProtect Demo Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\downloads\nice_protect_demo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 2160
CMD: "C:\Users\admin\AppData\Local\Temp\is-55F9C.tmp\nice_protect_demo.tmp" /SL5="$E0170,4932826,58368,C:\Users\admin\Downloads\nice_protect_demo.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-55F9C.tmp\nice_protect_demo.tmp
Parent process: nice_protect_demo.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-55f9c.tmp\nice_protect_demo.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 2856
CMD: "C:\Program Files\DotFix NiceProtect Demo\DotFixNiceProtectDemo.exe"
Path: C:\Program Files\DotFix NiceProtect Demo\DotFixNiceProtectDemo.exe
Parent process: explorer.exe
User: admin
Company: DotFix Software
Integrity Level: MEDIUM
Description: DotFix NiceProtect
Exit code: 0
Version: 7.4.0.0
Modules (images):
c:\program files\dotfix niceprotect demo\dotfixniceprotectdemo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3864
CMD: "C:\Users\admin\Downloads\nice_protect_demo.exe"
Path: C:\Users\admin\Downloads\nice_protect_demo.exe
Parent process: explorer.exe
User: admin
Company: DotFix Software
Integrity Level: MEDIUM
Description: DotFix NiceProtect Demo Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\downloads\nice_protect_demo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
Total events: 3 746
Read events: 3 715
Write events: 25
Delete events: 6

Modification events

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: D40500003C3930AE566FDA01

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 14DBB893D4494565D8270CD7F8ADE0E2F635C3FFC7CCD59FDB61E168EFB5B1CF

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\DotFix NiceProtect Demo\DotFixNiceProtectDemo.exe

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 76725999B68DD4548D032E7809E7654E03E4036F45882EAFF330222D5C59FFDE

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\DotFix NiceProtect\Registration
Operation: write
Name: Name
Value: DEMO User

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotFix NiceProtect Demo_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.6.1 (a)

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotFix NiceProtect Demo_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\DotFix NiceProtect Demo

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotFix NiceProtect Demo_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\DotFix NiceProtect Demo\

(PID) Process: (1492) nice_protect_demo.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotFix NiceProtect Demo_is1
Operation: write
Name: Inno Setup: Icon Group
Value: DotFix NiceProtect Demo
Executable files: 8
Suspicious files: 13
Text files: 46
Unknown types: 4

Dropped files

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\is-OBACU.tmp
Type: executable
MD5: 01CE9A9DDD8B6EE3AF44C8279653A2BD
SHA256: 3EB0C00383255CFE9CBF19FE5BEFA9BBEFA52CFC4D1718B406FE5D3E0B451978

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\unins000.exe
Type: executable
MD5: 01CE9A9DDD8B6EE3AF44C8279653A2BD
SHA256: 3EB0C00383255CFE9CBF19FE5BEFA9BBEFA52CFC4D1718B406FE5D3E0B451978

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\is-CENJP.tmp
Type: executable
MD5: A716E42AE6578A8ABDE82D1821B87A01
SHA256: BE275F72A653608B6A14D776EB27B0747EE22A5C6E3BAB8302B06D8B22530AEB

PID: 3864
Process: nice_protect_demo.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-55F9C.tmp\nice_protect_demo.tmp
Type: executable
MD5: 1AFBD25DB5C9A90FE05309F7C4FBCF09
SHA256: 3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\libspv.dll
Type: executable
MD5: A716E42AE6578A8ABDE82D1821B87A01
SHA256: BE275F72A653608B6A14D776EB27B0747EE22A5C6E3BAB8302B06D8B22530AEB

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\is-SQKNS.tmp
Type: executable
MD5: B8DC2D3423B966E3FBF619F9ADE61623
SHA256: C11C7B6FD0A66E56D87A41C8588C202362D35936A79DD46A93E8EFE0FDF5B40E

PID: 1876
Process: nice_protect_demo.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-S3S76.tmp\nice_protect_demo.tmp
Type: executable
MD5: 1AFBD25DB5C9A90FE05309F7C4FBCF09
SHA256: 3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\is-1TTDH.tmp
Type: binary
MD5: CA0E1946762F6BAE6CB3EAC33D87A0FD
SHA256: 4D94537C777F65448795118F02D89CE981D1570E70BEA6538FBA7B73F921C794

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\is-3RQD2.tmp
Type: chm
MD5: 9A4D5C667EC9C0055B551E5D200A9BEA
SHA256: C77F9B1FCF03623458170C9BE21F4874176B1538C2126EDDA5425CB209124EE7

PID: 1492
Process: nice_protect_demo.tmp
Filename: C:\Program Files\DotFix NiceProtect Demo\is-QP6V2.tmp
Type: binary
MD5: 0927DFA48A59B2D1126998E33D238F97
SHA256: AD9F757613CA41532A12D6470F8D1F3C4B6DAED31C06AF9584FD8A9666B65ED2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info