File name: getw7.exe
Full analysis: https://app.any.run/tasks/3da9d399-bbb5-4158-9c03-92b26586dd48
Verdict: Malicious activity
Analysis date: June 11, 2024, 16:48:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 92EA4911D5CB8D8AED4C14659A1D07C9
SHA1: 60069180A63D2EEB3DD087FBCE01881E2E018D9E
SHA256: 72FCFE14CC3DF4B9B765B3026B3012677742AE43A524B844298AC7EEF300055A
SSDEEP: 6144:NfhBJUHG2SI8S7U2+1VVVgEd3z3QVVVf+yUHG2SI8S7UB:tFLI7Y2+1VVVgEd3z3QVVVf+yLI7YB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • getw7.exe (PID: 1200)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • getw7.exe (PID: 1200)
    • Reads the Internet Settings

      • getw7.exe (PID: 1200)
    • Reads security settings of Internet Explorer

      • getw7.exe (PID: 1200)
    • Checks Windows Trust Settings

      • getw7.exe (PID: 1200)
    • Reads settings of System Certificates

      • getw7.exe (PID: 1200)
    • Adds/modifies Windows certificates

      • getw7.exe (PID: 1200)
  • INFO

    • Reads the computer name

      • getw7.exe (PID: 1200)
      • wmpnscfg.exe (PID: 1112)
    • Checks supported languages

      • getw7.exe (PID: 1200)
      • wmpnscfg.exe (PID: 1112)
    • Create files in a temporary directory

      • getw7.exe (PID: 1200)
    • Reads the machine GUID from the registry

      • getw7.exe (PID: 1200)
    • Checks proxy server information

      • getw7.exe (PID: 1200)
    • Reads the software policy settings

      • getw7.exe (PID: 1200)
    • Creates files or folders in the user directory

      • getw7.exe (PID: 1200)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 184832
UninitializedDataSize: 2048
EntryPoint: 0x3552
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start > getw7.exe; wmpnscfg.exe (no specs); getw7.exe (no specs)

Process information

PID: 1112
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID: 1200
CMD: "C:\Users\admin\AppData\Local\Temp\getw7.exe"
Path: C:\Users\admin\AppData\Local\Temp\getw7.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Modules (images):
  c:\users\admin\appdata\local\temp\getw7.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 3992
CMD: "C:\Users\admin\AppData\Local\Temp\getw7.exe"
Path: C:\Users\admin\AppData\Local\Temp\getw7.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  c:\users\admin\appdata\local\temp\getw7.exe
  c:\windows\system32\ntdll.dll
Total events: 9 161
Read events: 9 107
Write events: 41
Delete events: 13

Modification events

PID | Process | Key | Operation | Name | Value
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyServer |
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyOverride |
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoConfigURL |
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoDetect |
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
1200 | getw7.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 1
Suspicious files: 9
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90 | binary
MD5: DA66C9CBDBFA6C8DC76E16DFC02D62F5
SHA256: 623C6F7B81AF16AD245F3781CFAB7D85438AA268D3F024B699B2C373C9C18973
1200 | getw7.exe | C:\Users\admin\AppData\Local\Temp\nst3432.tmp\INetC.dll | executable
MD5: 0A46716B8C65FAA8614EF64375FDE0DA
SHA256: 04CD5643BE7E9F1678CCFED3DA67F781344A60880F4AE5A91CCE530F6168CA33
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90 | binary
MD5: A5DE3DB4BC796CC649D3074D71010212
SHA256: 8FD71FE80A364F97003873422102DDC1FDA3784A4ADBD7CD426E0A7C385E340C
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25 | binary
MD5: 53D5157EB4FB6AF19298A1798974EA8E
SHA256: 9B2641A2F7FB62FD6BE7BC9BE59FCF7DDAAA3EEF4B10B29F2889FFB60D23A1E2
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C | binary
MD5: A4018C2158CD032A0554688FF69E0FC9
SHA256: 7D0F81733A47CC6306E9D00AC422C00B2B442814A20E70A7ED28BF49DD8A0FB5
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
MD5: 60082A4452952B4A44F86A786F02D0A7
SHA256: 0F3AF023808F9306FCFDC8B08A87BB8A27FD6395E3300A524474600434374C41
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C | binary
MD5: C66DE3D945CC1FBA91FC12546B15281D
SHA256: C8319F21A6698F98138B87ECCDE0723E4169A0A862AD0617121A2D901DF089EE
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 598D1D1096132CCC12A498E3EB48B4E5
SHA256: 2A0DDF660DCEB1C60DC3753D8A104F345C7CD3ADE8155261B8227979D9DB9CBE
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
MD5: EE4F23DBE684DA25C7C69E344C1136EF
SHA256: 627A11099815F457A042F62523947FB608082DDB3C31E2AEB0CD76F3491D6772
1200 | getw7.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25 | binary
MD5: A079966A735A85EDB191728AC374D882
SHA256: 847FD95BBD9DAB4CB751F79EE9269F4A03E53F2E53968688DE0802FAA4C3C895
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 12
DNS requests: 10
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1200 | getw7.exe | GET | 302 | 188.114.97.3:80 | http://r8p.teknixstuff.com/dev/w7.php | unknown | | | unknown
1200 | getw7.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cfe0a7f8e7962138 | unknown | | | unknown
1200 | getw7.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd | unknown | | | unknown
1200 | getw7.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D | unknown | | | unknown
1200 | getw7.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | | | unknown
1200 | getw7.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEE4o94a2bBo7lCzSxA63QqU%3D | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1200 | getw7.exe | 188.114.97.3:80 | r8p.teknixstuff.com | CLOUDFLARENET | NL | unknown
1200 | getw7.exe | 140.82.121.4:443 | github.com | GITHUB | US | unknown
1200 | getw7.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1200 | getw7.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
1200 | getw7.exe | 185.199.110.133:443 | objects.githubusercontent.com | FASTLY | US | unknown
1200 | getw7.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
r8p.teknixstuff.com | 188.114.97.3, 188.114.96.3 | unknown
github.com | 140.82.121.4 | shared
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
ocsp.comodoca.com | 172.64.149.23, 104.18.38.233 | whitelisted
ocsp.usertrust.com | 172.64.149.23, 104.18.38.233 | whitelisted
ocsp.sectigo.com | 172.64.149.23, 104.18.38.233 | whitelisted
objects.githubusercontent.com | 185.199.110.133, 185.199.108.133, 185.199.109.133, 185.199.111.133 | shared
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats

PID | Process | Class | Message
1200 | getw7.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
No debug info