File name: Mario Coleccion.exe

Full analysis: https://app.any.run/tasks/5933082c-1f01-44fb-9898-2c7418cba354
Verdict: Malicious activity
Analysis date: May 15, 2024, 01:32:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: EE1AF0FDB25559B16295B45316762C6B
SHA1: 838E282334E22CFD3C80965FB8F114A1DA03419A
SHA256: 985BC1027AD2C2656EDE64CA442A4A264B7A93595BAC07015A03619B3E87D894
SSDEEP: 98304:xIZaWyCIb6BRxzKgwpPg6MUmOvAuKuz/x6+DTtnlsJJEz0W6ZsdMuDMH/MKrQ2zQ:tjBD+dRm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Mario Coleccion.exe (PID: 3976)
      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Mario Coleccion.exe (PID: 3976)
      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
    • Reads security settings of Internet Explorer

      • autorun.exe (PID: 3992)
      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
    • Reads the Internet Settings

      • autorun.exe (PID: 3992)
      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
    • Starts CMD.EXE for commands execution

      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
    • Executing commands from a ".bat" file

      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
    • The executable file from the user directory is run by the CMD process

      • VirtuaNES.exe (PID: 328)
      • VirtuaNES.exe (PID: 616)
  • INFO

    • Checks supported languages

      • autorun.exe (PID: 3992)
      • Mario Coleccion.exe (PID: 3976)
      • Mario bros.exe (PID: 124)
      • VirtuaNES.exe (PID: 328)
      • Merio and Luigi.exe (PID: 524)
      • VirtuaNES.exe (PID: 616)
    • Reads the computer name

      • autorun.exe (PID: 3992)
      • Mario bros.exe (PID: 124)
      • VirtuaNES.exe (PID: 328)
      • Merio and Luigi.exe (PID: 524)
      • VirtuaNES.exe (PID: 616)
    • Create files in a temporary directory

      • Mario Coleccion.exe (PID: 3976)
      • Mario bros.exe (PID: 124)
      • Merio and Luigi.exe (PID: 524)
      • VirtuaNES.exe (PID: 616)
      • VirtuaNES.exe (PID: 328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:11:06 19:06:44+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 192512
InitializedDataSize: 102400
UninitializedDataSize: -
EntryPoint: 0x173a6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.1.1000.0
ProductVersionNumber: 7.1.1000.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Created with AutoPlay Media Studio 7.0
CompanyName: -
FileDescription: AutoPlay Application
FileVersion: 7.1.1000.0
InternalName: ams70_launch
LegalCopyright: Runtime Engine Copyright © 2007 Indigo Rose Corporation (www.indigorose.com)
LegalTrademarks: AutoPlay Media Studio is a Trademark of Indigo Rose Corporation
OriginalFileName: ams70_launch.exe
PrivateBuild: -
ProductName: AutoPlay Media Studio 7.0 Launcher
ProductVersion: 7.1.1000.0
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree (node labels as shown in the graph; parent/child links taken from the process information below):
start
  Mario Coleccion.exe
    autorun.exe (no specs)
      Mario bros.exe
        cmd.exe (no specs)
          VirtuaNES.exe
      Merio and Luigi.exe
        cmd.exe (no specs)
          VirtuaNES.exe

Process information

PID: 124
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Mario bros.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Mario bros.exe
Parent process: autorun.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autoplay\docs\mario bros.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 328
CMD: VirtuaNES.EXE MarioBros.nes
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\VirtuaNES.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: VirtuaNES NES emulator for Win32
Exit code: 0
Version: 0.60
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\virtuanes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 524
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Merio and Luigi.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Merio and Luigi.exe
Parent process: autorun.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autoplay\docs\merio and luigi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 616
CMD: VirtuaNES.EXE MarioandLuigi.nes
Path: C:\Users\admin\AppData\Local\Temp\RarSFX1\VirtuaNES.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: VirtuaNES NES emulator for Win32
Exit code: 0
Version: 0.60
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx1\virtuanes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1652
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX1\Launch.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: Merio and Luigi.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2028
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\Launch.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: Mario bros.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 3221225786
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\Mario Coleccion.exe"
Path: C:\Users\admin\AppData\Local\Temp\Mario Coleccion.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: AutoPlay Application
Exit code: 0
Version: 7.1.1000.0
Modules (images):
c:\users\admin\appdata\local\temp\mario coleccion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3992
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\admin\AppData\Local\Temp\Mario Coleccion.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
Parent process: Mario Coleccion.exe
User: admin
Integrity Level: MEDIUM
Description: By Thunder Hack Gold
Exit code: 3221225547
Version: 7.1.1000.0
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 9 920
Read events: 9 884
Write events: 36
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(3992) autorun.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
(3992) autorun.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
(3992) autorun.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
(3992) autorun.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
(124) Mario bros.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
(124) Mario bros.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
(124) Mario bros.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
(124) Mario bros.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
(328) VirtuaNES.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication | Name | VirtuaNES.exe
(328) VirtuaNES.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication | ID |
Executable files: 14
Suspicious files: 7
Text files: 28
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\mario.ico |
MD5:
SHA256:
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\MARIO BROS.bmp | image
MD5:73643A817A82C94E160732FD7195B4E1
SHA256:26E306C6A9636D937E1EAEA64C6605F461258E10ADD6BD3BB33A63212DFE0FD1
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Super Mario Bros.exe | executable
MD5:6A23798D3BA86CE1F532EFDA702E8BD5
SHA256:D964DF0BC4AD209F9BD2967890D15F73309CDAE932063E09982972BDF0902A40
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\super Mario Bros 3.exe | executable
MD5:20E8A61799D90D9DE02C1BAB748E5E04
SHA256:6E6BA3671BAD5A764B383C5F1FA60D24AF8755282A4D7B3AB76070E158B6EAA0
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\SUP MARIO 3.bmp | image
MD5:D7A6CB4CF1620EDAF8D11E6EB84FCA64
SHA256:D616A526599C2DD0B914BE563C8B05E833234803694098BDA4D08BDBE1E10679
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd | compressed
MD5:4A3AEB6F2F6D614A255ED42B06D5DB53
SHA256:1E83CA84DA872D93D0CBAFD799A24FD6739E938B2D76817D470DB1EA8149F466
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\mario image.jpg | image
MD5:3C162E9F893E128CF96488CE4E1EBA0D
SHA256:3E783804AC977619D59A3D0CA62F6CA49F9A72F00D09AE25846E73EC394C3E3B
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\SUP MARIO 2.bmp | image
MD5:B2D1E0E4B9DF144A07258F564108553A
SHA256:EB7B52D8D17E0014226D62744D97A9C91587662555A2B71520917DBF333EBDB6
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Icons\mario.ico | image
MD5:46E873B47605DCC3D4F1D85F1CFB60A1
SHA256:ED7E169C0E754FBDD76848A45D4AAAC00123C25206FB780E00E4348EA19B46EB
3976 | Mario Coleccion.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\MARIO Y LUIGI.bmp | image
MD5:83BBD0EF82683D86E2AD63EDD48868B6
SHA256:2F1A8A2C65E92DB0EA14C0730BA3442628AB771085908EBFBA5EF483C811A382
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

No data

Threats

No threats detected
Process | Message
VirtuaNES.exe | DebugWindow がありません
VirtuaNES.exe | DebugWindow がありません