analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

AI_WEBLAUNCHER32bit.exe

Full analysis: https://app.any.run/tasks/02ed2a50-b994-4b49-86dd-54a366c5e405
Verdict: Malicious activity
Analysis date: May 20, 2019, 09:57:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1F2E979B359B63CC6062926B51B82974

SHA1:

FC189DCE35C9A2A82F904B77EEABC97950C69042

SHA256:

9E072769F7DFF2E9B0F5853DAFA268DFC7E9EE0034477B7390E8225576C2B73A

SSDEEP:

393216:d8DkKCNSBjRmV9jfmbTFaDxPb3Yrfpp3SntvpKkjG96jIZcrEgS1aggT5dHiksUy:d8DPCNS309joaVPMDSxpxjG9WocrFS1T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • unpack200.exe (PID: 2360)
      • unpack200.exe (PID: 3228)
      • unpack200.exe (PID: 2700)
      • unpack200.exe (PID: 3496)
      • unpack200.exe (PID: 756)
      • unpack200.exe (PID: 3700)
      • unpack200.exe (PID: 3980)
      • unpack200.exe (PID: 2812)
      • unpack200.exe (PID: 2724)
      • unpack200.exe (PID: 2976)
      • unpack200.exe (PID: 2448)
      • unpack200.exe (PID: 3328)
      • unpack200.exe (PID: 3440)
      • unpack200.exe (PID: 2312)
      • unpack200.exe (PID: 3280)
      • unpack200.exe (PID: 3160)
      • unpack200.exe (PID: 3528)
      • unpack200.exe (PID: 4036)
      • java.exe (PID: 3988)
      • unpack200.exe (PID: 2992)
    • Loads dropped or rewritten executable

      • unpack200.exe (PID: 2700)
      • unpack200.exe (PID: 3496)
      • unpack200.exe (PID: 2976)
      • unpack200.exe (PID: 3228)
      • unpack200.exe (PID: 756)
      • unpack200.exe (PID: 3700)
      • unpack200.exe (PID: 2812)
      • unpack200.exe (PID: 2360)
      • unpack200.exe (PID: 2724)
      • unpack200.exe (PID: 3328)
      • unpack200.exe (PID: 2448)
      • unpack200.exe (PID: 3980)
      • unpack200.exe (PID: 3160)
      • unpack200.exe (PID: 2312)
      • unpack200.exe (PID: 3440)
      • unpack200.exe (PID: 3528)
      • unpack200.exe (PID: 3280)
      • AI_WEBLAUNCHER32bit.exe (PID: 3644)
      • unpack200.exe (PID: 2992)
      • java.exe (PID: 3988)
      • AI_WEBLAUNCHER32bit.exe (PID: 3756)
      • unpack200.exe (PID: 4036)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AI_WEBLAUNCHER32bit.exe (PID: 3644)
    • Application launched itself

      • AI_WEBLAUNCHER32bit.exe (PID: 3644)
    • Creates files in the user directory

      • AI_WEBLAUNCHER32bit.exe (PID: 3644)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (35.6)
.exe | Win32 EXE PECompact compressed (generic) (34.4)
.exe | Win64 Executable (generic) (22.8)
.exe | Win32 Executable (generic) (3.7)
.exe | Generic Win/DOS Executable (1.6)

EXIF

EXE

InternalName: AIWL
OriginalFileName: AI_WEBLAUNCHER32bit.exe
ProductVersion: 1.0.4
ProductName: AI WEBLAUNCHER
LegalCopyright: Administration Intelligence AG
FileVersion: 1.0.4
FileDescription: AI WEBLAUNCHER
CompanyName: Administration Intelligence AG
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Unknown
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x0017
ProductVersionNumber: 1.0.4.0
FileVersionNumber: 1.0.4.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x25bc0
UninitializedDataSize: -
InitializedDataSize: 268288
CodeSize: 231936
LinkerVersion: 9
PEType: PE32
TimeStamp: 2018:08:29 11:28:48+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Aug-2018 09:28:48
Detected languages:
  • English - United States
CompanyName: Administration Intelligence AG
FileDescription: AI WEBLAUNCHER
FileVersion: 1.0.4
LegalCopyright: Administration Intelligence AG
ProductName: AI WEBLAUNCHER
ProductVersion: 1.0.4
OriginalFilename: AI_WEBLAUNCHER32bit.exe
InternalName: AIWL

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 29-Aug-2018 09:28:48
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00038985
0x00038A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.68074
.rdata
0x0003A000
0x00019336
0x00019400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.3222
.data
0x00054000
0x00012EE4
0x00001E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.10186
.rsrc
0x00067000
0x00011800
0x00011800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.83824
.reloc
0x00079000
0x00003BB4
0x00003C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5.66663

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20645
1488
UNKNOWN
UNKNOWN
RT_MANIFEST
101
3.19761
302
UNKNOWN
English - United States
RT_DIALOG
103
3.05366
286
UNKNOWN
English - United States
RT_DIALOG
104
2.62517
226
UNKNOWN
English - United States
RT_DIALOG
1001
1.98048
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
OLEAUT32.dll
USER32.dll
ole32.dll

Exports

Title
Ordinal
Address
_Java_com_install4j_runtime_installer_platform_win32_ACLHandling_addACE@40
1
0x0001742A
_Java_com_install4j_runtime_installer_platform_win32_FileVersion_compare0@16
2
0x00017D87
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getDriveType0@12
3
0x000181F4
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getPathFromRegistry0@12
4
0x00018046
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getShortPathName0@12
5
0x00018253
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getSpecialFolder0@16
6
0x0001800C
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getSystemDirectory0@8
7
0x00018192
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getUniversalPathName0@12
8
0x000182DA
_Java_com_install4j_runtime_installer_platform_win32_FolderInfo_getWindowsDirectory0@8
9
0x00018102
_Java_com_install4j_runtime_installer_platform_win32_Misc_broadcastSettingChange0@8
10
0x000191D5
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
22
Malicious processes
2
Suspicious processes
10

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start start ai_weblauncher32bit.exe unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs unpack200.exe no specs java.exe no specs ai_weblauncher32bit.exe

Process information

PID
CMD
Path
Indicators
Parent process
3644"C:\Users\admin\AppData\Local\Temp\AI_WEBLAUNCHER32bit.exe" C:\Users\admin\AppData\Local\Temp\AI_WEBLAUNCHER32bit.exe
explorer.exe
User:
admin
Company:
Administration Intelligence AG
Integrity Level:
MEDIUM
Description:
AI WEBLAUNCHER
Version:
1.0.4
2700-r "jre\lib\charsets.jar.pack" "jre\lib\charsets.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
3496-r "jre\lib\jce.jar.pack" "jre\lib\jce.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
2360-r "jre\lib\jsse.jar.pack" "jre\lib\jsse.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
3228-r "jre\lib\management-agent.jar.pack" "jre\lib\management-agent.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
756-r "jre\lib\resources.jar.pack" "jre\lib\resources.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
2976-r "jre\lib\rt.jar.pack" "jre\lib\rt.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
3980-r "jre\lib\ext\access-bridge-32.jar.pack" "jre\lib\ext\access-bridge-32.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
2812-r "jre\lib\ext\access-bridge.jar.pack" "jre\lib\ext\access-bridge.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
3700-r "jre\lib\ext\cldrdata.jar.pack" "jre\lib\ext\cldrdata.jar"C:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre\bin\unpack200.exeAI_WEBLAUNCHER32bit.exe
User:
admin
Company:
Azul Systems Inc.
Integrity Level:
MEDIUM
Description:
Zulu Platform x32 Architecture
Exit code:
0
Version:
8.36.0.4
Total events
377
Read events
365
Write events
11
Delete events
1

Modification events

(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j\pids
Operation:writeName:c:\users\admin\appdata\local\temp\ai_weblauncher32bit.exe
Value:
3644
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j\jvms\c:/users/admin/appdata/local/temp/e4j14e9.tmp_dir1558346257/jre/bin/java.exe
Operation:writeName:LastWriteTime
Value:
42308274F20ED501
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j\jvms\c:/users/admin/appdata/local/temp/e4j14e9.tmp_dir1558346257/jre/bin/java.exe
Operation:writeName:Version
Value:
1.8.0_202
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j
Operation:writeName:InstallStarted_3644
Value:
1
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j
Operation:writeName:InstallStarted
Value:
1
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j
Operation:writeName:InstallStarted_3644
Value:
0
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j
Operation:writeName:InstallStarted
Value:
0
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3644) AI_WEBLAUNCHER32bit.exeKey:HKEY_CURRENT_USER\Software\ej-technologies\exe4j
Operation:delete valueName:InstallStarted_3644
Value:
0
Executable files
79
Suspicious files
22
Text files
267
Unknown types
7

Dropped files

PID
Process
Filename
Type
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\i4j_nlog_1.logtext
MD5:808D1B7946E5ED8E430A8E59D12AC492
SHA256:E9A5E9DFD51A2D92D7128E36FDF9A584F248ABAB9A07344D6B93517FCB32AD3A
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\jre.tar.gz
MD5:
SHA256:
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4jruntime.jarcompressed
MD5:2A49E288450888F00555917A18266189
SHA256:A4C88F87212C11E28C7DCB4F34E2BB703E7696AC06C07AFDD6B12C0019DB5AE1
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\MessagesDefaulttext
MD5:CDB52F89ADE5948798B33719D364A2CD
SHA256:AAD8C2109686ADF1D15C13EC307FFB4A1FDEF6971EC2EC1EC4419A59FEB967C5
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4j_extf_5_o58qrz_1wl3iou.pngimage
MD5:20D507E20B6125147F48A95A159D0696
SHA256:E84647E2BA38BD1529686D652CC339E951600D339A2B0F49722A656BAC4EBDE5
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4j_extf_3_o58qrz_bj00r.icnsimage
MD5:18680B5AFBC3159BF6E6F79B5CF2F398
SHA256:ED92A51737567F5948FFA03C7B08F24DD96BBE1EB38AF8E0103494D2191212D8
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4jparams.confxml
MD5:FCFA559CB75166D1174A144013BBCA5A
SHA256:A8FA2096005F9A400017CA707F572ABEF144D48769AC0E786A98BEE6DC33868E
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4j_extf_1_o58qrz.utf8text
MD5:B6CF8459EAA6BD6962A08A683A2587D0
SHA256:56C959DB8C214A1C3ED2FED089762DE0CEBF4BBDC48A8C118F643901827FFCDE
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4j_extf_2_o58qrz.txttext
MD5:8EFDCA124F24A957ED4AE910A19C4CC7
SHA256:674B66213BC04205E14B3EBCD609D73BAB84B2930FBB03554FB0759CDDB2ABB6
3644AI_WEBLAUNCHER32bit.exeC:\Users\admin\AppData\Local\Temp\e4j14E9.tmp_dir1558346257\i4j_extf_4_o58qrz_1s7s3fo.icoimage
MD5:3E17D5F96F40CAF066912E49CB4E04D3
SHA256:EE7B72BFFA5AAEB4E53F8B7FDC33968BB7D2CC25DB7D3FDBEFAFE96182F4BA75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info