File name: Arquivos.exe

Full analysis: https://app.any.run/tasks/a741da16-d3e1-4832-85c3-5a52eb9db811
Verdict: Malicious activity
Analysis date: July 03, 2021, 11:59:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E5474D4C43167E74058092BD10D185AE
SHA1: BEF217689703D3FE16AB4C479667707E16E74520
SHA256: AC93D7A1E939600DA957D3E8BD656110B445099143541DA6B9D651BB2304C636
SSDEEP: 49152:CUAzbm3SV2yGqC2Zq9V+oeGjDkp7Gf+sqX+QpV67JSk2Msjs+DQxCZLoeWgGinHJ:CjGZjDkp7zsqJeJw99ZLo8fg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • Arquivos.exe (PID: 1752)
    • Changes the autorun value in the registry
      • Arquivos.exe (PID: 1752)
    • UAC/LUA settings modification
      • Arquivos.exe (PID: 1752)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Arquivos.exe (PID: 1752)
    • Drops a file with a compile date too recent
      • Arquivos.exe (PID: 1752)
    • Drops a file that was compiled in debug mode
      • Arquivos.exe (PID: 1752)
    • Application launched itself
      • taskmgr.exe (PID: 4072)
  • INFO
    • Manual execution by user
      • taskmgr.exe (PID: 4072)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x139974
UninitializedDataSize: -
InitializedDataSize: 5896704
CodeSize: 1278464
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2012:02:17 23:25:39+01:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 45
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 1716
CMD: "C:\Windows\system32\taskmgr.exe" /1
Path: C:\Windows\system32\taskmgr.exe
Parent process: taskmgr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Task Manager
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1752
CMD: "C:\Users\admin\AppData\Local\Temp\Arquivos.exe"
Path: C:\Users\admin\AppData\Local\Temp\Arquivos.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\arquivos.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 3244
CMD: "C:\Users\admin\AppData\Local\Temp\Arquivos.exe"
Path: C:\Users\admin\AppData\Local\Temp\Arquivos.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\appdata\local\temp\arquivos.exe
c:\systemroot\system32\ntdll.dll

PID: 4072
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 69
Read events: 56
Write events: 13
Delete events: 0

Modification events

Process: (1752) Arquivos.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: EnableBalloonTips
Value: 0

Process: (1752) Arquivos.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: (1752) Arquivos.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Kernel System
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe"

Process: (1752) Arquivos.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Control Network
Value: "C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe"

Process: (4072) taskmgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (4072) taskmgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (4072) taskmgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Operation: write
Name: Preferences
Value:

Process: (4072) taskmgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Operation: write
Name: UsrColumnSettings
Value: 1C0C0000340400000000000050000000010000001D0C0000350400000000000023000000010000001E0C000036040000000000003C000000010000001F0C000039040000000000004E00000001000000200C000037040000000000004E00000001000000
Executable files: 6
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\Config.ini
Type: text
MD5: 2F6711974A9E669E965706B48A7EB0D9
SHA256: 98AD0CCD4C0BD1400048DCE4E7056FC8D115AC88DFA7FD3F8C48CF64CF885E4A

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\taskWin.exe
Type: executable
MD5: 9B6BF5B960EBD4D8EBE92089D670FD4C
SHA256: 7491BDED3D6DA3AD573149CBD3826F274A6FB1DA09F0FB2C6049A818EEA83B75

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\ssleay32.dll
Type: executable
MD5: A02F9DD21FA2E39BDF1BC8D8C8C63F21
SHA256: 189A70D8C1311CC09FF14FD43EC67595531B1F0AEEAF6964D4239D5F32830F03

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\winPrsv.exe
Type: executable
MD5: DA1CB6BFED050ECA74AC921135DDB152
SHA256: C3FF6FE117B8BECAEFB3F36E267284C8CC0F9392035439DBBD4EF2D51D2DCFE2

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\sqlite3.dll
Type: executable
MD5: D9E9F9BAF324BB1B954751FB22884B41
SHA256: D3D8EB6A038766AF126C84D56DD8BB4192B84F8C78F6515493ED32108F7A41BD

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\default.exe
Type: executable
MD5: E5474D4C43167E74058092BD10D185AE
SHA256: AC93D7A1E939600DA957D3E8BD656110B445099143541DA6B9D651BB2304C636

PID: 1752
Process: Arquivos.exe
Filename: C:\Users\admin\AppData\Local\Microsoft Windows\libeay32.dll
Type: executable
MD5: C337C251661977D92B5AC8BBC840421B
SHA256: D376DDC6B93772EC2429D9DFDCE6C11F1A771E84304F2E3D12AF6235558A2733
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info