File name: | Windows 7,XP, Vista Activator.exe |
Full analysis: | https://app.any.run/tasks/db9cb826-efc0-4ed3-9819-98ed319441fa |
Verdict: | Malicious activity |
Analysis date: | May 26, 2024, 12:44:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C0827BFDFA8A4E9E52A098584569F8F8 |
SHA1: | 71691BFA130C1F97F7C639C77CEFEC453BC2DB52 |
SHA256: | C5B2AD888403A5BB05FCAA02363477594EEE07693F7BFB6B7615773EE72EC33F |
SSDEEP: | 98304:p3lMudgBXcer3Yio4WvoIOhM1SCkt7Y39T8u60HGsl2SZ85RRfh9Nwkk9jzqt101:1mxnX8d |
.exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
---|---|---|
.exe | | | Win64 Executable (generic) (31.7) |
.scr | | | Windows screen saver (15) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
SpecialBuild: | - |
---|---|
ProductVersion: | 7.5.1004.0 |
ProductName: | AutoPlay Media Studio Launcher |
PrivateBuild: | - |
OriginalFileName: | ams_launch.exe |
LegalTrademarks: | AutoPlay Media Studio is a Trademark of Indigo Rose Corporation |
LegalCopyright: | Runtime Engine Copyright © 2008 Indigo Rose Corporation (www.indigorose.com) |
InternalName: | ams_launch |
FileVersion: | 7.5.1004.0 |
FileDescription: | AutoPlay Application |
CompanyName: | - |
Comments: | Created with AutoPlay Media Studio |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 7.5.1004.0 |
FileVersionNumber: | 7.5.1004.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x173a6 |
UninitializedDataSize: | - |
InitializedDataSize: | 118784 |
CodeSize: | 192512 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 2008:10:28 13:09:46+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3976 | "C:\Users\admin\AppData\Local\Temp\Windows 7,XP, Vista Activator.exe" | C:\Users\admin\AppData\Local\Temp\Windows 7,XP, Vista Activator.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: AutoPlay Application Exit code: 0 Version: 7.5.1004.0 Modules
| |||||||||||||||
3992 | "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\admin\AppData\Local\Temp\Windows 7,XP, Vista Activator.exe" | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | — | Windows 7,XP, Vista Activator.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: AutoPlay Application Exit code: 3221225547 Version: 7.5.1004.0 Modules
| |||||||||||||||
124 | "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe" | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe | — | autorun.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
1772 | "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe" | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe | autorun.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
1580 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\XPAntiWAT.cmd" " | C:\Windows\System32\cmd.exe | — | nec-XPact.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 3221225786 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1488 | "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe" | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe | — | autorun.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
2052 | "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe" | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe | autorun.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2092 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX1\setup.bat" " | C:\Windows\System32\cmd.exe | — | Vis7act.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 3221225786 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1640 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://h33t.com/userdetails.php?id=190488 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | autorun.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
2240 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0x138,0x13c,0x140,0x10c,0x148,0x6da4f598,0x6da4f5a8,0x6da4f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
|
(PID) Process: | (3992) autorun.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3992) autorun.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3992) autorun.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3992) autorun.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1772) nec-XPact.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1772) nec-XPact.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1772) nec-XPact.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1772) nec-XPact.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2052) Vis7act.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2052) Vis7act.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | executable | |
MD5:2E5D84F170A33ED44A9EADA85F58ED03 | SHA256:F659CA020B97340542C45516FE8C3E97491A8ADC769EC13602A3ACE462A6E773 | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\27.jpg | image | |
MD5:9B17C3E997AB3F77B31C16B6CC4C64F1 | SHA256:931D62C825182F3C50C6826F668914D8899E93E7C251011384C5B44255A7CA97 | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe | executable | |
MD5:3368244E54E2A52DDFD7BA54BFE825D5 | SHA256:15EAA1DF7D023F3644D9BB617561EFC855F65DFBB938EBD6EAD29498684B8595 | |||
2052 | Vis7act.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\bootinst.exe | executable | |
MD5:70C5F6F69CDC6C5B8240622CF7D90380 | SHA256:D7ABA1FA037041412052BFDC0127D44BD63597BF01151058D3EDF585186387BE | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg | ogg | |
MD5:93270C4FA492E4E4EDEE872A2B961DDE | SHA256:25D49CBBD65D48AD462455F1143F73EE997DF8F747E7D2213DAAB18E321C028B | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe | executable | |
MD5:0B48649F0FE043D41E49DAE43FB79DB7 | SHA256:F20E0B43CE218B69F7BC0BA847056B066F35474A5B49D6CCEE4744268BC7F3C5 | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Green.btn | compressed | |
MD5:7080014182EB394217C3D725CB70B3D6 | SHA256:C3186BE9B4016CBBA99DF3D74E2C88B366CB75BB7AC335DC5F0794D2E1950FC8 | |||
1772 | nec-XPact.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\X86\AntiWaT.dll | executable | |
MD5:11BEB85B8F34A70D25AA8FA73FC1F99F | SHA256:FCDA8608F6CCECD3D18873A1DA5B937E52445AB6C8FF5CB3179166ADE6F8AB4B | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd | compressed | |
MD5:6C30686B0CE179474CA5570D404AA223 | SHA256:4DE0D2D5905C802B68FBF2EB88D1D294FB562325E41BE924F363EC0F650E57FE | |||
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg | ogg | |
MD5:FC2A595F574B1EAD82A6DCF06492C985 | SHA256:EE9A4903A8DF90EFF4C5B65A8073E564A3581CF73772A72EB82396E69932E769 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2508 | msedge.exe | 49.13.77.253:80 | h33t.com | Hetzner Online GmbH | DE | unknown |
1640 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
2508 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2508 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2508 | msedge.exe | 2.19.193.138:443 | www.bing.com | Akamai International B.V. | TR | unknown |
2508 | msedge.exe | 88.221.88.50:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | Akamai International B.V. | GB | unknown |
Domain | IP | Reputation |
---|---|---|
h33t.com |
| unknown |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com |
| whitelisted |