File name: Windows 7,XP, Vista Activator.exe
Full analysis: https://app.any.run/tasks/db9cb826-efc0-4ed3-9819-98ed319441fa
Verdict: Malicious activity
Analysis date: May 26, 2024, 12:44:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C0827BFDFA8A4E9E52A098584569F8F8
SHA1: 71691BFA130C1F97F7C639C77CEFEC453BC2DB52
SHA256: C5B2AD888403A5BB05FCAA02363477594EEE07693F7BFB6B7615773EE72EC33F
SSDEEP: 98304:p3lMudgBXcer3Yio4WvoIOhM1SCkt7Y39T8u60HGsl2SZ85RRfh9Nwkk9jzqt101:1mxnX8d
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Windows 7,XP, Vista Activator.exe (PID: 3976)
      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Windows 7,XP, Vista Activator.exe (PID: 3976)
      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
    • Reads security settings of Internet Explorer

      • autorun.exe (PID: 3992)
      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
    • Reads the Internet Settings

      • autorun.exe (PID: 3992)
      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
    • Starts CMD.EXE for commands execution

      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
    • Executing commands from ".cmd" file

      • nec-XPact.exe (PID: 1772)
    • Process drops legitimate windows executable

      • Vis7act.exe (PID: 2052)
    • Executing commands from a ".bat" file

      • Vis7act.exe (PID: 2052)
  • INFO

    • Checks supported languages

      • Windows 7,XP, Vista Activator.exe (PID: 3976)
      • autorun.exe (PID: 3992)
      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
      • wmpnscfg.exe (PID: 2384)
    • Create files in a temporary directory

      • Windows 7,XP, Vista Activator.exe (PID: 3976)
      • nec-XPact.exe (PID: 1772)
      • Vis7act.exe (PID: 2052)
    • Reads the computer name

      • nec-XPact.exe (PID: 1772)
      • autorun.exe (PID: 3992)
      • Vis7act.exe (PID: 2052)
      • wmpnscfg.exe (PID: 2384)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2384)
    • Application launched itself

      • msedge.exe (PID: 1640)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

SpecialBuild: -
ProductVersion: 7.5.1004.0
ProductName: AutoPlay Media Studio Launcher
PrivateBuild: -
OriginalFileName: ams_launch.exe
LegalTrademarks: AutoPlay Media Studio is a Trademark of Indigo Rose Corporation
LegalCopyright: Runtime Engine Copyright © 2008 Indigo Rose Corporation (www.indigorose.com)
InternalName: ams_launch
FileVersion: 7.5.1004.0
FileDescription: AutoPlay Application
CompanyName: -
Comments: Created with AutoPlay Media Studio
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 7.5.1004.0
FileVersionNumber: 7.5.1004.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x173a6
UninitializedDataSize: -
InitializedDataSize: 118784
CodeSize: 192512
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2008:10:28 13:09:46+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 63
Monitored processes: 23
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain (the graph itself is rendered in the full report): Windows 7,XP, Vista Activator.exe starts autorun.exe; autorun.exe starts nec-XPact.exe, Vis7act.exe and msedge.exe; nec-XPact.exe and Vis7act.exe each appear twice (a first MEDIUM-integrity instance followed by a second HIGH-integrity instance) and each start cmd.exe; msedge.exe starts further msedge.exe child processes; wmpnscfg.exe appears separately (manual execution).

Process information

PID 3976
CMD: "C:\Users\admin\AppData\Local\Temp\Windows 7,XP, Vista Activator.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows 7,XP, Vista Activator.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: AutoPlay Application
Exit code: 0
Version: 7.5.1004.0
Modules (images):
c:\users\admin\appdata\local\temp\windows 7,xp, vista activator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 3992
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\admin\AppData\Local\Temp\Windows 7,XP, Vista Activator.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
Parent process: Windows 7,XP, Vista Activator.exe
User: admin
Integrity Level: MEDIUM
Description: AutoPlay Application
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Version: 7.5.1004.0
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID 124
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe
Parent process: autorun.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autoplay\docs\nec-xpact.exe
c:\windows\system32\ntdll.dll

PID 1772
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe
Parent process: autorun.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autoplay\docs\nec-xpact.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID 1580
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\XPAntiWAT.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: nec-XPact.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 1488
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe
Parent process: autorun.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autoplay\docs\vis7act.exe
c:\windows\system32\ntdll.dll

PID 2052
CMD: "C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe"
Path: C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe
Parent process: autorun.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autoplay\docs\vis7act.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID 2092
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RarSFX1\setup.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: Vis7act.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 1640
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://h33t.com/userdetails.php?id=190488
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: autorun.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID 2240
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0x138,0x13c,0x140,0x10c,0x148,0x6da4f598,0x6da4f5a8,0x6da4f5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 728
Read events: 10 665
Write events: 57
Delete events: 6

Modification events

PID | Process | Key | Operation | Name | Value
3992 | autorun.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
3992 | autorun.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
3992 | autorun.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
3992 | autorun.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
1772 | nec-XPact.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
1772 | nec-XPact.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
1772 | nec-XPact.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
1772 | nec-XPact.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
2052 | Vis7act.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2052 | Vis7act.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
Executable files: 8
Suspicious files: 68
Text files: 48
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | executable | 2E5D84F170A33ED44A9EADA85F58ED03 | F659CA020B97340542C45516FE8C3E97491A8ADC769EC13602A3ACE462A6E773
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\27.jpg | image | 9B17C3E997AB3F77B31C16B6CC4C64F1 | 931D62C825182F3C50C6826F668914D8899E93E7C251011384C5B44255A7CA97
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\nec-XPact.exe | executable | 3368244E54E2A52DDFD7BA54BFE825D5 | 15EAA1DF7D023F3644D9BB617561EFC855F65DFBB938EBD6EAD29498684B8595
2052 | Vis7act.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\bootinst.exe | executable | 70C5F6F69CDC6C5B8240622CF7D90380 | D7ABA1FA037041412052BFDC0127D44BD63597BF01151058D3EDF585186387BE
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg | ogg | 93270C4FA492E4E4EDEE872A2B961DDE | 25D49CBBD65D48AD462455F1143F73EE997DF8F747E7D2213DAAB18E321C028B
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Vis7act.exe | executable | 0B48649F0FE043D41E49DAE43FB79DB7 | F20E0B43CE218B69F7BC0BA847056B066F35474A5B49D6CCEE4744268BC7F3C5
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Green.btn | compressed | 7080014182EB394217C3D725CB70B3D6 | C3186BE9B4016CBBA99DF3D74E2C88B366CB75BB7AC335DC5F0794D2E1950FC8
1772 | nec-XPact.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\X86\AntiWaT.dll | executable | 11BEB85B8F34A70D25AA8FA73FC1F99F | FCDA8608F6CCECD3D18873A1DA5B937E52445AB6C8FF5CB3179166ADE6F8AB4B
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd | compressed | 6C30686B0CE179474CA5570D404AA223 | 4DE0D2D5905C802B68FBF2EB88D1D294FB562325E41BE924F363EC0F650E57FE
3976 | Windows 7,XP, Vista Activator.exe | C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg | ogg | FC2A595F574B1EAD82A6DCF06492C985 | EE9A4903A8DF90EFF4C5B65A8073E564A3581CF73772A72EB82396E69932E769
HTTP(S) requests: 0
TCP/UDP connections: 15
DNS requests: 12
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
(not shown) | (not shown) | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2508 | msedge.exe | 49.13.77.253:80 | h33t.com | Hetzner Online GmbH | DE | unknown
1640 | msedge.exe | 239.255.255.250:1900 | - | - | - | unknown
2508 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2508 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2508 | msedge.exe | 2.19.193.138:443 | www.bing.com | Akamai International B.V. | TR | unknown
2508 | msedge.exe | 88.221.88.50:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | Akamai International B.V. | GB | unknown

DNS requests

Domain | IP(s) | Reputation
h33t.com | 49.13.77.253 | unknown
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
www.bing.com | 2.19.193.138, 2.19.193.17, 2.19.193.25, 2.19.193.8, 2.19.193.18, 2.19.193.27, 2.19.193.19, 2.19.193.16, 2.19.193.32 | whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | 88.221.88.50, 88.221.88.58 | whitelisted

Threats

No threats detected
No debug info