File name: autoplay.exe

Full analysis: https://app.any.run/tasks/6026871d-68e8-401b-99dc-011341d65c3c
Verdict: Malicious activity
Analysis date: January 16, 2025, 04:44:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: xor-url, generic, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 0829043F449E2C2E5B8892314CD9E0F9
SHA1: 19A4D985DD6F01AF7AD343524459FC7BE36E8E0C
SHA256: C7D01D0489848BD069BAF4D27FF1358ACDBA405AE46543D1FD17FAE1BCFF47D8
SSDEEP: 49152:g26DVWwFnP/xaLmzsKs+L6UTBQvCLM4t3C34xDy7zncJUkfEijb+boZNjM0vO6p7:G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 628)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 5576)
    • Changes the autorun value in the registry

      • reg.exe (PID: 6688)
    • XORed URL has been found (YARA)

      • autoplay.exe (PID: 6512)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 628)
      • autoplay.exe (PID: 5576)
    • Reads security settings of Internet Explorer

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 5576)
    • Starts CMD.EXE for commands execution

      • ftp.exe (PID: 6608)
      • ftp.exe (PID: 6720)
      • cmd.exe (PID: 6776)
      • ftp.exe (PID: 7024)
      • cmd.exe (PID: 7080)
      • cmd.exe (PID: 5748)
      • ftp.exe (PID: 4076)
      • cmd.exe (PID: 6640)
      • ftp.exe (PID: 6888)
      • ftp.exe (PID: 6692)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 7048)
      • ftp.exe (PID: 2144)
      • cmd.exe (PID: 1200)
      • ftp.exe (PID: 4716)
    • Executable content was dropped or overwritten

      • autoplay.exe (PID: 6512)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6672)
    • Executing commands from ".cmd" file

      • ftp.exe (PID: 6720)
      • cmd.exe (PID: 6776)
      • ftp.exe (PID: 7024)
      • cmd.exe (PID: 7080)
      • cmd.exe (PID: 5748)
      • ftp.exe (PID: 4076)
      • cmd.exe (PID: 6640)
      • ftp.exe (PID: 6888)
      • ftp.exe (PID: 6692)
      • cmd.exe (PID: 6992)
      • ftp.exe (PID: 2144)
      • cmd.exe (PID: 7048)
      • ftp.exe (PID: 4716)
      • cmd.exe (PID: 1200)
    • Application launched itself

      • cmd.exe (PID: 6776)
      • cmd.exe (PID: 7080)
      • cmd.exe (PID: 5748)
      • cmd.exe (PID: 7048)
      • cmd.exe (PID: 6640)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 1200)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 7096)
      • cmd.exe (PID: 4592)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 7016)
      • cmd.exe (PID: 7088)
      • cmd.exe (PID: 4932)
    • The executable file from the user directory is run by the CMD process

      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 628)
      • autoplay.exe (PID: 5576)
  • INFO

    • Reads the computer name

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 5576)
    • Checks supported languages

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 5576)
    • Create files in a temporary directory

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 628)
    • Checks proxy server information

      • autoplay.exe (PID: 6512)
      • autoplay.exe (PID: 6892)
      • autoplay.exe (PID: 6308)
      • autoplay.exe (PID: 3836)
      • autoplay.exe (PID: 6820)
      • autoplay.exe (PID: 3576)
      • autoplay.exe (PID: 5576)
    • UPX packer has been detected

      • autoplay.exe (PID: 6512)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:12 23:44:26+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 7232000
InitializedDataSize: 44544
UninitializedDataSize: -
EntryPoint: 0x6d8744
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: Adobe Systems Incorporated
FileDescription: AutoPlay
FileVersion: 6
InternalName: AutoPlay
LegalCopyright: © 1990-2008 Adobe Systems Incorporated
OriginalFileName: AutoPlay.exe
ProductName: Autoplay
ProductVersion: 6
No data.
Total processes: 187
Monitored processes: 61
Malicious processes: 21
Suspicious processes: 9

Behavior graph

(Interactive graph, rendered in the full report. Node order as listed: autoplay.exe (#XOR-URL), ftp.exe, conhost.exe, cmd.exe, reg.exe, followed by seven repetitions of ftp.exe, conhost.exe, cmd.exe, cmd.exe, xcopy.exe, xcopy.exe, timeout.exe, autoplay.exe. Every node after the first is marked "no specs", i.e. carries no specific indicators.)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 628
CMD: "C:\Users\admin\AppData\Local\Temp\autoplay.exe"
Path: C:\Users\admin\AppData\Local\Temp\autoplay.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: AutoPlay
Version: 6.0
Modules (images):
c:\users\admin\appdata\local\temp\autoplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 776
CMD: Xcopy /E /I "C:\Users\admin\AppData\Local\Temp\Autoplay" "C:\Users\admin\AppData\Local\Temp\Autoplay"
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extended Copy Utility
Exit code: 4
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll
PID: 1200
CMD: C:\WINDOWS\system32\cmd.exe /C start /b C:\Users\admin\AppData\Local\Temp\__winexp_tmp.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: ftp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2144
CMD: C:\Windows\System32\ftp.exe -s:C:\Users\admin\AppData\Local\Temp\__winexp_log.txt
Path: C:\Windows\System32\ftp.exe
Parent process: autoplay.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: File Transfer Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ftp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
PID: 2792
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ftp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3436
CMD: Xcopy /E /I "C:\Users\admin\AppData\Local\Temp\Autoplay" "C:\Users\admin\AppData\Local\Temp\Autoplay"
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extended Copy Utility
Exit code: 4
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\ulib.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll
PID: 3524
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ftp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3576
CMD: "C:\Users\admin\AppData\Local\Temp\autoplay.exe"
Path: C:\Users\admin\AppData\Local\Temp\autoplay.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: AutoPlay
Version: 6.0
Modules (images):
c:\users\admin\appdata\local\temp\autoplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3836
CMD: "C:\Users\admin\AppData\Local\Temp\autoplay.exe"
Path: C:\Users\admin\AppData\Local\Temp\autoplay.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: AutoPlay
Version: 6.0
Modules (images):
c:\users\admin\appdata\local\temp\autoplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4076
CMD: C:\Windows\System32\ftp.exe -s:C:\Users\admin\AppData\Local\Temp\__winexp_log.txt
Path: C:\Windows\System32\ftp.exe
Parent process: autoplay.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: File Transfer Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ftp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\napinsp.dll
Total events: 5 417
Read events: 5 416
Write events: 1
Delete events: 0

Modification events

(PID) Process: (6688) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AdobeUpdater
Value: C:\Users\admin\AppData\Local\Temp\AdobeUpdater.exe
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID: 6512, Process: autoplay.exe
Filename: C:\Users\admin\AppData\Local\Temp\__winexp_log.txt
Type: binary
MD5: B37B51DA89A40833E15D9DEE2ABE69BA
SHA256: 87852C3ACD9737B1F11C0A6829738CFFE5CF9A1E104F12A05B30013DB398323B

PID: 6512, Process: autoplay.exe
Filename: C:\Users\admin\AppData\Local\Temp\AdobeUpdater.exe
Type: executable
MD5: 0829043F449E2C2E5B8892314CD9E0F9
SHA256: C7D01D0489848BD069BAF4D27FF1358ACDBA405AE46543D1FD17FAE1BCFF47D8

PID: 6512, Process: autoplay.exe
Filename: C:\Users\admin\AppData\Local\Temp\__winexp_tmp.cmd
Type: text
MD5: F831C311278E99B889C75BE1A758EA3C
SHA256: 465D6E4855607577638862492F8531692DCF837141B9449A66ED2AFE29D8151E

PID: 6512, Process: autoplay.exe
Filename: C:\Users\admin\AppData\Local\Temp\__ms_edge_cache
Type: binary
MD5: F92B48E377F1BC1CA0B2AA3473610901
SHA256: 20898A6E67FF82292B5D40AA79013B8E7896D1858FE6AC89254FBDDDEBA97DC5
HTTP(S) requests: 7
TCP/UDP connections: 32
DNS requests: 26
Threats: 0

HTTP requests

Fields: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (fields absent from the report are left out of a row)

GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6532 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
3696 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6532 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

Fields: PID | Process | IP | Domain | ASN | CN | Reputation (fields absent from the report are left out of a row)

4 | System | 192.168.100.255:137 | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3628 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Fields: Domain | IP(s) | Reputation

settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 142.250.181.238 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.bing.com | 2.23.227.215, 2.23.227.208 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
login.live.com | 20.190.159.75, 40.126.31.69, 40.126.31.73, 20.190.159.23, 20.190.159.2, 20.190.159.0, 40.126.31.71, 20.190.159.64 | whitelisted
djkd0eio3mkvfkseow.com | - | unknown
go.microsoft.com | 2.23.242.9 | whitelisted
arc.msn.com | 20.223.36.55 | whitelisted

Threats

No threats detected
No debug info