File name: autoplay.exe
Full analysis: https://app.any.run/tasks/ecd248d7-3294-4fad-a2e1-b848caea3013
Verdict: Malicious activity
Analysis date: January 16, 2025, 05:20:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 0829043F449E2C2E5B8892314CD9E0F9
SHA1: 19A4D985DD6F01AF7AD343524459FC7BE36E8E0C
SHA256: C7D01D0489848BD069BAF4D27FF1358ACDBA405AE46543D1FD17FAE1BCFF47D8
SSDEEP: 49152:g26DVWwFnP/xaLmzsKs+L6UTBQvCLM4t3C34xDy7zncJUkfEijb+boZNjM0vO6p7:G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • autoplay.exe (PID: 6404)
      • autoplay.exe (PID: 6992)
      • autoplay.exe (PID: 7020)
      • autoplay.exe (PID: 7092)
    • XORed URL has been found (YARA)

      • autoplay.exe (PID: 6404)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • autoplay.exe (PID: 6404)
    • Executable content was dropped or overwritten

      • autoplay.exe (PID: 6404)
    • Executing commands from ".cmd" file

      • ftp.exe (PID: 6812)
      • cmd.exe (PID: 6872)
    • Starts CMD.EXE for commands execution

      • ftp.exe (PID: 6812)
      • cmd.exe (PID: 6872)
    • Application launched itself

      • cmd.exe (PID: 6872)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6888)
    • The executable file from the user directory is run by the CMD process

      • autoplay.exe (PID: 6992)
      • autoplay.exe (PID: 7020)
      • autoplay.exe (PID: 7092)
  • INFO

    • Reads the computer name

      • autoplay.exe (PID: 6404)
      • autoplay.exe (PID: 7092)
    • Checks proxy server information

      • autoplay.exe (PID: 6404)
    • Checks supported languages

      • autoplay.exe (PID: 6404)
      • autoplay.exe (PID: 7092)
    • Create files in a temporary directory

      • autoplay.exe (PID: 6404)
    • The sample was compiled with English language support

      • autoplay.exe (PID: 6404)
    • The process uses the downloaded file

      • cmd.exe (PID: 6888)
    • UPX packer has been detected

      • autoplay.exe (PID: 6404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:12 23:44:26+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 7232000
InitializedDataSize: 44544
UninitializedDataSize: -
EntryPoint: 0x6d8744
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: Adobe Systems Incorporated
FileDescription: AutoPlay
FileVersion: 6
InternalName: AutoPlay
LegalCopyright: © 1990-2008 Adobe Systems Incorporated
OriginalFileName: AutoPlay.exe
ProductName: Autoplay
ProductVersion: 6
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Processes shown in the graph: autoplay.exe (#XOR-URL), ftp.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), xcopy.exe (no specs), xcopy.exe (no specs), timeout.exe (no specs), autoplay.exe (no specs), autoplay.exe (no specs), autoplay.exe

Process information

PID
CMD
Path
Indicators
Parent process

PID: 6404
CMD: "C:\Users\admin\Desktop\autoplay.exe"
Path: C:\Users\admin\Desktop\autoplay.exe
Parent process: explorer.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: AutoPlay
Version: 6.0
Modules (images):
c:\users\admin\desktop\autoplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 6812
CMD: C:\Windows\System32\ftp.exe -s:C:\Users\admin\AppData\Local\Temp\__winexp_log.txt
Path: C:\Windows\System32\ftp.exe
Parent process: autoplay.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: File Transfer Program
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ftp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll

PID: 6824
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ftp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6872
CMD: C:\WINDOWS\system32\cmd.exe /C start /b C:\Users\admin\AppData\Local\Temp\__winexp_tmp.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: ftp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 6888
CMD: C:\WINDOWS\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\__winexp_tmp.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 6916
CMD: Xcopy /E /I "C:\Users\admin\Desktop\Adobe 2024" "C:\Users\admin\AppData\Local\Temp\Adobe 2024"
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extended Copy Utility
Exit code: 4
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ulib.dll

PID: 6940
CMD: Xcopy /E /I "C:\Users\admin\Desktop\Autoplay" "C:\Users\admin\AppData\Local\Temp\Autoplay"
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extended Copy Utility
Exit code: 4
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll

PID: 6964
CMD: timeout 3
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 6992
CMD: "C:\Users\admin\AppData\Local\Temp\autoplay.exe"
Path: C:\Users\admin\AppData\Local\Temp\autoplay.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: AutoPlay
Exit code: 3221226540
Version: 6.0
Modules (images):
c:\users\admin\appdata\local\temp\autoplay.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7020
CMD: "C:\Users\admin\AppData\Local\Temp\autoplay.exe"
Path: C:\Users\admin\AppData\Local\Temp\autoplay.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: AutoPlay
Exit code: 3221226540
Version: 6.0
Modules (images):
c:\users\admin\appdata\local\temp\autoplay.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 1 033
Read events: 1 033
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6404 | autoplay.exe | C:\Users\admin\AppData\Local\Temp\AdobeUpdater.exe | executable
  MD5: 0829043F449E2C2E5B8892314CD9E0F9
  SHA256: C7D01D0489848BD069BAF4D27FF1358ACDBA405AE46543D1FD17FAE1BCFF47D8
6404 | autoplay.exe | C:\Users\admin\AppData\Local\Temp\autoplay.exe | executable
  MD5: 76EF16E94F77454AAFFDFA4C700BE85F
  SHA256: 3B9DABD99DC58A5242616CB6D1D876BCA3046119A9B150C7D7868BF02202EA82
6404 | autoplay.exe | C:\Users\admin\AppData\Local\Temp\__winexp_log.txt | binary
  MD5: B37B51DA89A40833E15D9DEE2ABE69BA
  SHA256: 87852C3ACD9737B1F11C0A6829738CFFE5CF9A1E104F12A05B30013DB398323B
6404 | autoplay.exe | C:\Users\admin\AppData\Local\Temp\__winexp_tmp.cmd | text
  MD5: BEF2BBBB30484ABF6626B6DBD950FBBE
  SHA256: F1A65BAA9341FC89B992D3B2EAAFE729E4819C359F38DEBE813D506DFC250315
6404 | autoplay.exe | C:\Users\admin\AppData\Local\Temp\__ms_edge_cache | binary
  MD5: 7960B003747515DF0DDD9C2801ADAD8C
  SHA256: 81EB52AB4C351BDFA3DD71E6DBE59A2D28F3BE22B0AFED0F4743B41FECD701E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 31
DNS requests: 18
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (empty cells are omitted from each row)

GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5788 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5788 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6016 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (empty cells are omitted from each row)

51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1176 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2.23.242.9:443 | go.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.14
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.136
  • 40.126.32.134
whitelisted
djkd0eio3mkvfkseow.com
unknown
go.microsoft.com
  • 2.23.242.9
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
No debug info