File name: ac-11_30.exe

Full analysis: https://app.any.run/tasks/24ed1356-dfc2-4ca1-b6ef-afc3647d0ab6
Verdict: Malicious activity
Analysis date: January 18, 2024, 15:50:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FDACA0B08450AA333665BE8E76453999
SHA1: 1B5991E4957E6CABBC98E7462C5198F624A0E69B
SHA256: C84A505D381A2B6959CBC488948B315D797E73F84C7D40474395F04950F1334A
SSDEEP: 98304:3+cD4dn/BU9AOdS85aSMQZr+05+IHt30/V1SA4gnxkaM/oAkoXFbWAU27VYZcXEa:/K2sW72h545

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ac-11_30.exe (PID: 2036)
      • ac-11_30.exe (PID: 548)
      • ac-11_30.tmp (PID: 532)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ac-11_30.tmp (PID: 532)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ac-11_30.exe (PID: 548)
      • ac-11_30.tmp (PID: 532)
      • ac-11_30.exe (PID: 2036)
    • Reads the Windows owner or organization settings

      • ac-11_30.tmp (PID: 532)
  • INFO

    • Checks supported languages

      • ac-11_30.exe (PID: 2036)
      • ac-11_30.tmp (PID: 1404)
      • ac-11_30.exe (PID: 548)
      • ac-11_30.tmp (PID: 532)
      • acmain.exe (PID: 1496)
    • Reads the computer name

      • ac-11_30.tmp (PID: 1404)
      • ac-11_30.tmp (PID: 532)
    • Creates files in a temporary directory

      • ac-11_30.exe (PID: 2036)
      • ac-11_30.exe (PID: 548)
      • ac-11_30.tmp (PID: 532)
    • Creates files in the program directory

      • ac-11_30.tmp (PID: 532)
    • Manual execution by a user

      • acmain.exe (PID: 1496)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 15:54:16+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 57344
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1130.2023.10.14
ProductVersionNumber: 1130.2023.10.14
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Romain Petges
FileDescription: Attribute Changer Installer for 32/64 bit Windows
FileVersion: 1130.2023.10.14
LegalCopyright: Copyright 1999 - 2023 Romain Petges
OriginalFileName:
ProductName: Attribute Changer
ProductVersion: 11.30
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

start → ac-11_30.exe → ac-11_30.tmp (no specs) → ac-11_30.exe → ac-11_30.tmp → regsvr32.exe (no specs)
acmain.exe (no specs)

Process information

PID: 532
CMD: "C:\Users\admin\AppData\Local\Temp\is-H3CES.tmp\ac-11_30.tmp" /SL5="$501AC,4434317,800256,C:\Users\admin\AppData\Local\Temp\ac-11_30.exe" /SPAWNWND=$501B2 /NOTIFYWND=$301AA
Path: C:\Users\admin\AppData\Local\Temp\is-H3CES.tmp\ac-11_30.tmp
Parent process: ac-11_30.exe
User:
admin
Company:
Romain Petges
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-h3ces.tmp\ac-11_30.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 548
CMD: "C:\Users\admin\AppData\Local\Temp\ac-11_30.exe" /SPAWNWND=$501B2 /NOTIFYWND=$301AA
Path: C:\Users\admin\AppData\Local\Temp\ac-11_30.exe
Parent process: ac-11_30.tmp
User:
admin
Company:
Romain Petges
Integrity Level:
HIGH
Description:
Attribute Changer Installer for 32/64 bit Windows
Exit code:
0
Version:
1130.2023.10.14
Modules
Images
c:\users\admin\appdata\local\temp\ac-11_30.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 1404
CMD: "C:\Users\admin\AppData\Local\Temp\is-TAAKU.tmp\ac-11_30.tmp" /SL5="$301AA,4434317,800256,C:\Users\admin\AppData\Local\Temp\ac-11_30.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-TAAKU.tmp\ac-11_30.tmp
Parent process: ac-11_30.exe
User:
admin
Company:
Romain Petges
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-taaku.tmp\ac-11_30.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1496
CMD: "C:\Program Files\Attribute Changer\acmain.exe"
Path: C:\Program Files\Attribute Changer\acmain.exe
Parent process: explorer.exe
User:
admin
Company:
Romain Petges
Integrity Level:
MEDIUM
Description:
Attribute Changer
Exit code:
0
Version:
1130.2023.10.14
Modules
Images
c:\program files\attribute changer\acmain.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1632
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Attribute Changer\acshell.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: ac-11_30.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\ac-11_30.exe"
Path: C:\Users\admin\AppData\Local\Temp\ac-11_30.exe
Parent process: explorer.exe
User:
admin
Company:
Romain Petges
Integrity Level:
MEDIUM
Description:
Attribute Changer Installer for 32/64 bit Windows
Exit code:
0
Version:
1130.2023.10.14
Modules
Images
c:\users\admin\appdata\local\temp\ac-11_30.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events: 1 385
Read events: 1 385
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 8
Suspicious files: 5
Text files: 4
Unknown types: 0

Dropped files

PID: 2036
Process: ac-11_30.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-TAAKU.tmp\ac-11_30.tmp
Type: executable
MD5: DD55A747F5A14AEF9181095092BFDCF8
SHA256: 1C610132C3735B4FFF0CE7EC39BFF0085AF3F2B1103366819437951B592E5245

PID: 532
Process: ac-11_30.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-DS228.tmp\paypal.bmp
Type: image
MD5: 80E5F46DC234B65DE72748B0345759C2
SHA256: BA217938924ACCAEA4FA3E840DB108B3C35EAC41DC8EDD821B62647F5DAC73E3

PID: 548
Process: ac-11_30.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-H3CES.tmp\ac-11_30.tmp
Type: executable
MD5: DD55A747F5A14AEF9181095092BFDCF8
SHA256: 1C610132C3735B4FFF0CE7EC39BFF0085AF3F2B1103366819437951B592E5245

PID: 532
Process: ac-11_30.tmp
Filename: C:\Program Files\Attribute Changer\unins000.exe
Type: executable
MD5: 988E15050EFF81FBF20879A6FBC84F9E
SHA256: 1EC4F3C740722E1768252D310B38A68CBF5F5DD3F5BC2246E52256FE09148F16

PID: 532
Process: ac-11_30.tmp
Filename: C:\Program Files\Attribute Changer\is-J2RKU.tmp
Type: executable
MD5: F410671213B4F486058574997182CA5C
SHA256: C03DC800F40E8E66B9F620AC53DCA693B5B5CF551C2F4808A7F3CF952D9FDBAB

PID: 532
Process: ac-11_30.tmp
Filename: C:\Program Files\Attribute Changer\acmain.exe
Type: executable
MD5: F410671213B4F486058574997182CA5C
SHA256: C03DC800F40E8E66B9F620AC53DCA693B5B5CF551C2F4808A7F3CF952D9FDBAB

PID: 532
Process: ac-11_30.tmp
Filename: C:\Program Files\Attribute Changer\acshell.dll
Type: executable
MD5: 77D5E6700743CC1C7899B229F594B00C
SHA256: 2E64F14957FEAB63EA0F8D300885B5BD9EF4110D099CED93197536BD46AAF01C

PID: 532
Process: ac-11_30.tmp
Filename: C:\Program Files\Attribute Changer\is-HVGTE.tmp
Type: executable
MD5: 77D5E6700743CC1C7899B229F594B00C
SHA256: 2E64F14957FEAB63EA0F8D300885B5BD9EF4110D099CED93197536BD46AAF01C

PID: 532
Process: ac-11_30.tmp
Filename: C:\Program Files\Attribute Changer\is-2L3GG.tmp
Type: executable
MD5: 988E15050EFF81FBF20879A6FBC84F9E
SHA256: 1EC4F3C740722E1768252D310B38A68CBF5F5DD3F5BC2246E52256FE09148F16

PID: 532
Process: ac-11_30.tmp
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Attribute Changer\User Guide.lnk
Type: binary
MD5: DB58C690AF16F0BAB5B2103468AFD151
SHA256: F8966BEC76C7AA802F05F195559354FD134644B295B8B0DFA4948BC724BD5604
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info