File name: openBVE-1.9.2.7-setup.exe

Full analysis: https://app.any.run/tasks/f4abfa36-f653-44d7-ac90-8a98eab1a554
Verdict: Malicious activity
Analysis date: March 09, 2024, 06:16:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 20BB64D5CFE9B89ED9CCBF0B3EFE9758
SHA1: FEF888B3A5EC4ABB8523D5BF5C117D2397CB24CB
SHA256: CF9C71B87B73ABE039B6C0E528F8D3B8289313D72A26CB5255CC9EC3E502FB6B
SSDEEP: 196608:YQ3uI2qABuMcDxXTQaWpUAewSHdd5kQLHmN:3lWuaurk5N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • openBVE-1.9.2.7-setup.exe (PID: 3864)
      • openBVE-1.9.2.7-setup.exe (PID: 3944)
      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • openBVE-1.9.2.7-setup.exe (PID: 3944)
      • openBVE-1.9.2.7-setup.exe (PID: 3864)
      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Reads the Windows owner or organization settings

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Process drops legitimate windows executable

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Reads the Internet Settings

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Reads security settings of Internet Explorer

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Non-standard symbols in registry

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
  • INFO

    • Reads the computer name

      • openBVE-1.9.2.7-setup.tmp (PID: 1432)
      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
      • OpenBve.exe (PID: 2908)
    • Checks supported languages

      • openBVE-1.9.2.7-setup.exe (PID: 3944)
      • openBVE-1.9.2.7-setup.tmp (PID: 1432)
      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
      • openBVE-1.9.2.7-setup.exe (PID: 3864)
      • OpenBve.exe (PID: 2908)
    • Create files in a temporary directory

      • openBVE-1.9.2.7-setup.exe (PID: 3944)
      • openBVE-1.9.2.7-setup.exe (PID: 3864)
    • Creates files in the program directory

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Creates a software uninstall entry

      • openBVE-1.9.2.7-setup.tmp (PID: 3228)
    • Creates files or folders in the user directory

      • OpenBve.exe (PID: 2908)
    • Reads the machine GUID from the registry

      • OpenBve.exe (PID: 2908)
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:12 11:15:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 37888
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: The OpenBVE Project
FileDescription: openBVE Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: openBVE
ProductVersion: 1.9.2.7
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph: openbve-1.9.2.7-setup.exe, openbve-1.9.2.7-setup.tmp (no specs), openbve-1.9.2.7-setup.exe, openbve-1.9.2.7-setup.tmp, openbve.exe (no specs)

Process information

PID: 1432
CMD: "C:\Users\admin\AppData\Local\Temp\is-TA32V.tmp\openBVE-1.9.2.7-setup.tmp" /SL5="$E0170,13557397,721408,C:\Users\admin\AppData\Local\Temp\openBVE-1.9.2.7-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-TA32V.tmp\openBVE-1.9.2.7-setup.tmp
Parent process: openBVE-1.9.2.7-setup.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-ta32v.tmp\openbve-1.9.2.7-setup.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mpr.dll
  c:\windows\system32\comdlg32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 2908
CMD: "C:\Program Files\openBVE\OpenBve.exe"
Path: C:\Program Files\openBVE\OpenBve.exe
Parent process: openBVE-1.9.2.7-setup.tmp
User: admin
Integrity Level: HIGH
Description: OpenBVE
Exit code: 0
Version: 1.9.2.7
Modules (images):
  c:\program files\openbve\openbve.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3228
CMD: "C:\Users\admin\AppData\Local\Temp\is-4SDEU.tmp\openBVE-1.9.2.7-setup.tmp" /SL5="$100130,13557397,721408,C:\Users\admin\AppData\Local\Temp\openBVE-1.9.2.7-setup.exe" /SPAWNWND=$18013E /NOTIFYWND=$E0170
Path: C:\Users\admin\AppData\Local\Temp\is-4SDEU.tmp\openBVE-1.9.2.7-setup.tmp
Parent process: openBVE-1.9.2.7-setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-4sdeu.tmp\openbve-1.9.2.7-setup.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mpr.dll
  c:\windows\system32\comdlg32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 3864
CMD: "C:\Users\admin\AppData\Local\Temp\openBVE-1.9.2.7-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\openBVE-1.9.2.7-setup.exe
Parent process: explorer.exe
User: admin
Company: The OpenBVE Project
Integrity Level: MEDIUM
Description: openBVE Setup
Exit code: 0
Version:
Modules (images):
  c:\users\admin\appdata\local\temp\openbve-1.9.2.7-setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3944
CMD: "C:\Users\admin\AppData\Local\Temp\openBVE-1.9.2.7-setup.exe" /SPAWNWND=$18013E /NOTIFYWND=$E0170
Path: C:\Users\admin\AppData\Local\Temp\openBVE-1.9.2.7-setup.exe
Parent process: openBVE-1.9.2.7-setup.tmp
User: admin
Company: The OpenBVE Project
Integrity Level: HIGH
Description: openBVE Setup
Exit code: 0
Version:
Modules (images):
  c:\users\admin\appdata\local\temp\openbve-1.9.2.7-setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
Total events: 6 322
Read events: 6 275
Write events: 41
Delete events: 6

Modification events

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 9C0C000002C0A14BE971DA01

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 3DBDC2B63E1D1C0F3A87F09B79E131E19AB8A132982AA10553A5E7A45BD8B71E

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\openBVE\AssimpParser.dll

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: CE2E44BE35B80273FFE1CE80859A87418CF8224D78600BFDB12D80984CCFB3FE

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D617A45D-C2F6-44D1-A85C-CA7FFA91F7FC}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.0.3 (u)

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D617A45D-C2F6-44D1-A85C-CA7FFA91F7FC}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\openBVE

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D617A45D-C2F6-44D1-A85C-CA7FFA91F7FC}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\openBVE\

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D617A45D-C2F6-44D1-A85C-CA7FFA91F7FC}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: openBVE

(PID) Process: (3228) openBVE-1.9.2.7-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D617A45D-C2F6-44D1-A85C-CA7FFA91F7FC}_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files: 170
Suspicious files: 45
Text files: 1 527
Unknown types: 30

Dropped files

PID: 3864 | Process: openBVE-1.9.2.7-setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-TA32V.tmp\openBVE-1.9.2.7-setup.tmp | Type: executable
MD5: 84DB4B4205F705DA71471DC6ECC061F5
SHA256: 647983EBDE53E0501FF1AF8EF6190DFEEA5CCC64CAF7DCE808F1E3D98FB66A3C

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\AssimpParser.dll | Type: executable
MD5: B05CD2C6D62BFFC2037C6B22F670E72B
SHA256: 61DA64A23FEA00475A0236E3B52346EF06C28FA7A9074B4B958FB8C36E2B7419

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\is-RGPKL.tmp | Type: executable
MD5: B12AA6C7611F3A1973EFF582B0B1D0C3
SHA256: F0EE3843872DD93C5FCBABFC521A6438B8396D2BE111C59E3FF3ECB874DC22EC

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\unins000.exe | Type: executable
MD5: B12AA6C7611F3A1973EFF582B0B1D0C3
SHA256: F0EE3843872DD93C5FCBABFC521A6438B8396D2BE111C59E3FF3ECB874DC22EC

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\is-BRKBG.tmp | Type: xml
MD5: 9C643FF93C60721F729E172274124B7F
SHA256: 363EC7F9548FEAE0407279FDFF87EAB05616C6DA9D4BFF9AF9E936FC55C4F568

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\CarXmlConvertor.exe | Type: executable
MD5: 5C43840B92EB302EB7ED314C066021A8
SHA256: 105F49F73CD8F4F9C52E0C2CCD0DBAA4114602FB62C0FF6DD96AA974EF839AD3

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\is-87QD5.tmp | Type: executable
MD5: 5C43840B92EB302EB7ED314C066021A8
SHA256: 105F49F73CD8F4F9C52E0C2CCD0DBAA4114602FB62C0FF6DD96AA974EF839AD3

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\is-DTV4E.tmp | Type: xml
MD5: 233985D93B2DC59EB5E2FF8C0BC505AB
SHA256: 28D7474E24FBB2E9ED3784B7158F34F2F8813C7959CEBBA6D524F8CE5127AF85

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\CarXmlConvertor.exe.config | Type: xml
MD5: 233985D93B2DC59EB5E2FF8C0BC505AB
SHA256: 28D7474E24FBB2E9ED3784B7158F34F2F8813C7959CEBBA6D524F8CE5127AF85

PID: 3228 | Process: openBVE-1.9.2.7-setup.tmp | Filename: C:\Program Files\openBVE\is-82VC5.tmp | Type: binary
MD5: 8C6DAEBAF839DA37D596E393E96AE019
SHA256: 47304C5E01406C0C78D8A481E980D9031BF9D5CD991570304C25AE3B238A401C
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                   Domain  ASN  CN  Reputation
4     System       192.168.100.255:138  -       -    -   whitelisted
4     System       192.168.100.255:137  -       -    -   whitelisted
-     -            224.0.0.252:5355     -       -    -   unknown
1080  svchost.exe  224.0.0.252:5355     -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info