File name: NewActive.exe
Full analysis: https://app.any.run/tasks/5a2de05f-b3a3-4118-9ed8-25c97a9e7838
Verdict: Malicious activity
Analysis date: March 20, 2024, 11:09:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 48646C40120925C774754E5DE36C33CC
SHA1: 35B7CF02001365714A75861809BA59C462E253D8
SHA256: D2C3E10AACA5234FB3FEECC01E5637170F1B60F02DC676FE5EA7C54F1B97B7AD
SSDEEP: 98304:ECE8bCjumk44SJBy1ngCzCDkei07ssB4d55sWAc8NNzBn783FUhXoEFvidaVsaCN:L2IPXARjtxTJEkCr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Registers / Runs the DLL via REGSVR32.EXE

      • irsetup.exe (PID: 1496)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Reads the Internet Settings

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Reads security settings of Internet Explorer

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Reads the Windows owner or organization settings

      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 1496)
    • Starts CMD.EXE for commands execution

      • irsetup.exe (PID: 1496)
    • Executing commands from a ".bat" file

      • irsetup.exe (PID: 1496)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1888)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2184)
  • INFO

    • Checks supported languages

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Reads the computer name

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Create files in a temporary directory

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 1496)
    • Creates files in the program directory

      • irsetup.exe (PID: 1496)
    • Manual execution by a user

      • uninstall.exe (PID: 1808)
      • uninstall.exe (PID: 2788)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.8)
.exe | Win32 EXE Yoda's Crypter (36.4)
.dll | Win32 Dynamic Link Library (generic) (9)
.exe | Win32 Executable (generic) (6.1)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:14 16:16:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 22528
InitializedDataSize: 48128
UninitializedDataSize: -
EntryPoint: 0x29e1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Created with Setup Factory
FileDescription: Setup Application
FileVersion: 9.1.0.0
InternalName: suf_launch
LegalCopyright: Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFileName: suf_launch.exe
ProductName: Setup Factory Runtime
ProductVersion: 9.1.0.0
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Behavior graph nodes: start, newactive.exe, irsetup.exe, regsvr32.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), uninstall.exe (no specs), uninstall.exe, newactive.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 240
CMD: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npGuide.dll" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1496
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\admin\Desktop\NewActive.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Parent process: NewActive.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
0
Version:
9.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 1572
CMD: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npGuide.dll" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1808
CMD: "C:\Windows\NetSurveillance\uninstall.exe" "/U:C:\Windows\NetSurveillance\Uninstall\uninstall.xml"
Path: C:\Windows\NetSurveillance\uninstall.exe
Parent process: explorer.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
MEDIUM
Description:
Setup Application
Exit code:
3221226540
Version:
9.1.0.0
Modules
Images
c:\windows\netsurveillance\uninstall.exe
c:\windows\system32\ntdll.dll
PID: 1860
CMD: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npWebPlugin.dll" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1888
CMD: C:\Windows\system32\cmd.exe /c ""C:\Program Files\NetSurveillance\CMS\reg.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: irsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1992
CMD: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npWebPlugin.dll" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2120
CMD: "C:\Users\admin\Desktop\NewActive.exe"
Path: C:\Users\admin\Desktop\NewActive.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup Application
Exit code:
3221226540
Version:
9.1.0.0
Modules
Images
c:\users\admin\desktop\newactive.exe
c:\windows\system32\ntdll.dll
PID: 2184
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\NetSurveillance\CMS\web.ocx"
Path: C:\Windows\System32\regsvr32.exe
Parent process: irsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2292
CMD: "C:\Users\admin\Desktop\NewActive.exe"
Path: C:\Users\admin\Desktop\NewActive.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
0
Version:
9.1.0.0
Modules
Images
c:\users\admin\desktop\newactive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 4 872
Read events: 4 842
Write events: 30
Delete events: 0

Modification events

(PID) Process: (2292) NewActive.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2292) NewActive.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2292) NewActive.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2292) NewActive.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1496) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: DisplayName
Value: NetSurveillance

(PID) Process: (1496) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: NoModify
Value: 1

(PID) Process: (1496) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: NoRepair
Value: 1

(PID) Process: (1496) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: UninstallString
Value: "C:\Windows\NetSurveillance\uninstall.exe" "/U:C:\Windows\NetSurveillance\Uninstall\uninstall.xml"

(PID) Process: (1496) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: Contact
Value: Ö§³Ö²¿ÃÅ (GBK-encoded string "支持部门", rendered as Latin-1 in the report)

(PID) Process: (1496) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: InstallLocation
Value: C:\Program Files\NetSurveillance\CMS
Executable files: 13
Suspicious files: 6
Text files: 45
Unknown types: 3

Dropped files

PID | Process | Filename | Type
1496 | irsetup.exe | C:\Program Files\NetSurveillance\CMS\mp_channel.JPG | image
MD5: 0C47ED6CD47314B14314E876DC08DE0A
SHA256: 2F6ED1882504D41908EF5E4106A392257010F24D2094D534457E5FA4C3A967D5
1496 | irsetup.exe | C:\Windows\NetSurveillance\Uninstall\uninstall.dat | binary
MD5: 8C5020D652C9E77D4BCD68AC8B7180A3
SHA256: 802DEF85AEB79C9DF455C768115E5503AEBE88DFF20116E74523E7967B1A0D6F
2292 | NewActive.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll | executable
MD5: B5FC476C1BF08D5161346CC7DD4CB0BA
SHA256: 12CB9B8F59C00EF40EA8F28BFC59A29F12DC28332BF44B1A5D8D6A8823365650
1496 | irsetup.exe | C:\Program Files\NetSurveillance\CMS\ConfigModule.ini | ini
MD5: B9C60F4370A3DEB17AE3731907549A91
SHA256: EA1D6B6A7FC0040FCFDCCED6EA1877ED7EDF77BD3F118A5F6A3CC4BC06DE4385
1496 | irsetup.exe | C:\Program Files\NetSurveillance\CMS\dlg_right.bmp | image
MD5: 43D2127525BDF1D889FB3446AB89C08C
SHA256: BFE6B2D6E7A25E8CA44A09476CCDFAC4AA87EC77D88CC39CE0FC2B389AA601C2
1496 | irsetup.exe | C:\Windows\NetSurveillance\Uninstall\uni68F6.tmp | binary
MD5: D16A9BF0513C609BE4F0E7537E284FE6
SHA256: 40AD3CE414405615D1A2BA50A9D41CA36DAD9512DA8775E81A1DCAA67374C0A3
1496 | irsetup.exe | C:\Program Files\NetSurveillance\CMS\mp_thumb.JPG | image
MD5: 019B6EF1743DD24A6D9A970979B65255
SHA256: 5079C33ACED132997F65C49BB70ADCA663C565B2A6653E29705720D1AD265192
1496 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG | image
MD5: 8D774F6D54492A39B8C10832BDFE44FA
SHA256: F68D37B790E727228A0846996024F7624CDDD463730CD087123A4BD9B3ED4389
1496 | irsetup.exe | C:\Program Files\NetSurveillance\CMS\ConfigModule.dll | executable
MD5: 9439BBC6C6FEA58D47794AF6CCD6D422
SHA256: F14F35F95C1F0EA6E2D52D9F54016013B77ABD5E170861B5585191FBC17ADCFF
1496 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat | binary
MD5: F9A9AA09ADD991E9F8F622995CEE44D4
SHA256: 2C78BDA6A7EAB2EFDCD3CACBD5B9244FD76467016CCAA9204C89E04D1FA14471
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info