File name:

NewActive.exe

Full analysis: https://app.any.run/tasks/5a2de05f-b3a3-4118-9ed8-25c97a9e7838
Verdict: Malicious activity
Analysis date: March 20, 2024, 11:09:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

48646C40120925C774754E5DE36C33CC

SHA1:

35B7CF02001365714A75861809BA59C462E253D8

SHA256:

D2C3E10AACA5234FB3FEECC01E5637170F1B60F02DC676FE5EA7C54F1B97B7AD

SSDEEP:

98304:ECE8bCjumk44SJBy1ngCzCDkei07ssB4d55sWAc8NNzBn783FUhXoEFvidaVsaCN:L2IPXARjtxTJEkCr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Registers / Runs the DLL via REGSVR32.EXE

      • irsetup.exe (PID: 1496)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Reads the Internet Settings

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Reads security settings of Internet Explorer

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
    • Reads the Windows owner or organization settings

      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 1496)
    • Starts CMD.EXE for commands execution

      • irsetup.exe (PID: 1496)
    • Executing commands from a ".bat" file

      • irsetup.exe (PID: 1496)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1888)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2184)
  • INFO

    • Checks supported languages

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Reads the computer name

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Create files in a temporary directory

      • NewActive.exe (PID: 2292)
      • irsetup.exe (PID: 1496)
      • uninstall.exe (PID: 2788)
    • Creates files in the program directory

      • irsetup.exe (PID: 1496)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 1496)
    • Manual execution by a user

      • uninstall.exe (PID: 1808)
      • uninstall.exe (PID: 2788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.8)
.exe | Win32 EXE Yoda's Crypter (36.4)
.dll | Win32 Dynamic Link Library (generic) (9)
.exe | Win32 Executable (generic) (6.1)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:14 16:16:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 22528
InitializedDataSize: 48128
UninitializedDataSize: -
EntryPoint: 0x29e1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.1.0.0
ProductVersionNumber: 9.1.0.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Created with Setup Factory
FileDescription: Setup Application
FileVersion: 9.1.0.0
InternalName: suf_launch
LegalCopyright: Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
OriginalFileName: suf_launch.exe
ProductName: Setup Factory Runtime
ProductVersion: 9.1.0.0
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in start order ("no specs" marks processes without notable indicators): newactive.exe, irsetup.exe, regsvr32.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), uninstall.exe (no specs), uninstall.exe, newactive.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

240 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npGuide.dll" /f | C:\Windows\System32\reg.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1496 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\admin\Desktop\NewActive.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000" | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | - | NewActive.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
0
Version:
9.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
1572 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npGuide.dll" /f | C:\Windows\System32\reg.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1808 | "C:\Windows\NetSurveillance\uninstall.exe" "/U:C:\Windows\NetSurveillance\Uninstall\uninstall.xml" | C:\Windows\NetSurveillance\uninstall.exe | - | explorer.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
MEDIUM
Description:
Setup Application
Exit code:
3221226540
Version:
9.1.0.0
Modules
Images
c:\windows\netsurveillance\uninstall.exe
c:\windows\system32\ntdll.dll
1860 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npWebPlugin.dll" /f | C:\Windows\System32\reg.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1888 | C:\Windows\system32\cmd.exe /c ""C:\Program Files\NetSurveillance\CMS\reg.bat" " | C:\Windows\System32\cmd.exe | - | irsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1992 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files\NetSurveillance\CMS\npWebPlugin.dll" /f | C:\Windows\System32\reg.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2120 | "C:\Users\admin\Desktop\NewActive.exe" | C:\Users\admin\Desktop\NewActive.exe | - | explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup Application
Exit code:
3221226540
Version:
9.1.0.0
Modules
Images
c:\users\admin\desktop\newactive.exe
c:\windows\system32\ntdll.dll
2184 | "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\NetSurveillance\CMS\web.ocx" | C:\Windows\System32\regsvr32.exe | - | irsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2292 | "C:\Users\admin\Desktop\NewActive.exe" | C:\Users\admin\Desktop\NewActive.exe | - | explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
0
Version:
9.1.0.0
Modules
Images
c:\users\admin\desktop\newactive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 4 872
Read events: 4 842
Write events: 30
Delete events: 0

Modification events

Process: NewActive.exe (PID 2292)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: NewActive.exe (PID 2292)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: NewActive.exe (PID 2292)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: NewActive.exe (PID 2292)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: irsetup.exe (PID 1496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: DisplayName
Value: NetSurveillance

Process: irsetup.exe (PID 1496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: NoModify
Value: 1

Process: irsetup.exe (PID 1496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: NoRepair
Value: 1

Process: irsetup.exe (PID 1496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: UninstallString
Value: "C:\Windows\NetSurveillance\uninstall.exe" "/U:C:\Windows\NetSurveillance\Uninstall\uninstall.xml"

Process: irsetup.exe (PID 1496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: Contact
Value: 支持部门 (GBK bytes shown as Latin-1 in the report: Ö§³Ö²¿ÃÅ)

Process: irsetup.exe (PID 1496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetSurveillance
Operation: write
Name: InstallLocation
Value: C:\Program Files\NetSurveillance\CMS
Executable files: 13
Suspicious files: 6
Text files: 45
Unknown types: 3

Dropped files

PID | Process | Filename | Type

2292 | NewActive.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | executable
MD5: DEC931E86140139380EA0DF57CD132B6
SHA256: 5FFD4B20DCCFB84C8890ABDB780184A7651E760AEFBA4AB0C6FBA5B2A81F97D9

2292 | NewActive.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll | executable
MD5: B5FC476C1BF08D5161346CC7DD4CB0BA
SHA256: 12CB9B8F59C00EF40EA8F28BFC59A29F12DC28332BF44B1A5D8D6A8823365650

1496 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG | image
MD5: 977A39DF5F3A185495A661947F960FEE
SHA256: D47D72BB6F9F3667CA83B5F7F25D76CAA305B495C8F265EF467575D6BC5B2A35

1496 | irsetup.exe | C:\Windows\NetSurveillance\Uninstall\uni68F6.tmp | binary
MD5: D16A9BF0513C609BE4F0E7537E284FE6
SHA256: 40AD3CE414405615D1A2BA50A9D41CA36DAD9512DA8775E81A1DCAA67374C0A3

1496 | irsetup.exe | C:\Windows\NetSurveillance\uninstall.exe | executable
MD5: DEC931E86140139380EA0DF57CD132B6
SHA256: 5FFD4B20DCCFB84C8890ABDB780184A7651E760AEFBA4AB0C6FBA5B2A81F97D9

1496 | irsetup.exe | C:\Windows\NetSurveillance\Uninstall\uninstall.dat | binary
MD5: 8C5020D652C9E77D4BCD68AC8B7180A3
SHA256: 802DEF85AEB79C9DF455C768115E5503AEBE88DFF20116E74523E7967B1A0D6F

1496 | irsetup.exe | C:\Program Files\NetSurveillance\CMS\ConfigModule.ini | ini
MD5: B9C60F4370A3DEB17AE3731907549A91
SHA256: EA1D6B6A7FC0040FCFDCCED6EA1877ED7EDF77BD3F118A5F6A3CC4BC06DE4385

1496 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat | binary
MD5: F9A9AA09ADD991E9F8F622995CEE44D4
SHA256: 2C78BDA6A7EAB2EFDCD3CACBD5B9244FD76467016CCAA9204C89E04D1FA14471

1496 | irsetup.exe | C:\Windows\NetSurveillance\lua5.1.dll | executable
MD5: B5FC476C1BF08D5161346CC7DD4CB0BA
SHA256: 12CB9B8F59C00EF40EA8F28BFC59A29F12DC28332BF44B1A5D8D6A8823365650

1496 | irsetup.exe | C:\Windows\NetSurveillance\Uninstall\uninstall.xml | xml
MD5: 70F457B46DEAA9609DBF16BCB784E4B1
SHA256: C5410551E3ED6F341C7F9C71C9D9ECEDF3803FFF45ECE02BE3CE5A058865FDC6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info