File name: WinCustomizer (No Escape).exe

Full analysis: https://app.any.run/tasks/513cc954-69fb-477a-85a1-1290296f50ba
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 07, 2024, 00:12:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
takemyfile
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5: 989AE3D195203B323AA2B3ADF04E9833
SHA1: 31A45521BC672ABCF64E50284CA5D4E6B3687DC8
SHA256: D30D7676A3B4C91B77D403F81748EBF6B8824749DB5F860E114A8A204BCA5B8F
SSDEEP: 12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TBJ:s487pcZEgwcDpg1L2tbPR2tJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinCustomizer (No Escape).exe (PID: 4000)
      • msiexec.exe (PID: 1856)
      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
    • Changes the login/logoff helper path in the registry

      • msiexec.exe (PID: 1856)
    • Connects to the CnC server

      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2400)
    • TAKEMYFILE has been detected (SURICATA)

      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2400)
  • SUSPICIOUS

    • Reads the Internet Settings

      • WinCustomizer (No Escape).exe (PID: 4000)
      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2400)
    • Reads security settings of Internet Explorer

      • WinCustomizer (No Escape).exe (PID: 4000)
      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2400)
    • Application launched itself

      • WinCustomizer (No Escape).exe (PID: 4000)
    • Executable content was dropped or overwritten

      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1856)
      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
  • INFO

    • Checks supported languages

      • WinCustomizer (No Escape).exe (PID: 4000)
      • WinCustomizer (No Escape).exe (PID: 864)
      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • msiexec.exe (PID: 1856)
      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2232)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
      • wmpnscfg.exe (PID: 444)
      • msiexec.exe (PID: 1028)
      • msiexec.exe (PID: 2400)
    • Reads the computer name

      • WinCustomizer (No Escape).exe (PID: 4000)
      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • msiexec.exe (PID: 1856)
      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2232)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
      • wmpnscfg.exe (PID: 444)
      • msiexec.exe (PID: 1028)
      • msiexec.exe (PID: 2400)
    • Manual execution by a user

      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • wmpnscfg.exe (PID: 444)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
    • Reads Environment values

      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • msiexec.exe (PID: 2092)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
      • msiexec.exe (PID: 2400)
    • Creates files or folders in the user directory

      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
    • Reads the machine GUID from the registry

      • Winlocker AKA (WinFix) Virus.exe (PID: 1580)
      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 1856)
      • msiexec.exe (PID: 2232)
      • Winlocker AKA (WinFix) Virus.exe (PID: 2324)
      • msiexec.exe (PID: 2400)
      • msiexec.exe (PID: 1028)
    • Application launched itself

      • msiexec.exe (PID: 1856)
    • Create files in a temporary directory

      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 1856)
      • msiexec.exe (PID: 2400)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1856)
    • Checks proxy server information

      • msiexec.exe (PID: 2092)
      • msiexec.exe (PID: 2400)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:29 09:09:24+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 14.28
CodeSize: 15360
InitializedDataSize: 1832960
UninitializedDataSize: -
EntryPoint: 0x1c640e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.6.6.6
ProductVersionNumber: 6.6.6.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Endermanch
FileDescription: Windows Customization Tool
FileVersion: 6.6.6.6
InternalName: WinCustomize.exe
LegalCopyright: Copyright (C) 2020
OriginalFileName: WinCustomize.exe
ProductName: Customization Tool
ProductVersion: 6.6.6.6
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Graph nodes, in rendered order: start; wincustomizer (no escape).exe (no specs); wincustomizer (no escape).exe; winlocker aka (winfix) virus.exe; msiexec.exe; msiexec.exe (no specs); #TAKEMYFILE msiexec.exe; msiexec.exe (no specs); wmpnscfg.exe (no specs); winlocker aka (winfix) virus.exe; msiexec.exe (no specs); #TAKEMYFILE msiexec.exe; msiexec.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 444
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\Users\admin\AppData\Local\Temp\WinCustomizer (No Escape).exe"
Path: C:\Users\admin\AppData\Local\Temp\WinCustomizer (No Escape).exe
Parent process: WinCustomizer (No Escape).exe
User: admin
Company: Endermanch
Integrity Level: HIGH
Description: Windows Customization Tool
Exit code: 0
Version: 6.6.6.6
Modules (Images):
c:\users\admin\appdata\local\temp\wincustomizer (no escape).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
PID: 1028
CMD: C:\Windows\system32\MsiExec.exe -Embedding 313C156D1B4FD0D4203B2991636CFC51 E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1580
CMD: "C:\Users\admin\Desktop\Winlocker AKA (WinFix) Virus.exe"
Path: C:\Users\admin\Desktop\Winlocker AKA (WinFix) Virus.exe
Parent process: explorer.exe
User: admin
Company: Windows
Integrity Level: MEDIUM
Description: This installer database contains the logic and data required to install Error file remover.
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\desktop\winlocker aka (winfix) virus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1604
CMD: "C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH="C:\Users\admin\Desktop\Winlocker AKA (WinFix) Virus.exe" SETUPEXEDIR=C:\Users\admin\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
Path: C:\Windows\System32\msiexec.exe
Parent process: Winlocker AKA (WinFix) Virus.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1856
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2092
CMD: C:\Windows\system32\MsiExec.exe -Embedding 74D0DBD0DDA7F5BBE9C28ECEA0B618C1
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2232
CMD: C:\Windows\system32\MsiExec.exe -Embedding AAC9B62E54B653D785E981A8D9AD9633 E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2324
CMD: "C:\Users\admin\Desktop\Winlocker AKA (WinFix) Virus.exe"
Path: C:\Users\admin\Desktop\Winlocker AKA (WinFix) Virus.exe
Parent process: explorer.exe
User: admin
Company: Windows
Integrity Level: MEDIUM
Description: This installer database contains the logic and data required to install Error file remover.
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\desktop\winlocker aka (winfix) virus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2400
CMD: C:\Windows\system32\MsiExec.exe -Embedding ADC0CF46841C189491C5C0DE17BE4EDB
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Total events: 11 715
Read events: 11 532
Write events: 141
Delete events: 42

Modification events

(PID) Process: (4000) WinCustomizer (No Escape).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4000) WinCustomizer (No Escape).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4000) WinCustomizer (No Escape).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4000) WinCustomizer (No Escape).exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1856) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 400700004C3E9B8F6FB8DA01

(PID) Process: (1856) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 792DFBB1D399FCD00CDB817DD5ACED760CB838F683CAC129F3270B95A4E8BD95

(PID) Process: (1856) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1856) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

(PID) Process: (1856) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\117d10.rbs
Value: 31111287

(PID) Process: (1856) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\117d10.rbsLow
Value:

Executable files: 33
Suspicious files: 21
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1856 | msiexec.exe | C:\Windows\Installer\117d0d.msi | executable
  MD5: 27BC9540828C59E1CA1997CF04F6C467
  SHA256: 05C18698C3DC3B2709AFD3355AD5B91A60B2121A52E5FCC474E4E47FB8E95E2A
1856 | msiexec.exe | C:\Windows\Installer\MSI7E49.tmp | executable
  MD5: 4083CB0F45A747D8E8AB0D3E060616F2
  SHA256: 252B7423B01FF81AEA6FE7B40DE91ABF49F515E9C0C7B95AA982756889F8AC1A
1580 | Winlocker AKA (WinFix) Virus.exe | C:\Users\admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi | executable
  MD5: 27BC9540828C59E1CA1997CF04F6C467
  SHA256: 05C18698C3DC3B2709AFD3355AD5B91A60B2121A52E5FCC474E4E47FB8E95E2A
1856 | msiexec.exe | C:\Windows\Installer\MSI7E08.tmp | executable
  MD5: D552DD4108B5665D306B4A8BD6083DDE
  SHA256: A0367875B68B1699D2647A748278EBCE64D5BE633598580977AA126A81CF57C5
1856 | msiexec.exe | C:\Windows\Installer\MSI7EC7.tmp | executable
  MD5: D552DD4108B5665D306B4A8BD6083DDE
  SHA256: A0367875B68B1699D2647A748278EBCE64D5BE633598580977AA126A81CF57C5
2092 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{BFAD3209-026F-4164-B959-FBCB38B6BA59}.session | text
  MD5: 7300BC176F59F45927EF269C7FEB2CD9
  SHA256: 998433C3B25AF005ECE30E9BFC94446A1C5827476D82C5B03D47DD6FD9A750F0
1856 | msiexec.exe | C:\Windows\Installer\MSI7E28.tmp | executable
  MD5: 4083CB0F45A747D8E8AB0D3E060616F2
  SHA256: 252B7423B01FF81AEA6FE7B40DE91ABF49F515E9C0C7B95AA982756889F8AC1A
1580 | Winlocker AKA (WinFix) Virus.exe | C:\Users\admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll | executable
  MD5: 3531CF7755B16D38D5E9E3C43280E7D2
  SHA256: 76133E832C15AA5CBC49FB3BA09E0B8DD467C307688BE2C9E85E79D3BF62C089
1856 | msiexec.exe | C:\Windows\Installer\MSI7D99.tmp | executable
  MD5: D552DD4108B5665D306B4A8BD6083DDE
  SHA256: A0367875B68B1699D2647A748278EBCE64D5BE633598580977AA126A81CF57C5
1856 | msiexec.exe | C:\Windows\Installer\MSI8015.tmp | executable
  MD5: 3CAB78D0DC84883BE2335788D387601E
  SHA256: 604E79FE970C5ED044517A9A35E4690EA6F7D959D21173EBEF45CDD3D3A22BDD
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 30
TCP/UDP connections: 6
DNS requests: 1
Threats: 64

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2400 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2400 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown
2092 | msiexec.exe | POST | 402 | 54.225.152.37:80 | http://collect.installeranalytics.com/ | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2092 | msiexec.exe | 54.225.152.37:80 | collect.installeranalytics.com | AMAZON-AES | US | unknown
2400 | msiexec.exe | 54.225.152.37:80 | collect.installeranalytics.com | AMAZON-AES | US | unknown

DNS requests

Domain | IP | Reputation
collect.installeranalytics.com | 54.225.152.37, 52.87.91.76 | unknown

Threats

Found threats are available with a paid subscription.
64 ETPRO signatures are available in the full report.
No debug info