File name: AnVir.exe
Full analysis: https://app.any.run/tasks/ddf8098d-306e-4b29-9fdf-52dd6d3035be
Verdict: Malicious activity
Analysis date: May 01, 2024, 15:54:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4F43C88D7F927530E5E07D4D20E60071
SHA1: D229E9ABD1EAE3A8B17B93182282F4B463103F79
SHA256: E0CBF935B59A329B25581611FF509CBAE7D023ACC4E312F26D0CDE43B3F1DB40
SSDEEP: 98304:XE3aQfCwDm55vZ2mpWqAKziinEvYzH6r0Vq5sikGgaDY2ipmU9:0qUCwQ5h2mRAKziXYzH6K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AnVir.exe (PID: 3984)
    • Changes the autorun value in the registry

      • AnVir.exe (PID: 864)
  • SUSPICIOUS

    • Reads the Internet Settings

      • AnVir.exe (PID: 3984)
      • AnVir.exe (PID: 864)
    • Reads security settings of Internet Explorer

      • AnVir.exe (PID: 3984)
      • AnVir.exe (PID: 864)
    • Application launched itself

      • AnVir.exe (PID: 3984)
    • Reads settings of System Certificates

      • AnVir.exe (PID: 864)
    • Read startup parameters

      • AnVir.exe (PID: 864)
    • Checks Windows Trust Settings

      • AnVir.exe (PID: 864)
    • Adds/modifies Windows certificates

      • AnVir.exe (PID: 864)
  • INFO

    • Checks supported languages

      • AnVir.exe (PID: 3984)
      • AnVir.exe (PID: 864)
      • wmpnscfg.exe (PID: 2304)
    • Reads the machine GUID from the registry

      • AnVir.exe (PID: 3984)
      • AnVir.exe (PID: 864)
    • Reads the computer name

      • AnVir.exe (PID: 3984)
      • AnVir.exe (PID: 864)
      • wmpnscfg.exe (PID: 2304)
    • Checks proxy server information

      • AnVir.exe (PID: 864)
    • Creates files or folders in the user directory

      • AnVir.exe (PID: 864)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2304)
    • Reads the software policy settings

      • AnVir.exe (PID: 864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:08:06 05:39:09+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 978944
InitializedDataSize: 10720768
UninitializedDataSize: -
EntryPoint: 0xc9fef
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.4.0.0
ProductVersionNumber: 9.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: Advanced processes and startup manager with anti-trojan and anti-spyware functions.
CompanyName: AnVir Software
FileDescription: AnVir Task Manager Free
FileVersion: 9.4.0.0
InternalName: AnVir Task Manager Free
LegalCopyright: Copyright (c) 2002-2021. AnVir Software
LegalTrademarks: AnVir Task Manager Free
OriginalFileName: AnVir.exe
ProductName: AnVir Task Manager Free
ProductVersion: 9.4.0.0
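The EXIF block above is only a rendering of the PE headers, and a report's metadata is worth checking against the file itself before it is cited. The following PE32 header reader is an added example, not code from ANY.RUN or AnVir Software: it reproduces the EXIF fields (timestamp, characteristics, linker version, sizes, entry point, version numbers, subsystem) from the raw IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32. The header bytes it parses are constructed from the values in the table so the block runs offline; they are a 160-byte stub, not the real sample.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits that EXIF prints as
# "No relocs, Executable, 32-bit" (0x0103 in the table above).
CHARACTERISTIC_BITS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0100, "32-bit"),
]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
COFF_FMT = "<HHIIIHH"                                      # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"     # IMAGE_OPTIONAL_HEADER32 through DllCharacteristics, 72 bytes


def parse_pe_headers(data):
    """Read the fields EXIF reports straight from the PE32 headers in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsections, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    if opt_size < struct.calcsize(OPT32_FMT):
        raise ValueError("optional header too short")
    (magic, lnk_major, lnk_minor, size_code, size_idata, size_udata, entry,
     _base_code, _base_data, _image_base, _sect_align, _file_align,
     os_major, os_minor, img_major, img_minor, sub_major, sub_minor,
     _win32ver, _size_image, _size_headers, _checksum, subsystem, _dll_chars
     ) = struct.unpack_from(OPT32_FMT, data, opt_off)
    if magic != 0x10B:
        raise ValueError("not a PE32 image (PE32+ lays the optional header out differently)")
    return {
        "machine": hex(machine),
        "timestamp_raw": stamp,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": ", ".join(name for bit, name in CHARACTERISTIC_BITS if chars & bit),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": size_code,
        "initialized_data_size": size_idata,
        "uninitialized_data_size": size_udata,
        "entry_point": hex(entry),
        "os_version": f"{os_major}.{os_minor}",
        "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{sub_major}.{sub_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
    }


def build_sample_pe():
    """Constructed input: a bare PE32 header stub (DOS header, PE signature,
    COFF header, 72-byte optional header) filled with the EXIF values from the
    report. No sections or code follow it; it is not the real AnVir.exe."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE signature right after the DOS header
    opt = struct.pack(OPT32_FMT,
                      0x10B, 14, 16,              # PE32 magic, linker 14.16
                      978944, 10720768, 0,        # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0xC9FEF, 0x1000, 0xF0000, 0x400000, 0x1000, 0x200,   # entry point, bases, alignments
                      5, 1, 0, 0, 5, 1,           # OS 5.1, image 0.0, subsystem 5.1
                      0, 0xB40000, 0x400, 0,      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8000)                  # Windows GUI, TERMINAL_SERVER_AWARE
    # 1628228349 is 2021-08-06 05:39:09 UTC, the TimeStamp shown above.
    coff = struct.pack(COFF_FMT, 0x14C, 5, 1628228349, 0, 0, len(opt), 0x0103)
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for field, value in parse_pe_headers(build_sample_pe()).items():
        print(f"{field}: {value}")
```

Two caveats when reading these fields on a real sample. TimeDateStamp is a DWORD the linker writes and anyone can overwrite, so it is evidence of nothing on its own. And because TRiD flags this file as PECompact-compressed, CodeSize and EntryPoint describe the packed image and its unpacking stub, not the program that runs after unpacking.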
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe -> anvir.exe (PID 3984, no specs) -> anvir.exe (PID 864)
explorer.exe -> wmpnscfg.exe (PID 2304, no specs)

Process information

PID 864
CMD: "C:\Users\admin\AppData\Local\Temp\AnVir.exe"
Path: C:\Users\admin\AppData\Local\Temp\AnVir.exe
Parent process: AnVir.exe
User: admin
Company: AnVir Software
Integrity Level: HIGH
Description: AnVir Task Manager Free
Version: 9.4.0.0
Modules (images):
c:\users\admin\appdata\local\temp\anvir.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID 2304
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID 3984
CMD: "C:\Users\admin\AppData\Local\Temp\AnVir.exe"
Path: C:\Users\admin\AppData\Local\Temp\AnVir.exe
Parent process: explorer.exe
User: admin
Company: AnVir Software
Integrity Level: MEDIUM
Description: AnVir Task Manager Free
Exit code: 0
Version: 9.4.0.0
Modules (images):
c:\users\admin\appdata\local\temp\anvir.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 59 494
Read events: 59 278
Write events: 197
Delete events: 19

Modification events

(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\AnVir\Language = 0
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\AnVir\FirstLaunch = 1
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\AnVir\SplitStartup = 0
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\AnVir\ToolTipCtrlOnly = 0
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\AnVir\AutoCheckUpdate = 1
(PID 3984) AnVir.exe  write  HKEY_CURRENT_USER\Software\AnVir\CheckFileSignatures = 1
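The summary only shows ten of the 197 write events, and the key behind the "Changes the autorun value in the registry" indicator for PID 864 (the copy relaunched at HIGH integrity) is not among them, so the full event export is what you would actually triage. The parser below is an added example, not ANY.RUN tooling: it reads the raw text export of the Modification events table, in which PID, process name and key run together on one line and the value sits on the line after "Value:", and flags writes under keys a reviewer would look at first (Run/RunOnce, the Internet Settings ZoneMap, the certificate stores). The first two sample records are copied from the report; the third is constructed to show what an autorun write would look like and is not an event the report displays.

```python
import re

# Constructed sample in the raw export form of the "Modification events" table.
# Records 1 and 2 are copied from the report above; record 3 is a constructed
# illustration of an autorun write (the report lists that indicator for PID 864
# but does not show the key it wrote).
SAMPLE_EVENTS = r"""(PID) Process:(3984) AnVir.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3984) AnVir.exeKey:HKEY_CURRENT_USER\Software\AnVir
Operation:writeName:FirstLaunch
Value:
1
(PID) Process:(864) AnVir.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:AnVir
Value:
"C:\Users\admin\AppData\Local\Temp\AnVir.exe"
"""

HEADER_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP_RE = re.compile(r"^Operation:(\w+)Name:(.*)$")

# Key fragments worth a second look, checked in order; the first match wins so a
# RunOnce write is not reported twice (once as RunOnce, once as Run).
WATCHED_KEYS = [
    (r"\CurrentVersion\RunOnce", "autorun (run-once persistence)"),
    (r"\CurrentVersion\Run", "autorun (persistence)"),
    (r"\Internet Settings\ZoneMap", "IE security zone mapping"),
    (r"\SystemCertificates", "certificate store"),
]


def parse_events(text):
    """Turn the raw export into a list of dicts, one per registry event.
    Lines that do not form a complete 4-line record are skipped."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        head = HEADER_RE.match(lines[i])
        if not head:
            i += 1
            continue
        op = OP_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not op or i + 2 >= len(lines) or lines[i + 2] != "Value:":
            i += 1
            continue
        value = lines[i + 3] if i + 3 < len(lines) else ""
        events.append({
            "pid": int(head.group(1)),
            "process": head.group(2),
            "key": head.group(3),
            "operation": op.group(1),
            "name": op.group(2),
            "value": value,
        })
        i += 4
    return events


def flag_events(events):
    """Return (pid, key\\name, reason) for every write under a watched key."""
    flagged = []
    for ev in events:
        if ev["operation"] != "write":
            continue
        key_lc = ev["key"].lower()
        for fragment, reason in WATCHED_KEYS:
            if fragment.lower() in key_lc:
                flagged.append((ev["pid"], ev["key"] + "\\" + ev["name"], reason))
                break
    return flagged


if __name__ == "__main__":
    for pid, path, reason in flag_events(parse_events(SAMPLE_EVENTS)):
        print(f"PID {pid}: {path}  [{reason}]")
```

On this sample the ZoneMap writes are the ones the "Reads the Internet Settings" and "Reads security settings of Internet Explorer" indicators point at; whether they are benign depends on the application, so the flag is a prompt to look, not a verdict.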
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 2

Dropped files

PID 864  AnVir.exe  C:\Users\admin\AppData\Local\AnVir\version.dat  (binary)
MD5: D2090D6B941ECBC38F0D584DA7A9AE85
SHA256: A571E99891C08EA4EF5E130F664E1A796F0622C8D63A9B893C29BA0123E1513C

PID 864  AnVir.exe  C:\Users\admin\AppData\Local\AnVir\versionsinfo.dat  (binary)
MD5: AA289371E462C597DB8AE1E44C9529DA
SHA256: 13EC5E9DE1022A4C44DC7E65D5A108993D668049074DF17897070B4D4656FB4D

PID 864  AnVir.exe  C:\Users\admin\AppData\Local\AnVir\Backup\AnVir2024_5.htm  (html)
MD5: 81643932E583A03214E5F0A95F14EE2B
SHA256: 8B0690828DFC05F9EDE3886BB4274FD5EDBE0FD500F33403D7294E8E7F3301C8

PID 864  AnVir.exe  C:\Users\admin\AppData\Local\AnVir\detectPr.dat  (binary)
MD5: 757AF993FC8C11CF6D1D342498498A67
SHA256: 9EDFF3CD44BCC9849A29D6A877D3C39DF4B4E6353CCE705C3C0258498C71D482

PID 864  AnVir.exe  C:\Users\admin\AppData\Local\AnVir\startup.dat  (binary)
MD5: 270103C27127DACB880347711D436D82
SHA256: 8EAB0E49716C8215FDEA3F9B60C8569245CF3C3C5B049C30DC0C9EB349B6FFD2

PID 864  AnVir.exe  C:\Users\admin\AppData\Local\AnVir\Backup\AnVir2024_5.reg  (text)
MD5: D76A739A2B6E1E6E608FD35BD43F2E42
SHA256: 2956926AEDDE15F9D1534F2B5E805EAB79535D404147551B7CF4E961EC462E7E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 5
DNS requests: 3
Threats: 2

HTTP requests

PID / Process / Method / HTTP code / IP / URL (CN, Type, Size and Reputation columns follow where present)

PID 864  AnVir.exe  GET  200  172.217.16.206:80  http://www.google-analytics.com/collect?v=1&tid=UA-2758427-1&cid=994429369&t=event&ec=Launch%5Ftf&ea=ManualInstalled&el=9.4.0  (unknown, unknown)
PID 864  AnVir.exe  GET  200  185.221.152.14:80  http://www.anvir.com/version.dat  (unknown, unknown)

Connections

PID / Process / IP / Domain / ASN / CN / Reputation

PID 4    System     192.168.100.255:138  (no domain, ASN or CN)  unknown
PID 4    System     192.168.100.255:137  (no domain, ASN or CN)  whitelisted
(no PID)            224.0.0.252:5355     (no domain, ASN or CN)  unknown
PID 864  AnVir.exe  172.217.16.206:80    www.google-analytics.com  GOOGLE        US  whitelisted
PID 864  AnVir.exe  185.221.152.14:80    www.anvir.com             EuroByte LLC  RU  unknown

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 172.217.16.206
whitelisted
www.anvir.com
  • 185.221.152.14
unknown
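The network section gives two indicators a defender can actually hunt for: the Google Analytics beacon (which carries the application's own tracking ID and version, so the tid value is a far more specific pivot than the whitelisted domain) and the plain-HTTP fetch of version.dat from www.anvir.com, which lines up with the version.dat and versionsinfo.dat files PID 864 then writes under %LOCALAPPDATA%\AnVir. The block below is an added example, not part of the report or of any ANY.RUN tooling: it matches a proxy log against the hosts and IPs from the HTTP, connection and DNS tables, and decodes the Measurement Protocol fields of the /collect beacon. The log lines and their timestamp/client/method/URL layout are constructed for the example; the first two URLs are the ones the report lists.

```python
from urllib.parse import urlsplit, parse_qs

# Network IOCs taken from the HTTP, connection and DNS tables above.
IOC_HOSTS = {
    "www.google-analytics.com": "172.217.16.206",
    "www.anvir.com": "185.221.152.14",
}
IOC_IPS = {ip: host for host, ip in IOC_HOSTS.items()}

# Constructed proxy log (epoch, client, method, URL); not a real capture.
# Lines 1 and 2 reuse the report's URLs, line 3 is noise, line 4 is a
# constructed direct-to-IP request to show the IP match path.
SAMPLE_LOG = """\
1714578857.101 10.0.0.5 GET http://www.google-analytics.com/collect?v=1&tid=UA-2758427-1&cid=994429369&t=event&ec=Launch%5Ftf&ea=ManualInstalled&el=9.4.0
1714578858.442 10.0.0.5 GET http://www.anvir.com/version.dat
1714578859.007 10.0.0.9 GET http://example.org/index.html
1714578860.310 10.0.0.9 GET http://185.221.152.14/version.dat
"""


def ga_event_fields(url):
    """Pull the Measurement Protocol fields out of a /collect beacon URL.
    parse_qs percent-decodes, so ec=Launch%5Ftf comes back as Launch_tf."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in ("tid", "cid", "t", "ec", "ea", "el") if k in qs}


def match_log(text):
    """Return one hit per log line whose host, by name or raw IP, is an IOC.
    For an IP hit, `indicator` names the IOC domain that IP resolved to."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        host = parts.hostname
        if host in IOC_HOSTS:
            indicator = host
        elif host in IOC_IPS:
            indicator = IOC_IPS[host]
        else:
            continue
        hits.append({
            "ts": ts,
            "client": client,
            "host": host,
            "indicator": indicator,
            "path": parts.path,
            "ga": ga_event_fields(url) if parts.path == "/collect" else None,
        })
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        extra = f" ga={hit['ga']}" if hit["ga"] else ""
        print(f"{hit['ts']} {hit['client']} -> {hit['indicator']} ({hit['host']}{hit['path']}){extra}")
```

Two notes on using this. google-analytics.com is whitelisted and ubiquitous, so a bare domain match there is meaningless; match on the tid (and ec/ea, which here spell out a "ManualInstalled" launch event for version 9.4.0) instead. The update check over unauthenticated HTTP to an IP whose reputation the report leaves as unknown is the part worth following up on: the CheckFileSignatures = 1 setting written at first launch suggests the application can verify signatures, but whether the fetched version data or any subsequent download is authenticated before use is not something this report shows.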

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info