| Field | Value |
|---|---|
| File name | 01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1) |
| Full analysis | https://app.any.run/tasks/bcc1f464-a4a0-464d-8a85-58e6779d0935 |
| Verdict | Malicious activity |
| Analysis date | August 19, 2024, 10:49:27 |
| OS | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators | — |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | FBC16CEDEB1C77234171BE5290ED06B0 |
| SHA1 | 51CA56AA40E042439D121C932CBB2AB20EEEEAC2 |
| SHA256 | 01ACCF1B08E5349309A6D2CA074CA376D55BE3A79E573FEB051243F7332640E0 |
| SSDEEP | 98304:SrqpPiR0LJI03XMAEbV6ggvpot5hOKZhlmi3WYll6+rS3bqij5ELAdEYDMaQ9+S0:PS6dtYOGG |
| Extension | File type guess | Probability (%) |
|---|---|---|
| .exe | Win64 Executable (generic) | 76.4 |
| .exe | Win32 Executable (generic) | 12.4 |
| .exe | Generic Win/DOS Executable | 5.5 |
| .exe | DOS Executable Generic | 5.5 |
| Field | Value |
|---|---|
| ProductVersion | 2.0.1.1031 |
| ProductName | 看图 (Image Viewer) |
| OriginalFileName | 360AblumViewer.exe |
| LegalCopyright | (C) 360.cn Inc., All Rights Reserved. |
| InternalName | 360AblumViewer |
| FileVersion | 2.0.1.1031 |
| FileDescription | 看图 (Image Viewer) |
| CompanyName | 360.cn |
| CharacterSet | Unicode |
| LanguageCode | English (U.S.) |
| FileSubtype | - |
| ObjectFileType | Dynamic link library |
| FileOS | Win32 |
| FileFlags | (none) |
| FileFlagsMask | 0x003f |
| ProductVersionNumber | 2.0.1.1031 |
| FileVersionNumber | 2.0.1.1031 |
| Subsystem | Windows GUI |
| SubsystemVersion | 5.1 |
| ImageVersion | - |
| OSVersion | 5.1 |
| EntryPoint | 0x152ea3 |
| UninitializedDataSize | - |
| InitializedDataSize | 705536 |
| CodeSize | 2303488 |
| LinkerVersion | 14.16 |
| PEType | PE32 |
| ImageFileCharacteristics | Executable, Large address aware, 32-bit |
| TimeStamp | 2021:11:11 03:37:53+00:00 |
| MachineType | Intel 386 or later, and compatibles |

The version resource (VS_VERSIONINFO) is free-form data set at build time. Here it carries 360.cn branding (ProductName 看图, OriginalFileName 360AblumViewer.exe as spelled in the resource) while declaring the file a dynamic link library, even though the PE header marks it an executable with a GUI subsystem. Nothing on this page shows an Authenticode signature, so read these strings as masquerading, not as evidence of who built the file; the binaries it drops carry a different vendor's strings (Xunlei) in the same way.
| PID | Command line | Image path | Parent | User | Integrity | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 6640 | "C:\Users\admin\Desktop\01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe" | C:\Users\admin\Desktop\01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe | explorer.exe | admin | MEDIUM | 360.cn | 看图 (Image Viewer) | 2.0.1.1031 | 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION) |
| 6664 | explorer.exe C:\Users\admin\3389\ | C:\Windows\SysWOW64\explorer.exe | 01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe | admin | MEDIUM | Microsoft Corporation | Windows Explorer | 10.0.19041.3758 (WinBuild.160101.0800) | 1 |
| 6696 | C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | svchost.exe | admin | MEDIUM | Microsoft Corporation | Windows Explorer | 10.0.19041.3758 (WinBuild.160101.0800) | — |
| 6800 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | svchost.exe | admin | MEDIUM | Microsoft Corporation | Windows host process (Rundll32) | 10.0.19041.1 (WinBuild.160101.0800) | 0 |
| 6676 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6640 -s 900 | C:\Windows\SysWOW64\WerFault.exe | 01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe | admin | MEDIUM | Microsoft Corporation | Windows Problem Reporting | 10.0.19041.3996 (WinBuild.160101.0800) | 0 |
| 6664 | "C:\Users\admin\3389\BNZY1O1PB.exe" /f at.dll | C:\Users\admin\3389\BNZY1O1PB.exe | explorer.exe | admin | MEDIUM | 深圳市迅雷网络技术有限公司 (Shenzhen Xunlei Network Technology Co., Ltd.) | 迅雷游戏 (Xunlei Games) | 1.0.0.32 | 0 |
| 6564 | C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\SysWOW64\dllhost.exe | svchost.exe | admin | HIGH | Microsoft Corporation | COM Surrogate | 10.0.19041.3636 (WinBuild.160101.0800) | 0 |
| 6864 | "C:\Users\admin\3389\3dsystem.exe" /f at.dll | C:\Users\admin\3389\3dsystem.exe | dllhost.exe | admin | HIGH | 深圳市迅雷网络技术有限公司 (Shenzhen Xunlei Network Technology Co., Ltd.) | 迅雷游戏 (Xunlei Games) | 1.0.0.32 | 0 |
| 6896 | "C:\Program Files\Thunder\DirectX.exe" /f at.dll | C:\Program Files\Thunder\DirectX.exe | dllhost.exe | admin | HIGH | 深圳市迅雷网络技术有限公司 (Shenzhen Xunlei Network Technology Co., Ltd.) | 迅雷游戏 (Xunlei Games) | 1.0.0.32 | 0 |
| 7068 | "C:\Program Files\Thunder\DirectX.exe" /f at.dll | C:\Program Files\Thunder\DirectX.exe | services.exe | SYSTEM | SYSTEM | 深圳市迅雷网络技术有限公司 (Shenzhen Xunlei Network Technology Co., Ltd.) | 迅雷游戏 (Xunlei Games) | 1.0.0.32 | 0 |

Reading the tree:

- PID 6640 exits with 3221225477, which is 0xC0000005 (STATUS_ACCESS_VIOLATION); PID 6676 is the WerFault.exe instance raised for it (`-p 6640`). The crash comes after the sample has already written its payload to `C:\Users\admin\3389\` and opened that folder in a 32-bit explorer.exe (PID 6664, `explorer.exe C:\Users\admin\3389\`), so it does not stop the chain.
- PID 6664 appears twice: first for that explorer.exe instance (exit code 1), then for BNZY1O1PB.exe launched from the `3389` folder. The PID was recycled once the first process exited; correlate on PID plus creation time, never on PID alone.
- dllhost.exe PID 6564 is a COM surrogate for `{3E5FC7F9-9A51-4367-9063-A120244FBEC7}`, the CMSTPLUA class. That class is marked auto-elevate, so its surrogate runs at HIGH integrity without a UAC prompt, and its ICMLuaUtil interface exposes a ShellExec method. The surrogate's only children are copies of the payload running at HIGH integrity (3dsystem.exe 6864 and DirectX.exe 6896) while the sample itself ran at MEDIUM, which is the characteristic shape of the ICMLuaUtil UAC bypass.
- DirectX.exe PID 7068 is started by services.exe as SYSTEM, which indicates the payload has been registered as a Windows service. The registry and file lists on this page do not include that registration.
- Every copy of the payload is launched with `/f at.dll`, the name of the DLL dropped beside each copy.
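The process table lends itself to a few mechanical checks an analyst would run over any sandbox process list. The script below is an added example, not ANY.RUN's code or the sample author's: it re-enters the rows above as constructed records (the field names are the script's own), decodes the NTSTATUS exit code and ties it to the WerFault invocation, finds HIGH-integrity non-Microsoft children under a dllhost.exe surrogate for the CMSTPLUA CLSID, finds SYSTEM processes started by services.exe from outside C:\Windows, and finds PIDs the report shows with two different images.

```python
"""Triage checks over the process tree above.

Added example; this is not ANY.RUN's code, the sample's code, or any
tool's export format. PROCESSES is constructed by hand from the process
table on this page, and the field names are this script's own.
"""
import re
from collections import defaultdict

# CLSID of the CMSTPLUA COM class. It is marked auto-elevate, so a dllhost.exe
# surrogate hosting it runs at HIGH integrity without a UAC prompt; its
# ICMLuaUtil interface can then start arbitrary programs at that level.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# NTSTATUS values commonly seen as process exit codes (the report shows decimal).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

SAMPLE_NAME = "01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe"
SAMPLE_PATH = "C:\\Users\\admin\\Desktop\\" + SAMPLE_NAME
XUNLEI = "深圳市迅雷网络技术有限公司"  # CompanyName string of the dropped binaries


def row(pid, image, parent, user, integrity, company, exit_code, cmdline=None):
    """One process record; cmdline defaults to the quoted image path. exit_code None = still running."""
    return dict(pid=pid, image=image, parent=parent, user=user, integrity=integrity,
                company=company, exit_code=exit_code, cmdline=cmdline or f'"{image}"')


# Constructed from the process table on this page, in the order it lists them.
PROCESSES = [
    row(6640, SAMPLE_PATH, "explorer.exe", "admin", "MEDIUM", "360.cn", 3221225477),
    row(6664, r"C:\Windows\SysWOW64\explorer.exe", SAMPLE_NAME, "admin", "MEDIUM",
        "Microsoft Corporation", 1, "explorer.exe C:\\Users\\admin\\3389\\"),
    row(6696, r"C:\Windows\explorer.exe", "svchost.exe", "admin", "MEDIUM", "Microsoft Corporation", None,
        r"C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    row(6800, r"C:\Windows\System32\rundll32.exe", "svchost.exe", "admin", "MEDIUM", "Microsoft Corporation", 0,
        r"C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll "
        r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    row(6676, r"C:\Windows\SysWOW64\WerFault.exe", SAMPLE_NAME, "admin", "MEDIUM", "Microsoft Corporation", 0,
        r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6640 -s 900"),
    row(6664, r"C:\Users\admin\3389\BNZY1O1PB.exe", "explorer.exe", "admin", "MEDIUM", XUNLEI, 0,
        r'"C:\Users\admin\3389\BNZY1O1PB.exe" /f at.dll'),
    row(6564, r"C:\Windows\SysWOW64\dllhost.exe", "svchost.exe", "admin", "HIGH", "Microsoft Corporation", 0,
        r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    row(6864, r"C:\Users\admin\3389\3dsystem.exe", "dllhost.exe", "admin", "HIGH", XUNLEI, 0,
        r'"C:\Users\admin\3389\3dsystem.exe" /f at.dll'),
    row(6896, r"C:\Program Files\Thunder\DirectX.exe", "dllhost.exe", "admin", "HIGH", XUNLEI, 0,
        r'"C:\Program Files\Thunder\DirectX.exe" /f at.dll'),
    row(7068, r"C:\Program Files\Thunder\DirectX.exe", "services.exe", "SYSTEM", "SYSTEM", XUNLEI, 0,
        r'"C:\Program Files\Thunder\DirectX.exe" /f at.dll'),
]


def decode_exit_code(code):
    """Exit code as hex plus its NTSTATUS name when known; None for a still-running process."""
    if code is None:
        return None
    name = NTSTATUS_NAMES.get(code)
    return f"0x{code:08X}" + (f" ({name})" if name else "")


def crashed_with_wer_report(procs):
    """(pid, decoded exit code, WerFault seen for it) for exits whose NTSTATUS severity bits are 11 (error)."""
    wer_targets = set()
    for p in procs:
        m = re.search(r"WerFault\.exe\b.*?-p\s+(\d+)", p["cmdline"], re.IGNORECASE)
        if m:
            wer_targets.add(int(m.group(1)))
    return [(p["pid"], decode_exit_code(p["exit_code"]), p["pid"] in wer_targets)
            for p in procs if p["exit_code"] is not None and (p["exit_code"] >> 30) == 3]


def cmstplua_elevated_children(procs):
    """Non-Microsoft children of a dllhost.exe surrogate hosting CMSTPLUA that run at HIGH or above."""
    surrogate_present = any(p["image"].lower().endswith("\\dllhost.exe")
                            and CMSTPLUA_CLSID.lower() in p["cmdline"].lower() for p in procs)
    if not surrogate_present:
        return []
    return [p["pid"] for p in procs
            if p["parent"].lower() == "dllhost.exe"
            and INTEGRITY_RANK[p["integrity"]] >= INTEGRITY_RANK["HIGH"]
            and p["company"] != "Microsoft Corporation"]


def system_children_outside_windows(procs):
    """Processes services.exe started as SYSTEM whose image is not under C:\\Windows (a newly installed service)."""
    return [p["pid"] for p in procs
            if p["parent"].lower() == "services.exe" and p["user"] == "SYSTEM"
            and not p["image"].lower().startswith("c:\\windows\\")]


def reused_pids(procs):
    """PIDs the report shows with more than one image: the PID was recycled, so key on PID plus creation time."""
    images = defaultdict(set)
    for p in procs:
        images[p["pid"]].add(p["image"].lower())
    return sorted(pid for pid, imgs in images.items() if len(imgs) > 1)


if __name__ == "__main__":
    print("crashes:", crashed_with_wer_report(PROCESSES))
    print("CMSTPLUA-elevated children:", cmstplua_elevated_children(PROCESSES))
    print("SYSTEM children outside C:\\Windows:", system_children_outside_windows(PROCESSES))
    print("reused PIDs:", reused_pids(PROCESSES))
```

The checks deliberately match on what the report gives (parent image name, integrity level, company string) rather than on parent PID, because the PID-reuse check shows why PID-only joins are unreliable in this very trace.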
Registry activity recorded for this task. Every write comes from explorer.exe PID 6696, the desktop shell, and consists of ShellBag (BagMRU) and toolbar/ribbon state written when the `C:\Users\admin\3389\` folder was browsed; the shell item stored as value `2` under `BagMRU\4\0\4\0` carries the folder name "3389" (bytes 33 33 38 39, and the UTF-16 long name 33 00 33 00 38 00 39 00). These are forensic traces of the folder being opened, not changes made by the sample; the page records no registry writes by the sample's own processes, so the service registration implied by DirectX.exe running under services.exe is not visible here.

(6696) explorer.exe | Operation: write | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Name: NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||

(6696) explorer.exe | Operation: write | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Name: MRUListEx
Value: 0400000000000000030000000E0000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

(6696) explorer.exe | Operation: write | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0 | Name: MRUListEx
Value: 0400000006000000010000000500000008000000020000000C0000000B0000000A00000009000000070000000000000003000000FFFFFFFF

(6696) explorer.exe | Operation: write | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar | Name: Locked
Value: 1

(6696) explorer.exe | Operation: write | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon | Name: MinimizedStateTabletModeOff
Value: 0

(6696) explorer.exe | Operation: write | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon | Name: QatItems
Value: (not preserved on this page)

(6696) explorer.exe | Operation: write | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | Name: ITBar7Layout
Value: 13000000000000000000000020000000100000000000000001000000010700005E01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||

(6696) explorer.exe | Operation: write | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0 | Name: 2
Value: 4E003100000000001359325612003333383900003A0009000400EFBE13593256135932562E0000007526000000000D0000000000000000000000000000008ECC28013300330038003900000014000000

(6696) explorer.exe | Operation: delete value | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0\2 | Name: MRUList
Value: —

(6696) explorer.exe | Operation: write | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0 | Name: MRUListEx
Value: 020000000000000001000000FFFFFFFF
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6676 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_01accf1b08e53493_3d1073a7edcf31aba9a4a09577f2eccaa7f664_ace953fe_be366de8-350b-4b78-95df-77090c4fbb82\Report.wer | — | — | — |
| 6640 | 01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe | C:\Users\admin\3389\BNZY1O1PB.exe | executable | BA7BA700C39C576330F18819E075D6BE | 13675A7BC3274837F9E53C192646180B98B57AC9CDC675FC67C2CF2BF14DF053 |
| 6864 | 3dsystem.exe | C:\Program Files\Thunder\at.dll | binary | 4D203806F4AE0355B490BA538794A686 | 5DAF973EB400FC29AE151AEF633DED1097C9F30575DB222879D903A9BE5C1D61 |
| 6664 | BNZY1O1PB.exe | C:\Users\admin\3389\3dsystem.exe | executable | BA7BA700C39C576330F18819E075D6BE | 13675A7BC3274837F9E53C192646180B98B57AC9CDC675FC67C2CF2BF14DF053 |
| 6864 | 3dsystem.exe | C:\Windows\SysWOW64\DirectX.exe | executable | BA7BA700C39C576330F18819E075D6BE | 13675A7BC3274837F9E53C192646180B98B57AC9CDC675FC67C2CF2BF14DF053 |
| 6864 | 3dsystem.exe | C:\Windows\SysWOW64\at.dll | binary | 4D203806F4AE0355B490BA538794A686 | 5DAF973EB400FC29AE151AEF633DED1097C9F30575DB222879D903A9BE5C1D61 |
| 6676 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7FC.tmp.WERInternalMetadata.xml | xml | B15534D77B6695BC2A084223FBCB7E8A | 3F7E11BF4FA90DFA812C30AB31AD7A212213C687FC6D6E534B6F48ECFB7F46C7 |
| 6640 | 01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe | C:\Users\admin\3389\at.dll | binary | 4D203806F4AE0355B490BA538794A686 | 5DAF973EB400FC29AE151AEF633DED1097C9F30575DB222879D903A9BE5C1D61 |
| 6640 | 01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe | C:\Users\admin\3389\libexpat.dll | executable | 3C6D7543F7DA78D10F33DB5CECF99F63 | 21E45345242F87FB1889919ED47DA370FFA72907126C5FE4C54B3476B8ACAC51 |
| 6864 | 3dsystem.exe | C:\Program Files\Thunder\libexpat.dll | executable | 3C6D7543F7DA78D10F33DB5CECF99F63 | 21E45345242F87FB1889919ED47DA370FFA72907126C5FE4C54B3476B8ACAC51 |

Reading the file list:

- BNZY1O1PB.exe, 3dsystem.exe and C:\Windows\SysWOW64\DirectX.exe share SHA256 13675A7BC3274837F9E53C192646180B98B57AC9CDC675FC67C2CF2BF14DF053: three names, one payload. The sample writes the first copy, that copy writes the second, and the second (now at HIGH integrity) writes the third into SysWOW64. The C:\Program Files\Thunder\DirectX.exe that the process table shows executing does not appear in this list; only at.dll and libexpat.dll are recorded under that directory.
- at.dll (5DAF973E…) and libexpat.dll (21E45345…) are staged beside each copy of the payload, and each copy is started with `/f at.dll`.
- The writes into C:\Windows\SysWOW64 and C:\Program Files\Thunder by 3dsystem.exe (PID 6864) require administrative rights, which matches the HIGH integrity level shown for that process.
- The two WerFault.exe entries (Report.wer and the WERInternalMetadata.xml) are crash-report artifacts of PID 6640, not dropped files; the sandbox records no hash for Report.wer.
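The self-copy pattern above (one hash, several names and directories, some of them protected) is worth checking mechanically rather than by eye. The script below is an added example, not ANY.RUN's code or the sample author's: it re-enters the file table as constructed records (the WerFault entries are left out), groups the recorded hashes by content and by name, lists writes into protected directories, and then runs the same grouping over real files by writing constructed stand-in bytes to a temporary directory. It never touches the actual samples.

```python
"""Dropped-file triage for the file table above.

Added example; not ANY.RUN's or the sample author's code. FILE_WRITES is
constructed by hand from the table on this page (the WerFault report files
are left out); demo_on_disk() writes constructed bytes to a temporary
directory and never touches the real samples.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories a MEDIUM-integrity process cannot normally write to.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_NAME = "01accf1b08e5349309a6d2ca074ca376d55be3a79e573feb051243f7332640e0 (1).exe"
PAYLOAD_SHA = "13675A7BC3274837F9E53C192646180B98B57AC9CDC675FC67C2CF2BF14DF053"
ATDLL_SHA = "5DAF973EB400FC29AE151AEF633DED1097C9F30575DB222879D903A9BE5C1D61"
EXPAT_SHA = "21E45345242F87FB1889919ED47DA370FFA72907126C5FE4C54B3476B8ACAC51"

# (writer PID, writer process, path, type, SHA256), in the order the table lists them.
FILE_WRITES = [
    (6640, SAMPLE_NAME, r"C:\Users\admin\3389\BNZY1O1PB.exe", "executable", PAYLOAD_SHA),
    (6864, "3dsystem.exe", r"C:\Program Files\Thunder\at.dll", "binary", ATDLL_SHA),
    (6664, "BNZY1O1PB.exe", r"C:\Users\admin\3389\3dsystem.exe", "executable", PAYLOAD_SHA),
    (6864, "3dsystem.exe", r"C:\Windows\SysWOW64\DirectX.exe", "executable", PAYLOAD_SHA),
    (6864, "3dsystem.exe", r"C:\Windows\SysWOW64\at.dll", "binary", ATDLL_SHA),
    (6640, SAMPLE_NAME, r"C:\Users\admin\3389\at.dll", "binary", ATDLL_SHA),
    (6640, SAMPLE_NAME, r"C:\Users\admin\3389\libexpat.dll", "executable", EXPAT_SHA),
    (6864, "3dsystem.exe", r"C:\Program Files\Thunder\libexpat.dll", "executable", EXPAT_SHA),
]


def hash_clusters(writes):
    """SHA256 -> sorted paths, for content that was written into more than one directory."""
    paths = defaultdict(set)
    for _, _, path, _, sha in writes:
        paths[sha].add(path)
    return {sha: sorted(ps) for sha, ps in paths.items()
            if len({PureWindowsPath(p).parent.as_posix().lower() for p in ps}) > 1}


def renamed_copies(writes):
    """SHA256 -> the distinct file names the same bytes were written under (the self-copy chain)."""
    names = defaultdict(set)
    for _, _, path, _, sha in writes:
        names[sha].add(PureWindowsPath(path).name.lower())
    return {sha: sorted(ns) for sha, ns in names.items() if len(ns) > 1}


def protected_location_drops(writes):
    """(PID, process, path) for writes under C:\\Windows or Program Files; these need admin rights."""
    return [(pid, proc, path) for pid, proc, path, _, _ in writes
            if path.lower().startswith(PROTECTED_PREFIXES)]


def sha256_file(path):
    """Upper-case hex SHA256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def cluster_on_disk(root):
    """Hash every file under root and group paths that hold identical bytes."""
    groups = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            groups[sha256_file(full)].append(full)
    return {h: sorted(ps) for h, ps in groups.items() if len(ps) > 1}


def demo_on_disk():
    """Constructed stand-in for the drop layout: identical bytes under three names plus one unrelated file."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample"
    root = tempfile.mkdtemp(prefix="drops_")
    for rel in ("3389/BNZY1O1PB.exe", "3389/3dsystem.exe", "SysWOW64/DirectX.exe"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "3389", "libexpat.dll"), "wb") as f:
        f.write(b"MZ unrelated")
    return {h: len(ps) for h, ps in cluster_on_disk(root).items()}


if __name__ == "__main__":
    for sha, ps in hash_clusters(FILE_WRITES).items():
        print(sha[:16], "written to", len(ps), "paths")
    print("renamed copies:", renamed_copies(FILE_WRITES))
    print("protected-location drops:", protected_location_drops(FILE_WRITES))
    print("on-disk demo clusters:", demo_on_disk())
```

Grouping on content rather than file name is what surfaces the chain here: the names (BNZY1O1PB.exe, 3dsystem.exe, DirectX.exe) have nothing in common, the bytes do.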
| PID | Process | Destination | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 1432 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 188 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1432 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 6664 | BNZY1O1PB.exe | 185.135.73.29:5000 | — | Gigabit Hosting Sdn Bhd | HK | unknown |

All rows but the last are ordinary Windows background traffic: settings-win.data.microsoft.com telemetry from svchost.exe, MoUsoCoreWorker.exe and RUXIMICS.exe, NetBIOS name-service and datagram broadcasts (ports 137 and 138) to 192.168.100.255, and SSDP discovery to 239.255.255.250:1900. The only connection attributable to the sample is BNZY1O1PB.exe (PID 6664) to 185.135.73.29 on port 5000: no domain is recorded for it, the ASN is Gigabit Hosting Sdn Bhd (HK) and its reputation is unknown, so it is the network indicator to take from this report.
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| watson.events.data.microsoft.com | — | whitelisted |
| abc.masktable.com | — | unknown |
| dns.msftncsi.com | — | whitelisted |

Resolved addresses are not shown on this page. abc.masktable.com is the only queried domain that is not Microsoft or Google infrastructure; the report does not record which process queried it or whether it resolved to 185.135.73.29, so it stands as a separate indicator rather than a confirmed link to the connection above.