File name: BOOTICE_102_614556.exe
Full analysis: https://app.any.run/tasks/b6e0a87a-feaa-45ff-87a3-27ea0d28d044
Verdict: Malicious activity
Analysis date: March 25, 2026, 01:42:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-doc, arch-scr, arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: F20BFB9F270D6A61BCA6BDC193CB05B0
SHA1: 5A99023E37D32B279B4590CD2E795DE64D6ABCA5
SHA256: 1CCF2EA2D6D6D4D565EA1098482DE7685CBEF8B68D124EE1AA1C43CEA9F16B6D
SSDEEP: 98304:DJCd/sqCqkju4N6mnXmJ5UQRSDxf/uR7LOWdho2HpMGnsLVb7vQBTw3rMB37Rvj7:i7Pt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • BOOTICE_102_614556.exe (PID: 2524)
    • Proxy execution via Explorer

      • BOOTICE_102_614556.exe (PID: 2524)
    • Changes the autorun value in the registry

      • huabaosetup.exe (PID: 1176)
  • SUSPICIOUS

    • Stops a currently running service

      • sc.exe (PID: 2032)
      • sc.exe (PID: 6936)
      • sc.exe (PID: 204)
      • sc.exe (PID: 352)
    • Uses TASKKILL.EXE to kill process

      • BOOTICE_102_614556.exe (PID: 2524)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4504)
      • sc.exe (PID: 5008)
      • sc.exe (PID: 7964)
      • sc.exe (PID: 8096)
      • sc.exe (PID: 4968)
      • sc.exe (PID: 7520)
      • sc.exe (PID: 7624)
      • sc.exe (PID: 4328)
      • sc.exe (PID: 1772)
      • sc.exe (PID: 2328)
      • sc.exe (PID: 6200)
      • sc.exe (PID: 4044)
      • sc.exe (PID: 6840)
      • sc.exe (PID: 7248)
      • sc.exe (PID: 3560)
      • sc.exe (PID: 3152)
      • sc.exe (PID: 6028)
      • sc.exe (PID: 7340)
      • sc.exe (PID: 4684)
    • Creates file in the systems drive root

      • explorer.exe (PID: 2832)
      • duohuipingbao.exe (PID: 5764)
    • Executable content was dropped or overwritten

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
    • Drops 7-zip archiver for unpacking

      • BOOTICE_102_614556.exe (PID: 2524)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 5240)
      • regsvr32.exe (PID: 7452)
    • The process drops C-runtime libraries

      • BOOTICE_102_614556.exe (PID: 2524)
    • Executes as Windows Service

      • pdfReaderSrv.exe (PID: 7652)
      • cClearSvr.exe (PID: 4172)
      • kUpdateSrv2.exe (PID: 552)
      • winToolBoxSrv.exe (PID: 7408)
      • winInterceptSer.exe (PID: 7924)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • BOOTICE_102_614556.exe (PID: 2524)
    • Sets the service to start on system boot

      • sc.exe (PID: 2164)
      • sc.exe (PID: 6112)
      • sc.exe (PID: 3212)
      • sc.exe (PID: 5788)
      • sc.exe (PID: 6212)
    • The process verifies whether the antivirus software is installed

      • About.exe (PID: 5892)
      • duohuipingbao.exe (PID: 3380)
      • duohuipingbao.exe (PID: 5764)
      • duohuipingbao.exe (PID: 4276)
      • duohuipingbao.exe (PID: 6076)
    • Searches for installed software

      • About.exe (PID: 5892)
    • Application launched itself

      • duohuipingbao.exe (PID: 3380)
      • duohuipingbao.exe (PID: 4276)
  • INFO

    • Reads the machine GUID from the registry

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
      • duohuipingbao.exe (PID: 5764)
      • huabaosetup.exe (PID: 4116)
    • Reads the computer name

      • BOOTICE_102_614556.exe (PID: 2524)
      • winToolBoxSrv.exe (PID: 7408)
      • cClearSvr.exe (PID: 4172)
      • kUpdateSrv2.exe (PID: 552)
      • pdfReaderSrv.exe (PID: 7652)
      • About.exe (PID: 5892)
      • winInterceptSer.exe (PID: 7924)
      • huabaosetup.exe (PID: 1176)
      • duohuipingbao.exe (PID: 3380)
      • duohuipingbao.exe (PID: 5764)
      • duohuipingbao.exe (PID: 6076)
      • duohuipingbao.exe (PID: 4276)
      • huabaosetup.exe (PID: 4116)
    • The sample compiled with chinese language support

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
    • Create files in a temporary directory

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
      • duohuipingbao.exe (PID: 5764)
    • There is functionality for taking screenshot (YARA)

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
    • Checks supported languages

      • BOOTICE_102_614556.exe (PID: 2524)
      • winToolBoxSrv.exe (PID: 7408)
      • cClearSvr.exe (PID: 4172)
      • pdfReaderSrv.exe (PID: 7652)
      • kUpdateSrv2.exe (PID: 552)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
      • winInterceptSer.exe (PID: 7924)
      • duohuipingbao.exe (PID: 3380)
      • duohuipingbao.exe (PID: 4276)
      • duohuipingbao.exe (PID: 5764)
      • duohuipingbao.exe (PID: 6076)
      • huabaosetup.exe (PID: 4116)
    • Reads security settings of Internet Explorer

      • BOOTICE_102_614556.exe (PID: 2524)
      • explorer.exe (PID: 2832)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
      • duohuipingbao.exe (PID: 5764)
      • huabaosetup.exe (PID: 4116)
    • Creates files or folders in the user directory

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
      • duohuipingbao.exe (PID: 5764)
      • huabaosetup.exe (PID: 4116)
    • The sample compiled with english language support

      • BOOTICE_102_614556.exe (PID: 2524)
      • About.exe (PID: 5892)
      • huabaosetup.exe (PID: 1176)
    • Creates a software uninstall entry

      • BOOTICE_102_614556.exe (PID: 2524)
    • Launching a file from a Registry key

      • huabaosetup.exe (PID: 1176)
    • Reads CPU info

      • duohuipingbao.exe (PID: 5764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
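Three of the indicators above (Stops a currently running service, Sets the service to start on system boot, Executes as Windows Service) describe the installer's service handling, and the Process information section further down records how those commands fared: `sc stop CClearUpdateSrv` and `sc stop WinInterceptUpdateSrv` exited with 1060 (ERROR_SERVICE_DOES_NOT_EXIST) and `taskkill /f /im winToolBoxSrv.exe` with 128 (no matching process), so the installer is tearing down a previous installation that does not exist on this fresh guest before it installs its own services, one of which (kUpdateSrv2.exe) then runs as SYSTEM from a path under the user's AppData. The script below is an added example for this report, not code from the sample or from ANY.RUN: it parses sc.exe and taskkill.exe command lines, translates those exit codes, and flags service binaries that live under a user profile. Its record list mirrors PIDs 204, 352, 1116 and 552 from the report; the `sc config ... start= auto` record is constructed, because the report states the boot-start change but not its arguments, and the service name in that record is assumed.

```python
"""Triage sc.exe / taskkill.exe activity and service image paths from a sandbox run.

Added example for this report; not code from the sample or from ANY.RUN.
SAMPLE mirrors PIDs 204, 352, 1116 and 552 from the Process information section;
the final `sc config` record is constructed (see its comment).
"""
import re
import shlex

# Exit codes recorded in the Process information section, with their meaning.
EXIT_MEANING = {
    ("sc.exe", 1060): "ERROR_SERVICE_DOES_NOT_EXIST, nothing to stop",
    ("taskkill.exe", 128): "no process matched /im, nothing to kill",
    ("sc.exe", 0): "success",
    ("taskkill.exe", 0): "success",
}

# Anything under C:\Users\<name>\ is writable by that user, a poor home for a
# binary that services.exe launches as SYSTEM.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)

SAMPLE = [
    {"pid": 204, "path": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc stop CClearUpdateSrv",
     "parent": "BOOTICE_102_614556.exe", "exit": 1060, "user": "admin"},
    {"pid": 352, "path": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc stop WinInterceptUpdateSrv",
     "parent": "BOOTICE_102_614556.exe", "exit": 1060, "user": "admin"},
    {"pid": 1116, "path": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im winToolBoxSrv.exe",
     "parent": "BOOTICE_102_614556.exe", "exit": 128, "user": "admin"},
    {"pid": 552, "path": r"C:\Users\admin\AppData\Local\winToolBox\Tools\zip\kUpdateSrv2.exe",
     "cmdline": r"C:\Users\admin\AppData\Local\winToolBox\Tools\zip\kUpdateSrv2.exe",
     "parent": "services.exe", "exit": None, "user": "SYSTEM"},
    # Constructed: the report says sc.exe set services to start on boot but does not
    # show the arguments or the service name; both are assumed here.
    {"pid": 9999, "path": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc config kUpdateSrv2 start= auto",
     "parent": "BOOTICE_102_614556.exe", "exit": 0, "user": "admin"},
]


def tokenize(cmdline):
    """Whitespace-split a Windows command line, honouring double quotes."""
    lex = shlex.shlex(cmdline, posix=False)  # posix=False keeps backslashes literal
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is legal in paths and service names
    return [t.strip('"') for t in lex]


def parse_sc(cmdline):
    """Return {'verb', 'service', 'args'} for an sc.exe command line, else None.

    sc's option syntax is `name= value` with a mandatory space after '=', so the
    value is the token following `name=`; a quoted binPath= value works the same way.
    """
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("sc", "sc.exe"):
        return None
    i = 2 if len(toks) > 1 and toks[1].startswith("\\\\") else 1  # optional \\server
    if i >= len(toks):
        return None
    verb = toks[i].lower()
    service = toks[i + 1] if i + 1 < len(toks) else None
    args, rest, j = {}, toks[i + 2:], 0
    while j < len(rest):
        name, sep, value = rest[j].partition("=")
        if sep and not value and j + 1 < len(rest):  # `start= auto`
            value, j = rest[j + 1], j + 1
        args[name.lower()] = value if sep else None
        j += 1
    return {"verb": verb, "service": service, "args": args}


def explain_exit(image, code):
    """Map a recorded exit code to its meaning (falls back to the bare number)."""
    return EXIT_MEANING.get((image.lower(), code), f"exit code {code}")


def under_user_profile(path):
    return bool(USER_PROFILE_RE.match(path))


def triage(records):
    """One finding per record that shows service tampering, a kill, or a risky service path."""
    findings = []
    for rec in records:
        image = rec["path"].rsplit("\\", 1)[-1].lower()
        if image == "sc.exe":
            sc = parse_sc(rec["cmdline"])
            if sc is None:
                continue
            note = explain_exit(image, rec["exit"])
            start = sc["args"].get("start")
            if sc["verb"] in ("create", "config") and start in ("auto", "delayed-auto"):
                findings.append(f"boot persistence: sc {sc['verb']} {sc['service']} start={start} ({note})")
            elif sc["verb"] == "stop":
                findings.append(f"service stop: {sc['service']} ({note})")
        elif image == "taskkill.exe":
            toks = tokenize(rec["cmdline"])
            lower = [t.lower() for t in toks]
            if "/im" in lower and lower.index("/im") + 1 < len(toks):
                target = toks[lower.index("/im") + 1]
                findings.append(f"kill by image: {target} ({explain_exit(image, rec['exit'])})")
        elif rec["parent"].lower() == "services.exe" and under_user_profile(rec["path"]):
            findings.append(f"service binary under user profile, running as {rec['user']}: {rec['path']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against a real incident by feeding `triage()` process-creation records (image path, command line, parent, exit code, user) exported from the EDR or from Sysmon event 1; the exit-code mapping is what turns the nineteen sc.exe launches in this report from noise into a readable install/uninstall sequence.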
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:03:04 08:43:52+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 1961984
InitializedDataSize: 1242112
UninitializedDataSize: -
EntryPoint: 0x18ac03
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.25
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: -
FileDescription:
FileVersion: 1.0.1.25
InternalName: -
LegalCopyright: Copyright (C) 2026
OriginalFileName: -
ProductName: -
ProductVersion: 0.0.0.0
No data.
All screenshots are available in the full report
Total processes: 237
Monitored processes: 98
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Graph nodes (the interactive graph is in the full report), rooted at bootice_102_614556.exe; distinct processes in order of first appearance: taskkill.exe, sc.exe, conhost.exe, regsvr32.exe, explorer.exe, wintoolboxsrv.exe, cclearsvr.exe, kupdatesrv2.exe, pdfreadersrv.exe, netsh.exe, wininterceptser.exe, about.exe, huabaosetup.exe, duohuipingbao.exe. Nodes tagged "no specs" in the graph carry no indicators of their own; the untagged nodes are the first bootice_102_614556.exe instance, about.exe, both huabaosetup.exe instances and three of the four duohuipingbao.exe instances, which matches the 3 malicious and 4 suspicious processes counted above.

Process information

PID | CMD | Path | Indicators | Parent process
PID: 204 | CMD: sc stop CClearUpdateSrv | Path: C:\Windows\SysWOW64\sc.exe | Parent process: BOOTICE_102_614556.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 352 | CMD: sc stop WinInterceptUpdateSrv | Path: C:\Windows\SysWOW64\sc.exe | Parent process: BOOTICE_102_614556.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 416 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 508 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 552 | CMD: C:\Users\admin\AppData\Local\winToolBox\Tools\zip\kUpdateSrv2.exe | Path: C:\Users\admin\AppData\Local\winToolBox\Tools\zip\kUpdateSrv2.exe | Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\users\admin\appdata\local\wintoolbox\tools\zip\kupdatesrv2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 880 | CMD: taskkill /f /im ZipMaster.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: BOOTICE_102_614556.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1116 | CMD: taskkill /f /im winToolBoxSrv.exe | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: BOOTICE_102_614556.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1140 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1152 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1176 | CMD: C:\Users\admin\AppData\Local\Temp\huabao_tmp\unzip\huabaosetup.exe /ltype:5 /coresrc:360pic /productname:duohuipingbao /displayname:duohuipingbao /productinstallpath:QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxkaHBpbmdiYW8= /pid:sdk_duohuipingbao_2_sm3024227 /uninstallreg:1 /runreg:0 /hostpath:QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFx3aW5Ub29sQm94XEFib3V0LmV4ZQ== --quicknetinfo=eyJuZXRfb3BlbiI6MSwibmV0X3NlIjoxLCJuZXRfc2VhcmNoIjoxfQ== --hcinfo=eyJoY19vcGVuIjowLCJoY19zZSI6MH0= | Path: C:\Users\admin\AppData\Local\Temp\huabao_tmp\unzip\huabaosetup.exe | Parent process: About.exe
User:
admin
Integrity Level:
HIGH
Description:
Duohui Screensaver (多绘屏保) service component
Exit code:
0
Version:
1.0.234.0
Modules
Images
c:\users\admin\appdata\local\temp\huabao_tmp\unzip\huabaosetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
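The huabaosetup.exe command line in the PID 1176 entry above carries four base64 option values. Decoded, /productinstallpath is C:\Users\admin\AppData\Local\dhpingbao, /hostpath is C:\Users\admin\AppData\Local\winToolBox\About.exe (the parent process that launched it), --quicknetinfo is the JSON {"net_open":1,"net_se":1,"net_search":1} and --hcinfo is {"hc_open":0,"hc_se":0}. The script below is an added example for this report, not code from the sample or from ANY.RUN: it tokenises the command line exactly as recorded above and decodes every option value that is valid, padded base64 yielding printable text, turning JSON blobs into dicts. The option names are the installer's own as shown in the entry; nothing else about the installer is assumed.

```python
"""Decode the base64 options on the huabaosetup.exe command line (PID 1176).

Added example for this report; not code from the sample or from ANY.RUN.
CMDLINE is copied verbatim from the Process information entry above.
"""
import base64
import binascii
import json
import shlex

CMDLINE = (
    r"C:\Users\admin\AppData\Local\Temp\huabao_tmp\unzip\huabaosetup.exe "
    "/ltype:5 /coresrc:360pic /productname:duohuipingbao /displayname:duohuipingbao "
    "/productinstallpath:QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFxkaHBpbmdiYW8= "
    "/pid:sdk_duohuipingbao_2_sm3024227 /uninstallreg:1 /runreg:0 "
    "/hostpath:QzpcVXNlcnNcYWRtaW5cQXBwRGF0YVxMb2NhbFx3aW5Ub29sQm94XEFib3V0LmV4ZQ== "
    "--quicknetinfo=eyJuZXRfb3BlbiI6MSwibmV0X3NlIjoxLCJuZXRfc2VhcmNoIjoxfQ== "
    "--hcinfo=eyJoY19vcGVuIjowLCJoY19zZSI6MH0="
)


def tokenize(cmdline):
    """Whitespace-split a Windows command line, honouring double quotes.

    posix=False keeps backslashes literal, so Windows paths survive intact.
    """
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is legal in paths; never treat it as a comment
    return [t.strip('"') for t in lex]


def parse_options(cmdline):
    """Return (program, {name: value}) for /name:value and --name=value options.

    A bare /flag or --flag maps to None; positional arguments are kept as argN.
    """
    tokens = tokenize(cmdline)
    program, opts = tokens[0], {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
        elif tok.startswith("/"):
            name, _, value = tok[1:].partition(":")
        else:
            name, value = f"arg{len(opts)}", tok
        opts[name] = value if value else None
    return program, opts


def try_base64_text(value):
    """Decode value if it is well-formed, padded base64 that yields printable UTF-8.

    The length check rejects plain words such as '360pic' (length not a multiple
    of 4); validate=True rejects anything with characters outside the alphabet,
    such as the '_' in the /pid value; short numeric values fail both.
    """
    if not value or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_options(cmdline):
    """parse_options() plus base64 decoding; decoded JSON blobs become dicts."""
    program, opts = parse_options(cmdline)
    decoded = {}
    for name, value in opts.items():
        text = try_base64_text(value)
        if text is None:
            decoded[name] = value  # left as recorded
            continue
        try:
            decoded[name] = json.loads(text)
        except json.JSONDecodeError:
            decoded[name] = text  # a plain string such as a path
    return program, decoded


if __name__ == "__main__":
    prog, opts = decode_options(CMDLINE)
    print(prog)
    for name, value in opts.items():
        print(f"  {name} = {value!r}")
```

The same routine works on any recorded command line from the report; values that are not base64 come back untouched, so it is safe to run over every process entry rather than only the one shown here.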
Total events: 22 401
Read events: 21 946
Write events: 451
Delete events: 4

Modification events

(PID) Process: (2832) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process: (2832) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
04000000030000000000000012000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process: (2832) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0
Operation: write
Name: MRUListEx
Value:
0400000005000000010000000600000008000000020000000C0000000B0000000A00000009000000070000000000000003000000FFFFFFFF
(PID) Process: (2832) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation: write
Name: Locked
Value: 1
(PID) Process: (2832) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: MinimizedStateTabletModeOff
Value: 0
(PID) Process: (2832) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: QatItems
Value: (not preserved)
(PID) Process: (2832) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Operation: write
Name: ITBar7Layout
Value:
13000000000000000000000020000000100000000000000001000000010700005E01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2832) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0
Operation: write
Name: 3
Value:
7E00310000000000795C6C0D11004465736B746F7000680009000400EFBE274B1240795C6C0D2E00000056A100000000090000000000000000003E000000000084339E004400650073006B0074006F007000000040007300680065006C006C00330032002E0064006C006C002C002D0032003100370036003900000016000000
(PID) Process: (2832) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0\3
Operation: delete value
Name: MRUList
Value: -
(PID) Process: (2832) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0
Operation: write
Name: MRUListEx
Value: 03000000000000000200000001000000FFFFFFFF
Executable files: 475
Suspicious files: 41
Text files: 63
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2524 | BOOTICE_102_614556.exe | C:\Users\admin\Desktop\bootice.zip | compressed
MD5: 89A4496346D9EE27DB4390CB822F181C
SHA256: 0B0D71F6E72098434E14C82649E7FC5FCA15925D9E4BA23143D165754550FD2E
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\computer-nonet\css\reset.css | csv
MD5: 4593F56181D98BF62E58E64383B20DED
SHA256: 8F16B478B5A247F70351BAD25CD1FAC49F979F38A447AE0384D2DA83944677E2
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\Temp\09DuCt3bEaFQAXbF\target.png | image
MD5: B9387F0D6E60FD9293EAB2F83D0FED6B
SHA256: D046513BFB398CF40EF6BE558037B62AD603CB6C38EEB0584F70BAFF4182C9BD
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\computer-nonet\imgs\nonet.png | image
MD5: 478F594AE8B0C03F058A4E381C7974C6
SHA256: 51DC7C17FE88421483C2B4CFBD38CA54D7C2DBC8F7577D41D4586E3EE78DED4E
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\Tools\LockScreen\video_full\.DS_Store | binary
MD5: 77D32973345CAB911F8C09A0FE18F29D
SHA256: 7E5E26BCBA35CCEBEDFBAA4328FF4A6E480AB1CF529EC7C7CF4A0656CFFC66BE
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\computer-nonet\css\index.scss | text
MD5: 29E23EF86106B697CF16D5BD88DDB145
SHA256: 21CCB46BDC07EE636D797C11DCB42BE828D72307A4B6551A94FBDCEB6714E5C5
2524 | BOOTICE_102_614556.exe | C:\Users\admin\Desktop\123.901606.fl.tmp | compressed
MD5: 89A4496346D9EE27DB4390CB822F181C
SHA256: 0B0D71F6E72098434E14C82649E7FC5FCA15925D9E4BA23143D165754550FD2E
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\Tools\LockScreen\video_full\css\reset.css | text
MD5: 39BDEC8469C77D40827FEC9DA267F16C
SHA256: A11B94A8D9983818B194AE3BBA9D0717F547C8F8FA4A3606AF473A518919DC25
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\computer-nonet\css\index.css | text
MD5: 5EA974A5AFCC5EFCE319BF3B387D1E93
SHA256: E6516EF3C716B01BBC530E911FEF0AC469FA3D37F098FCFE6965F8A65D0C753A
2524 | BOOTICE_102_614556.exe | C:\Users\admin\AppData\Local\winToolBox\runtime.zip | compressed
MD5: A2E205D8B9EBE0EA0B50EDFF91856CB8
SHA256: 25E0BE76CB26E6FE99E6238CE58538D297835DE718325C762CC4FD84B05710D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 115
TCP/UDP connections: 123
DNS requests: 44
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2524 | BOOTICE_102_614556.exe | HEAD | 302 | 43.159.104.132:443 | https://www.onlinedown.net/iopdfbhjl/614556?module=download&t=website&v=20260325094304 | SG | - | - | unknown
2524 | BOOTICE_102_614556.exe | HEAD | 200 | 222.141.57.105:443 | https://download.ihsdus.cn/down/2024down/2/05/bootice.zip?timestamp=69c33db0&auth_key=0c90b9a9f6b5a2600f99cc4ef65f9243 | CN | - | - | unknown
2524 | BOOTICE_102_614556.exe | HEAD | 200 | 222.141.57.105:443 | https://download.ihsdus.cn/down/2024down/2/05/bootice.zip?timestamp=69c33db0&auth_key=0c90b9a9f6b5a2600f99cc4ef65f9243 | CN | - | - | unknown
2524 | BOOTICE_102_614556.exe | HEAD | 200 | 222.141.57.105:443 | https://download.ihsdus.cn/down/2024down/2/05/bootice.zip?timestamp=69c33db0&auth_key=0c90b9a9f6b5a2600f99cc4ef65f9243 | CN | - | - | unknown
5276 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
2524 | BOOTICE_102_614556.exe | POST | 200 | 112.126.77.202:80 | http://apiinfo.lfuerts.cn/v1/client/logid | CN | text | 550 b | unknown
2524 | BOOTICE_102_614556.exe | GET | 200 | 112.126.77.202:80 | http://apiinfo.lfuerts.cn/log/client/sdbro?type=sdbro&user=a894b4bab5a285f7a5be371a63c4c397&channel=102&ver=1.0.1.25&sys=10.0&bit=1&sdsoft=0&brosoft=2051 | CN | text | 2 b | unknown
2524 | BOOTICE_102_614556.exe | POST | 200 | 60.205.148.178:80 | http://api.nasyeo.com/api/info | CN | text | 524 b | unknown
2524 | BOOTICE_102_614556.exe | GET | 200 | 43.159.104.132:443 | https://www.onlinedown.net/api/ryapi?webid=2&softid=614556&token=1711ac5b52c5899e0d12b02aafda8279 | SG | text | 1.23 Kb | unknown
- | - | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | NL | binary | 314 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
3448 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 184.86.251.27:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 23.11.41.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
2524 | BOOTICE_102_614556.exe | 112.126.77.202:80 | apiinfo.lfuerts.cn | ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
2524 | BOOTICE_102_614556.exe | 60.205.148.178:80 | api.nasyeo.com | ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.22
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
google.com
  • 142.251.141.78
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
apiinfo.lfuerts.cn
  • 112.126.77.202
unknown
api.nasyeo.com
  • 60.205.148.178
unknown
www.onlinedown.net
  • 43.159.104.132
whitelisted
crl.microsoft.com
  • 23.55.110.193
  • 23.55.110.211
whitelisted

Threats

PID | Process | Class | Message
3448 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2524 | BOOTICE_102_614556.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
2524 | BOOTICE_102_614556.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
2524 | BOOTICE_102_614556.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
2524 | BOOTICE_102_614556.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
5764 | duohuipingbao.exe | Misc activity | HUNTING [ANY.RUN] TCP binary protocol 16-LE pkt-len prefix on non-standard port inbound
5764 | duohuipingbao.exe | Misc activity | HUNTING [ANY.RUN] TCP binary protocol 16-LE data-len prefix on non-standard port inbound
5764 | duohuipingbao.exe | Misc activity | HUNTING [ANY.RUN] TCP binary protocol 16-LE pkt-len prefix on non-standard port inbound
Process | Message ('?' marks characters not preserved in the report)
BOOTICE_102_614556.exe | ???:1.0.1.25_10125
BOOTICE_102_614556.exe | [downloadframe.cpp:798] LOGO FILE: C:\Users\admin\AppData\Local\Temp\09DuCt3bEaFQAXbF\target.png
BOOTICE_102_614556.exe | [downloadframe.cpp:797] LOGO URL: https://img.onlinedown.net/download/202105/164501-6093ac8d1c36d.jpg
BOOTICE_102_614556.exe | [downloadframe.cpp:799] LOGO REFFER: https://www.onlinedown.net/
BOOTICE_102_614556.exe | [downloadframe.cpp:71] ??
BOOTICE_102_614556.exe | [downloadframe.cpp:611] ===> C:\Users\admin\AppData\Local\winToolBox\Tools\clear
BOOTICE_102_614556.exe | [downloadframe.cpp:71] ??
BOOTICE_102_614556.exe | ????!
About.exe | [worker.cpp:1114] Win???About,????.
About.exe | [websocketservermanager.cpp:55] Start all servers ...