Malware analysis 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe Malicious activity

Add for printing

File name:	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe
Full analysis:	https://app.any.run/tasks/7c3db214-a6c2-4175-bf86-619da9ea78ff
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	February 27, 2024, 06:22:28
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	adware loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	1455ECAD502896614E005C5173DF16EB
SHA1:	9F572DCDF2AB17296753C2F10AF2AD03DD4ADB4A
SHA256:	1F292F89857B79F9E7766F9978C4100ED0AED53349CECADFC0ADB54AE35AC7F4
SSDEEP:	98304:F0OhRnEeRLU6wmabsGioV58LBt6sPtRXLramoKuIIecTZ2lR6U/YAMOcqk9D8BiI:YKMOiLrB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Creates a writable file in the system directory
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
SUSPICIOUS
- Process requests binary or script from the Internet
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
- Reads security settings of Internet Explorer
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
- Process drops legitimate windows executable
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Executable content was dropped or overwritten
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- The process creates files with name similar to system file names
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- The process drops C-runtime libraries
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Drops a system driver (possible attempt to evade defenses)
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Creates files in the driver directory
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- The process verifies whether the antivirus software is installed
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
INFO
- Checks supported languages
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Reads the computer name
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Create files in a temporary directory
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Reads the machine GUID from the registry
  - 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe (PID: 5012)
- Creates files in the program directory
  - duba_u23850015_sv1_83_23.exe (PID: 6824)
- Checks proxy server information
  - slui.exe (PID: 4028)
- Reads the software policy settings
  - slui.exe (PID: 4028)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1970:02:17 08:12:48+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	2171904
InitializedDataSize:	1917440
UninitializedDataSize:	-
EntryPoint:	0x9a18a
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2024.2.18.1191
ProductVersionNumber:	9.3.0.2599
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Kingsoft Security
FileDescription:	Kingsoft Security
FileVersion:	2024,02,18,2599
InternalName:	KTool
LegalCopyright:	-
OriginalFileName:	-
ProductName:	Kingsoft Security
ProductVersion:	9,3,0,2599

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4028

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

4068

"C:\Users\admin\AppData\Local\Temp\1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe"

C:\Users\admin\AppData\Local\Temp\1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe

—

explorer.exe

User:

admin

Company:

Kingsoft Security

Integrity Level:

MEDIUM

Description:

Kingsoft Security

Exit code:

3221226540

Version:

2024,02,18,2599

Modules

Images
c:\users\admin\appdata\local\temp\1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5012

"C:\Users\admin\AppData\Local\Temp\1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe"

C:\Users\admin\AppData\Local\Temp\1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe

explorer.exe

User:

admin

Company:

Kingsoft Security

Integrity Level:

HIGH

Description:

Kingsoft Security

Exit code:

Version:

2024,02,18,2599

Modules

Images
c:\users\admin\appdata\local\temp\1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6824

"C:\Users\admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.exe" & -rs:60000850 -lrs:lSuSIZA= tod1=716 tod2=1

C:\Users\admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.exe

1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe

User:

admin

Company:

Kingsoft Corporation

Integrity Level:

HIGH

Description:

Kingsoft Security - 安装程序

Exit code:

Version:

2023,08,01,2458

Modules

Images
c:\users\admin\appdata\local\temp\duba_u23850015_sv1_83_23.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

7 296

Read events

7 265

Write events

Delete events

Modification events


(PID) Process:	(5012) 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation:	write	Name:	idex
Value: a41cd1ca1c0c82f3bc467fe50e420735
(PID) Process:	(5012) 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation:	write	Name:	idno
Value: 1
(PID) Process:	(5012) 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\36\52C64B7E
Operation:	write	Name:	@%systemroot%\system32\FirewallControlPanel.dll,-12122
Value: Windows Defender Firewall
(PID) Process:	(5012) 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation:	write	Name:	did
Value: 544CE2F7AD2086089700061031EBEE5C
(PID) Process:	(5012) 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation:	write	Name:	PacketPath_233_716_1
Value: C:\Users\admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.exe
(PID) Process:	(5012) 1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.exe
(PID) Process:	(6824) duba_u23850015_sv1_83_23.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation:	write	Name:	idno
Value: 1
(PID) Process:	(6824) duba_u23850015_sv1_83_23.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation:	write	Name:	idex
Value: a41cd1ca1c0c82f3bc467fe50e420735
(PID) Process:	(6824) duba_u23850015_sv1_83_23.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation:	write	Name:	svrid
Value:
(PID) Process:	(6824) duba_u23850015_sv1_83_23.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

184

Suspicious files

Text files

367

Unknown types

231

Dropped files

PID	Process	Filename		Type
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\100.png		image
		MD5:A64D7F2A825F5547182E9E3EE25B4544	SHA256:E78B678846C177786E70E29D5111359D4AFF20D9AC5935FAD2BE87B17D7F9FC9
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\install_res\soft.ico		image
		MD5:F09986091A0DA5D72A57248E12A9AE4E	SHA256:20C293C66182884940954A5EE7A37937B3FBBC90BDB0FCEE714B66BEE2518671
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.exe		—
		MD5:—	SHA256:—
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\soft.ico		image
		MD5:F09986091A0DA5D72A57248E12A9AE4E	SHA256:20C293C66182884940954A5EE7A37937B3FBBC90BDB0FCEE714B66BEE2518671
6824	duba_u23850015_sv1_83_23.exe	C:\ProgramData\Kingsoft\KIS\hg.dat		—
		MD5:—	SHA256:—
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\install_res\100.png		image
		MD5:A64D7F2A825F5547182E9E3EE25B4544	SHA256:E78B678846C177786E70E29D5111359D4AFF20D9AC5935FAD2BE87B17D7F9FC9
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\110.png		image
		MD5:020AE4ED917D5F84277384CAB39E56B0	SHA256:DC35117220A1A6959FFC2125DBD3A40452F88FFCA94B2A69CCBD9CF58380FDD9
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\install_res\6000.xml		text
		MD5:9605F14AED72906A40155329EAE6F49B	SHA256:B6C22395227C36B8BBE240CB826B1277A65DC6AAB15A46A0E2D3F96485BFB098
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\jcqgx.ini		text
		MD5:478B13BDC92E7D49E1E4A9B9C496FE9A	SHA256:7B8DFFD78EB43C4FA4472104DFC03C787196E5E6D852189F0F5BC0DC816E4F79
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	C:\Users\admin\AppData\Local\Temp\kinst.log		text
		MD5:3EB6152A5006BF52E6F5066737A330C0	SHA256:B4B806B1269E1A0CB915B50759441463F42FC43A4C4E71E2050B0B99110F527D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	POST	200	139.9.36.178:80	http://infoc0.duba.net/c/	unknown	binary	43 b	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	GET	200	218.12.76.156:80	http://2398.35go.net/defend/o1/jcqgx.ini	unknown	text	10 b	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	POST	200	139.9.36.178:80	http://infoc0.duba.net/c/	unknown	binary	43 b	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	POST	200	139.9.36.178:80	http://infoc0.duba.net/c/	unknown	binary	43 b	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	POST	200	139.9.36.178:80	http://infoc0.duba.net/c/	unknown	binary	43 b	unknown
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
7156	svchost.exe	GET	200	2.16.164.43:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	GET	404	183.61.177.35:80	http://dubacdn.cmcmcdn.com/sem/installer/716.png	unknown	binary	64 b	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	POST	200	139.9.36.178:80	http://infoc0.duba.net/c/	unknown	binary	43 b	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	GET	200	120.52.95.248:80	http://config.i.duba.net/seminstall/233/716.xml?time=1709014987	unknown	text	2.34 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3848	svchost.exe	239.255.255.250:1900	—	—	—	unknown
7156	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5928	svchost.exe	20.190.160.14:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
6896	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	218.12.76.156:80	2398.35go.net	CHINA UNICOM China169 Backbone	CN	unknown
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	139.9.36.178:80	infoc0.duba.net	Huawei Cloud Service data center	CN	unknown
5928	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
7156	svchost.exe	2.16.164.43:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
2398.35go.net	218.12.76.156 120.52.95.248 120.52.95.245 218.12.76.158	whitelisted
infoc0.duba.net	139.9.36.178 139.9.44.129 139.9.36.107 121.37.247.153 139.9.45.227 139.9.35.91 139.9.43.42 139.9.43.12 139.9.37.26	whitelisted
dubacdn.cmcmcdn.com	183.61.177.35 220.169.152.35 125.74.1.35 175.4.51.35 182.84.110.35 150.138.110.35 150.138.188.35 125.74.110.35 220.180.243.35 182.106.158.35	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
crl.microsoft.com	2.16.164.43 2.16.164.72	whitelisted
config.i.duba.net	120.52.95.248 218.12.76.158 120.52.95.245 218.12.76.156	whitelisted
softmgr-softsem-srv.jinshanapi.com	114.132.191.224	unknown
www.bing.com	2.19.96.88 2.19.96.26 2.19.96.83 2.19.96.66 2.19.96.80 2.19.96.82 2.19.96.130 2.19.96.129 2.19.96.91	whitelisted
arc.msn.com	20.199.58.43	whitelisted

Threats

PID	Process	Class	Message
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] PUP.Win32/KingSoft.E
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5012	1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

Add for printing

No debug info

General Info

1f292f89857b79f9e7766f9978c4100ed0aed53349cecadfc0adb54ae35ac7f4.exe

1455ECAD502896614E005C5173DF16EB

9F572DCDF2AB17296753C2F10AF2AD03DD4ADB4A

1F292F89857B79F9E7766F9978C4100ED0AED53349CECADFC0ADB54AE35AC7F4

98304:F0OhRnEeRLU6wmabsGioV58LBt6sPtRXLramoKuIIecTZ2lR6U/YAMOcqk9D8BiI:YKMOiLrB

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

SUSPICIOUS

Process requests binary or script from the Internet

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process creates files with name similar to system file names

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

The process verifies whether the antivirus software is installed

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings