File name: installer.exe
Full analysis: https://app.any.run/tasks/5416f905-0b31-4af7-9249-45a6ba036b89
Verdict: Malicious activity
Analysis date: July 04, 2024, 01:22:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9FADC5C7C3282E203C68B0D45BFA0B10
SHA1: 5F0914179D66B63CAFE61DD55D8D418E64E36EA5
SHA256: 260DC2A2ADC2E1E29BB5F8BC243FB45FBD29BAAEC7A28FEED59260A9F2B12A29
SSDEEP: 12288:KCKeGGfG6udZpIcJPQLGCQaOHbOceDg6frUgVBy99:KCKeGG8dZ/QiuOCcQg6DUgVE99

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • installer.exe (PID: 2960)
  • SUSPICIOUS
    • Reads the Internet Settings
      • installer.exe (PID: 2960)
    • Reads security settings of Internet Explorer
      • installer.exe (PID: 2960)
    • Executable content was dropped or overwritten
      • installer.exe (PID: 2960)
    • The process verifies whether the antivirus software is installed
      • installer.exe (PID: 2960)
  • INFO
    • Checks supported languages
      • installer.exe (PID: 2960)
    • Checks proxy server information
      • installer.exe (PID: 2960)
    • Reads the computer name
      • installer.exe (PID: 2960)
    • Reads the machine GUID from the registry
      • installer.exe (PID: 2960)
    • Creates files or folders in the user directory
      • installer.exe (PID: 2960)
    • Creates files in a temporary directory
      • installer.exe (PID: 2960)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:09 08:58:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 313344
InitializedDataSize: 86528
UninitializedDataSize: -
EntryPoint: 0x286ef
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1820
ProductVersionNumber: 1.0.0.1820
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: Edit can
FileVersion: 1, 0, 0, 1820
OriginalFileName: InstDirect2DLayer.exe
ProductName: Installing the Direct2D Debug Layer
ProductVersion: 1, 0, 0, 1820
Total processes: 43
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Process information

PID: 2960
CMD: "C:\Users\admin\AppData\Local\Temp\installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Edit can
Exit code: 1
Version: 1, 0, 0, 1820
Modules (images):
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3252
CMD: "C:\Users\admin\AppData\Local\Temp\installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Edit can
Exit code: 3221226540
Version: 1, 0, 0, 1820
Modules (images):
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
Total events: 651
Read events: 623
Write events: 22
Delete events: 6

Modification events

PID | Process | Key | Operation | Name | Value
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyServer | -
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyOverride | -
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoConfigURL | -
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoDetect | -
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
2960 | installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0

Executable files: 1
Suspicious files: 42
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2960 | installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\360ini[1].cab | compressed | 95DD807CCD0FE428EAD525BB6DB04E9E | 70D8B7F85747412F6EE70DE86A1266F4FD90E204B6602F3EB01ABCC37EEA4CEB
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\rGcQcXwKjVcDzAnM\360ini.dll | executable | 6ACD20075E2F6D441D4F1FE5E7522219 | 60A4E3B37EBD18ADAFE25382EBF06033D02695BE7A0725FFABB67A41DF98EF31
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{0446F783-CB1E-401f-9858-288100442138}\aDcEaOnJyEbOkGdD.tmp | binary | DB79491AFC18EDA46CD1EF7051789B10 | CECA1CDE0FCFA202779FEAE43D2BB310155F5C741BC3013532E94F6767036668
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{DD8F3920-6A81-4b2f-A1BD-9038EB6BCAE3}\dXrVnKzFhOqTbWbQ.tmp | binary | 22096D7176212A015E062405EE6E8765 | 150EB0AAFA6D6AC95569D4D7BEDB7FADFF312F19BE45F5C17C496FF7FD35F543
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{C0D767E0-ECFD-46b2-8632-4D2CFA81245A}\xShDfTtNuVbYkYxQ.tmp | binary | 9AAC0E5BC4863CAB5ECE3F5A55C15649 | E33BDCBDC9BB4ED4FEA8CF64BC1C48EE0C929FC07E06BC4565C3D4A269086248
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{049C14C5-3396-42a6-82E3-CFC4A242D3A4}.tmp | binary | 29EA77997A76F2AE6A6D44CA1E5C3E79 | 5BA7AD3CC68F8F054CFD95E9BB66B0E70597A8DF01D4E7B5C3E7D7D2D322A8EB
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{2EFE9A12-1ECB-44f1-AF1D-99937696AC8C}.tmp | binary | 7B63306BEE3057609845848655CA6E36 | 3D138DB4EE5797C60EB2945213EC86F56F02346240BAA4828D8F0FE8BDE4FB35
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{4C943C63-E8EC-485f-95C4-870BFF11B34F}.tmp | binary | E602E84C5A82B8B91947F0B0658229B3 | AEB587D08E0246BDD2B0197AEF9A575158DF1B8FECCEC1FABE698DAFBACD502C
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{019D2339-B6F7-4003-8C98-00DB52431EC4}.tmp | binary | C7C01C89B1E5023ED632961CAFD7639E | BE724802FE0E52DF0C8FDF394F068C0FC9DE28DE0878D6F5E1C3B434A7C676DF
2960 | installer.exe | C:\Users\admin\AppData\Local\Temp\{6DB2AF5B-8333-4760-B727-FFAF6C954532}.tmp | binary | D91B37B787F07334DA7E5567A9579676 | D911972323528CC4B8E68EF31E154BFADE1ADFA5C9A578B02A9FBC9760F482CD

HTTP(S) requests: 14
TCP/UDP connections: 21
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2960 | installer.exe | GET | 200 | 104.192.108.17:80 | http://dl.360safe.com/gf/360ini.cab | unknown | unknown
2960 | installer.exe | HEAD | 200 | 104.192.108.17:80 | http://dl.360safe.com/gf/360ini.cab | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=700&r=0&d=99990001 | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=705&r=0&d=99990001 | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=3000&r=0&d=0 | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=3001&r=0&d=0 | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=686&r=0&d=0 | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.247.35:80 | http://grow.safe.360.cn/conf/item/info?m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&mid=b8c075ec50c0ffb37ec9c97cc27794fb&position=360ini&q=%43%4f%59%70%47%74%34%5a%32%43%4b%64%70%62%59%57%78%36%65%33%67%46%47%4f%75%6a%2b%75%55%55%79%42%70%68%48%6a%2f%79%57%2b%6a%39%31%65%48%69%6a%4b%57%4f%55%49%69%4d%41%2f%37%52%68%76%65%7a%33%77%79%2b%75%76%41%77%74%7a%69%6c%43%30%48%64%6a%72%62%46%67%50%69%39%4e%78%50%58%53%64%2f%30%65%68%4f%45%34%7a%76%69%68%31%61%48%2f%52%4f%62%63%56%76%57%68%2b%48%4d%65%74%71%66%71%39%4b%67%6e%6e%36%36%48%2f%63%36%4d%42%4f%36%58%4b%36%48%71%66%52%79%39%2f%6c%6a%4d%48%54%46%44%42%6e%4b%61%6b%79%4a%36%34%34%6b%61%38%71%55%45%3d&rand=120203&timestamp=1720056158&ver=1.0.0.1820&sign=cd543f02d36c9cdee7e9753a87514c6b | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=1200&r=0&d=0 | unknown | unknown
2960 | installer.exe | GET | 200 | 180.163.251.231:80 | http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=685&r=0&d=0 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2960 | installer.exe | 104.192.108.17:80 | dl.360safe.com | Beijing Qihu Technology Company Limited | US | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2960 | installer.exe | 180.163.251.231:80 | s.360.cn | China Telecom Group | CN | unknown
2960 | installer.exe | 180.163.247.35:80 | grow.safe.360.cn | China Telecom Group | CN | unknown
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
dl.360safe.com | 104.192.108.17, 104.192.108.20, 104.192.108.21 | whitelisted
s.360.cn | 180.163.251.231, 171.13.14.66, 180.163.251.230, 171.8.167.90 | whitelisted
grow.safe.360.cn | 180.163.247.35, 101.198.3.25 | unknown
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 23.50.131.216, 23.50.131.200, 93.184.221.240 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted

Threats

No threats detected
No debug info