File name: installer.exe
Full analysis: https://app.any.run/tasks/5416f905-0b31-4af7-9249-45a6ba036b89
Verdict: Malicious activity
Analysis date: July 04, 2024, 01:22:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9FADC5C7C3282E203C68B0D45BFA0B10
SHA1: 5F0914179D66B63CAFE61DD55D8D418E64E36EA5
SHA256: 260DC2A2ADC2E1E29BB5F8BC243FB45FBD29BAAEC7A28FEED59260A9F2B12A29
SSDEEP: 12288:KCKeGGfG6udZpIcJPQLGCQaOHbOceDg6frUgVBy99:KCKeGG8dZ/QiuOCcQg6DUgVE99

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • installer.exe (PID: 2960)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • installer.exe (PID: 2960)
    • Reads the Internet Settings

      • installer.exe (PID: 2960)
    • The process checks whether antivirus software is installed

      • installer.exe (PID: 2960)
    • Executable content was dropped or overwritten

      • installer.exe (PID: 2960)
  • INFO

    • Checks proxy server information

      • installer.exe (PID: 2960)
    • Reads the computer name

      • installer.exe (PID: 2960)
    • Checks supported languages

      • installer.exe (PID: 2960)
    • Reads the machine GUID from the registry

      • installer.exe (PID: 2960)
    • Creates files or folders in the user directory

      • installer.exe (PID: 2960)
    • Creates files in a temporary directory

      • installer.exe (PID: 2960)
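The MALICIOUS indicator above ("Drops the executable file immediately after the start") is cheap to reproduce from endpoint telemetry. The script below is an added example, not ANY.RUN's code and not derived from the sample: it runs one rule over constructed, Sysmon-style process-create and file-create records modelled on the Temp paths in this report and flags a process that itself runs from a user Temp directory and writes a PE file into a user Temp directory within a few seconds of starting. The timestamps, the event schema, the file headers and the benign rows are invented for the example.

```python
"""Flag a freshly started process that writes a PE into a user Temp directory
within seconds of starting.  Added example: the events are constructed,
Sysmon-like records modelled on this report, not data exported from ANY.RUN."""
from datetime import datetime, timedelta
import re
from typing import Dict, List

# %LOCALAPPDATA%\Temp of any user, case-insensitive
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# Constructed sample events (timestamps, 'head' bytes and the benign rows are invented).
EVENTS: List[Dict] = [
    {"t": "2024-07-04T01:22:30", "kind": "ProcessCreate", "pid": 2960,
     "image": r"C:\Users\admin\AppData\Local\Temp\installer.exe", "parent": "explorer.exe"},
    {"t": "2024-07-04T01:22:31", "kind": "FileCreate", "pid": 2960,
     "target": r"C:\Users\admin\AppData\Local\Temp\360ini.cab", "head": b"MSCF\x00\x00"},
    {"t": "2024-07-04T01:22:33", "kind": "FileCreate", "pid": 2960,
     "target": r"C:\Users\admin\AppData\Local\Temp\rGcQcXwKjVcDzAnM\360ini.dll", "head": b"MZ\x90\x00"},
    {"t": "2024-07-04T01:22:34", "kind": "FileCreate", "pid": 2960,
     "target": r"C:\Users\admin\AppData\Local\Temp\{1F6C7AAB-0032-4565-AD98-A5AA67607C61}.tmp",
     "head": b"\x00\x01"},
    # benign control: a Program Files installer writing a PE five minutes after start
    {"t": "2024-07-04T01:20:00", "kind": "ProcessCreate", "pid": 4100,
     "image": r"C:\Program Files\Vendor\setup.exe", "parent": "explorer.exe"},
    {"t": "2024-07-04T01:25:00", "kind": "FileCreate", "pid": 4100,
     "target": r"C:\Program Files\Vendor\plugin.dll", "head": b"MZ\x90\x00"},
]


def looks_like_pe(head: bytes) -> bool:
    """MZ magic is enough for a first-pass filter; a full check would follow e_lfanew."""
    return head[:2] == b"MZ"


def find_early_temp_pe_drops(events: List[Dict],
                             window: timedelta = timedelta(seconds=10)) -> List[Dict]:
    """One finding per PE written by a Temp-resident process into a user Temp
    directory no later than `window` after that process started."""
    start_of: Dict[int, Dict] = {}
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "ProcessCreate":
            start_of[ev["pid"]] = ev
            continue
        if ev["kind"] != "FileCreate" or not looks_like_pe(ev["head"]):
            continue
        proc = start_of.get(ev["pid"])
        if proc is None:
            continue  # start not observed, timing cannot be judged
        age = datetime.fromisoformat(ev["t"]) - datetime.fromisoformat(proc["t"])
        if age <= window and USER_TEMP.match(proc["image"]) and USER_TEMP.match(ev["target"]):
            findings.append({"pid": ev["pid"], "image": proc["image"],
                             "target": ev["target"],
                             "seconds_after_start": age.total_seconds()})
    return findings


if __name__ == "__main__":
    for f in find_early_temp_pe_drops(EVENTS):
        print(f"pid {f['pid']}: {f['image']} wrote {f['target']} "
              f"{f['seconds_after_start']:.0f}s after start")
```

The cab and the {GUID}.tmp files are deliberately not flagged: only the PE drop is the signal, and the Program Files control shows the Temp-to-Temp condition doing its job. On a real host the same rule reads Sysmon event 1 and event 11 (or event 15 with the file header) instead of the inline list.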
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:09 08:58:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 313344
InitializedDataSize: 86528
UninitializedDataSize: -
EntryPoint: 0x286ef
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1820
ProductVersionNumber: 1.0.0.1820
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: Edit can
FileVersion: 1, 0, 0, 1820
OriginalFileName: InstDirect2DLayer.exe
ProductName: Installing the Direct2D Debug Layer
ProductVersion: 1, 0, 0, 1820

Note: the version resource is internally inconsistent. ObjectFileType claims "Dynamic link library" for what is a GUI .exe, and the product strings (Installing the Direct2D Debug Layer, "Edit can", OriginalFileName InstDirect2DLayer.exe) have nothing to do with the 360ini.cab download the process performs. Version-info strings are written by whoever builds the binary and are not evidence of origin; the one value that ties to observed behaviour is the version 1.0.0.1820, which reappears as ver=1.0.0.1820 in the grow.safe.360.cn request. The link-time stamp (2022-05-09) is two years older than the analysis date.
Total processes: 43
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph not reproduced.) Nodes: start, installer.exe, installer.exe (no specs).

Process information

PID 2960
  CMD: "C:\Users\admin\AppData\Local\Temp\installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\installer.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: Edit can
  Exit code: 1
  Version: 1, 0, 0, 1820
  Modules (images):
    c:\users\admin\appdata\local\temp\installer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll

PID 3252
  CMD: "C:\Users\admin\AppData\Local\Temp\installer.exe"
  Path: C:\Users\admin\AppData\Local\Temp\installer.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Edit can
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1, 0, 0, 1820
  Modules (images):
    c:\users\admin\appdata\local\temp\installer.exe
    c:\windows\system32\ntdll.dll

Note: the medium-integrity instance (PID 3252) never got past ntdll.dll and exited with STATUS_ELEVATION_REQUIRED, i.e. the binary demands administrator rights (typically a requireAdministrator manifest). The elevated, high-integrity instance (PID 2960) is the one that performed every action recorded below; it exited with code 1.
Total events: 651
Read events: 623
Write events: 22
Delete events: 6

Modification events

All events below were performed by PID 2960 (installer.exe).

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  write         ProxyEnable = 0
  delete value  ProxyServer
  delete value  ProxyOverride
  delete value  AutoConfigURL
  delete value  AutoDetect

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  write         SavedLegacySettings = 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write         ProxyBypass = 1
  write         IntranetName = 1
  write         UNCAsIntranet = 1
  write         AutoDetect = 0

Note: every write touches only the current user's WinINet proxy configuration. ProxyEnable is set to 0 and ProxyServer, ProxyOverride, AutoConfigURL and AutoDetect are removed, so the run leaves the user with no proxy configured at all; this is the set of values WinINet itself rewrites when a program saves per-connection options through InternetSetOption, and the ZoneMap values are the standard Local intranet zone flags. Nothing here redirects traffic to a non-default proxy or PAC URL, which is the thing to check for when a sample touches these keys.
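SavedLegacySettings is a binary value in the same layout WinINet uses for DefaultConnectionSettings under this key: a version DWORD (0x46 here), a change counter, the per-connection flags, then three length-prefixed ASCII strings (proxy server, bypass list, auto-config URL), followed by a 32-byte auto-detect trailer and padding. The parser below is an added example, not part of the report and not Microsoft's code; the layout is the commonly documented one, the flag bits are the INTERNET_PER_CONN_FLAGS values from wininet.h, and the trailer is left uninterpreted. The blob is the value recorded above with its run of trailing zero padding shortened, which changes no parsed field.

```python
"""Decode the SavedLegacySettings value written above.  Added example, not part of
the ANY.RUN report: the layout is the commonly documented WinINet connection-
settings format (version, counter, flags, three length-prefixed strings, 32-byte
auto-detect trailer); flag bits are the INTERNET_PER_CONN_FLAGS values from wininet.h."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

PROXY_TYPE_DIRECT = 0x1          # connect directly
PROXY_TYPE_PROXY = 0x2           # use ProxyServer / ProxyOverride
PROXY_TYPE_AUTO_PROXY_URL = 0x4  # use AutoConfigURL (PAC)
PROXY_TYPE_AUTO_DETECT = 0x8     # WPAD auto-detection

FLAG_NAMES = {PROXY_TYPE_DIRECT: "DIRECT", PROXY_TYPE_PROXY: "PROXY",
              PROXY_TYPE_AUTO_PROXY_URL: "AUTO_PROXY_URL", PROXY_TYPE_AUTO_DETECT: "AUTO_DETECT"}

# Value from the Modification events above; the long trailing zero padding is
# shortened to 32 bytes here, which does not change any parsed field.
SAVED_LEGACY_SETTINGS_HEX = (
    "460000005D01000009000000"            # version 0x46, counter 0x15D, flags 0x9
    "000000000000000000000000"            # proxy, bypass and auto-config strings, all length 0
    "0400000000000000C0E333BBEAB1D301"    # 32-byte auto-detect trailer (contains a FILETIME)
    "000000000000000000000000"
    "0100000002000000C0A8016B"
    + "00" * 32
)


@dataclass
class ConnectionSettings:
    version: int
    counter: int
    flags: int
    proxy_server: str
    proxy_bypass: str
    autoconfig_url: str
    trailer_len: int

    @property
    def flag_names(self) -> List[str]:
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]


def _read_lpstr(buf: bytes, off: int) -> Tuple[str, int]:
    """DWORD length followed by that many bytes, no terminator."""
    if off + 4 > len(buf):
        raise ValueError("truncated before string length")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length runs past end of blob")
    return buf[off:off + n].decode("ascii", "replace"), off + n


def parse_connection_settings(blob: bytes) -> ConnectionSettings:
    if len(blob) < 24:
        raise ValueError("blob too short for header and three empty strings")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if version not in (0x3C, 0x46):
        raise ValueError(f"unexpected version {version:#x}")
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac, off = _read_lpstr(blob, off)
    return ConnectionSettings(version, counter, flags, proxy, bypass, pac, len(blob) - off)


def build_connection_settings(flags: int, proxy: str = "", bypass: str = "", pac: str = "",
                              version: int = 0x46, counter: int = 1) -> bytes:
    """Assemble a blob in the same layout (trailer zeroed), e.g. to see what a
    proxy-hijacking write looks like next to the benign one from the report."""
    out = struct.pack("<III", version, counter, flags)
    for s in (proxy, bypass, pac):
        data = s.encode("ascii")
        out += struct.pack("<I", len(data)) + data
    return out + b"\x00" * 32


def decode_report_value() -> ConnectionSettings:
    return parse_connection_settings(bytes.fromhex(SAVED_LEGACY_SETTINGS_HEX))


if __name__ == "__main__":
    hijacked = parse_connection_settings(build_connection_settings(
        PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, "127.0.0.1:8080", "<local>"))
    for label, cs in (("report", decode_report_value()), ("hijacked (constructed)", hijacked)):
        print(f"{label}: flags={cs.flags:#x} {cs.flag_names} proxy={cs.proxy_server!r} "
              f"bypass={cs.proxy_bypass!r} pac={cs.autoconfig_url!r} counter={cs.counter}")
```

The report's value decodes to flags 0x9 (DIRECT | AUTO_DETECT) with all three strings empty, which agrees with ProxyEnable=0 and the deleted ProxyServer/AutoConfigURL values. A genuine proxy hijack shows up as the PROXY or AUTO_PROXY_URL bit with a non-empty string, as in the constructed second blob; when reading the value from a live host or an NTUSER.DAT hive, parse both SavedLegacySettings and DefaultConnectionSettings, since WinINet keeps them in step.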
Executable files: 1
Suspicious files: 42
Text files: 0
Unknown types: 0

Dropped files

All files below were written by PID 2960 (installer.exe). The counters above total 43 files; ten are listed in this export.

C:\Users\admin\AppData\Local\Temp\rGcQcXwKjVcDzAnM\360ini.dll  (executable)
  MD5: 6ACD20075E2F6D441D4F1FE5E7522219
  SHA256: 60A4E3B37EBD18ADAFE25382EBF06033D02695BE7A0725FFABB67A41DF98EF31
C:\Users\admin\AppData\Local\Temp\360ini.cab  (compressed)
  MD5: 95DD807CCD0FE428EAD525BB6DB04E9E
  SHA256: 70D8B7F85747412F6EE70DE86A1266F4FD90E204B6602F3EB01ABCC37EEA4CEB
C:\Users\admin\AppData\Local\Temp\{1F6C7AAB-0032-4565-AD98-A5AA67607C61}.tmp  (binary)
  MD5: 179BF4363FFE1DF3E3417E8390D2D8B7
  SHA256: 61768395628CC6031DD1D2B72E642BA32FC2A102EBFCA0D25C2E1C6C85ED748F
C:\Users\admin\AppData\Local\Temp\{46400DB7-611F-4133-9321-60F0974F5252}.tmp  (binary)
  MD5: 4E852F4E8706CF053D31A4CC3F641AF8
  SHA256: 37813801B3F0DF369F98C3D4099633118F55E3B02EED327CAB3ACC79D1667B5C
C:\Users\admin\AppData\Local\Temp\{019D2339-B6F7-4003-8C98-00DB52431EC4}.tmp  (binary)
  MD5: C7C01C89B1E5023ED632961CAFD7639E
  SHA256: BE724802FE0E52DF0C8FDF394F068C0FC9DE28DE0878D6F5E1C3B434A7C676DF
C:\Users\admin\AppData\Local\Temp\{4C943C63-E8EC-485f-95C4-870BFF11B34F}.tmp  (binary)
  MD5: E602E84C5A82B8B91947F0B0658229B3
  SHA256: AEB587D08E0246BDD2B0197AEF9A575158DF1B8FECCEC1FABE698DAFBACD502C
C:\Users\admin\AppData\Local\Temp\{6DB2AF5B-8333-4760-B727-FFAF6C954532}.tmp  (binary)
  MD5: D91B37B787F07334DA7E5567A9579676
  SHA256: D911972323528CC4B8E68EF31E154BFADE1ADFA5C9A578B02A9FBC9760F482CD
C:\Users\admin\AppData\Local\Temp\{A83C3C4F-D184-4105-AB86-4F36D63E3974}.tmp  (binary)
  MD5: 3F5A0CCBFA3A4BFA5C85CFA8476C2D2C
  SHA256: 8C05226E58C948B472D31013B117F41B27B26CB1F1BC3D198EACAD58165CA5B1
C:\Users\admin\AppData\Local\Temp\{4380A753-8E89-4585-A964-5ADD12935618}.tmp  (binary)
  MD5: 8D3E934744C55C2B6D17B0559E79977F
  SHA256: CF1492D238FCB235F5D6C3AD6F5E0487CA7092E3288327A200418D02390E0D4B
C:\Users\admin\AppData\Local\Temp\{AEACBE4C-53E9-4182-89E8-9F22D40AC305}.tmp  (binary)
  MD5: 460658CA0200EEC9D5B7AA52ED994DC9
  SHA256: 18ED33288BBAD86734562A686AEE0C67CA7818690304431B74CB1711A40469A7

Note: 360ini.cab carries the same name as the file fetched from http://dl.360safe.com/gf/360ini.cab in the HTTP section, and 360ini.dll, the only PE among the drops, lands in a directory with a random-looking 16-character name under %TEMP%; that drop is what the "Drops the executable file immediately after the start" indicator fires on. The eight {GUID}.tmp files are typed only as "binary"; nothing in the report identifies their contents. The hashes above are the indicators to pivot on; the report does not say whether the cab's hash matches what the server returned.
HTTP(S) requests: 14
TCP/UDP connections: 21
DNS requests: 8
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL. The CN, Type, Size and Reputation columns were exported as "unknown unknown" for every row and are not repeated below. The counter above reports 14 requests; ten are listed in this export. All requests were made by PID 2960 (installer.exe).

HEAD  200  104.192.108.17:80
  http://dl.360safe.com/gf/360ini.cab
GET   200  104.192.108.17:80
  http://dl.360safe.com/gf/360ini.cab
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=700&r=0&d=99990001
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=705&r=0&d=99990001
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=3000&r=0&d=0
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=3001&r=0&d=0
GET   200  180.163.247.35:80
  http://grow.safe.360.cn/conf/item/info?m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&mid=b8c075ec50c0ffb37ec9c97cc27794fb&position=360ini&q=%43%4f%59%70%47%74%34%5a%32%43%4b%64%70%62%59%57%78%36%65%33%67%46%47%4f%75%6a%2b%75%55%55%79%42%70%68%48%6a%2f%79%57%2b%6a%39%31%65%48%69%6a%4b%57%4f%55%49%69%4d%41%2f%37%52%68%76%65%7a%33%77%79%2b%75%76%41%77%74%7a%69%6c%43%30%48%64%6a%72%62%46%67%50%69%39%4e%78%50%58%53%64%2f%30%65%68%4f%45%34%7a%76%69%68%31%61%48%2f%52%4f%62%63%56%76%57%68%2b%48%4d%65%74%71%66%71%39%4b%67%6e%6e%36%36%48%2f%63%36%4d%42%4f%36%58%4b%36%48%71%66%52%79%39%2f%6c%6a%4d%48%54%46%44%42%6e%4b%61%6b%79%4a%36%34%34%6b%61%38%71%55%45%3d&rand=120203&timestamp=1720056158&ver=1.0.0.1820&sign=cd543f02d36c9cdee7e9753a87514c6b
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=686&r=0&d=0
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=1200&r=0&d=0
GET   200  180.163.251.231:80
  http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=685&r=0&d=0

Note: everything goes over plain HTTP on port 80, so both the CAB download and the beacons are readable and modifiable by anyone on the path. The CAB is fetched with a HEAD and then a GET. The seven inst.htm requests carry identical m and m2 values and differ only in s and d (s = 700, 705, 3000, 3001, 686, 1200, 685), which reads as a step or status report sequence; the grow.safe.360.cn request reuses the same identifiers as m2 and mid, adds ver=1.0.0.1820 (the binary's version resource), a 32-hex-digit sign and a percent-encoded q value. The report does not say what any of these parameters mean.
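To see what the installer is actually sending, the script below splits the query strings of the URLs in the table. It is an added example, not code from 360 or from ANY.RUN; the URLs are copied verbatim from the table, and calling m/m2/mid machine identifiers, s/d step codes and q an opaque payload is this editor's reading of their shape and reuse, not a documented protocol. It reports the identifier values shared across requests, the (s, d) sequence of the inst.htm beacons in the order sent, and what q percent-decodes and base64-decodes to.

```python
"""Pull apart the installer's beacon URLs from the HTTP requests table.  Added
example, not code from 360 or ANY.RUN; reading m/m2/mid as machine identifiers,
s/d as step codes and q as an opaque payload is an inference from their shape."""
import base64
import binascii
import math
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# URLs exactly as listed in the report, in the order the requests were made.
REPORT_URLS: List[str] = [
    "http://dl.360safe.com/gf/360ini.cab",
    "http://dl.360safe.com/gf/360ini.cab",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=700&r=0&d=99990001",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=705&r=0&d=99990001",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=3000&r=0&d=0",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=3001&r=0&d=0",
    "http://grow.safe.360.cn/conf/item/info?m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&mid=b8c075ec50c0ffb37ec9c97cc27794fb&position=360ini&q=%43%4f%59%70%47%74%34%5a%32%43%4b%64%70%62%59%57%78%36%65%33%67%46%47%4f%75%6a%2b%75%55%55%79%42%70%68%48%6a%2f%79%57%2b%6a%39%31%65%48%69%6a%4b%57%4f%55%49%69%4d%41%2f%37%52%68%76%65%7a%33%77%79%2b%75%76%41%77%74%7a%69%6c%43%30%48%64%6a%72%62%46%67%50%69%39%4e%78%50%58%53%64%2f%30%65%68%4f%45%34%7a%76%69%68%31%61%48%2f%52%4f%62%63%56%76%57%68%2b%48%4d%65%74%71%66%71%39%4b%67%6e%6e%36%36%48%2f%63%36%4d%42%4f%36%58%4b%36%48%71%66%52%79%39%2f%6c%6a%4d%48%54%46%44%42%6e%4b%61%6b%79%4a%36%34%34%6b%61%38%71%55%45%3d&rand=120203&timestamp=1720056158&ver=1.0.0.1820&sign=cd543f02d36c9cdee7e9753a87514c6b",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=686&r=0&d=0",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=1200&r=0&d=0",
    "http://s.360.cn/hips/update/inst.htm?m=b8c075ec50c0ffb37ec9c97cc27794fb&m2=011b00cdbd9e1c1f7684abbec64ea951322b71672b6b&v=2001308&s=685&r=0&d=0",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext or random bytes of this size land near 6.5-7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_opaque(value: str) -> Optional[bytes]:
    """Base64-decode a parameter if it is well-formed base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def summarize_beacon(url: str) -> Dict:
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # percent-decodes q
    info = {"host": parts.hostname, "path": parts.path, "plaintext": parts.scheme == "http",
            "params": params, "q_bytes": None, "q_entropy": None}
    raw = decode_opaque(params["q"]) if "q" in params else None
    if raw is not None:
        info["q_bytes"] = raw
        info["q_entropy"] = round(shannon_entropy(raw), 2)
    return info


def step_sequence(urls: List[str]) -> List[Tuple[str, str]]:
    """(s, d) pairs of the inst.htm beacons in the order they were sent."""
    return [(b["params"]["s"], b["params"]["d"])
            for b in map(summarize_beacon, urls) if b["path"] == "/hips/update/inst.htm"]


def shared_identifiers(urls: List[str]) -> Dict[str, Set[str]]:
    """Distinct values of the identifier-looking parameters across all beacons."""
    ids: Dict[str, Set[str]] = {"m": set(), "m2": set(), "mid": set(), "sign": set()}
    for b in map(summarize_beacon, urls):
        for key in ids:
            if key in b["params"]:
                ids[key].add(b["params"][key])
    return ids


if __name__ == "__main__":
    print("steps:", step_sequence(REPORT_URLS))
    print("ids:", {k: sorted(v) for k, v in shared_identifiers(REPORT_URLS).items()})
    for b in map(summarize_beacon, REPORT_URLS):
        if b["q_bytes"] is not None:
            print(f"{b['host']}: q decodes to {len(b['q_bytes'])} bytes, entropy {b['q_entropy']}")
```

Two things fall out that the table alone does not show: mid on grow.safe.360.cn is the same 32-hex-digit value as m on s.360.cn, so one identifier is reused across both hosts, and q decodes to exactly 128 high-entropy bytes, i.e. an encrypted or signed blob rather than readable telemetry; what it contains cannot be determined from the report.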

Connections

The counter above reports 21 connections; ten are listed in this export. "-" marks a column the export left empty.

PID   Process        IP:port                Domain                           ASN                                      CN  Reputation
2564  svchost.exe    239.255.255.250:3702   -                                -                                        -   whitelisted
1060  svchost.exe    224.0.0.252:5355       -                                -                                        -   unknown
4     System         192.168.100.255:137    -                                -                                        -   whitelisted
1372  svchost.exe    40.127.240.158:443     -                                MICROSOFT-CORP-MSN-AS-BLOCK              IE  unknown
2960  installer.exe  104.192.108.17:80      dl.360safe.com                   Beijing Qihu Technology Company Limited  US  unknown
4     System         192.168.100.255:138    -                                -                                        -   whitelisted
2960  installer.exe  180.163.251.231:80     s.360.cn                         China Telecom Group                      CN  unknown
2960  installer.exe  180.163.247.35:80      grow.safe.360.cn                 China Telecom Group                      CN  unknown
1372  svchost.exe    51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK              NL  whitelisted
1372  svchost.exe    23.50.131.216:80       ctldl.windowsupdate.com          Akamai International B.V.                DE  unknown

Note: only the three installer.exe rows belong to the sample. The rest is Windows background noise from the sandbox host: WS-Discovery multicast (239.255.255.250:3702), LLMNR (224.0.0.252:5355), NetBIOS name and datagram broadcasts (UDP 137/138), and svchost.exe talking to Microsoft telemetry and certificate trust list endpoints.

DNS requests

Domain
IP
Reputation
dl.360safe.com
  • 104.192.108.17
  • 104.192.108.20
  • 104.192.108.21
whitelisted
s.360.cn
  • 180.163.251.231
  • 171.13.14.66
  • 180.163.251.230
  • 171.8.167.90
whitelisted
grow.safe.360.cn
  • 180.163.247.35
  • 101.198.3.25
unknown
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.216
  • 23.50.131.200
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

No threats detected
No debug info