kinst_166_f16_k683.exe

Full analysis: https://app.any.run/tasks/7248f2b2-f5dd-4bac-86bf-5937adf0e850
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 25, 2019, 03:27:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
trojan
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

0CC2459CB36194CD2801B13E1F474158

SHA1:

7E3A73385C842218674598D26F8E207C3126BAFF

SHA256:

33DB2F50890C3B2EB826DA6103F8E45DC524BC9EB24C610347467F341AEDB21B

SSDEEP:

24576:+duk6/VyDBsOYIKs4EEX/Ynst0eQ7UMnicl:+QkyVyDBF4s4EEXway7UMnt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • firefox.exe (PID: 3676)
      • kinst_166_f16_k683.exe (PID: 3084)
      • kxetray.exe (PID: 1680)
    • Application was dropped or rewritten from another process

      • KDbCIHelper.exe (PID: 3876)
      • kavlog2.exe (PID: 1848)
      • ksoftmgr.exe (PID: 2452)
      • kxetray.exe (PID: 1680)
      • kxescore.exe (PID: 2588)
      • kislive.exe (PID: 3948)
      • kxescore.exe (PID: 2448)
      • ksoftmgr.exe (PID: 3792)
      • khealtheye.exe (PID: 3908)
      • rcmdhelper.exe (PID: 1684)
      • rcmdhelper.exe (PID: 4056)
      • rcmdhelper.exe (PID: 3348)
      • keyemain.exe (PID: 1692)
      • keyemain.exe (PID: 3120)
      • keyemain.exe (PID: 3808)
      • rcmdhelper.exe (PID: 5516)
      • rcmdhelper.exe (PID: 5968)
      • rcmdhelper.exe (PID: 5032)
      • rcmdhelper.exe (PID: 4408)
      • rcmdhelper.exe (PID: 5076)
      • rcmdhelper.exe (PID: 5492)
      • kxetray.exe (PID: 5656)
      • kupdata.exe (PID: 5864)
    • Connects to CnC server

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxescore.exe (PID: 2448)
    • Changes the autorun value in the registry

      • kinst_166_f16_k683.exe (PID: 3084)
    • Loads dropped or rewritten executable

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxetray.exe (PID: 1680)
      • kxescore.exe (PID: 2588)
      • kxescore.exe (PID: 2448)
      • kislive.exe (PID: 3948)
      • ksoftmgr.exe (PID: 3792)
      • keyemain.exe (PID: 3808)
      • keyemain.exe (PID: 1692)
      • keyemain.exe (PID: 3120)
      • kavlog2.exe (PID: 1848)
      • rcmdhelper.exe (PID: 1684)
      • ksoftmgr.exe (PID: 2452)
      • rcmdhelper.exe (PID: 4056)
      • rcmdhelper.exe (PID: 3348)
      • rcmdhelper.exe (PID: 5032)
      • rcmdhelper.exe (PID: 5076)
      • rcmdhelper.exe (PID: 5516)
      • rcmdhelper.exe (PID: 5492)
      • rcmdhelper.exe (PID: 5968)
      • rcmdhelper.exe (PID: 4408)
      • kxetray.exe (PID: 5656)
      • explorer.exe (PID: 2044)
      • kupdata.exe (PID: 5864)
    • Changes settings of System certificates

      • kxescore.exe (PID: 2448)
      • kxetray.exe (PID: 1680)
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 3676)
      • kxescore.exe (PID: 2588)
      • kinst_166_f16_k683.exe (PID: 3084)
      • kislive.exe (PID: 3948)
      • rcmdhelper.exe (PID: 3348)
      • khealtheye.exe (PID: 3908)
      • kxetray.exe (PID: 1680)
      • kxescore.exe (PID: 2448)
      • ksoftmgr.exe (PID: 3792)
      • keyemain.exe (PID: 3808)
      • kupdata.exe (PID: 5864)
      • kxetray.exe (PID: 5656)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3676)
      • kinst_166_f16_k683.exe (PID: 3084)
      • khealtheye.exe (PID: 3908)
      • kxescore.exe (PID: 2448)
      • kxetray.exe (PID: 1680)
    • Low-level read access rights to disk partition

      • kinst_166_f16_k683.exe (PID: 3084)
    • Reads Internet Cache Settings

      • kinst_166_f16_k683.exe (PID: 3084)
    • Creates files in the driver directory

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxescore.exe (PID: 2448)
    • Creates files in the Windows directory

      • kinst_166_f16_k683.exe (PID: 3084)
      • kavlog2.exe (PID: 1848)
      • kxescore.exe (PID: 2448)
    • Removes files from Windows directory

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxescore.exe (PID: 2448)
    • Creates a software uninstall entry

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxetray.exe (PID: 1680)
    • Creates COM task schedule object

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxescore.exe (PID: 2448)
    • Executed as Windows Service

      • kxescore.exe (PID: 2448)
    • Creates files in the user directory

      • kxetray.exe (PID: 1680)
      • ksoftmgr.exe (PID: 3792)
      • keyemain.exe (PID: 3808)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • kinst_166_f16_k683.exe (PID: 3084)
      • kxescore.exe (PID: 2448)
    • Creates or modifies windows services

      • kxescore.exe (PID: 2448)
    • Adds / modifies Windows certificates

      • kxescore.exe (PID: 2448)
      • kxetray.exe (PID: 1680)
    • Uses NETSH.EXE for network configuration

      • ksoftmgr.exe (PID: 3792)
    • Reads internet explorer settings

      • ksoftmgr.exe (PID: 3792)
    • Searches for installed software

      • ksoftmgr.exe (PID: 3792)
      • kxetray.exe (PID: 1680)
    • Connects to server without host name

      • kxetray.exe (PID: 1680)
      • ksoftmgr.exe (PID: 3792)
      • kxescore.exe (PID: 2448)
  • INFO

    • Manual execution by user

      • firefox.exe (PID: 3676)
      • kinst_166_f16_k683.exe (PID: 2824)
      • kinst_166_f16_k683.exe (PID: 2584)
      • kinst_166_f16_k683.exe (PID: 3460)
    • Reads CPU info

      • firefox.exe (PID: 3676)
    • Application launched itself

      • firefox.exe (PID: 3676)
    • Reads settings of System Certificates

      • firefox.exe (PID: 3676)
      • kxetray.exe (PID: 1680)
    • Creates files in the user directory

      • firefox.exe (PID: 3676)
    • Dropped object may contain Bitcoin addresses

      • kinst_166_f16_k683.exe (PID: 3084)
      • khealtheye.exe (PID: 3908)
      • kxetray.exe (PID: 1680)
      • firefox.exe (PID: 3676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:10 03:35:44+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 724992
InitializedDataSize: 61440
UninitializedDataSize: 667648
EntryPoint: 0x154ad0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2019.4.30.415
ProductVersionNumber: 9.3.25904.22046
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Install Tool
FileVersion: 2019,04,29,22046
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2019 Kingsoft Corporation
OriginalFileName: KInstallTool.exe
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,353584,22046

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Jan-1970 02:35:44
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Install Tool
FileVersion: 2019,04,29,22046
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2019 Kingsoft Corporation
OriginalFilename: KInstallTool.exe
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,353584,22046

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 10-Jan-1970 02:35:44
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x000A3000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x000A4000 | 0x000B1000 | 0x000B0E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.90041
.rsrc | 0x00155000 | 0x0000F000 | 0x0000F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.41487

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.253 | 1054 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 6.56924 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 6.61484 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
4 | 4.67813 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
5 | 7.74419 | 38056 | Latin 1 / Western European | Chinese - PRC | RT_ICON
6 | 7.87618 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
7 | 7.67484 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
8 | 7.5714 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
9 | 7.51378 | 1074 | Latin 1 / Western European | Chinese - PRC | PNG
10 | 7.6359 | 1101 | Latin 1 / Western European | Chinese - PRC | PNG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
MSIMG32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report
Total processes: 94
Monitored processes: 39
Malicious processes: 17
Suspicious processes: 7

Behavior graph

(Interactive process graph of the dropped and started processes; not reproduced here. See the full analysis link above.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1104
CMD: "C:\Users\admin\Downloads\kinst_166_f16_k683.exe"
Path: C:\Users\admin\Downloads\kinst_166_f16_k683.exe
Parent process: firefox.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
MEDIUM
Description:
Kingsoft Install Tool
Exit code:
3221226540
Version:
2019,04,29,22046
Modules
Images
c:\users\admin\downloads\kinst_166_f16_k683.exe
c:\systemroot\system32\ntdll.dll
PID: 1360
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3676.0.1304386150\331755443" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 3676 "\\.\pipe\gecko-crash-server-pipe.3676" 1112 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID: 1680
CMD: "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /hidefloatwin /silentinstrcmd
Path: c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
Parent process: kinst_166_f16_k683.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
金山毒霸
Exit code:
0
Version:
2019,04,22,22003
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1684
CMD: "C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe" -updateliebaowifi
Path: C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
Parent process: ksoftmgr.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Rcmd Helper
Exit code:
0
Version:
2018,03,13,20224
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1692
CMD: "C:\Program Files\khealtheye\keyemain.exe" /backgroud /updateindex:1
Path: C:\Program Files\khealtheye\keyemain.exe
Parent process: kxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
护眼大师
Exit code:
0
Version:
2019,01,25,76
Modules
Images
c:\program files\khealtheye\keyemain.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1848
CMD: "c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe" -install
Path: c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe
Parent process: kinst_166_f16_k683.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
KXEngine KeventLog3
Exit code:
0
Version:
2018,06,14,20609
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2036
CMD: "C:\Users\admin\Downloads\kinst_166_f16_k683.exe"
Path: C:\Users\admin\Downloads\kinst_166_f16_k683.exe
Parent process: firefox.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Install Tool
Exit code:
0
Version:
2019,04,29,22046
Modules
Images
c:\users\admin\downloads\kinst_166_f16_k683.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 2044
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2448
CMD: "c:\program files\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
Path: c:\program files\kingsoft\kingsoft antivirus\kxescore.exe
Parent process: services.exe
User:
SYSTEM
Company:
Kingsoft Corporation
Integrity Level:
SYSTEM
Description:
金山毒霸系统防御模块
Exit code:
0
Version:
2019,04,29,22039
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kxescore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2452
CMD: "c:\program files\kingsoft\kingsoft antivirus\ksoftmgr.exe" -preload
Path: c:\program files\kingsoft\kingsoft antivirus\ksoftmgr.exe
Parent process: kinst_166_f16_k683.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
软件管家
Exit code:
0
Version:
2018,10,16,21050
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\ksoftmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 6 191
Read events: 5 414
Write events: 697
Delete events: 80

Modification events

Process: (3084) kinst_166_f16_k683.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idex
Value:
06f1379ad4ff50e489b7ace9954a746a
Process: (3084) kinst_166_f16_k683.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idno
Value:
1
Process: (3084) kinst_166_f16_k683.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation: write
Name: did
Value:
F1D3DCAFB3A799CBB703C72CA49CDFA3
Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: 308046O0NS4N39PO
Value:
000000000200000001000000771B0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF90689C0D062BD50100000000
Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
0000000006000000050000003EE000000300000003000000BD6800004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000360200000000BCE8360201000000000000000000577690E836027CE636025E7CFB76BCE83602787CFB76030000008A018C01AC413400ACE63602F77CFB760100000090E83602847CFB76FCE63602F0E6360208E73602000000000000000000000000F8E6360290E8360200000000000000000000000030E8360230E836020000000001000000BCE8360230E83602B2FEFB76F270FB7685FCFB7695B635759A7CFA76AC413400A27EFA7674E83602180000004CFA3602006FFA7600000000000000005CE836023C003E00BCE83602C34E5200FCE6360200000000D8462B000000360258E7360244EA360200000088C8000000C8000000C8000000C8000000E20201000000000000008168B8F35703010600400000000030EA3602105381687FEB51762000000011000000B8452C00B0452C000000000044EA360200000000E4E70000630E855B94E7360282918075E4E7360298E736022795807500000000B45DE702C0E73602CD948075B45DE7026CE836022859E702E1948075000000002859E7026CE83602C8E736020300000003000000BD6800004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000360200000000BCE8360201000000000000000000577690E836027CE636025E7CFB76BCE83602787CFB76030000008A018C01AC413400ACE63602F77CFB760100000090E83602847CFB76FCE63602F0E6360208E73602000000000000000000000000F8E6360290E8360200000000000000000000000030E8360230E836020000000001000000BCE8360230E83602B2FEFB76F270FB7685FCFB7695B635759A7CFA76AC413400A27EFA7674E83602180000004CFA3602006FFA7600000000000000005CE836023C003E00BCE83602C34E5200FCE6360200000000D8462B000000360258E7360244EA360200000088C8000000C8000000C8000000C8000000E20201000000000000008168B8F35703010600400000000030EA3602105381687FEB51762000000011000000B8452C00B0452C000000000044EA3602
00000000E4E70000630E855B94E7360282918075E4E7360298E736022795807500000000B45DE702C0E73602CD948075B45DE7026CE836022859E702E1948075000000002859E7026CE83602C8E736020300000003000000BD6800004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000360200000000BCE8360201000000000000000000577690E836027CE636025E7CFB76BCE83602787CFB76030000008A018C01AC413400ACE63602F77CFB760100000090E83602847CFB76FCE63602F0E6360208E73602000000000000000000000000F8E6360290E8360200000000000000000000000030E8360230E836020000000001000000BCE8360230E83602B2FEFB76F270FB7685FCFB7695B635759A7CFA76AC413400A27EFA7674E83602180000004CFA3602006FFA7600000000000000005CE836023C003E00BCE83602C34E5200FCE6360200000000D8462B000000360258E7360244EA360200000088C8000000C8000000C8000000C8000000E20201000000000000008168B8F35703010600400000000030EA3602105381687FEB51762000000011000000B8452C00B0452C000000000044EA360200000000E4E70000630E855B94E7360282918075E4E7360298E736022795807500000000B45DE702C0E73602CD948075B45DE7026CE836022859E702E1948075000000002859E7026CE83602C8E73602
Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation: write
Name: P:\Hfref\Choyvp\Qrfxgbc\Sversbk.yax
Value:
00000000020000000000000001000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF90689C0D062BD50100000000
Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation: write
Name: P:\Hfref\Choyvp\Qrfxgbc\Sversbk.yax
Value:
00000000020000000000000002000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF90689C0D062BD50100000000
Process: (2044) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
Process: (3676) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
Executable files: 265
Suspicious files: 447
Text files: 654
Unknown types: 94

Dropped files

PID | Process | Filename | Type
3084 | kinst_166_f16_k683.exe | C:\Users\admin\AppData\Local\Temp\jcqgx.ini |
3676 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin |
3676 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm |
3676 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash24148 |
3676 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js |
3676 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp |
3676 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text
3676 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary
3084 | kinst_166_f16_k683.exe | C:\Users\admin\AppData\Local\Temp\install_res\installconfig.ini | text
3676 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\722EA60ACDC7E8F861CE47A5609690345EC75C6D | der
(MD5 and SHA256 values for the dropped files are not included in this excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 362
TCP/UDP connections: 373
DNS requests: 207
Threats: 472

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3084 | kinst_166_f16_k683.exe | HEAD | 200 | 116.207.145.12:80 | http://dubacdn.cmcmcdn.com/sem/installer/16.png | CN | | | malicious
3084 | kinst_166_f16_k683.exe | HEAD | 200 | 116.207.145.12:80 | http://cd002.www.duba.net/duba/install/2011/ever/kavsetup_sem_20190514.dat | CN | | | malicious
3084 | kinst_166_f16_k683.exe | POST | 200 | 203.195.145.190:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
3084 | kinst_166_f16_k683.exe | POST | 200 | 203.195.145.190:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
3084 | kinst_166_f16_k683.exe | POST | 200 | 203.195.145.190:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
3084 | kinst_166_f16_k683.exe | GET | 200 | 116.207.145.12:80 | http://config.i.duba.net/seminstall/166/16.xml?time=1561433301 | CN | text | 1.84 Kb | whitelisted
3084 | kinst_166_f16_k683.exe | GET | 200 | 116.207.145.12:80 | http://dubacdn.cmcmcdn.com/sem/installer/16.png | CN | image | 19.7 Kb | malicious
3084 | kinst_166_f16_k683.exe | POST | 200 | 203.195.145.190:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
3084 | kinst_166_f16_k683.exe | POST | 200 | 203.195.145.190:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
3084 | kinst_166_f16_k683.exe | POST | 200 | 203.195.145.190:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3676 | firefox.exe | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3676 | firefox.exe | 172.217.18.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
3676 | firefox.exe | 65.153.158.203:80 | dubapkg.cmcmcdn.com | Qwest Communications Company, LLC | US | suspicious
3676 | firefox.exe | 54.201.35.95:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown
3676 | firefox.exe | 143.204.214.80:443 | tracking-protection.cdn.mozilla.net | | US | suspicious
3676 | firefox.exe | 143.204.214.45:443 | firefox.settings.services.mozilla.com | | US | unknown
3676 | firefox.exe | 172.217.22.110:443 | sb-ssl.google.com | Google Inc. | US | whitelisted
3676 | firefox.exe | 143.204.214.4:443 | content-signature.cdn.mozilla.net | | US | suspicious
3084 | kinst_166_f16_k683.exe | 139.199.218.80:80 | did.ijinshan.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
3084 | kinst_166_f16_k683.exe | 218.24.18.58:80 | 2398.35go.net | CHINA UNICOM China169 Backbone | CN | suspicious

DNS requests

Domain
IP
Reputation
2398.35go.net
  • 218.24.18.54
  • 218.24.18.63
  • 218.24.18.57
  • 218.24.18.56
  • 218.24.18.59
  • 218.24.18.62
  • 218.24.18.52
  • 218.24.18.55
  • 218.24.18.58
whitelisted
infoc0.duba.net
  • 203.195.145.190
  • 211.159.130.116
whitelisted
dubacdn.cmcmcdn.com
  • 116.207.145.12
malicious
www.baidu.com
  • 103.235.46.39
whitelisted
config.i.duba.net
  • 116.207.145.12
whitelisted
cd002.www.duba.net
  • 116.207.145.12
malicious
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
aus5.mozilla.org
  • 35.244.181.201
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
prod.balrog.prod.cloudops.mozgcp.net
  • 35.244.181.201
whitelisted

Threats

PID | Process | Class | Message
3084 | kinst_166_f16_k683.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3084 | kinst_166_f16_k683.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3084 | kinst_166_f16_k683.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
3084 | kinst_166_f16_k683.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
3084 | kinst_166_f16_k683.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3084 | kinst_166_f16_k683.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3084 | kinst_166_f16_k683.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3084 | kinst_166_f16_k683.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
3084 | kinst_166_f16_k683.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
3084 | kinst_166_f16_k683.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1 ETPRO signatures available at the full report
Debug output strings

Process: kinst_166_f16_k683.exe
Message: 04:29:55|~01456| [KAVMENU] reg_duba_32bit
Process: kavlog2.exe
Message: _tWinMain End.
Process: kxescore.exe
Message: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
Process: kxescore.exe
Message: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
Process: kxetray.exe
Message: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
Process: kxetray.exe
Message: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
Process: kxetray.exe
Message: g_recent_newskin:false -- print
Process: kxetray.exe
Message: RestoreNormalSmallFloatWin -- print
Process: kxetray.exe
Message: SqRestoreCore -- print
Process: kxetray.exe
Message: SqBallShowOptionChange:3 -- print