DGSetup_w.exe

Full analysis: https://app.any.run/tasks/30d19bc5-a6f0-409b-bbac-717ccc721d57
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 11, 2020, 04:47:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 4F77C18D19944F470089ACC31B447550
SHA1: 9479E43735EE1ABE5C728C75A320697897B389AB
SHA256: 489300B7237FED98FD241678D1DE4A4CAFDEEC4A5AAB82CF223934E066D29A1C
SSDEEP: 786432:yP8yc/UQVsd0rzzd56YoFutSo16FxaGYm0+/jaZ:uc/UQWCjvboFutSbFxtz/jM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • dgservice.exe (PID: 3292)
      • drivergenius.exe (PID: 2124)
      • Khelper.exe (PID: 3540)
      • khelper.exe (PID: 3008)
      • dgvuldect.exe (PID: 3900)
      • dgvuldect.exe (PID: 2456)
    • Application was dropped or rewritten from another process

      • dgservice.exe (PID: 3072)
      • dgservice.exe (PID: 3324)
      • dgservice.exe (PID: 1696)
      • dgservice.exe (PID: 3292)
    • Runs injected code in another process

      • drvinst32.exe (PID: 2640)
    • Application was injected by another process

      • explorer.exe (PID: 372)
    • Loads the Task Scheduler DLL interface

      • Khelper.exe (PID: 3540)
    • Connects to CnC server

      • dgservice.exe (PID: 3292)
      • drivergenius.exe (PID: 2124)
    • Changes settings of System certificates

      • dgservice.exe (PID: 3292)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DGSetup_w.exe (PID: 2928)
      • dgservice.exe (PID: 3292)
    • Creates files in the Windows directory

      • DGSetup_w.exe (PID: 2928)
      • dgservice.exe (PID: 3292)
    • Creates files in the driver directory

      • DGSetup_w.exe (PID: 2928)
      • dgservice.exe (PID: 3292)
    • Executed as Windows Service

      • dgservice.exe (PID: 3292)
      • locator.exe (PID: 2484)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • DGSetup_w.exe (PID: 2928)
    • Creates a software uninstall entry

      • DGSetup_w.exe (PID: 2928)
    • Application launched itself

      • dgservice.exe (PID: 3292)
    • Creates files in the program directory

      • dgservice.exe (PID: 3292)
      • Khelper.exe (PID: 3540)
      • khelper.exe (PID: 3008)
      • dgvuldect.exe (PID: 3900)
      • DGSetup_w.exe (PID: 2928)
      • drivergenius.exe (PID: 2124)
    • Creates or modifies windows services

      • dgservice.exe (PID: 3292)
    • Creates files in the user directory

      • drivergenius.exe (PID: 2124)
    • Searches for installed software

      • dgvuldect.exe (PID: 3900)
      • drivergenius.exe (PID: 2124)
    • Removes files from Windows directory

      • dgservice.exe (PID: 3292)
      • drivergenius.exe (PID: 2124)
    • Adds / modifies Windows certificates

      • dgservice.exe (PID: 3292)
  • INFO

    • Reads settings of System Certificates

      • dgservice.exe (PID: 3292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:05 18:29:36+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 327680
InitializedDataSize: 86016
UninitializedDataSize: 536576
EntryPoint: 0xd2f40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.61.3708.3054
ProductVersionNumber: 7.0.112.2000
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: 驱动之家
FileDescription: 驱动精灵
FileVersion: 2014,1,12,25
InternalName: kpacket
LegalCopyright: 版权所有 (C) 驱动之家
OriginalFileName: kpacket.exe
ProductName: 驱动精灵
ProductVersion: 2015

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Jan-1970 17:29:36
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: 驱动之家
FileDescription: 驱动精灵
FileVersion: 2014,1,12,25
InternalName: kpacket
LegalCopyright: 版权所有 (C) 驱动之家
OriginalFilename: kpacket.exe
ProductName: 驱动精灵
ProductVersion: 2015

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 05-Jan-1970 17:29:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x00083000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x00084000 | 0x00050000 | 0x0004F200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9321
.rsrc | 0x000D4000 | 0x00015000 | 0x00014600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.62944

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.10735 | 1222 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 6.29261 | 2216 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 4.43004 | 1384 | Latin 1 / Western European | Chinese - PRC | RT_ICON
4 | 7.98162 | 54901 | Latin 1 / Western European | Chinese - PRC | RT_ICON
5 | 6.62476 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
6 | 6.44896 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
7 | 6.32739 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
40 | 7.5859 | 701 | Latin 1 / Western European | Chinese - PRC | PNG
41 | 7.74908 | 1022 | Latin 1 / Western European | Chinese - PRC | PNG
42 | 7.10088 | 294 | Latin 1 / Western European | Chinese - PRC | RT_BITMAP

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.DLL
MSIMG32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
All screenshots are available in the full report
Total processes: 56
Monitored processes: 14
Malicious processes: 4
Suspicious processes: 1

Process information

PID: 332
CMD: "C:\Users\admin\AppData\Local\Temp\DGSetup_w.exe"
Path: C:\Users\admin\AppData\Local\Temp\DGSetup_w.exe
Parent process: explorer.exe
User: admin
Company: 驱动之家
Integrity Level: MEDIUM
Description: 驱动精灵
Exit code: 3221226540
Version: 2014,1,12,25
Modules:
c:\users\admin\appdata\local\temp\dgsetup_w.exe
c:\systemroot\system32\ntdll.dll

PID: 372
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\winanr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1696
CMD: "C:\Program Files\MyDrivers\DriverGenius\dgservice.exe" -RegServer
Path: C:\Program Files\MyDrivers\DriverGenius\dgservice.exe
Parent process: DGSetup_w.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: Device Driver Repair and Update Service
Exit code: 2
Version: 9.61.3750.3069
Modules:
c:\program files\mydrivers\drivergenius\dgservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2124
CMD: "C:\Program Files\MyDrivers\DriverGenius\drivergenius.exe"
Path: C:\Program Files\MyDrivers\DriverGenius\drivergenius.exe
Parent process: DGSetup_w.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: DriverGenius
Exit code: 0
Version: 9.61.4722.239
Modules:
c:\program files\mydrivers\drivergenius\drivergenius.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mydrivers\drivergenius\liblua.dll
c:\program files\mydrivers\drivergenius\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\program files\mydrivers\drivergenius\cactus.dll
c:\program files\mydrivers\drivergenius\libcurl.dll
c:\windows\system32\ws2_32.dll

PID: 2456
CMD: "C:\Program Files\MyDrivers\DriverGenius\dgvuldect.exe" TskPin
Path: C:\Program Files\MyDrivers\DriverGenius\dgvuldect.exe
Parent process: dgservice.exe
User: admin
Company: MyDrivers.com
Integrity Level: HIGH
Description: DriverGenius Dgvuldect
Exit code: 0
Version: 9.61.416.1421
Modules:
c:\program files\mydrivers\drivergenius\dgvuldect.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mydrivers\drivergenius\liblua.dll
c:\program files\mydrivers\drivergenius\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 2484
CMD: C:\Windows\system32\locator.exe
Path: C:\Windows\system32\locator.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Rpc Locator
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\locator.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 2640
CMD: "C:\Program Files\MyDrivers\DriverGenius\drvinst32.exe" -r abcde
Path: C:\Program Files\MyDrivers\DriverGenius\drvinst32.exe
Parent process: dgservice.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: DriverGenius DrvAgent
Exit code: 2147549183
Version: 9.61.4241.80
Modules:
c:\program files\mydrivers\drivergenius\drvinst32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 2928
CMD: "C:\Users\admin\AppData\Local\Temp\DGSetup_w.exe"
Path: C:\Users\admin\AppData\Local\Temp\DGSetup_w.exe
Parent process: explorer.exe
User: admin
Company: 驱动之家
Integrity Level: HIGH
Description: 驱动精灵
Exit code: 1
Version: 2014,1,12,25
Modules:
c:\users\admin\appdata\local\temp\dgsetup_w.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 3008
CMD: "C:\Program Files\MyDrivers\DriverGenius\ksoft\khelper.exe" /DGCleaner
Path: C:\Program Files\MyDrivers\DriverGenius\ksoft\khelper.exe
Parent process: drivergenius.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: DriverGenius KHelper
Exit code: 0
Version: 9.61.3667.3035
Modules:
c:\program files\mydrivers\drivergenius\ksoft\khelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3072
CMD: "C:\Program Files\MyDrivers\DriverGenius\dgservice.exe" -/indghmpg
Path: C:\Program Files\MyDrivers\DriverGenius\dgservice.exe
Parent process: dgservice.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: MEDIUM
Description: Device Driver Repair and Update Service
Exit code: 3221226540
Version: 9.61.3750.3069
Modules:
c:\program files\mydrivers\drivergenius\dgservice.exe
c:\systemroot\system32\ntdll.dll

Total events: 3 942
Read events: 2 675
Write events: 1 263
Delete events: 4

Modification events

(PID) Process: (372) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: P:\Hfref\nqzva\NccQngn\Ybpny\Grzc\QTFrghc_j.rkr
Value: 00000000000000000100000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000

(PID) Process: (372) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius\flag
Operation: write
Name: name
Value: dgsetup.exe

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius\flag
Operation: write
Name: installtype
Value: 0

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
Operation: write
Name: UUID
Value: AD805DA4-778F-42CC-ACCD-6C050A36B2E1

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
Operation: write
Name: AppPath
Value: C:\Program Files\MyDrivers\DriverGenius

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
Operation: write
Name: Publisher
Value: 驱动之家

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
Operation: write
Name: URLInfoAbout
Value: http://www.mydrivers.com/

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
Operation: write
Name: WorkPath
Value: C:\Program Files\MyDrivers\DriverGenius\

(PID) Process: (2928) DGSetup_w.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
Operation: write
Name: Udb
Value: 0
Executable files: 13
Suspicious files: 53
Text files: 325
Unknown types: 10

Dropped files

PID | Process | Filename | Type
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\kdgsetup.log | text
MD5:
SHA256:
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\184.png | image
MD5: D2BF02FBBFC71ED4124D03EE3F527B61
SHA256: CBD483E7BFCC6FDF10C948AE02E90F7589FB1B3D02C304FC7B674A0B184AEC91
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\110.jpg | image
MD5: 4FDDB6909555DE036579BCBF74A2EBA9
SHA256: A3D9794D8BFEC8D00C49AEE3FD242C4BC5EF37D7CBBC8BA45F3A10683EC26B00
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\183.png | image
MD5: 255AF5FDA132F8D36B91195327514711
SHA256: 42E3FB75C569159741D8DC642E359A2E1DB9CB1916AD7E77EE20DFE08344CA19
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\181.png | image
MD5: AE7035C804F7F381244A18BD1EEBE4C0
SHA256: C9C22C521FFEC4CD05465249EAB98C4D89E6218AFCEA2C359A8B12805C074497
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\185.png | image
MD5: DFE168D7A9B668A8283DEDB549D91E33
SHA256: 856C47736787673AB127BE4EA5DBA1A1B42A043860902907B713ED2D7CC54B08
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\186.png | image
MD5: 34692D3A52ADB2635B1FD0C2A3ACA7FA
SHA256: 30AF72C4B626A4827C34D887F2B4CEE19E6AE5DECB301DF7D3835C6338FCC036
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\407.png | image
MD5: 5A15BCCF89B196BB43EB5C6AC3FBD7C4
SHA256: 4E048B01F827BEAD3B4DA02C9BE1CA7B8A551C35E67402999C9BEFE1E6A3F8A3
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\404.png | image
MD5: 51DA4C7D02AE760E6E02AC99D2E98B4D
SHA256: 38BF57E9927767E1DAC4E5BA6812E3D683B2CA5D76906699B500BF4AFD617990
2928 | DGSetup_w.exe | C:\Users\admin\AppData\Local\Temp\kdrivergenius\~a698ae\install_res\402.png | image
MD5: C21B77AAF306BE9E4DD66CB1ED57A08F
SHA256: CE32DD4F7E53A91D4B7C0D21160279A348D30C701FBD0E74135C38E182EE3507
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 46
TCP/UDP connections: 52
DNS requests: 20
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2124 | drivergenius.exe | GET | 200 | 101.226.28.226:80 | http://liveupdate2.drivergenius.com/do_not_delete/index.htm | CN | - | - | malicious
2124 | drivergenius.exe | GET | 200 | 101.226.28.226:80 | http://liveupdate2.drivergenius.com/do_not_delete/index.htm | CN | - | - | malicious
2928 | DGSetup_w.exe | GET | 200 | 111.230.127.157:80 | http://weather2db.cmcm.com/ip/cityid | CN | text | 60 b | suspicious
3540 | Khelper.exe | POST | - | 114.112.93.166:8080 | http://114.112.93.166:8080/kurl_query?10955734 | CN | - | - | suspicious
2124 | drivergenius.exe | GET | 200 | 58.87.85.142:80 | http://liveini.drivergenius.com/switch/switchcloud.ini | CN | text | 58 b | unknown
2124 | drivergenius.exe | GET | 200 | 58.87.85.142:80 | http://liveini.drivergenius.com/cards/softmconfig.ini | CN | text | 45 b | unknown
2124 | drivergenius.exe | POST | 200 | 211.159.130.103:80 | http://helpdubaclient.ksmobile.com/nep/v1/ | CN | binary | 93 b | malicious
3292 | dgservice.exe | POST | 200 | 211.159.130.103:80 | http://helpdubaclient.ksmobile.com/nep/v1/ | CN | binary | 93 b | malicious
3292 | dgservice.exe | POST | - | 120.92.32.133:80 | http://cr.file.cloud.duba.net/wsign_upload | CN | - | - | suspicious
3292 | dgservice.exe | POST | 200 | 120.92.32.253:80 | http://cf.duba.net/query3 | CN | binary | 76 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3292 | dgservice.exe | 222.186.172.117:80 | fsigns.duba.net | No.31,Jin-rong Street | CN | unknown
3292 | dgservice.exe | 120.92.32.253:80 | cf.duba.net | Beijing Kingsoft Cloud Internet Technology Co., Ltd | CN | suspicious
2928 | DGSetup_w.exe | 111.230.127.157:80 | weather2db.cmcm.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
2928 | DGSetup_w.exe | 49.51.10.138:80 | liveupdate5.drivergenius.com | Tencent Building, Kejizhongyi Avenue | CN | malicious
2928 | DGSetup_w.exe | 101.89.100.223:80 | www.drivergenius.com | China Telecom (Group) | CN | suspicious
2928 | DGSetup_w.exe | 119.29.49.207:80 | infoc0.duba.net | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
3292 | dgservice.exe | 211.159.130.103:80 | helpdubaclient.ksmobile.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
3540 | Khelper.exe | 123.207.105.156:8080 | knsv2.cloud.duba.net | Shenzhen Tencent Computer Systems Company Limited | CN | suspicious
3540 | Khelper.exe | 110.43.81.34:80 | rq.optimize.cloud.duba.net | - | CN | suspicious
3292 | dgservice.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain
IP
Reputation
weather2db.cmcm.com
  • 111.230.127.157
suspicious
www.drivergenius.com
  • 101.89.100.223
  • 101.89.100.224
  • 101.89.100.225
  • 101.89.100.240
  • 101.89.100.241
  • 101.89.100.242
  • 101.89.100.243
  • 101.89.100.244
  • 101.89.100.248
  • 101.89.100.249
  • 101.89.100.250
  • 101.89.100.218
  • 101.89.100.219
  • 101.89.100.220
  • 101.89.100.221
  • 101.89.100.222
malicious
liveupdate5.drivergenius.com
  • 49.51.10.138
malicious
infoc0.duba.net
  • 119.29.49.207
whitelisted
rq.drcct.cloud.duba.net
  • 110.43.89.7
unknown
cu004.www.duba.net
  • 59.83.229.36
  • 183.134.21.34
  • 183.134.21.45
malicious
fsigns.duba.net
  • 218.92.152.24
  • 222.186.172.117
  • 218.92.152.27
  • 222.186.172.112
  • 218.92.152.25
  • 222.186.172.119
  • 218.92.152.31
  • 218.92.152.26
  • 222.186.172.116
  • 218.92.152.23
malicious
cf.duba.net
  • 120.92.32.253
suspicious
helpdubaclient.ksmobile.com
  • 211.159.130.103
malicious
rq.optimize.cloud.duba.net
  • 110.43.81.34
suspicious

Threats

PID | Process | Class | Message
3292 | dgservice.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Checkin
3292 | dgservice.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
2124 | drivergenius.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Checkin
2124 | drivergenius.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
3292 | dgservice.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
3292 | dgservice.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
2124 | drivergenius.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
2124 | drivergenius.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
2124 | drivergenius.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
2124 | drivergenius.exe | Misc activity | ADWARE [PTsecurity] W32/Kingsoft Response
4 ETPRO signatures available at the full report
Process | Message
dgservice.exe | 1_1
dgservice.exe | 1_1
dgservice.exe | KSD_01
dgservice.exe | KSD_02
dgservice.exe | 1_1
dgservice.exe | KSD_03
dgservice.exe | No IsSilent!!!!!!!!!!
dgservice.exe | C:\Program Files\MyDrivers\DriverGenius\cfg\netctrl.dat
dgservice.exe | DMT_0001
dgservice.exe | init_watch successful