File name: UnFoxAll Windows v3.exe

Full analysis: https://app.any.run/tasks/2566feb8-1b79-4d7f-a2a7-87c28af42778
Verdict: Malicious activity
Analysis date: February 14, 2024, 11:24:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F437897D1F9A2064C7FC060ADAF97349
SHA1: B2B23FE2A670D22AB69E8957C5F6559A550B14BB
SHA256: 4B400672226339154368416B233F2AE19E985729A9B38C5C74E44BA7D33A29C9
SSDEEP: 49152:EJSBY216PgEBz4pbao90HCMblLw4IcboyOO9587ZJJDaDp3jW2RPcEJSX2A4wrEL:Eq1Q3N4YcDMbi4JOOz8DJD6K0TSXr4jL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • UnFoxAll Windows v3.exe (PID: 3784)
    • Drops the executable file immediately after the start

      • UnFoxAll Windows v3.exe (PID: 3784)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • UnFoxAll Windows v3.exe (PID: 3784)
    • Searches for installed software

      • UnFoxAll Windows v3.exe (PID: 3784)
    • Creates a software uninstall entry

      • UnFoxAll Windows v3.exe (PID: 3784)
    • Reads the Internet Settings

      • Unfoxall.exe (PID: 864)
      • hh.exe (PID: 3500)
    • Reads security settings of Internet Explorer

      • Unfoxall.exe (PID: 864)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 3500)
    • Reads Internet Explorer settings

      • hh.exe (PID: 3500)
  • INFO

    • Checks supported languages

      • UnFoxAll Windows v3.exe (PID: 3784)
      • Unfoxall.exe (PID: 864)
    • Create files in a temporary directory

      • UnFoxAll Windows v3.exe (PID: 3784)
      • hh.exe (PID: 3500)
    • Reads the computer name

      • UnFoxAll Windows v3.exe (PID: 3784)
      • Unfoxall.exe (PID: 864)
    • Creates files in the program directory

      • UnFoxAll Windows v3.exe (PID: 3784)
    • Manual execution by a user

      • Unfoxall.exe (PID: 864)
    • Reads the machine GUID from the registry

      • hh.exe (PID: 3500)
    • Reads security settings of Internet Explorer

      • hh.exe (PID: 3500)
    • Checks proxy server information

      • hh.exe (PID: 3500)
    • Creates files or folders in the user directory

      • hh.exe (PID: 3500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Wise Installer executable (91.7)
.exe | Win64 Executable (generic) (5.3)
.dll | Win32 Dynamic Link Library (generic) (1.2)
.exe | Win32 Executable (generic) (0.8)
.exe | Generic Win/DOS Executable (0.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:13 17:13:38+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap
PEType: PE32
LinkerVersion: 6
CodeSize: 8704
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x21af
OSVersion: 4
ImageVersion: 4
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: 河南豫能信息技术有限公司
FileDescription: Unfoxall Advance Professional Installation
FileVersion: -
LegalCopyright: 河南豫能信息技术有限公司版权所有
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown: UnFoxAll Windows v3.exe, Unfoxall.exe (no specs), hh.exe (no specs), UnFoxAll Windows v3.exe (no specs)

Process information

PID: 864
CMD: "C:\Program Files\Unfoxall adv\Unfoxall.exe"
Path: C:\Program Files\Unfoxall adv\Unfoxall.exe
Parent process: explorer.exe
User: admin
Company: 河南豫能信息技术有限公司
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\program files\unfoxall adv\unfoxall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3240
CMD: "C:\Users\admin\AppData\Local\Temp\UnFoxAll Windows v3.exe"
Path: C:\Users\admin\AppData\Local\Temp\UnFoxAll Windows v3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\appdata\local\temp\unfoxall windows v3.exe
c:\windows\system32\ntdll.dll
PID: 3500
CMD: "C:\Windows\hh.exe" C:\Program Files\Unfoxall adv\unfoxen.chm
Path: C:\Windows\hh.exe
Parent process: Unfoxall.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID: 3784
CMD: "C:\Users\admin\AppData\Local\Temp\UnFoxAll Windows v3.exe"
Path: C:\Users\admin\AppData\Local\Temp\UnFoxAll Windows v3.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\unfoxall windows v3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 2 563
Read events: 2 534
Write events: 27
Delete events: 2

Modification events

(PID) Process: (3784) UnFoxAll Windows v3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unfoxall Advance Professional
Operation: write
Name: DisplayName
Value: Unfoxall Advance Professional

(PID) Process: (3784) UnFoxAll Windows v3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unfoxall Advance Professional
Operation: write
Name: UninstallString
Value: C:\PROGRA~1\UNFOXA~1\UNWISE.EXE C:\PROGRA~1\UNFOXA~1\INSTALL.LOG

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Unfoxall
Operation: write
Name: CurPath
Value: C:\Program Files\Unfoxall adv\

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Unfoxall
Operation: write
Name: LagVersion
Value: 2

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Unfoxall
Operation: write
Name: CurVersion
Value: V3.0

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (864) Unfoxall.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3500) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 15
Suspicious files: 21
Text files: 15
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\unfoxen.chm | binary
MD5: 181DC929F9339A7221A145AE3B029B03
SHA256: 62A416949BE2C427944D4C3F2189E916C5B33C926FA49934E3E6FDF8300E44E0
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\Spr2scx.prg | text
MD5: 0A7BC2832F7AC3851CDE340C94B6C968
SHA256: BB2D309F6A63A5EA16E48FB4BDBCB8AF6D2B78DF72E6CB9AFB5692856C37A7A6
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\UNWISE.EXE | executable
MD5: 2B85FE26CA828485BFF6A454B881A295
SHA256: 7128574752F0A7DA1284D589C195AAFE25C29F825D7028CEBDB21A7ECC44DC00
3784 | UnFoxAll Windows v3.exe | C:\Users\admin\AppData\Local\Temp\GLCEFAF.tmp | executable
MD5: 09E59D00DF5D2EFFD8DD9B30385CB9D2
SHA256: 1C574EAB5E83CCFE5A0BB7B59E028CC5FA2F4E77868051E305D83C709711FF77
3784 | UnFoxAll Windows v3.exe | C:\Users\admin\AppData\Local\Temp\GLFF1C6.tmp | text
MD5: 494B410D4E4C2434333A6B4729A10EAB
SHA256: F334800D84134E9E84DF9D40837D0B47970A430E5037923E4E2A563D5F2839DC
3784 | UnFoxAll Windows v3.exe | C:\Users\admin\AppData\Local\Temp\~GLH0000.TMP | executable
MD5: 9DA8F742593D4BBCA708B90725282AE2
SHA256: E362A9815527869E0F71FDF766A1C3648E307145DEFDA7A5279914E522BCB57C
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\~GLH0003.TMP | text
MD5: 0A7BC2832F7AC3851CDE340C94B6C968
SHA256: BB2D309F6A63A5EA16E48FB4BDBCB8AF6D2B78DF72E6CB9AFB5692856C37A7A6
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\~GLH0002.TMP | executable
MD5: 2B85FE26CA828485BFF6A454B881A295
SHA256: 7128574752F0A7DA1284D589C195AAFE25C29F825D7028CEBDB21A7ECC44DC00
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\~GLH0004.TMP | binary
MD5: C81E728D9D4C2F636F067F89CC14862C
SHA256:
3784 | UnFoxAll Windows v3.exe | C:\Program Files\Unfoxall adv\language\~GLH0005.TMP | ini
MD5: 7D6708D064757B4E461360BAB9F44DC5
SHA256: 43AB298AEC778CB3420B600649AE05FBEBD5B761A166B972DCFE6140FE789DE5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info