File name: droidkit-en-setup.exe

Full analysis: https://app.any.run/tasks/acfba9e7-ca52-49fd-97df-5a8fdb3833fe
Verdict: Malicious activity
Analysis date: October 20, 2024, 16:40:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 8635F94C18C6372A4DF1001CAC67E366
SHA1: C6B35959A3AFE487581509BA1853FF93C8E4E5DF
SHA256: 4E7982C1A982141773E2A47F43D0212C6E966457A4F96F7D05F5476D3E18A9AF
SSDEEP: 196608:YecQrTnOvHB/x85gZ55mXaCf5l5H7oMr/ev:nlaRwIGa8lx7LrGv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • droidkit-en-setup.exe (PID: 6216)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • droidkit-en-setup.exe (PID: 6216)
    • The process creates files with name similar to system file names

      • droidkit-en-setup.exe (PID: 6216)
    • Executable content was dropped or overwritten

      • droidkit-en-setup.exe (PID: 6216)
    • Reads security settings of Internet Explorer

      • droidkit-en-setup.exe (PID: 6216)
    • Starts CMD.EXE for commands execution

      • droidkit-en-setup.exe (PID: 6216)
    • Checks Windows Trust Settings

      • droidkit-en-setup.exe (PID: 6216)
    • The process drops C-runtime libraries

      • droidkit-en-setup.exe (PID: 6216)
  • INFO

    • Checks supported languages

      • droidkit-en-setup.exe (PID: 6216)
      • curl.exe (PID: 7088)
      • curl.exe (PID: 5084)
    • Reads CPU info

      • droidkit-en-setup.exe (PID: 6216)
    • Create files in a temporary directory

      • droidkit-en-setup.exe (PID: 6216)
    • Process checks computer location settings

      • droidkit-en-setup.exe (PID: 6216)
    • Reads the computer name

      • droidkit-en-setup.exe (PID: 6216)
      • curl.exe (PID: 5084)
      • curl.exe (PID: 7088)
    • Creates files in the program directory

      • droidkit-en-setup.exe (PID: 6216)
    • Checks proxy server information

      • droidkit-en-setup.exe (PID: 6216)
    • Reads the machine GUID from the registry

      • droidkit-en-setup.exe (PID: 6216)
    • The process uses the downloaded file

      • droidkit-en-setup.exe (PID: 6216)
    • Reads the software policy settings

      • droidkit-en-setup.exe (PID: 6216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 26624
InitializedDataSize: 475136
UninitializedDataSize: 16896
EntryPoint: 0x3415
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.3
ProductVersionNumber: 1.0.1.3
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: iMobie Inc.
FileDescription: DroidKit
FileVersion: 1.0.1.3
InternalName: ${Name}
LegalCopyright: Copyright (C) iMobie Inc. All rights reserved
LegalTrademarks: iMobie Inc. All rights reserved
ProductName: DroidKit
ProductVersion: 1.0.1.3
No data.
All screenshots are available in the full report
Total processes
130
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Process tree ("no specs" marks a process with no indicators of its own):

start
  droidkit-en-setup.exe
    cmd.exe (no specs)
      conhost.exe (no specs)
      curl.exe
    cmd.exe (no specs)
      conhost.exe (no specs)
      curl.exe
  droidkit-en-setup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3128
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5084
CMD:
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"26B799FA\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
Path:
C:\Windows\SysWOW64\curl.exe
Parent process:
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
35
Version:
8.4.0
Modules
Images
c:\windows\syswow64\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
5828
CMD:
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"26B799FA\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
droidkit-en-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
35
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6172
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6216
CMD:
"C:\Users\admin\Desktop\droidkit-en-setup.exe" 
Path:
C:\Users\admin\Desktop\droidkit-en-setup.exe
Parent process:
explorer.exe
User:
admin
Company:
iMobie Inc.
Integrity Level:
HIGH
Description:
DroidKit
Version:
1.0.1.3
Modules
Images
c:\users\admin\desktop\droidkit-en-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
6432
CMD:
"C:\Users\admin\Desktop\droidkit-en-setup.exe" 
Path:
C:\Users\admin\Desktop\droidkit-en-setup.exe
Parent process:
explorer.exe
User:
admin
Company:
iMobie Inc.
Integrity Level:
MEDIUM
Description:
DroidKit
Exit code:
3221226540
Version:
1.0.1.3
Modules
Images
c:\users\admin\desktop\droidkit-en-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7084
CMD:
"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"26B799FA\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
droidkit-en-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
35
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
7088
CMD:
curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"dk-Windows\",\"user_id\":\"26B799FA\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"dk-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.1.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-VR4P911QVY&api_secret=RrQJtReGS520apjVhJz5xw"
Path:
C:\Windows\SysWOW64\curl.exe
Parent process:
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
35
Version:
8.4.0
Modules
Images
c:\windows\syswow64\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events
4 393
Read events
4 390
Write events
3
Delete events
0

Modification events

(PID) Process: (6216) droidkit-en-setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6216) droidkit-en-setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6216) droidkit-en-setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
10
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\uninstall.ini
Type: text
MD5: E978A46D7E23C139E4DF7B526F86745F
SHA256: 435288E587018AA375E8A4BF3F35CD8DFFFD559053F5CA6A0E487A61FF23E5DB

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\Setup.ico
Type: image
MD5: 9CA6D8DCDC3A93521270FCB52C33E491
SHA256: 7056EDA1128F8A3A0C7217885972359CEE99B6A62A62D4BD7BAD79B04D7DB227

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\dotNetFx45_Full_setup.exe
Type: executable
MD5: 9E8253F0A993E53B4809DBD74B335227
SHA256: E434828818F81E6E1F5955E84CAEC08662BD154A80B24A71A2EDA530D8B2F66A

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\uninstall.exe
Type: executable
MD5: DC81C01374E9543469920D763402B10A
SHA256: 87801F6C52B6660A9F1CB8A832A5BBAD75F7D086E3C141F547EAFD633BD7CB76

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\modern-install.ico
Type: image
MD5: 9F49CD02B213AEC852ACE2F045CFAB18
SHA256: CED6BD38E3B6731DDF63ED4E5E41D11D9935E220ADDD0A2D798CE2B7ADA8D394

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\Help.ico
Type: image
MD5: 9CA6D8DCDC3A93521270FCB52C33E491
SHA256: 7056EDA1128F8A3A0C7217885972359CEE99B6A62A62D4BD7BAD79B04D7DB227

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\msvcp100.dll
Type: executable
MD5: D029339C0F59CF662094EDDF8C42B2B5
SHA256: 934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\msvcr100.dll
Type: executable
MD5: 366FD6F3A451351B5DF2D7C4ECF4C73A
SHA256: AE3CB6C6AFBA9A4AA5C85F66023C35338CA579B30326DD02918F9D55259503D5

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\GoogleTracingLib.dll
Type: executable
MD5: 3A914FC853188765010B73FF99834383
SHA256: 5B8CADF540DD47D19B1020BF5C0ACA1B6D14D9D875B0A5794B432401C60EE5C7

PID: 6216
Process: droidkit-en-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfC7CE.tmp\System.dll
Type: executable
MD5: 86A488BF743DFAB80FF142713ADB5D48
SHA256: 3924B57F8993A880D53E1E4E18EB6BA9B5DC610CBB00345C954C7E8A9078C309
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
24
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1764
RUXIMICS.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1764
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
67.225.249.166:443
https://dl.imobie.com/droidkit64.7z
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1764
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1764
RUXIMICS.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.74.206
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.google-analytics.com
  • 142.250.185.238
whitelisted
dl.imobie.com
  • 67.225.249.166
whitelisted
self.events.data.microsoft.com
  • 40.79.189.58
whitelisted

Threats

No threats detected
No debug info