File name: 18937871705.zip
Full analysis: https://app.any.run/tasks/8c9941d7-cdde-4525-ba64-2a5e0d5d875b
Verdict: Malicious activity
Analysis date: September 10, 2024, 01:10:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
antivm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 402D0CEBBC41DE17BB3C6B4B3F894FB2
SHA1: 472FD8802DAB2EE0CA9140F2A987F5BFE4D60456
SHA256: 6687DA602A42F25443AB867B9DE0F515094E42C028EE0138DDB64C368EC83FFA
SSDEEP: 98304:PjDseJGPcqKsTOWXJVQ0zxg0RD3ks7259IAA6MLC46DWg3LhNNlzHWO5+oyS910S:+V0k5pbLb6RZhfgK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates or modifies Windows services

      • ComputerZTray.exe (PID: 6184)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • ComputerZTray.exe (PID: 6184)
      • computercenter.exe (PID: 1640)
      • ComputerZService.exe (PID: 7044)
      • dll_service.exe (PID: 4976)
      • dll_service.exe (PID: 6056)
      • dll_service.exe (PID: 1780)
      • dll_service.exe (PID: 5700)
      • ComputerzService_x64.exe (PID: 6268)
      • ComputerZ_CN.exe (PID: 3028)
      • web_host.exe (PID: 6612)
    • Searches for installed software

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • computercenter.exe (PID: 1640)
      • ComputerZTray.exe (PID: 6184)
    • Process requests binary or script from the Internet

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • web_host.exe (PID: 6612)
    • Identifying current user with WHOAMI command

      • cmd.exe (PID: 3700)
    • Drops 7-zip archiver for unpacking

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZ_CN.exe (PID: 3028)
    • Adds/modifies Windows certificates

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
    • Checks Windows Trust Settings

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • ComputerZTray.exe (PID: 6184)
      • ComputerZService.exe (PID: 7044)
      • computercenter.exe (PID: 1640)
      • dll_service.exe (PID: 4976)
      • dll_service.exe (PID: 5700)
      • dll_service.exe (PID: 6056)
      • dll_service.exe (PID: 1780)
      • ComputerzService_x64.exe (PID: 6268)
      • ComputerZ_CN.exe (PID: 3028)
      • web_host.exe (PID: 6612)
    • Drops a system driver (possible attempt to evade defenses)

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
    • Process drops legitimate windows executable

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZ_CN.exe (PID: 3028)
    • Creates a software uninstall entry

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
    • Executable content was dropped or overwritten

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZ_CN.exe (PID: 3028)
    • The process creates files with name similar to system file names

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZ_CN.exe (PID: 3028)
    • The process checks if it is being run in the virtual environment

      • ComputerZService.exe (PID: 7044)
    • Reads the date of Windows installation

      • ComputerZService.exe (PID: 7044)
    • Application launched itself

      • CefView.exe (PID: 2700)
    • There is functionality for VM detection (VMWare)

      • CefView.exe (PID: 2700)
      • CefView.exe (PID: 4876)
    • Potential Corporate Privacy Violation

      • web_host.exe (PID: 6612)
  • INFO

    • Reads the computer name

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • ComputerZTray.exe (PID: 6184)
      • computercenter.exe (PID: 1640)
      • ComputerZService.exe (PID: 7044)
      • dll_service.exe (PID: 4976)
      • dll_service.exe (PID: 5700)
      • dll_service.exe (PID: 6056)
      • ComputerzService_x64.exe (PID: 6268)
      • dll_service.exe (PID: 1780)
      • ComputerZ_CN.exe (PID: 3028)
      • CefView.exe (PID: 2700)
      • web_host.exe (PID: 6612)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 1116)
      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZTray.exe (PID: 6184)
    • Creates files or folders in the user directory

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • ComputerZTray.exe (PID: 6184)
      • computercenter.exe (PID: 1640)
      • ComputerZService.exe (PID: 7044)
      • ComputerZ_CN.exe (PID: 3028)
    • Checks supported languages

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • ComputerZTray.exe (PID: 6184)
      • computercenter.exe (PID: 1640)
      • ComputerZService.exe (PID: 7044)
      • dll_service.exe (PID: 4976)
      • dll_service.exe (PID: 6056)
      • dll_service.exe (PID: 5700)
      • dll_service.exe (PID: 1780)
      • ComputerzService_x64.exe (PID: 6268)
      • hdw_disk_scan.exe (PID: 5116)
      • ComputerZ_CN.exe (PID: 3028)
      • web_host.exe (PID: 6612)
      • CefView.exe (PID: 2700)
      • CefView.exe (PID: 4876)
      • CefView.exe (PID: 5172)
    • Checks proxy server information

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • ComputerZTray.exe (PID: 6184)
      • computercenter.exe (PID: 1640)
      • ComputerZService.exe (PID: 7044)
      • ComputerZ_CN.exe (PID: 3028)
      • CefView.exe (PID: 2700)
      • web_host.exe (PID: 6612)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1116)
    • Manual execution by a user

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 608)
      • cmd.exe (PID: 3700)
      • ComputerZ_CN.exe (PID: 2640)
      • ComputerZ_CN.exe (PID: 3028)
    • Creates files in the program directory

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZService.exe (PID: 7044)
      • ComputerZTray.exe (PID: 6184)
    • Reads the machine GUID from the registry

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • Ldshelper.exe (PID: 6948)
      • computercenter.exe (PID: 1640)
      • ComputerZTray.exe (PID: 6184)
      • ComputerZService.exe (PID: 7044)
      • dll_service.exe (PID: 4976)
      • dll_service.exe (PID: 1780)
      • dll_service.exe (PID: 5700)
      • dll_service.exe (PID: 6056)
      • ComputerzService_x64.exe (PID: 6268)
      • ComputerZ_CN.exe (PID: 3028)
      • web_host.exe (PID: 6612)
    • Create files in a temporary directory

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZ_CN.exe (PID: 3028)
      • CefView.exe (PID: 2700)
      • CefView.exe (PID: 5172)
      • web_host.exe (PID: 6612)
    • Process checks computer location settings

      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZTray.exe (PID: 6184)
    • Reads the software policy settings

      • Ldshelper.exe (PID: 6948)
      • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (PID: 2624)
      • ComputerZService.exe (PID: 7044)
      • computercenter.exe (PID: 1640)
      • ComputerZTray.exe (PID: 6184)
      • dll_service.exe (PID: 4976)
      • dll_service.exe (PID: 5700)
      • dll_service.exe (PID: 6056)
      • dll_service.exe (PID: 1780)
      • ComputerzService_x64.exe (PID: 6268)
      • ComputerZ_CN.exe (PID: 3028)
      • web_host.exe (PID: 6612)
    • Disables trace logs

      • computercenter.exe (PID: 1640)
    • Sends debugging messages

      • CefView.exe (PID: 2700)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0xe4c6eb96
ZipCompressedSize: 5534021
ZipUncompressedSize: 5702624
ZipFileName: f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 24
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Process nodes in graph order (nodes marked "no specs" have no indicators attached; THREAT marks a node with a network threat hit):
  • start
  • winrar.exe
  • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe (no specs)
  • f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
  • rundll32.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • whoami.exe (no specs)
  • ldshelper.exe
  • computerztray.exe
  • unsecapp.exe (no specs)
  • computercenter.exe
  • computerzservice.exe
  • dll_service.exe (no specs)
  • dll_service.exe (no specs)
  • dll_service.exe (no specs)
  • dll_service.exe (no specs)
  • computerzservice_x64.exe (no specs)
  • hdw_disk_scan.exe (no specs)
  • computerz_cn.exe (no specs)
  • computerz_cn.exe
  • web_host.exe (THREAT)
  • cefview.exe (THREAT)
  • cefview.exe (no specs)
  • cefview.exe (no specs)

Process information

PID: 608
CMD: "C:\Users\admin\Desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe"
Path: C:\Users\admin\Desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Application (应用程序)
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; PID 2624 below is the same binary running at HIGH integrity)
Version: 6.1024.1225.801
Modules (images):
c:\users\admin\desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 1116
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\18937871705.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1172
CMD: C:\WINDOWS\system32\wbem\unsecapp.exe -Embedding
Path: C:\Windows\System32\wbem\unsecapp.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Sink to receive asynchronous callbacks for WMI client application
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1640
CMD: "C:\Program Files (x86)\Ludashi\computercenter.exe" "C:\Program Files (x86)\Ludashi\ComputerZTray.exe" /NoFloat /disable_panel /disable_temp_alarm /HideBand
Path: C:\Program Files (x86)\Ludashi\computercenter.exe
Parent process: ComputerZTray.exe
User: admin
Integrity Level: HIGH
Description: General module (常规模块)
Version: 1.5022.1020.926
Modules (images):
c:\program files (x86)\ludashi\computercenter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 1688
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1780
CMD: "C:\Program Files (x86)\Ludashi\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="NvidiaMonitorSizeOfProcess" --wnd=394068
Path: C:\Program Files (x86)\Ludashi\Utils\dll_service.exe
Parent process: ComputerZService.exe
User: admin
Integrity Level: HIGH
Description: 鲁大师 (Ludashi)
Exit code: 0
Version: 2.1022.1025.920
Note: the --dll= / --entry= arguments make dll_service.exe a generic in-process DLL loader (the same role rundll32.exe plays), running here at HIGH integrity under the vendor's service.
Modules (images):
c:\program files (x86)\ludashi\utils\dll_service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2132
CMD: whoami
Path: C:\Windows\System32\whoami.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: whoami - displays logged on user information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2624
CMD: "C:\Users\admin\Desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe"
Path: C:\Users\admin\Desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Application (应用程序)
Exit code: 0
Version: 6.1024.1225.801
Modules (images):
c:\users\admin\desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2640
CMD: "C:\Program Files (x86)\Ludashi\ComputerZ_CN.exe" --from=deskshortcut
Path: C:\Program Files (x86)\Ludashi\ComputerZ_CN.exe
Parent process: explorer.exe
User: admin
Company: 鲁大师 (Ludashi)
Integrity Level: MEDIUM
Description: 鲁大师 (Ludashi)
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.1022.3440.1020
Modules (images):
c:\program files (x86)\ludashi\computerz_cn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 2700
CMD: "C:\Users\admin\AppData\Local\Temp\{55CA764D-1876-4964-B25C-1ADD2B6026AD}\Utils\cef\CefView.exe" --parent_wnd=6022a --tab_rect="0,0,0,0" --tab_ids="96E97364-CC39-4f35-ACA5-20293B106F08" --cmd="" --disable-gpu --disable-gpu-compositing --enable_high_dpi --class_name="common_pop" --url="about:blank" --tab_group_ids="B8562B65-8F83-4043-A018-473CFEAB1F22" --web_view_id=256 --disable-pinch --disable-web-security --disable-alt-f4
Path: C:\Users\admin\AppData\Local\Temp\{55CA764D-1876-4964-B25C-1ADD2B6026AD}\Utils\cef\CefView.exe
Parent process: web_host.exe
User: admin
Integrity Level: HIGH
Description: CefView Application
Version: 2.5022.3155.822
Note: --disable-web-security switches off same-origin enforcement in the embedded Chromium; this process runs at HIGH integrity from a GUID-named directory under %TEMP%, and it is the node the behavior graph marks THREAT together with its parent web_host.exe.
Modules (images):
c:\users\admin\appdata\local\temp\{55ca764d-1876-4964-b25c-1add2b6026ad}\utils\cef\cefview.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
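The process tree above contains three patterns worth turning into detection logic: whoami.exe spawned from a command shell, an embedded-Chromium host started with --disable-web-security, and a generic DLL loader (dll_service.exe with --dll= and --entry=) running elevated. The following is an added example, not code from the report or from the vendor: it runs those rules over process-creation events modelled on the tree above. PIDs, images, parents, paths, integrity levels and command lines are taken from the report; cmd.exe's parent and arguments are not shown on the page and are constructed here as an assumption, and the CefView.exe command line is abridged.

```python
# Process-creation events modelled on the process tree in the report above.
# cmd.exe's parent/arguments are constructed (not on the page); the CefView
# command line is abridged to the switches the rules care about.
EVENTS = [
    {"pid": 1116, "image": "WinRAR.exe", "parent": "explorer.exe", "integrity": "MEDIUM",
     "path": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\18937871705.zip'},
    {"pid": 1172, "image": "unsecapp.exe", "parent": "svchost.exe", "integrity": "HIGH",
     "path": r"C:\Windows\System32\wbem\unsecapp.exe",
     "cmdline": r"C:\WINDOWS\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 3700, "image": "cmd.exe", "parent": "explorer.exe", "integrity": "MEDIUM",  # constructed
     "path": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2132, "image": "whoami.exe", "parent": "cmd.exe", "integrity": "MEDIUM",
     "path": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"pid": 1780, "image": "dll_service.exe", "parent": "ComputerZService.exe", "integrity": "HIGH",
     "path": r"C:\Program Files (x86)\Ludashi\Utils\dll_service.exe",
     "cmdline": r'"C:\Program Files (x86)\Ludashi\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="NvidiaMonitorSizeOfProcess" --wnd=394068'},
    {"pid": 2700, "image": "CefView.exe", "parent": "web_host.exe", "integrity": "HIGH",
     "path": r"C:\Users\admin\AppData\Local\Temp\{55CA764D-1876-4964-B25C-1ADD2B6026AD}\Utils\cef\CefView.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\{55CA764D-1876-4964-B25C-1ADD2B6026AD}\Utils\cef\CefView.exe" --parent_wnd=6022a --disable-gpu --url="about:blank" --disable-web-security --disable-alt-f4'},
]


def rule_whoami_from_shell(ev):
    """User discovery (whoami) launched by an interactive or scripted shell."""
    return ev["image"].lower() == "whoami.exe" and ev["parent"].lower() in ("cmd.exe", "powershell.exe")


def rule_chromium_web_security_disabled(ev):
    """A Chromium/CEF host started with same-origin policy switched off."""
    return "--disable-web-security" in ev["cmdline"].lower()


def rule_generic_dll_host_elevated(ev):
    """A process that takes a DLL and an export name on its command line is a
    rundll32-style proxy host; flag it when it runs at HIGH integrity."""
    cl = ev["cmdline"].lower()
    return ev["integrity"] == "HIGH" and "--dll=" in cl and "--entry=" in cl


def rule_exec_from_temp_elevated(ev):
    """Elevated process whose image lives under a user's %TEMP% directory."""
    return ev["integrity"] == "HIGH" and "\\appdata\\local\\temp\\" in ev["path"].lower()


RULES = {
    "whoami_from_shell": rule_whoami_from_shell,
    "chromium_web_security_disabled": rule_chromium_web_security_disabled,
    "generic_dll_host_elevated": rule_generic_dll_host_elevated,
    "exec_from_temp_elevated": rule_exec_from_temp_elevated,
}


def run_rules(events, rules=RULES):
    """Return sorted (pid, rule_name) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, check in rules.items():
            if check(ev):
                hits.append((ev["pid"], name))
    return sorted(hits)


if __name__ == "__main__":
    for pid, name in run_rules(EVENTS):
        print(f"PID {pid}: {name}")
```

Against the modelled events this flags dll_service.exe (1780), whoami.exe (2132) and CefView.exe (2700, twice), and stays silent on WinRAR, unsecapp.exe and cmd.exe itself. Every one of these rules fires on legitimate software too (CEF-based applications commonly ship with --disable-web-security), so they belong in a scoring pipeline rather than a blocking one.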
Total events: 73 027
Read events: 72 941
Write events: 80
Delete events: 6

Modification events

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write; Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(ArcHistory entry 1 is the archive WinRAR had opened previously in the sandbox image; no file by that name appears among this task's dropped files.)

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write; Name: 0
Value: C:\Users\admin\AppData\Local\Temp\18937871705.zip

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write; Name: name
Value: 120

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write; Name: size
Value: 80

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write; Name: type
Value: 120

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write; Name: mtime
Value: 100

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: write; Name: 0
Value: C:\Users\admin\Desktop

(PID) Process: (1116) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write; Name: ShowPassword
Value: 0

(PID) Process: (2624) f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CommonDown
Operation: write; Name: guid
Value: {00B162BB-6172-430c-A6D3-1FF6CF5EDDC4}

(PID) Process: (2624) f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write; Name: CachePrefix
Value: (empty)

Executable files: 258
Suspicious files: 184
Text files: 55
Unknown types: 0

Dropped files

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\ludashi_home_20221101[1].dll
Type: (not shown)
MD5: (not shown)
SHA256: (not shown)

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\Roaming\ludashi\setup.dll
Type: (not shown)
MD5: (not shown)
SHA256: (not shown)

PID 1116, WinRAR.exe
Filename: C:\Users\admin\Desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa
Type: executable
MD5: 5D04DA31238FF20998723B09AFFD65D3
SHA256: F1EA3DD89B90FD6F29EA9ADDB9E30A4A527F8F83BB9E9D26C2FAF05F21C209AA

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\Local\Temp\{7F948420-BF06-467b-B27E-B645347DE6E8}.tf
Type: binary
MD5: 8520E56BA3327A290F18A0D4E75512E3
SHA256: 86ECF7F3E821893F0DF5D2EC781B251455649C9DB13A971DA05CACEC73766064

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Program Files (x86)\Ludashi\{D0367ABF-3FFC-4c1a-95D1-9CAD775C18F5}.tf
Type: binary
MD5: A0D16CC34CD10464C60F9E6B4C0EAC02
SHA256: 34EA0F330AB8814A63EFD5BF5D760BD19D340F1F6FEDD72BA7ECB6048A41DB6D

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57
Type: der
MD5: 6248FC589905D953DCC616DF54B4C895
SHA256: A09E362F2518892793A5D207819E4BA37D37971876B216C4DD918FCB39159BC8

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\pc[1].htm
Type: binary
MD5: ADA78A022EA49F281EC66C46D0E079C2
SHA256: B96FFF2E4EDB3BD0C1ED901021B69A2DFFE7040B022A409B47A66EC4A00D9E91

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\Local\Temp\{D9635D14-9507-4197-906F-C6D23D4C67F3}.tmp
Type: compressed
MD5: D25E7AB22F72F37E7B3CC832CEB7F014
SHA256: 247BCDDC0D2A43F91C148051E7952B7BE15B73755791E04C6D57C42819FDB8F2

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Program Files (x86)\Ludashi\{F5C3FE7D-3D22-4c6f-9987-3EC29E53438B}.tf
Type: binary
MD5: FEAAC8EFE00973FD7AA746BD949EC239
SHA256: 8EAE42DBD6126493745328DC878956783BB6A6921FEFC3AC6034FB3C029B768D

PID 2624, f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\get3[1].htm
Type: text
MD5: D9F56D9FB74A463A1DBF11D95C662FAC
SHA256: 2F367E3C9295DAEE1D2A177F2CCE0DCDF24EC137091EA3B788F197524D5557B6
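The archive's single entry is named by its own SHA-256 (the ZipFileName in the EXIF block and the SHA256 of the file WinRAR extracted to the Desktop are the same value), which is the usual convention for samples pulled from a hash-keyed repository. The following is an added example, not code from the report: it parses dropped-file records in the fused "PIDprocessPathType" layout the extraction produced above (a subset of the rows, copied as they appear), recovers the separate fields, and checks which records are named by their own hash, plus a helper that re-hashes extracted bytes against such a name. The constructed byte string at the end is sample input only.

```python
import hashlib
import re

# Dropped-file rows copied from the report above in the fused layout the
# extraction produced: PID, process name, path and type run together on one
# line, followed by "MD5:" and "SHA256:" lines (empty when not recorded).
DROPPED_ROWS = r"""
2624f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exeC:\Users\admin\AppData\Roaming\ludashi\setup.dll
MD5:
SHA256:
1116WinRAR.exeC:\Users\admin\Desktop\f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aaexecutable
MD5:5D04DA31238FF20998723B09AFFD65D3
SHA256:F1EA3DD89B90FD6F29EA9ADDB9E30A4A527F8F83BB9E9D26C2FAF05F21C209AA
2624f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exeC:\Users\admin\AppData\Local\Temp\{7F948420-BF06-467b-B27E-B645347DE6E8}.tfbinary
MD5:8520E56BA3327A290F18A0D4E75512E3
SHA256:86ECF7F3E821893F0DF5D2EC781B251455649C9DB13A971DA05CACEC73766064
2624f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57der
MD5:6248FC589905D953DCC616DF54B4C895
SHA256:A09E362F2518892793A5D207819E4BA37D37971876B216C4DD918FCB39159BC8
2624f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\pc[1].htmbinary
MD5:ADA78A022EA49F281EC66C46D0E079C2
SHA256:B96FFF2E4EDB3BD0C1ED901021B69A2DFFE7040B022A409B47A66EC4A00D9E91
2624f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exeC:\Users\admin\AppData\Local\Temp\{D9635D14-9507-4197-906F-C6D23D4C67F3}.tmpcompressed
MD5:D25E7AB22F72F37E7B3CC832CEB7F014
SHA256:247BCDDC0D2A43F91C148051E7952B7BE15B73755791E04C6D57C42819FDB8F2
2624f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\get3[1].htmtext
MD5:D9F56D9FB74A463A1DBF11D95C662FAC
SHA256:2F367E3C9295DAEE1D2A177F2CCE0DCDF24EC137091EA3B788F197524D5557B6
""".strip().splitlines()

# The type column only ever holds one of these tokens in this report. The path
# is matched lazily so the type token is peeled off the end when present; a
# file whose real name ended in one of these tokens would be mis-split, which
# is the price of parsing a layout that lost its column separators.
ROW_RE = re.compile(
    r"^(?P<pid>\d+)(?P<process>.+?\.exe)(?P<path>[A-Za-z]:\\.*?)"
    r"(?P<type>executable|binary|compressed|text|der)?$"
)


def parse_dropped(lines):
    """Turn the fused rows into dicts with pid, process, path, type, md5, sha256."""
    records = []
    for line in lines:
        m = ROW_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["type"] = rec["type"] or "unknown"
            rec["md5"] = rec["sha256"] = None
            records.append(rec)
            continue
        for algo in ("MD5", "SHA256"):
            if line.startswith(algo + ":"):
                value = line[len(algo) + 1:].strip().lower()
                records[-1][algo.lower()] = value or None
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def named_by_sha256(rec):
    """True when the file's name is exactly its own SHA-256 hex digest."""
    return rec["sha256"] is not None and basename(rec["path"]).lower() == rec["sha256"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_extracted_sample(name, data):
    """Re-hash extracted bytes and compare with a hash-style file name."""
    return sha256_hex(data) == name.lower()


if __name__ == "__main__":
    for rec in parse_dropped(DROPPED_ROWS):
        flag = " <- named by its SHA-256" if named_by_sha256(rec) else ""
        print(rec["pid"], rec["type"], basename(rec["path"]), flag)
    # Constructed sample bytes, hashed and then checked against their own name.
    blob = b"constructed sample bytes, not the real file"
    print(verify_extracted_sample(sha256_hex(blob), blob))
```

Only the WinRAR-extracted entry passes named_by_sha256; every other artefact is a GUID-named temp file, a cache entry or a DLL. The parser lowercases both hashes so the report's upper-case digests compare equal to the lower-case file name.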
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 97
TCP/UDP connections: 113
DNS requests: 33
Threats: 1

HTTP requests (first ten of 97; the Type and Size columns are not populated for these rows)

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
6364 | svchost.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEA7t2z9YiVEKqNV8oV82zTU%3D | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 106.15.139.192:80 | http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=ldsinsrun&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]= | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 106.15.139.192:80 | http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=ldsdownload&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[v]=13&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]= | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 106.15.139.192:80 | http://s.ludashi.com/url2?pid=buysite_00&mid=80342cb959da2233832ae840f019ccba&mid2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&appver=6.1022.3440.1020&modver=6.1022.3440.1020&type=instnew&action=setup_pid&ex_ary[ex7]=4&ex_ary[os]=10_0_19045_64&ex_ary[sr]=0&ex_ary[tagid]= | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 114.116.48.235:80 | http://www.ludashi.com/stat/pc.php?pid=buysite_00&type=instnew&action=run&appver=6.1022.3440.1020&modver=6.1022.3440.1020&mid=80342cb959da2233832ae840f019ccba&sign_name=pc&sign=73911ae0c11684feec7203f4ab2881fe&ex_ary[os]=10_0_19045_64&ex_ary[sr]=0&ex_ary[tagid]= | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 106.15.139.192:80 | http://s.ludashi.com/url2?pid=buysite_00&mid=80342cb959da2233832ae840f019ccba&mid2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&appver=6.1022.3440.1020&modver=6.1022.3440.1020&type=instnew&action=run&ex_ary[ex7]=4&ex_ary[os]=10_0_19045_64&ex_ary[sr]=0&ex_ary[tagid]= | unknown | whitelisted
6108 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 106.15.139.192:80 | http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]= | unknown | whitelisted
2624 | f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe | GET | 200 | 49.4.55.6:80 | http://softmgr-cfg.ludashi.com/inst/get3 | unknown | unknown
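Two kinds of request are mixed in the table above: certificate revocation checks (a Microsoft CRL and two DigiCert OCSP queries, which Windows and the installer's signature checks produce) and the installer's own beacons to ludashi.com, all over plain HTTP, each carrying a persistent machine identifier (mid=...), the OS build and two different product versions (the downloader stub at 6.1024.1225.801 and the installed application at 6.1022.3440.1020). The following is an added example, not code from the report or the vendor: it parses the ten URLs as listed above, separates PKI traffic from vendor telemetry, and collects the identifiers the telemetry leaks. The host classification rules are the example's own assumptions.

```python
from urllib.parse import parse_qs, urlsplit

SAMPLE = "f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa.exe"

# The ten HTTP requests listed in the report above, copied as shown there.
REQUESTS = [
    (6364, "svchost.exe", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (2624, SAMPLE, "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEA7t2z9YiVEKqNV8oV82zTU%3D"),
    (2624, SAMPLE, "http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=ldsinsrun&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]="),
    (2624, SAMPLE, "http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=ldsdownload&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[v]=13&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]="),
    (2624, SAMPLE, "http://s.ludashi.com/url2?pid=buysite_00&mid=80342cb959da2233832ae840f019ccba&mid2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&appver=6.1022.3440.1020&modver=6.1022.3440.1020&type=instnew&action=setup_pid&ex_ary[ex7]=4&ex_ary[os]=10_0_19045_64&ex_ary[sr]=0&ex_ary[tagid]="),
    (2624, SAMPLE, "http://www.ludashi.com/stat/pc.php?pid=buysite_00&type=instnew&action=run&appver=6.1022.3440.1020&modver=6.1022.3440.1020&mid=80342cb959da2233832ae840f019ccba&sign_name=pc&sign=73911ae0c11684feec7203f4ab2881fe&ex_ary[os]=10_0_19045_64&ex_ary[sr]=0&ex_ary[tagid]="),
    (2624, SAMPLE, "http://s.ludashi.com/url2?pid=buysite_00&mid=80342cb959da2233832ae840f019ccba&mid2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&appver=6.1022.3440.1020&modver=6.1022.3440.1020&type=instnew&action=run&ex_ary[ex7]=4&ex_ary[os]=10_0_19045_64&ex_ary[sr]=0&ex_ary[tagid]="),
    (6108, "svchost.exe", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
    (2624, SAMPLE, "http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]="),
    (2624, SAMPLE, "http://softmgr-cfg.ludashi.com/inst/get3"),
]


def parse_request(url):
    """Split a URL into scheme, host, path and a flat {param: first value} dict."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"scheme": parts.scheme, "host": parts.hostname, "path": parts.path, "params": params}


def classify(url):
    """'pki' for CRL/OCSP fetches, 'vendor' for ludashi.com, 'other' otherwise.
    These rules are the example's assumption, not a reputation feed."""
    req = parse_request(url)
    if req["host"].startswith("ocsp.") or "/crl/" in req["path"]:
        return "pki"
    if req["host"].endswith(".ludashi.com"):
        return "vendor"
    return "other"


def summarize(requests):
    """Per vendor host: whether every request was plaintext HTTP, and the
    actions, machine ids, product versions and OS strings it was sent."""
    summary = {}
    for _pid, _proc, url in requests:
        if classify(url) != "vendor":
            continue
        req = parse_request(url)
        entry = summary.setdefault(req["host"], {
            "plaintext": True, "actions": set(), "mid": set(), "appver": set(), "os": set()})
        entry["plaintext"] = entry["plaintext"] and req["scheme"] == "http"
        p = req["params"]
        if "action" in p:
            entry["actions"].add(p["action"])
        if "mid" in p:
            entry["mid"].add(p["mid"])
        if "appver" in p:
            entry["appver"].add(p["appver"])
        if "ex_ary[os]" in p:
            entry["os"].add(p["ex_ary[os]"])
    return summary


def machine_ids(requests):
    """Every distinct mid= value sent to vendor hosts: the identifier to pivot on."""
    return set().union(*(e["mid"] for e in summarize(requests).values()))


def all_plaintext(requests):
    return all(e["plaintext"] for e in summarize(requests).values())


if __name__ == "__main__":
    for host, entry in summarize(REQUESTS).items():
        print(host, "http only" if entry["plaintext"] else "", sorted(entry["actions"]), sorted(entry["appver"]))
    print("machine ids:", machine_ids(REQUESTS))
```

The mid value is the same across every beacon and across both product versions, so it is the identifier to search for in proxy logs when looking for other hosts on which this installer ran; the two appver values and two OS-string formats show that the stub and the installed application report through different code paths to the same endpoint.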

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6208 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6364 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 (NetBIOS datagram broadcast) | | | | whitelisted
4 | System | 192.168.100.255:137 (NetBIOS name service broadcast) | | | | whitelisted
6364 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6364 | svchost.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6108 | svchost.exe | 20.190.159.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6108 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
whitelisted
www.microsoft.com
  • 2.19.217.218
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.4
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
softmgr-cfg.ludashi.com
  • 49.4.55.6
whitelisted
softmgr-stat.ludashi.com
  • 114.115.204.103
whitelisted
s.ludashi.com
  • 106.15.139.192
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted

Threats

PID | Process | Class | Message
6612 | web_host.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

The ET POLICY hit records a PE downloaded over plain HTTP by web_host.exe, the parent of CefView.exe. The CefView.exe console messages below log the destination path of a download started from the embedded web UI; the PCAP in the full report is needed to tie the signature hit to a specific URL.

Debug messages (CefView.exe JavaScript console; source for every message: zip://0CA42E8A-E041-492E-B7C2-703494DED02F|C:\Users\admin\AppData\Local\Temp\{55CA764D-1876-4964-B25C-1ADD2B6026AD}\Themes\UI\lite_download.dat|/build/static/js/main.af70f3cc.js, line 2)
  • Download path==== C:\Users\admin\AppData\Local\Temp\ludashisetup_download.exe
  • statParam
  • beforeCefDownloadFile:
  • CefDownloadFile:
  • progres_data (logged six times)