URL: http://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe

Full analysis: https://app.any.run/tasks/4f6dc08a-da6b-4edb-bcb2-2e446e6d6b2a
Verdict: Malicious activity
Analysis date: April 28, 2024, 04:24:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:    6B168ACEE0686F3EC85104B875455CDA
SHA1:   5EB2542B47C82DC58414DDA9B306E4474E58E2BD
SHA256: 6FFA0121E8CDC80DCBDB3A20B88D338E52BC34C02094FED09F333F681F62B3AB
SSDEEP: 3:N1KdNXK9HLRqBLrJZfhYKA:CvK9HQBPJ3q
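The SSDEEP value above has block size 3, which ssdeep only selects for inputs of at most a few hundred bytes, so these four indicators are almost certainly digests of the submitted URL string rather than of the downloaded binary; the executable's own hashes are the ones listed under Dropped files for google_setup_S2105150849_[1].exe (MD5 B97C0BCC8274BEC9AA677F93F76CC6E0, SHA256 36E26EF723DC76BE9DB5260721A49166475602BD75032BF123212C905A5E61E7). The triage script below is an added example, not ANY.RUN's code and not part of the sample: it hashes each file once with all three algorithms, looks the digests up against the IOCs copied from this report, walks a directory tree, and includes a check (indicator_matches_url) that tests the URL-hash reading directly. The IOC labels, the chunk size and the directory scanned in the demo are this script's own choices.

```python
"""Added example (not ANY.RUN code): hash files once and look them up against this report's IOCs."""
import hashlib
import io
import os

SUBMITTED_URL = "http://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe"

# Digests copied from this report: the task's indicator block, then the executables
# listed under Dropped files. The labels are this script's own.
IOCS = {
    "task indicator (URL)": {
        "md5": "6B168ACEE0686F3EC85104B875455CDA",
        "sha1": "5EB2542B47C82DC58414DDA9B306E4474E58E2BD",
        "sha256": "6FFA0121E8CDC80DCBDB3A20B88D338E52BC34C02094FED09F333F681F62B3AB",
    },
    "google_setup_S2105150849_[1].exe": {
        "md5": "B97C0BCC8274BEC9AA677F93F76CC6E0",
        "sha256": "36E26EF723DC76BE9DB5260721A49166475602BD75032BF123212C905A5E61E7",
    },
    "pomqc3.dll": {
        "md5": "F55B80B90410CD41451BD7FFA8F588CC",
        "sha256": "4FCE6D4B12971E3109092915F12A254EE1666B378DE0636B799CC77443734430",
    },
    "setuphlpr.dll": {
        "md5": "5B8659339FB6F998F25F3D7055B90A8C",
        "sha256": "C9BFCEA372292FBD29F5A5F6CB51F97143D80E036133830FCB74F0994DE51050",
    },
    "preinst.exe": {
        "md5": "D816786CDC29119D43D2B5AC16675921",
        "sha256": "14FAB0A64716584E787B293AF4D00A11CEE14F302CDF8E4A6F5C0D02691E324F",
    },
}

# (algorithm, lowercase digest) -> label, so a lookup is one dict probe per algorithm.
_INDEX = {(alg, digest.lower()): label
          for label, digests in IOCS.items() for alg, digest in digests.items()}


def hash_stream(fobj, chunk_size=1 << 20):
    """Read the data once and feed all three digests; avoids re-reading large files."""
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    for block in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def match(digests):
    """{label: [algorithms that matched]} for every IOC any of the given digests hits."""
    hits = {}
    for alg, digest in digests.items():
        label = _INDEX.get((alg, digest.lower()))
        if label:
            hits.setdefault(label, []).append(alg)
    return hits


def scan_tree(root):
    """Walk a directory; return [(path, hits)] for files whose digests match an IOC."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    hits = match(hash_stream(f))
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the scan
            if hits:
                found.append((path, hits))
    return found


def indicator_matches_url():
    """True if the task indicator block is simply the digests of the submitted URL string."""
    return "task indicator (URL)" in match(hash_bytes(SUBMITTED_URL.encode("ascii")))


if __name__ == "__main__":
    print("indicator block is the URL's own hashes:", indicator_matches_url())
    for path, hits in scan_tree(os.environ.get("TEMP", "/tmp")):  # demo target, an assumption
        print(path, hits)
```

Matching on more than one algorithm per file is deliberate: a report that only carries an MD5 for one artifact and a SHA256 for another still resolves, and a match on two algorithms at once rules out a chance MD5 collision.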

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • google_setup_S2105150849_.exe (PID: 1236)
    • Drops the executable file immediately after the start

      • poda32.exe (PID: 1788)
      • google_setup_S2105150849_.exe (PID: 1236)
      • pobus32.exe (PID: 1132)
    • Creates a writable file in the system directory

      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Actions look like stealing of personal data

      • poda32.exe (PID: 1788)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • iexplore.exe (PID: 4032)
    • Executable content was dropped or overwritten

      • google_setup_S2105150849_.exe (PID: 1236)
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Drops a system driver (possible attempt to evade defenses)

      • google_setup_S2105150849_.exe (PID: 1236)
      • poda32.exe (PID: 1788)
    • The process creates files with name similar to system file names

      • google_setup_S2105150849_.exe (PID: 1236)
      • pobus32.exe (PID: 1132)
    • Malware-specific behavior (creating "System.dll" in Temp; here nsvD257.tmp\System.dll, the NSIS System plugin that any NSIS-built installer extracts into a ns*.tmp folder under %TEMP%, so this signature also fires on benign NSIS installers)

      • google_setup_S2105150849_.exe (PID: 1236)
    • Executes as Windows Service

      • pobus32.exe (PID: 1132)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2052)
    • Creates files in the driver directory

      • poda32.exe (PID: 1788)
    • Searches for installed software

      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Creates or modifies Windows services

      • poda32.exe (PID: 1788)
    • Connects to unusual port

      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
    • Adds/modifies Windows certificates

      • poda32.exe (PID: 1788)
  • INFO

    • The process uses the downloaded file

      • iexplore.exe (PID: 3976)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2040)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 4032)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 4032)
    • Application launched itself

      • iexplore.exe (PID: 3976)
    • Reads the computer name

      • google_setup_S2105150849_.exe (PID: 1236)
      • wmpnscfg.exe (PID: 2040)
      • pobus32.exe (PID: 2008)
      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
      • assisths.exe (PID: 2404)
      • assists.exe (PID: 1644)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3976)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2040)
      • google_setup_S2105150849_.exe (PID: 1236)
      • pobus32.exe (PID: 2008)
      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
      • assisths.exe (PID: 2404)
      • assisthost.exe (PID: 2812)
      • assistda.exe (PID: 2732)
      • assists.exe (PID: 1644)
    • Creates files in a temporary directory

      • google_setup_S2105150849_.exe (PID: 1236)
    • Creates files in the program directory

      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
      • assisths.exe (PID: 2404)
    • Creates files or folders in the user directory

      • poda32.exe (PID: 1788)
    • Reads the machine GUID from the registry

      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
No Malware configuration.
All screenshots are available in the full report

Total processes: 164
Monitored processes: 70
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process launch order, as drawn in the graph (entries the graph labels "no specs" are marked here):

iexplore.exe → iexplore.exe → wmpnscfg.exe (no specs) → google_setup_s2105150849_.exe (no specs) → google_setup_s2105150849_.exe → pobus32.exe → regsvr32.exe (no specs) → pobus32.exe → poda32.exe → assisths.exe (no specs; dozens of short-lived instances, all spawned by pobus32.exe) → assisthost.exe (no specs) → assistda.exe (no specs) → assists.exe (no specs)

Process information

PID 368   C:\Windows\projone\potcm\assisths.exe   (parent: pobus32.exe)
  CMD / Path:       C:\Windows\projone\potcm\assisths.exe
  User:             SYSTEM
  Company:          Gooxion software
  Integrity level:  SYSTEM
  Description:      asphs
  Exit code:        3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
  Version:          5.1.15.2010
  Loaded images:    c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

  Exit status 3221225781 is 0xC0000135, STATUS_DLL_NOT_FOUND: the loader could not resolve one of the image's imports, which is why only ntdll, kernel32 and kernelbase were mapped before the process died. pobus32.exe keeps spawning new instances regardless (see the behavior graph).

PIDs 600, 748, 1032, 1056, 1064, 1184 and 1240: further assisths.exe instances, identical to PID 368 in command line, parent, user, company, integrity level, description, exit code, version and loaded images.

PID 1132  C:\Windows\projone\potcm\pobus32.exe   (parent: services.exe)
  CMD / Path:       C:\Windows\projone\potcm\pobus32.exe
  User:             SYSTEM
  Company:          gooxion
  Integrity level:  SYSTEM
  Description:      pobus application (original string: pobus 应用程序)
  Version:          5,1,15,2403
  Loaded images:    c:\windows\projone\potcm\pobus32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll

PID 1236  google_setup_S2105150849_.exe   (parent: iexplore.exe)
  CMD:              "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe"
  Path:             C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe
  User:             admin
  Company:          Terminal security software (original string: 终端安全软件)
  Integrity level:  HIGH
  Description:      Secure terminal installer (original string: 安全终端 安装程序)
  Exit code:        0
  Version:          5.1.15.2403
  Loaded images:    c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\google_setup_s2105150849_.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shell32.dll
Total events: 39 846
Read events: 35 178
Write events: 3 472
Delete events: 1 196

Modification events

PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration = 1
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime = 97556672
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime = 31103268
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime = 397712922
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime = 31103268
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix = (empty)
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix = Cookie:
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix = Visited:
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags = 0
PID 3976 iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1

This excerpt only shows Internet Explorer's own bookkeeping (PID 3976); the service and certificate-store writes flagged for poda32.exe above are not included in it.
Executable files: 159
Suspicious files: 36
Text files: 323
Unknown types: 11

Dropped files

PID 3976  iexplore.exe  (binary)
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 69712A07778FEF53E4D3C14DA65EA7A8   SHA256: B11A24A82917F7A8F5D2488264BC256F7298EC1429BCD5F929A351F013D6755E

PID 3976  iexplore.exe  (xml)
  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB509.tmp
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10   SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9

PID 4032  iexplore.exe  (executable)
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\google_setup_S2105150849_[1].exe
  MD5: B97C0BCC8274BEC9AA677F93F76CC6E0   SHA256: 36E26EF723DC76BE9DB5260721A49166475602BD75032BF123212C905A5E61E7

PID 3976  iexplore.exe  (xml)
  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10   SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9

PID 1236  google_setup_S2105150849_.exe  (executable)
  C:\Users\admin\AppData\Local\Temp\pomqc3.dll
  MD5: F55B80B90410CD41451BD7FFA8F588CC   SHA256: 4FCE6D4B12971E3109092915F12A254EE1666B378DE0636B799CC77443734430

PID 1236  google_setup_S2105150849_.exe  (executable)
  C:\Users\admin\AppData\Local\Temp\nsvD257.tmp\System.dll
  MD5: FBE295E5A1ACFBD0A6271898F885FE6A   SHA256: A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1

PID 1236  google_setup_S2105150849_.exe  (executable)
  C:\Users\admin\AppData\Local\Temp\setuphlpr.dll
  MD5: 5B8659339FB6F998F25F3D7055B90A8C   SHA256: C9BFCEA372292FBD29F5A5F6CB51F97143D80E036133830FCB74F0994DE51050

PID 1236  google_setup_S2105150849_.exe  (typed as text by the sandbox despite the .exe name)
  C:\Users\admin\AppData\Local\Temp\preinst.exe
  MD5: D816786CDC29119D43D2B5AC16675921   SHA256: 14FAB0A64716584E787B293AF4D00A11CEE14F302CDF8E4A6F5C0D02691E324F

PID 3976  iexplore.exe  (binary)
  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{43739B33-0517-11EF-9E36-12A9866C77DE}.dat
  MD5: 1DDBB78D9FDFA91325D8880ED820B42B   SHA256: A2B31F5BEC6F5BD16FBE583D88B3BCED99147673050603032FF31E63BC3576A4

PID 3976  iexplore.exe  (text)
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe.a5lsbxu.partial:Zone.Identifier
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B   SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 76
DNS requests: 11
Threats: 5

HTTP requests

PID   Process       Method  Code  IP                     URL
3976  iexplore.exe  GET     304   23.32.238.219:80       http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ae977de40ce3b21
1132  pobus32.exe   POST    404   125.122.13.129:13023   http://125.122.13.129:13023/api/user/login2
1132  pobus32.exe   POST    404   125.122.13.129:13023   http://125.122.13.129:13023/api/user/login2
4032  iexplore.exe  GET     -     103.192.209.30:80      http://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe
3976  iexplore.exe  GET     304   23.32.238.219:80       http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?71672cd0900ed23e
3976  iexplore.exe  GET     304   23.32.238.219:80       http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?05ddb862cf824777
3976  iexplore.exe  GET     200   192.229.221.95:80      http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
1132  pobus32.exe   POST    404   125.122.13.129:13023   http://125.122.13.129:13023/api/user/login2
1132  pobus32.exe   POST    404   125.122.13.129:13023   http://125.122.13.129:13023/api/user/login2
1132  pobus32.exe   POST    404   125.122.13.129:13023   http://125.122.13.129:13023/api/user/login2

The CN, Type, Size and Reputation columns were blank or "unknown" for every row. pobus32.exe posted to /api/user/login2 on port 13023 five times within the capture and received a 404 each time.

Connections

PID   Process       Remote                  Domain                    ASN                         CN  Reputation
4     System        192.168.100.255:138     -                         -                           -   whitelisted
4     System        192.168.100.255:137     -                         -                           -   whitelisted
1088  svchost.exe   224.0.0.252:5355        -                         -                           -   unknown
4032  iexplore.exe  103.192.209.30:80       chrome.ruyu1.top          -                           CN  unknown
3976  iexplore.exe  152.199.19.161:443      iecvlist.microsoft.com    EDGECAST                    US  whitelisted
3976  iexplore.exe  23.32.238.219:80        ctldl.windowsupdate.com   Akamai International B.V.   DE  unknown
3976  iexplore.exe  192.229.221.95:80       ocsp.digicert.com         EDGECAST                    US  whitelisted
1132  pobus32.exe   125.122.13.129:13003    -                         Chinanet                    CN  unknown
1132  pobus32.exe   125.122.13.129:13001    -                         Chinanet                    CN  unknown
1132  pobus32.exe   125.122.13.129:13027    -                         Chinanet                    CN  unknown

DNS requests

Domain                      Resolved IP(s)                                  Reputation
chrome.ruyu1.top            103.192.209.30                                  unknown
iecvlist.microsoft.com      152.199.19.161                                  whitelisted
r20swj13mr.microsoft.com    152.199.19.161                                  whitelisted
ctldl.windowsupdate.com     23.32.238.219, 23.32.238.178, 23.32.238.201     whitelisted
ocsp.digicert.com           192.229.221.95                                  whitelisted

Threats

PID   Process       Class                                  Message
1088  svchost.exe   Potentially Bad Traffic                ET DNS Query to a *.top domain - Likely Hostile
4032  iexplore.exe  A Network Trojan was detected          ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4032  iexplore.exe  Potentially Bad Traffic                ET INFO HTTP Request to a *.top domain
4032  iexplore.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
4032  iexplore.exe  Misc activity                          ET HUNTING Possible EXE Download From Suspicious TLD

All five alerts fire on the download stage (the *.top DNS lookup and the EXE fetch over HTTP); none of the loaded rules matched pobus32.exe's traffic to 125.122.13.129 on ports 13001, 13003, 13023 and 13027, so the direct-to-IP check-ins are only visible in the Connections and HTTP requests tables.
Debug output

Process       Message
pobus32.exe   2024-04-28 05:25:37,thread#1988,err,pobus32.exe:(.\pohost.cpp.152)Install succeeded, start now: pobus
pobus32.exe   2024-04-28 05:25:37,thread#1844,warn,pobus32.exe:_BackupCid failed: get backup file failed
pobus32.exe   2024-04-28 05:25:37,thread#1844,err,pobus32.exe:invalid json file : C:\Windows\projone\potcm\cache\upgrade\client_upgrade.json
pobus32.exe   create agent in session 1
pobus32.exe   2024-04-28 05:25:37,thread#1844,err,pobus32.exe:parse addons desc failed
poda32.exe    2024-04-28 05:25:38,thread#2124,warn,scrnrcd32.dll:scrn history max use space: 8.00 GB
pobus32.exe   2024-04-28 05:25:38,thread#1844,err,powol32.dll:get client ip failed on LoadWolRules
pobus32.exe   2024-04-28 05:25:38,thread#2524,err,langrp32.dll:tmInit failed: 18
poda32.exe    2024-04-28 05:25:38,thread#580,warn,clientbase32.dll:StartSystemLockLog
pobus32.exe   2024-04-28 05:25:38,thread#1380,warn,pomqc3.dll:???
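The debug lines follow one layout, "date time,thread#N,level,module:message", where the module field names the component that logged (pobus32.exe itself or one of its DLLs: scrnrcd32.dll, powol32.dll, langrp32.dll, clientbase32.dll, pomqc3.dll), the message sometimes carries a "(.\file.cpp.line)" source prefix, and at least one line ("create agent in session 1") ignores the layout altogether. The parser below is an added example, not part of the sample or of ANY.RUN's tooling: it splits each line into those fields, strips and keeps the source prefix, pulls Windows paths out of the message text, and summarises by module, level and thread, with unparseable lines kept rather than dropped. The sample lines are the ten shown above with the process column removed; the field names and the regular expressions are this script's own.

```python
"""Added example (not ANY.RUN code): parse the pobus32/poda32 debug lines shown above."""
import re
from collections import Counter

# <date time>,thread#<n>,<level>,<module>:<message>; module is the EXE or DLL that logged.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),thread#(?P<thread>\d+),"
    r"(?P<level>[a-z]+),(?P<module>[^:]+):(?P<msg>.*)$")
SRC_RE = re.compile(r"^\((?P<src>\.\\[^)]*)\)")   # optional "(.\file.cpp.NNN)" prefix
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")      # Windows paths embedded in messages

# The report's debug output, verbatim, with the process column dropped.
SAMPLE = r"""
2024-04-28 05:25:37,thread#1988,err,pobus32.exe:(.\pohost.cpp.152)Install succeeded, start now: pobus
2024-04-28 05:25:37,thread#1844,warn,pobus32.exe:_BackupCid failed: get backup file failed
2024-04-28 05:25:37,thread#1844,err,pobus32.exe:invalid json file : C:\Windows\projone\potcm\cache\upgrade\client_upgrade.json
create agent in session 1
2024-04-28 05:25:37,thread#1844,err,pobus32.exe:parse addons desc failed
2024-04-28 05:25:38,thread#2124,warn,scrnrcd32.dll:scrn history max use space: 8.00 GB
2024-04-28 05:25:38,thread#1844,err,powol32.dll:get client ip failed on LoadWolRules
2024-04-28 05:25:38,thread#2524,err,langrp32.dll:tmInit failed: 18
2024-04-28 05:25:38,thread#580,warn,clientbase32.dll:StartSystemLockLog
2024-04-28 05:25:38,thread#1380,warn,pomqc3.dll:???
""".strip().splitlines()


def parse_line(line):
    """Return a record dict for a structured line, or None for free-form text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["thread"] = int(rec["thread"])
    src = SRC_RE.match(rec["msg"])
    rec["src"] = src.group("src") if src else None
    if src:
        rec["msg"] = rec["msg"][src.end():]   # keep the source reference out of the message
    rec["paths"] = PATH_RE.findall(rec["msg"])
    return rec


def summarize(lines):
    """Parse every line; keep unparseable ones; aggregate modules, levels, threads and paths."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return {
        "records": records,
        "unparsed": unparsed,
        "modules": sorted({r["module"] for r in records}),
        "levels": dict(Counter(r["level"] for r in records)),
        "threads": dict(Counter(r["thread"] for r in records)),
        "paths": sorted({p for r in records for p in r["paths"]}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("modules:", s["modules"])
    print("levels:", s["levels"])
    print("paths:", s["paths"])
    print("unparsed:", s["unparsed"])
```

Two things the summary makes visible that the raw table does not: the level field is not a reliable severity (the successful service install is logged at "err"), and the module field gives a ready list of the agent's own DLL names to pivot on when the same family turns up elsewhere.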