URL: http://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe
Full analysis: https://app.any.run/tasks/4f6dc08a-da6b-4edb-bcb2-2e446e6d6b2a
Verdict: Malicious activity
Analysis date: April 28, 2024, 04:24:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 6B168ACEE0686F3EC85104B875455CDA
SHA1: 5EB2542B47C82DC58414DDA9B306E4474E58E2BD
SHA256: 6FFA0121E8CDC80DCBDB3A20B88D338E52BC34C02094FED09F333F681F62B3AB
SSDEEP: 3:N1KdNXK9HLRqBLrJZfhYKA:CvK9HQBPJ3q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • google_setup_S2105150849_.exe (PID: 1236)
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Registers / Runs the DLL via REGSVR32.EXE
      • google_setup_S2105150849_.exe (PID: 1236)
    • Creates a writable file in the system directory
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Actions look like stealing of personal data
      • poda32.exe (PID: 1788)
  • SUSPICIOUS
    • Potential Corporate Privacy Violation
      • iexplore.exe (PID: 4032)
    • The process creates files with names similar to system file names
      • google_setup_S2105150849_.exe (PID: 1236)
      • pobus32.exe (PID: 1132)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • google_setup_S2105150849_.exe (PID: 1236)
    • Drops a system driver (possible attempt to evade defenses)
      • google_setup_S2105150849_.exe (PID: 1236)
      • poda32.exe (PID: 1788)
    • Executable content was dropped or overwritten
      • google_setup_S2105150849_.exe (PID: 1236)
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Executes as Windows Service
      • pobus32.exe (PID: 1132)
    • Creates/Modifies COM task schedule object
      • regsvr32.exe (PID: 2052)
    • Creates files in the driver directory
      • poda32.exe (PID: 1788)
    • Searches for installed software
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Creates or modifies Windows services
      • poda32.exe (PID: 1788)
    • Connects to unusual port
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 1132)
    • Adds/modifies Windows certificates
      • poda32.exe (PID: 1788)
  • INFO
    • Drops the executable file immediately after the start
      • iexplore.exe (PID: 4032)
      • iexplore.exe (PID: 3976)
    • Application launched itself
      • iexplore.exe (PID: 3976)
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 4032)
      • iexplore.exe (PID: 3976)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 3976)
    • Reads the computer name
      • wmpnscfg.exe (PID: 2040)
      • google_setup_S2105150849_.exe (PID: 1236)
      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 2008)
      • assisths.exe (PID: 2404)
      • assists.exe (PID: 1644)
    • Checks supported languages
      • wmpnscfg.exe (PID: 2040)
      • google_setup_S2105150849_.exe (PID: 1236)
      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
      • pobus32.exe (PID: 2008)
      • assisths.exe (PID: 2404)
      • assisthost.exe (PID: 2812)
      • assistda.exe (PID: 2732)
      • assists.exe (PID: 1644)
    • The process uses the downloaded file
      • iexplore.exe (PID: 3976)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2040)
    • Creates files in a temporary directory
      • google_setup_S2105150849_.exe (PID: 1236)
    • Creates files in the program directory
      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
      • assisths.exe (PID: 2404)
    • Creates files or folders in the user directory
      • poda32.exe (PID: 1788)
    • Reads the machine GUID from the registry
      • pobus32.exe (PID: 1132)
      • poda32.exe (PID: 1788)
No Malware configuration.
Total processes: 164
Monitored processes: 70
Malicious processes: 5
Suspicious processes: 0


Process information

PID: 368
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 600
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 748
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 1032
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 1056
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 1064
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 1132
CMD: C:\Windows\projone\potcm\pobus32.exe
Path: C:\Windows\projone\potcm\pobus32.exe
Parent process: services.exe
User: SYSTEM
Company: gooxion
Integrity Level: SYSTEM
Description: pobus 应用程序 (pobus application)
Version: 5,1,15,2403
Modules (images): c:\windows\projone\potcm\pobus32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll

PID: 1184
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll

PID: 1236
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe
Parent process: iexplore.exe
User: admin
Company: 终端安全软件 (Endpoint Security Software)
Integrity Level: HIGH
Description: 安全终端 安装程序 (Secure Endpoint installer)
Exit code: 0
Version: 5.1.15.2403
Modules (images): c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\google_setup_s2105150849_.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\shell32.dll

PID: 1240
CMD: C:\Windows\projone\potcm\assisths.exe
Path: C:\Windows\projone\potcm\assisths.exe
Parent process: pobus32.exe
User: SYSTEM
Company: Gooxion software
Integrity Level: SYSTEM
Description: asphs
Exit code: 3221225781 (0xC0000135, STATUS_DLL_NOT_FOUND)
Version: 5.1.15.2010
Modules (images): c:\windows\projone\potcm\assisths.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll
Total events: 39 846
Read events: 35 178
Write events: 3 472
Delete events: 1 196

Modification events

(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPDaysSinceLastAutoMigration | Value: 1
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPLastLaunchLowDateTime | Value: 97556672
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPLastLaunchHighDateTime | Value: 31103268
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | Operation: write | Name: NextCheckForUpdateLowDateTime | Value: 397712922
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | Operation: write | Name: NextCheckForUpdateHighDateTime | Value: 31103268
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Operation: write | Name: CompatibilityFlags | Value: 0
(3976) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files: 159
Suspicious files: 36
Text files: 323
Unknown types: 11

Dropped files (PID | Process | Filename | Type)

4032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\google_setup_S2105150849_[1].exe | executable
  MD5: B97C0BCC8274BEC9AA677F93F76CC6E0
  SHA256: 36E26EF723DC76BE9DB5260721A49166475602BD75032BF123212C905A5E61E7
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml | xml
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10
  SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3976 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 50F774B821B20BE2C53993F1C3F952ED
  SHA256: 98D27CAD748D372DB2068F1667C161D0A1B545B685E7DE6C1DE72F3FFC946D2E
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{43739B35-0517-11EF-9E36-12A9866C77DE}.dat | binary
  MD5: 8FC08F16F762BEE5636D0EE345E77F27
  SHA256: 75926AEE57206207ABE01F14EFBE653BC148E6528E83364AF80AE80F814B66F1
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin | binary
  MD5: FA518E3DFAE8CA3A0E495460FD60C791
  SHA256: 775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB509.tmp | xml
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10
  SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF53A865EFA32FB601.TMP | gmc
  MD5: A1EA79A70FD4B250F030589ADFA06481
  SHA256: ABFA01E3013B477E01422E317B6D1B81B5D0869A8D5565BEA8D450EF5894E3B8
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe | executable
  MD5: 655C33920FD920DC86FE9C572F1BBABA
  SHA256: EC4A958AB73FA233B4BB5CBAF68EA3486384997D53740BFA9C3307CE150A59DD
4032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\google_setup_S2105150849_.exe.a5lsbxu.partial | executable
  MD5: 655C33920FD920DC86FE9C572F1BBABA
  SHA256: EC4A958AB73FA233B4BB5CBAF68EA3486384997D53740BFA9C3307CE150A59DD
1236 | google_setup_S2105150849_.exe | C:\Users\admin\AppData\Local\Temp\nsvD257.tmp\modern-wizard.bmp | image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
HTTP(S) requests: 17
TCP/UDP connections: 76
DNS requests: 11
Threats: 5

HTTP requests (columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation; "-" marks a column the report left empty)

4032 | iexplore.exe | GET | - | 103.192.209.30:80 | http://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe | unknown | unknown
3976 | iexplore.exe | GET | 304 | 23.32.238.219:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?71672cd0900ed23e | unknown | unknown
3976 | iexplore.exe | GET | 304 | 23.32.238.219:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ae977de40ce3b21 | unknown | unknown
3976 | iexplore.exe | GET | 304 | 23.32.238.219:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?05ddb862cf824777 | unknown | unknown
3976 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
1132 | pobus32.exe | POST | 404 | 125.122.13.129:13023 | http://125.122.13.129:13023/api/user/login2 | unknown | unknown
1132 | pobus32.exe | POST | 404 | 125.122.13.129:13023 | http://125.122.13.129:13023/api/user/login2 | unknown | unknown
1132 | pobus32.exe | POST | 404 | 125.122.13.129:13023 | http://125.122.13.129:13023/api/user/login2 | unknown | unknown
1132 | pobus32.exe | POST | 404 | 125.122.13.129:13023 | http://125.122.13.129:13023/api/user/login2 | unknown | unknown
1132 | pobus32.exe | POST | 404 | 125.122.13.129:13023 | http://125.122.13.129:13023/api/user/login2 | unknown | unknown

Connections (columns: PID | Process | IP | Domain | ASN | CN | Reputation; columns the report left empty are omitted)

4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown
4032 | iexplore.exe | 103.192.209.30:80 | chrome.ruyu1.top | CN | unknown
3976 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
3976 | iexplore.exe | 23.32.238.219:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3976 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1132 | pobus32.exe | 125.122.13.129:13003 | Chinanet | CN | unknown
1132 | pobus32.exe | 125.122.13.129:13001 | Chinanet | CN | unknown
1132 | pobus32.exe | 125.122.13.129:13027 | Chinanet | CN | unknown

DNS requests (Domain | IP | Reputation)

chrome.ruyu1.top | 103.192.209.30 | unknown
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ctldl.windowsupdate.com | 23.32.238.219, 23.32.238.178, 23.32.238.201 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats (PID | Process | Class | Message)

1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
4032 | iexplore.exe | A Network Trojan was detected | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4032 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
4032 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4032 | iexplore.exe | Misc activity | ET HUNTING Possible EXE Download From Suspicious TLD
Debug output (Process | Message)

pobus32.exe | 2024-04-28 05:25:37,thread#1988,err,pobus32.exe:(.\pohost.cpp.152)Install succeeded, start now: pobus
pobus32.exe | 2024-04-28 05:25:37,thread#1844,warn,pobus32.exe:_BackupCid failed: get backup file failed
pobus32.exe | 2024-04-28 05:25:37,thread#1844,err,pobus32.exe:invalid json file : C:\Windows\projone\potcm\cache\upgrade\client_upgrade.json
pobus32.exe | create agent in session 1
pobus32.exe | 2024-04-28 05:25:37,thread#1844,err,pobus32.exe:parse addons desc failed
poda32.exe | 2024-04-28 05:25:38,thread#2124,warn,scrnrcd32.dll:scrn history max use space: 8.00 GB
pobus32.exe | 2024-04-28 05:25:38,thread#1844,err,powol32.dll:get client ip failed on LoadWolRules
pobus32.exe | 2024-04-28 05:25:38,thread#2524,err,langrp32.dll:tmInit failed: 18
poda32.exe | 2024-04-28 05:25:38,thread#580,warn,clientbase32.dll:StartSystemLockLog
pobus32.exe | 2024-04-28 05:25:38,thread#1380,warn,pomqc3.dll:???