File name: upd-ps-x64-5.9.0.1832682_437685.exe

Full analysis: https://app.any.run/tasks/2353aede-4547-4bd6-8f26-dc9a23df652f
Verdict: Malicious activity
Threats: Adware

Adware is malware that targets users with unwanted advertisements and disrupts their browsing. It typically gets onto a system through software bundling, malicious websites or deceptive downloads. Once installed it may track user activity, collect sensitive data and display intrusive ads such as pop-ups or banners. Some variants evade security controls and establish persistence, which makes removal difficult, and adware is frequently bundled with or used to deliver other malware (this sample is also tagged as a stealer), so it is a real risk to user privacy and system security.

Analysis date: September 29, 2024, 18:36:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, adware, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed. Note that the "x64" in the file name is misleading: this is a 32-bit image, which is why it loads the wow64*.dll and syswow64 modules listed under Process information.
MD5: 5DFC3EEFE1C51312D0020910020C4025
SHA1: 8E6AB92A5D138B3F997EE0A12BB2438E82236760
SHA256: 7CFF549B9B283C2124A963526762625AC3A476CED39BAB1AFB2CF1ACCD3249D0
SSDEEP: 24576:Zxahw90UWGmv/wF7MZUEzP16RWO+OVeutDoH0e85yztIblQ/+BsozW0vSgn:Zxahw94Gmv/K7MZUEzP16RWhOVeutDoG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
All of the signatures below were triggered by upd-ps-x64-5.9.0.1832682_437685.exe (PID: 1184).

  • MALICIOUS
    • Steals credentials from Web Browsers
    • Actions look like stealing of personal data
    • Connects to the CnC server
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
    • Reads Microsoft Outlook installation path
    • Reads Internet Explorer settings
    • Access to an unwanted program domain was detected
  • INFO
    • Checks supported languages
    • Reads the computer name
    • Creates files or folders in the user directory
    • Creates files in a temporary directory
    • Disables trace logs
    • Checks proxy server information
    • The process uses the downloaded file
    • UPX packer has been detected
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
No Malware configuration.

TRiD (file-type heuristics; the number in parentheses is TRiD's confidence in percent)

.exe | Win64 Executable (generic) (43.7)
.exe | UPX compressed Win32 Executable (42.8)
.exe | Win32 Executable (generic) (7.1)
.exe | Generic Win/DOS Executable (3.1)
.exe | DOS Executable Generic (3.1)

TRiD's top guess of a Win64 executable is a heuristic miss: the PE header below says Intel 386, PE32, 32-bit, and the UPX guess is the correct one.

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:11:11 11:21:42+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16 (MSVC 2017 toolset)
CodeSize: 622592
InitializedDataSize: 28672
UninitializedDataSize: 1097728
EntryPoint: 0x1a4c40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1 (minimum OS Windows XP)
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.1111
ProductVersionNumber: 6.0.0.1111
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: _
FileVersion: 6.0.0.1111
InternalName: SEM智能下载器.exe ("SEM smart downloader")
LegalCopyright: Copyright (C) 2021
OriginalFileName: SEM智能下载器.exe
ProductName: SEM智能下载器.exe

Note the mismatch between the version resource (a Simplified Chinese "SEM smart downloader", version 6.0.0.1111, linked 2021-11-11) and the delivery name upd-ps-x64-5.9.0.1832682_437685.exe, which looks like a 64-bit updater package.
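The EXIF fields above are read straight from the PE headers. The following triage script is an added example, not part of the ANY.RUN report and not the sample's own code: it parses the DOS header, COFF file header and section table, reports machine type, link timestamp and characteristics, and flags the two things a practitioner wants to know before going further: that the image is UPX-packed and that the "x64" file name does not match a 32-bit image. The bytes in SAMPLE are a constructed, header-only stub that mirrors the report's values (Intel 386, linked 2021-11-11 11:21:42 UTC, no relocs); the real file is not embedded. The UPX0/UPX1/.rsrc section layout is the usual UPX layout and is an assumption, since the report does not list section names.

```python
"""Header-level PE triage: reads the fields the report lists under EXIF /
File info (machine type, link timestamp, characteristics, section table)
and flags UPX packing and the x64-name / 32-bit-image mismatch.

Added example, not ANY.RUN's code. The bytes in SAMPLE are a constructed,
header-only stub that mirrors the report's values; it is not the sample.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    sections = []
    table = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(nsections):
        hdr = data[table + i * 40:table + (i + 1) * 40]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size = struct.unpack_from("<III", hdr, 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size})
    names = {s["name"] for s in sections}
    return {
        "machine": machine,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "sections": sections,
        "upx_packed": bool(names & UPX_SECTION_NAMES),
    }


def triage(filename: str, data: bytes) -> tuple:
    """Return (parsed header info, list of human-readable findings)."""
    info = parse_pe(data)
    findings = []
    if info["upx_packed"]:
        findings.append("UPX section names present; unpack (upx -d) before static analysis")
    if "x64" in filename.lower() and info["is_32bit"]:
        findings.append("file name claims x64 but the image is 32-bit (runs under WOW64)")
    for s in info["sections"]:
        # A section with no raw data but a large virtual size is where a
        # packer stub decompresses the original image at run time.
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section {s['name']}: 0 bytes on disk, "
                            f"{s['virtual_size']} bytes in memory (unpack destination)")
    return info, findings


def build_stub(machine: int, timestamp: int, chars: int, sections) -> bytes:
    """Build a header-only PE stub for testing (constructed data; it cannot run)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(sections), timestamp, 0, 0, 0, chars)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0, raw, 0, 0, 0, 0, 0, 0)
        for name, vsize, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed stub mirroring the report: i386, linked 2021-11-11 11:21:42 UTC,
# "No relocs, Executable, 32-bit". The UPX0/UPX1/.rsrc layout is the usual
# UPX layout and is an assumption; the report does not list section names.
SAMPLE_NAME = "upd-ps-x64-5.9.0.1832682_437685.exe"
SAMPLE = build_stub(
    IMAGE_FILE_MACHINE_I386, 1636629702,
    IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
    [("UPX0", 0x10C000, 0), ("UPX1", 0x98000, 0x98000), (".rsrc", 0x7000, 0x7000)],
)

if __name__ == "__main__":
    info, findings = triage(SAMPLE_NAME, SAMPLE)
    print(f"machine=0x{info['machine']:04x} linked={info['timestamp']} upx={info['upx_packed']}")
    for f in findings:
        print(" -", f)
```

To run it against a real file, replace SAMPLE with open(path, "rb").read(); the parser only touches the headers, so it is safe to point at a sample without executing it. Hash the file separately and compare against the MD5/SHA256 above before trusting that you have the same artifact.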
All screenshots are available in the full report
Total processes: 124
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
  ├─ upd-ps-x64-5.9.0.1832682_437685.exe [THREAT] (PID 1184, HIGH integrity)
  └─ upd-ps-x64-5.9.0.1832682_437685.exe [no specs] (PID 1984, MEDIUM integrity)

Process information

PID 1184
  CMD: "C:\Users\admin\Desktop\upd-ps-x64-5.9.0.1832682_437685.exe"
  Path: C:\Users\admin\Desktop\upd-ps-x64-5.9.0.1832682_437685.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: _
  Version: 6.0.0.1111
  Indicators: all signatures listed above fired in this process
  Modules (images):
    c:\users\admin\desktop\upd-ps-x64-5.9.0.1832682_437685.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 1984
  CMD: "C:\Users\admin\Desktop\upd-ps-x64-5.9.0.1832682_437685.exe"
  Path: C:\Users\admin\Desktop\upd-ps-x64-5.9.0.1832682_437685.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: _
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 6.0.0.1111
  Modules (images):
    c:\users\admin\desktop\upd-ps-x64-5.9.0.1832682_437685.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

The two instances are one launch, not two: PID 1984 is the medium-integrity start, which terminated with STATUS_ELEVATION_REQUIRED, the status Windows returns when an executable is started without elevation but demands it (typically through a requireAdministrator manifest). PID 1184 is the same binary running at HIGH integrity after elevation, and it is the instance that performed all the recorded activity. The wow64.dll/wow64win.dll/wow64cpu.dll and syswow64 modules in both confirm a 32-bit image running under WOW64 on the 64-bit guest, despite the "x64" in the file name. In a real environment this means the sample needs the user to accept a UAC prompt (or an already-elevated launcher) before it does anything.
Total events: 944
Read events: 927
Write events: 17
Delete events: 0

Modification events

All writes below were made by PID 1184 (upd-ps-x64-5.9.0.1832682_437685.exe); operation: write.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\upd-ps-x64-5_RASAPI32
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown in the report)
  ConsoleTracingMask = (value not shown in the report)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\upd-ps-x64-5_RASMANCS
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0

Caveat on the "Disables trace logs" signature: the Tracing\<process name>_RASAPI32 and _RASMANCS keys are created automatically by the RAS/WinINet tracing code the first time a process uses those APIs, and 0 is the default for the Enable*Tracing values. These writes therefore show that the process initialised the Windows networking stack (consistent with the HTTP traffic below), not that it deliberately tampered with logging. The WOW6432Node path again reflects a 32-bit process on a 64-bit guest.
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | C:\Users\admin\AppData\Roaming\GlobalMgr.db | text
  MD5: EA40F1A108015B43A00A537FE7B29E05
  SHA256: 68E8C70F2385FB913783651297644DC9E1A50824EE6D0F763E0C02F2D48264C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 12
TCP/UDP connections: 34
DNS requests: 5
Threats: 5

HTTP requests

No HTTP response code is shown for the POST rows. The Type and Size columns of the original table were empty for every row and are omitted here.

PID | Process | Method | HTTP code | IP:port | URL | CN | Reputation
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/gl | unknown | malicious
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2352 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/png | unknown | malicious
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/png | unknown | malicious
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/gl | unknown | malicious
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/gl | unknown | malicious
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/png | unknown | malicious
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/png | unknown | malicious
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | POST | - | 47.103.45.17:80 | http://w.nanweng.cn/qy/gl | unknown | malicious

All sample traffic is plaintext HTTP on port 80 to a single host, w.nanweng.cn (47.103.45.17), alternating between the /qy/gl and /qy/png endpoints, so the requests and their bodies are fully visible on the wire. The CRL fetches by MoUsoCoreWorker.exe and RUXIMICS.exe are Windows Update background activity of the guest, not sample activity.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
6564 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2352 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
(not recorded) | (not recorded) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2352 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | 47.103.45.17:80 | w.nanweng.cn | Hangzhou Alibaba Advertising Co.,Ltd. (Alibaba Cloud) | CN | unknown

Only the last row belongs to the sample; the rest is guest background traffic (Windows telemetry, Windows Update CRL checks, NetBIOS and SSDP broadcasts).

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
google.com | 142.250.186.142 | whitelisted
w.nanweng.cn | 47.103.45.17 | unknown
www.microsoft.com | 88.221.169.152 | whitelisted

Threats

PID | Process | Class | Message | Alerts
1184 | upd-ps-x64-5.9.0.1832682_437685.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity | 5 (identical)
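The network section above yields the indicators a defender actually uses: the C2 domain w.nanweng.cn, its IP 47.103.45.17, the two POST endpoints /qy/gl and /qy/png, and the ET alert name. The following matcher is an added example, not part of the ANY.RUN report and not the Suricata rule itself: it runs those indicators over Zeek-style JSON http.log and dns.log events (field names as Zeek emits them). The log lines embedded in SAMPLE_LOG are constructed for the example, not traffic from the sandbox PCAP; the ET signature name is carried only as a label on each finding.

```python
"""IOC matcher for the network indicators in this report, run over Zeek-style
JSON log events. Added example, not ANY.RUN's code. SAMPLE_LOG is constructed
for the example (Zeek http.log / dns.log field names); it is not the sandbox PCAP.
"""
import json

IOCS = {
    "domains": {"w.nanweng.cn"},
    "ips": {"47.103.45.17"},
    "url_paths": {"/qy/gl", "/qy/png"},
}
# Label only; the Suricata rule itself is not reproduced here.
ET_ALERT = "ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity"

# Constructed sample events: one benign DNS lookup, the C2 resolution, two C2
# POSTs, a benign CRL fetch, and a decoy with the same path on another host.
SAMPLE_LOG = """\
{"_path":"dns","ts":1.0,"id.orig_h":"192.168.100.12","query":"settings-win.data.microsoft.com","answers":["20.73.194.208"]}
{"_path":"dns","ts":2.0,"id.orig_h":"192.168.100.12","query":"w.nanweng.cn","answers":["47.103.45.17"]}
{"_path":"http","ts":3.0,"id.orig_h":"192.168.100.12","id.resp_h":"47.103.45.17","id.resp_p":80,"method":"POST","host":"w.nanweng.cn","uri":"/qy/gl"}
{"_path":"http","ts":4.0,"id.orig_h":"192.168.100.12","id.resp_h":"88.221.169.152","id.resp_p":80,"method":"GET","host":"www.microsoft.com","uri":"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"}
{"_path":"http","ts":5.0,"id.orig_h":"192.168.100.12","id.resp_h":"47.103.45.17","id.resp_p":80,"method":"POST","host":"w.nanweng.cn","uri":"/qy/png"}
{"_path":"http","ts":6.0,"id.orig_h":"192.168.100.13","id.resp_h":"203.0.113.5","id.resp_p":80,"method":"POST","host":"cdn.example.net","uri":"/qy/gl"}
"""


def _domain_hit(name: str) -> bool:
    """Exact match or subdomain of an IOC domain (case-insensitive, FQDN dot tolerated)."""
    name = name.lower().rstrip(".")
    return name in IOCS["domains"] or any(name.endswith("." + d) for d in IOCS["domains"])


def match_event(event: dict) -> list:
    """Return the indicator tags an event matches; [] means clean."""
    hits = []
    if event.get("_path") == "dns":
        query = event.get("query", "")
        if _domain_hit(query):
            hits.append(f"dns:{query.lower()}")
        hits += [f"dns-answer:{a}" for a in event.get("answers", []) if a in IOCS["ips"]]
    elif event.get("_path") == "http":
        host, resp, uri = event.get("host", ""), event.get("id.resp_h", ""), event.get("uri", "")
        if _domain_hit(host):
            hits.append(f"http-host:{host.lower()}")
        if resp in IOCS["ips"]:
            hits.append(f"http-ip:{resp}")
        # A bare path such as /qy/gl is weak evidence on its own, so it only
        # counts when the same request already matched the C2 host or IP.
        if hits and uri in IOCS["url_paths"] and event.get("method") == "POST":
            hits.append(f"http-uri:POST {uri}")
    return hits


def scan(log_text: str) -> list:
    """Scan newline-delimited JSON events; return one finding per matching event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = match_event(event)
        if hits:
            findings.append({"ts": event["ts"], "src": event.get("id.orig_h"),
                             "hits": hits, "label": ET_ALERT})
    return findings


def hosts_with_c2_contact(findings: list) -> set:
    """Sources that actually talked to the C2 over HTTP, not just resolved it."""
    return {f["src"] for f in findings if any(h.startswith("http-") for h in f["hits"])}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], ", ".join(f["hits"]))
    print("hosts with C2 contact:", sorted(hosts_with_c2_contact(scan(SAMPLE_LOG))))
```

The distinction between a DNS-only hit and an HTTP hit matters for triage: a resolution of w.nanweng.cn can come from a security scanner or a sandbox, whereas a POST to /qy/gl or /qy/png from a workstation is the sample itself checking in. Because the C2 traffic is unencrypted HTTP on port 80, the same logic works on proxy logs, and the request bodies can be pulled from the PCAP for further analysis.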
No debug info