| File name: | 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d |
| Full analysis: | https://app.any.run/tasks/9f014c01-253a-48b2-b770-c1b9d09d641c |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | March 15, 2025, 04:34:13 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | 692B5019259BBD3AA6DF3C2C9C3CB1A4 |
| SHA1: | D3D3ABB7719C0603D19A6FF2A55FCC4393374744 |
| SHA256: | 816F49DDB12AB505306BBAFB0CB3895F5B5EDC944BE99B357FD9BA9EC8AFA59D |
| SSDEEP: | 3072:0ojm+jPG7xkW6WKv1UMsKB7FfvghH/DX:0ojm+jP3WC1UMz7dvgh7 |
MALICIOUS
UAC/LUA settings modification
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
Changes the autorun value in the registry
- ld11.exe (PID: 7540)
SUSPICIOUS
Starts itself from another location
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
Starts CMD.EXE for commands execution
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
Executing commands from a ".bat" file
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
Executable content was dropped or overwritten
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
Likely accesses (executes) a file from the Public directory
- ld11.exe (PID: 8008)
- ld11.exe (PID: 8056)
- ld11.exe (PID: 7540)
Reads security settings of Internet Explorer
- ld11.exe (PID: 7540)
- ShellExperienceHost.exe (PID: 7696)
Access to an unwanted program domain was detected
- ld11.exe (PID: 7540)
INFO
The sample compiled with english language support
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
Checks supported languages
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
- ld11.exe (PID: 7540)
- ld11.exe (PID: 8056)
- ShellExperienceHost.exe (PID: 7696)
Process checks whether UAC notifications are on
- 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe (PID: 7516)
- ld11.exe (PID: 8056)
- ld11.exe (PID: 7540)
Manual execution by a user
- ld11.exe (PID: 8008)
- ld11.exe (PID: 8056)
Autorun file from Registry key
- ld11.exe (PID: 7540)
Reads the computer name
- ld11.exe (PID: 7540)
- ShellExperienceHost.exe (PID: 7696)
Checks proxy server information
- ld11.exe (PID: 7540)
- slui.exe (PID: 5556)
Reads the software policy settings
- slui.exe (PID: 5556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (41) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.6) |
| .exe | | | Win32 Executable (generic) (5.9) |
| .exe | | | Clipper DOS Executable (2.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2004:04:05 09:18:57+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 7.1 |
| CodeSize: | 69632 |
| InitializedDataSize: | 32768 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3f5d |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.35.42.37 |
| ProductVersionNumber: | 7.35.42.37 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | COMODO Security Solutions Inc. |
| FileDescription: | NDIS writing Launcher Micro Audio Internet IntelliPoint Office |
| FileVersion: | 7, 35, 42, 37 |
| InternalName: | okotray.exe |
| LegalCopyright: | Copyright COMODO Security Solutions Inc. 1991 |
| OriginalFileName: | okotray.exe |
| ProductName: | Update SmartLink Catalyst ATI |
| ProductVersion: | 7.35 |
Total processes
131
Monitored processes
9
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5556 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7428 | "C:\Users\admin\Desktop\816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe" | C:\Users\admin\Desktop\816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 7516 | "C:\Users\admin\Desktop\816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe" | C:\Users\admin\Desktop\816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 7540 | C:\Users\Public\Music\ld11.exe | C:\Users\Public\Music\ld11.exe | 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | ||||||||||||
User: admin Company: COMODO Security Solutions Inc. Integrity Level: HIGH Description: NDIS writing Launcher Micro Audio Internet IntelliPoint Office Exit code: 0 Version: 7, 35, 42, 37 Modules
| |||||||||||||||
| 7548 | C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\dxxdv34567.bat | C:\Windows\SysWOW64\cmd.exe | — | 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7560 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7696 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Shell Experience Host Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8008 | "C:\Users\Public\Music\ld11.exe" | C:\Users\Public\Music\ld11.exe | — | explorer.exe | |||||||||||
User: admin Company: COMODO Security Solutions Inc. Integrity Level: MEDIUM Description: NDIS writing Launcher Micro Audio Internet IntelliPoint Office Exit code: 3221226540 Version: 7, 35, 42, 37 Modules
| |||||||||||||||
| 8056 | "C:\Users\Public\Music\ld11.exe" | C:\Users\Public\Music\ld11.exe | explorer.exe | ||||||||||||
User: admin Company: COMODO Security Solutions Inc. Integrity Level: HIGH Description: NDIS writing Launcher Micro Audio Internet IntelliPoint Office Exit code: 0 Version: 7, 35, 42, 37 Modules
| |||||||||||||||
Total events
5 046
Read events
5 038
Write events
5
Delete events
3
Modification events
| (PID) Process: | (7516) 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | EnableLUA |
Value: 0 | |||
| (PID) Process: | (7540) ld11.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | OKOTray |
Value: C:\Users\Public\Music\ld11.exe | |||
| (PID) Process: | (7540) ld11.exe | Key: | HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7540) ld11.exe | Key: | HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7540) ld11.exe | Key: | HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7540) ld11.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | TP |
Value: 1 | |||
| (PID) Process: | (7696) ShellExperienceHost.exe | Key: | \REGISTRY\A\{09f49d73-cb11-1e61-e829-7298d6bbcddd}\LocalState |
| Operation: | write | Name: | PeekBadges |
Value: 5B005D00000089F649866395DB01 | |||
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7516 | 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | C:\Users\admin\Desktop\sd.dat | text | |
MD5:64E1E1CBE1CA8E88EF3A838A3E7B57D6 | SHA256:0510EDDD781102030EB8860671503A28E6A37F5346DE429BDD47C0A37C77CC7D | |||
| 7516 | 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | C:\Users\Public\Music\ld11.exe | executable | |
MD5:692B5019259BBD3AA6DF3C2C9C3CB1A4 | SHA256:816F49DDB12AB505306BBAFB0CB3895F5B5EDC944BE99B357FD9BA9EC8AFA59D | |||
| 7516 | 816f49ddb12ab505306bbafb0cb3895f5b5edc944be99b357fd9ba9ec8afa59d.exe | C:\Windows\dxxdv34567.bat | text | |
MD5:BFCEB528F1A80CE65C8B96DF2C33F638 | SHA256:1E5E1D15DD37C21869B2139B738F4586463CC1F69DE82BF594E1F9F23D93F8F5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
25
DNS requests
25
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7540 | ld11.exe | GET | 302 | 216.58.206.68:80 | http://www.google.com/ | unknown | — | — | whitelisted |
7540 | ld11.exe | POST | 301 | 188.114.97.3:80 | http://mahjongmuseum.com/.sys/Proxy.php?controller=ping | unknown | — | — | unknown |
7540 | ld11.exe | POST | 200 | 64.187.231.217:80 | http://www.powertreecorp.com/.sys/Proxy.php?controller=ping | unknown | — | — | unknown |
— | — | POST | — | 138.201.235.233:80 | http://reishus.de/.sys/Proxy.php?controller=ping | unknown | — | — | unknown |
7540 | ld11.exe | POST | 301 | 188.114.96.3:80 | http://mdcoc.net/.sys/Proxy.php?controller=ping | unknown | — | — | unknown |
7540 | ld11.exe | POST | 404 | 145.239.37.162:80 | http://www.partenaires-particuliers.fr/.sys/Proxy.php?controller=ping | unknown | — | — | unknown |
7540 | ld11.exe | POST | 405 | 13.248.169.48:80 | http://sphusa.com/.sys/Proxy.php?controller=ping | unknown | — | — | unknown |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7540 | ld11.exe | 216.58.206.68:80 | www.google.com | GOOGLE | US | whitelisted |
7540 | ld11.exe | 188.114.97.3:80 | mahjongmuseum.com | CLOUDFLARENET | NL | unknown |
7540 | ld11.exe | 64.187.231.217:80 | www.powertreecorp.com | QUICKPACKET | US | unknown |
7540 | ld11.exe | 138.201.235.233:80 | reishus.de | Hetzner Online GmbH | DE | unknown |
7540 | ld11.exe | 145.239.37.162:80 | www.partenaires-particuliers.fr | OVH SAS | FR | unknown |
7540 | ld11.exe | 188.114.96.3:80 | mahjongmuseum.com | CLOUDFLARENET | NL | unknown |
7540 | ld11.exe | 13.248.169.48:80 | sphusa.com | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.google.com |
| whitelisted |
www.gdservices91.com |
| unknown |
www.9-mois-tout-rond.com |
| unknown |
mahjongmuseum.com |
| unknown |
www.powertreecorp.com |
| unknown |
norrbotten.adventkyrka.se |
| unknown |
reishus.de |
| unknown |
www.partenaires-particuliers.fr |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |
7540 | ld11.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (MSIE7 na) |