File name: 150a2af5-c041-11e6-bedf-80e65024849a.exe

Full analysis: https://app.any.run/tasks/966c5740-bdcf-496f-9c39-245455104b29
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 07, 2018, 19:37:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AB582FF6A74E9F976111CE730D640AD5
SHA1: BE287E5018DED2F913E9C9060A18EEFE0FA200D1
SHA256: 8CBD16EB6AD744F0463991AFF04BBBB8CE7E51635DD68025788E9E63CA79D62B
SSDEEP: 98304:yUoSKgN0kcE5pK8jf6IVLBKSIZSXh99YeT:yTAN0Oz7SHZWT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • leyou.exe (PID: 3196)
      • leyou.exe (PID: 3148)
      • leyou.exe (PID: 3488)
    • Downloads executable files from the Internet

      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
  • SUSPICIOUS

    • Creates files in the user directory

      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
    • Creates files in the program directory

      • leyou.exe (PID: 3196)
      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
    • Uses ATTRIB.EXE to modify file attributes

      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
    • Changes IE settings (feature browser emulation)

      • leyou.exe (PID: 3196)
    • Creates a software uninstall entry

      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
    • Executable content was dropped or overwritten

      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
    • Reads internet explorer settings

      • leyou.exe (PID: 3196)
  • INFO

    • Dropped object may contain URL's

      • 150a2af5-c041-11e6-bedf-80e65024849a.exe (PID: 3796)
      • leyou.exe (PID: 3196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

ProductVersion: 9, 0, 0, 5
FileVersion: 9, 0, 0, 5
ProductName: 安装向导
OriginalFileName: gamebox.exe
LegalCopyright: Copyright (C) 2016
InternalName: gamebox
FileDescription: 安装向导
Comments: 安装向导
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Unknown
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 9.0.0.5
FileVersionNumber: 9.0.0.5
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x76982
UninitializedDataSize: -
InitializedDataSize: 3342848
CodeSize: 711680
LinkerVersion: 9
PEType: PE32
TimeStamp: 2016:10:24 12:20:14+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Oct-2016 10:20:14
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • e:\svn\PacketSVN\trunk\bin\Win32\Release\build\leyoubox\leyou_10241819.pdb
Comments: 安装向导
FileDescription: 安装向导
InternalName: gamebox
LegalCopyright: Copyright (C) 2016
OriginalFilename: gamebox.exe
ProductName: 安装向导
FileVersion: 9, 0, 0, 5
ProductVersion: 9, 0, 0, 5

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 24-Oct-2016 10:20:14
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000ADA31 | 0x000ADC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.53059
.rdata | 0x000AF000 | 0x0002731C | 0x00027400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.95118
.data | 0x000D7000 | 0x0000A4E0 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.56399
.rsrc | 0x000E2000 | 0x002F45F4 | 0x002F4600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.97252
.reloc | 0x003D7000 | 0x000106DA | 0x00010800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.09055

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.01229 | 633 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 5.23213 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 5.5437 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
4 | 5.81331 | 2440 | Latin 1 / Western European | Chinese - PRC | RT_ICON
5 | 5.97305 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
7 | 1.85835 | 64 | Latin 1 / Western European | Chinese - PRC | RT_STRING
101 | 7.99992 | 2829899 | Latin 1 / Western European | Chinese - PRC | EXE
102 | 5.83937 | 141 | Latin 1 / Western European | Chinese - PRC | PNG
103 | 7.88325 | 15715 | Latin 1 / Western European | Chinese - PRC | PNG
104 | 7.71786 | 1034 | Latin 1 / Western European | Chinese - PRC | PNG

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
NETAPI32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
PSAPI.DLL
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Behavior graph from the full report: 150a2af5-c041-11e6-bedf-80e65024849a.exe (drop and start) -> leyou.exe, leyou.exe (no specs), leyou.exe; attrib.exe (no specs), attrib.exe (no specs); 150a2af5-c041-11e6-bedf-80e65024849a.exe (no specs)]

Process information

PID | CMD | Path | Parent process

820 | attrib +r "C:\Program Files\cache\快捷导航.lnk" | C:\Windows\system32\attrib.exe | 150a2af5-c041-11e6-bedf-80e65024849a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1972 | "C:\Users\admin\AppData\Local\Temp\150a2af5-c041-11e6-bedf-80e65024849a.exe" | C:\Users\admin\AppData\Local\Temp\150a2af5-c041-11e6-bedf-80e65024849a.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Description: 安装向导
Exit code: 3221226540
Version: 9, 0, 0, 5
Modules (Images):
c:\users\admin\appdata\local\temp\150a2af5-c041-11e6-bedf-80e65024849a.exe
c:\systemroot\system32\ntdll.dll

2760 | attrib +r "C:\Users\admin\Desktop\快捷导航.lnk" | C:\Windows\system32\attrib.exe | 150a2af5-c041-11e6-bedf-80e65024849a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3148 | "C:\Program Files\leyoubox\leyou.exe" | C:\Program Files\leyoubox\leyou.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Description: 游戏盒
Exit code: 3221226540
Version: 9.0.0.5
Modules (Images):
c:\program files\leyoubox\leyou.exe
c:\systemroot\system32\ntdll.dll

3196 | "C:\Program Files\leyoubox\leyou.exe" | C:\Program Files\leyoubox\leyou.exe | 150a2af5-c041-11e6-bedf-80e65024849a.exe
User: admin
Integrity Level: HIGH
Description: 游戏盒
Exit code: 0
Version: 9.0.0.5
Modules (Images):
c:\program files\leyoubox\leyou.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

3488 | "C:\Program Files\leyoubox\leyou.exe" | C:\Program Files\leyoubox\leyou.exe | explorer.exe
User: admin
Integrity Level: HIGH
Description: 游戏盒
Exit code: 0
Version: 9.0.0.5
Modules (Images):
c:\program files\leyoubox\leyou.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

3796 | "C:\Users\admin\AppData\Local\Temp\150a2af5-c041-11e6-bedf-80e65024849a.exe" | C:\Users\admin\AppData\Local\Temp\150a2af5-c041-11e6-bedf-80e65024849a.exe | explorer.exe
User: admin
Integrity Level: HIGH
Description: 安装向导
Exit code: 0
Version: 9, 0, 0, 5
Modules (Images):
c:\users\admin\appdata\local\temp\150a2af5-c041-11e6-bedf-80e65024849a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 891
Read events: 305
Write events: 586
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASAPI32 | write | EnableFileTracing | 0
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASAPI32 | write | EnableConsoleTracing | 0
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASAPI32 | write | FileTracingMask | 4294901760
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASAPI32 | write | ConsoleTracingMask | 4294901760
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASAPI32 | write | MaxFileSize | 1048576
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASAPI32 | write | FileDirectory | %windir%\tracing
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASMANCS | write | EnableFileTracing | 0
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASMANCS | write | EnableConsoleTracing | 0
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASMANCS | write | FileTracingMask | 4294901760
(3796) 150a2af5-c041-11e6-bedf-80e65024849a.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\150a2af5-c041-11e6-bedf-80e65024849a_RASMANCS | write | ConsoleTracingMask | 4294901760
Executable files: 8
Suspicious files: 1
Text files: 450
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LM4BD81N\count[1].do | text | - | -
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LKO8ICX\pinforesults[1].do | text | - | -
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\css\box_gl.css | text | DE3116C0544A129D2C9C6279B9FCE99C | 9B79524C70B0063A6E283B717BBC139D0E46C8957E842A93CC7853245A0FF310
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\css\search_con.css | text | 67CA0D58A8EFC8896FECE8B5BAE298C6 | 857C140705AB106B3728849B8D168D8C53D2C1F004F3CE68F9FA53FDE006E0C8
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\css\item_dj.css | text | EE61C97AD6856F91FE27582F2B3BD6CE | 5F58BDEFCEBCAD30751A5727FA0DC32A1B4DE5EBADC5377B283517C5D7B0AE5D
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\css\jscrollpane.css | text | 81B0ED10A5D9CD03DF6DB61051742FFD | EB8556903F66E639A8880EF1EEAAADC2174550306D33984E8774B13A75CF6B81
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\config.ini | text | 205FEAA8FFC29BA696B672314C1D25DC | FB170FA34A226CE0D90220F62535132382D1A480A2BBF93133DD6C87699EC7FA
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\gl_item.html | html | 715E5386C1CC8AAEB8DB5AB9B86D1B0A | C2DA0FB41137CD132FD45F2EBABAA1E6368863EAB96CBAC5B710D69932458AD7
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\images\80x80.gif | image | D1D39F93345B599A4F0777E3503C140C | 331082FFAB408EBBE7FFD7126F4E3661137C3D2C66293850D78AFE43A93419A4
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | C:\Program Files\leyoubox\Cache\box_new\css\item.css | text | A8CB240B61E3D7F505F4EFD297B85CA5 | 9EB32EADD8118C24E5A0FC66B929D2E61AC39C7C11B0BA63BC7535AC40FCB305
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 36
TCP/UDP connections: 14
DNS requests: 13
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | GET | 200 | 118.89.223.27:80 | http://tongji2.box.uuuo.com/count.do?sc=%3DVEPzJUP6B0N2FUQm2Xb1aTN4h0Z0dkNxNEP6VXaiaXO5R3NkSkOnSHNiCkZ6FkOx1UalA3Zn1USr2FeSeWX1W1SPSYRF2FeSSmU1mFWP2kc0aTOvBkMx5TPA53cqOodmaoKzWHb1A3Yve4cliYfA13czanK0OYakOXe0AGctGHe06XbgeYav2UaxmIe | CN | text | 81 b | unknown
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | GET | 200 | 118.89.223.27:80 | http://tongji2.box.uuuo.com/count.do?sc=%3D%3DhO5JkN6lEN0VUNAVXcqSoK3hUO5JXOnWnOyBUOiGnZ5BkNnWXP0lkazlUZ2h0O0BUQmS3ckaTQGqXU1G2WaSYSI6FeCSVU1GGWPSYTV6VQvOoK25DNvBkM61kcwm3dzWnenJYapS4cg63ewSHf62UcwKoanN4dmO3Z2O4YtyXZ1Oocq2UaxmIe | CN | text | 81 b | unknown
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | GET | 200 | 118.89.223.27:80 | http://tongji2.box.uuuo.com/count.do?sc=%3DBEPzJUP6B0N2FUQm2Xb1aDP2NUazNENjWHOkWUOxBUP1dUZnWXNlmkOlWkZ1Z0Nj2UalA3Zn1USr2FeSeWX1W1SPSYRF2FeSSmU1mFWP2kc0aTOvBkMx5TPA53cqOodmaoKzWHb1A3Yve4cliYfA13czanKtyXZ1Oocq2UaxmIe | CN | text | 81 b | unknown
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | GET | 200 | 123.207.141.44:80 | http://ggstats.box.uuuo.com/pinforesults.do?sc=zWHb1A3Yve4cliYfA13cza3Znh4cj63ewSHf62UcwKoanhUQ16XewOnKyJUMlGXMiSUMxBUM1VUMzVUQkGXcnZUQlm3d | CN | text | 10.6 Kb | malicious
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | GET | 200 | 119.36.192.8:80 | http://box64.uuuo.com/Install/openlnksetting_2000.json | CN | text | 1.54 Kb | malicious
3196 | leyou.exe | GET | 200 | 180.97.77.96:80 | http://box64.yxdown.com/yxh/game_buy.json | CN | text | 31.1 Kb | suspicious
3196 | leyou.exe | GET | 200 | 121.29.54.117:80 | http://api.box.uuuo.com/open/pcng/soft/catalogs/list.json | CN | text | 1.05 Kb | suspicious
3196 | leyou.exe | GET | 200 | 58.87.103.64:80 | http://boxconfig.uuuo.com/open/yx.pcbox.shouyou.config.json | CN | text | 1.02 Kb | unknown
3196 | leyou.exe | GET | 200 | 118.89.226.236:80 | http://ustats.box.uuuo.com/count.do?sc=%3DRUPzJUP6B0N2FUQm2Xb1azOieEO1ZXZ1JEOyJUZke0N3J3Z0dEa5VXZiKHP1hEP51UalA3Zn1USr2FeSeWX1W1SPSYRF2FeSSmU1mFWP2kc0aDPmm3YwancqA2ZxAmdmOYeANYfmunK25DNvBkM61kcwm3dzWnenJYapS4cg63ewSHf62UcwKoan1UaxmIe | CN | text | 303 b | malicious
3196 | leyou.exe | GET | 200 | 157.185.159.177:80 | http://boxconfig.yxdown.com/open/new_tiepian.js | US | html | 2.34 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | 119.36.192.8:80 | box64.uuuo.com | CHINA UNICOM China169 Backbone | CN | suspicious
3196 | leyou.exe | 180.97.77.96:80 | box64.uuuo.com | AS Number for CHINANET jiangsu province backbone | CN | unknown
3196 | leyou.exe | 119.36.192.8:80 | box64.uuuo.com | CHINA UNICOM China169 Backbone | CN | suspicious
3196 | leyou.exe | 121.29.54.117:80 | api.box.uuuo.com | CHINA UNICOM China169 Backbone | CN | unknown
3196 | leyou.exe | 118.89.226.236:80 | ustats.box.uuuo.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
3196 | leyou.exe | 58.87.103.64:80 | boxconfig.uuuo.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
3196 | leyou.exe | 59.110.92.40:80 | app.yeshen.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | 180.97.77.94:80 | box64.uuuo.com | AS Number for CHINANET jiangsu province backbone | CN | suspicious
3196 | leyou.exe | 157.185.159.177:80 | boxconfig.yxdown.com | - | US | suspicious
3196 | leyou.exe | 183.131.87.16:80 | i-4-yxdown.715083.com | No.288,Fu-chun Road | CN | unknown

DNS requests

Domain | IP | Reputation
ggstats.box.uuuo.com | 123.207.141.44 | malicious
tongji2.box.uuuo.com | 118.89.223.27 | unknown
box64.uuuo.com | 119.36.192.8, 119.36.192.24, 180.97.77.97, 180.97.77.94, 180.97.77.86, 180.97.77.96, 119.36.192.23, 180.97.77.88 | malicious
box64.yxdown.com | 180.97.77.96, 119.36.192.23, 180.97.77.88, 119.36.192.8, 119.36.192.24, 180.97.77.97, 180.97.77.94, 180.97.77.86 | suspicious
api.box.uuuo.com | 121.29.54.117, 119.6.229.83, 139.170.156.195, 42.56.76.93, 27.221.54.139 | suspicious
ustats.box.uuuo.com | 118.89.226.236 | malicious
boxconfig.uuuo.com | 58.87.103.64 | unknown
boxconfig.yxdown.com | 157.185.159.177 | malicious
i-4.yxdown.com | 157.185.159.177 | malicious
app.yeshen.com | 59.110.92.40, 60.205.234.63, 60.205.85.238, 59.110.93.16, 59.110.93.17, 60.205.12.229 | unknown

Threats

PID | Process | Class | Message
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3796 | 150a2af5-c041-11e6-bedf-80e65024849a.exe | Misc activity | ET INFO EXE - Served Attached HTTP
No debug info