URL:

http://duba.net

Full analysis: https://app.any.run/tasks/ee164fed-34a2-4910-80d0-6bce06968f34
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: January 07, 2019, 14:00:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
Indicators:
MD5:

06DE424727D09AD5896EF6FF6DE6D07D

SHA1:

90E8F1966DC01F959D680D43353E9710D9B741D5

SHA256:

942168D40B897762309BCD7BD1A33EC4F710FF1F574AD056CF749F048185C38B

SSDEEP:

3:N1KaQHEIR:Ca4R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • kinst_150_1_20170912[1].exe (PID: 3496)
      • kinst_150_1_20170912[1].exe (PID: 2884)
      • ksoftmgr.exe (PID: 4088)
      • kavlog2.exe (PID: 3628)
      • kxescore.exe (PID: 1224)
      • kxescore.exe (PID: 3252)
      • kxetray.exe (PID: 1704)
      • khealtheye.exe (PID: 2812)
      • keyemain.exe (PID: 3036)
      • rcmdhelper.exe (PID: 3188)
      • rcmdhelper.exe (PID: 3788)
      • rcmdhelper.exe (PID: 2608)
      • rcmdhelper.exe (PID: 3948)
      • rcmdhelper.exe (PID: 2176)
      • rcmdhelper.exe (PID: 3992)
      • rcmdhelper.exe (PID: 2588)
      • rcmdhelper.exe (PID: 1884)
      • rcmdhelper.exe (PID: 3180)
      • keyemain.exe (PID: 3876)
      • kscan.exe (PID: 3368)
      • kxetray.exe (PID: 2892)
      • rcmdhelper.exe (PID: 4356)
      • rcmdhelper.exe (PID: 2856)
      • kslaunch.exe (PID: 5384)
      • rcmdhelper.exe (PID: 4576)
      • kdrvmgr.exe (PID: 4460)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3064)
      • kxetray.exe (PID: 1704)

    • Connects to CnC server

      • duba_100_50.exe (PID: 2924)
      • kxescore.exe (PID: 3252)

    • Changes the autorun value in the registry

      • duba_100_50.exe (PID: 2924)

    • Loads dropped or rewritten executable

      • kavlog2.exe (PID: 3628)
      • kxetray.exe (PID: 1704)
      • ksoftmgr.exe (PID: 4088)
      • kxescore.exe (PID: 1224)
      • kxescore.exe (PID: 3252)
      • duba_100_50.exe (PID: 2924)
      • keyemain.exe (PID: 3036)
      • rcmdhelper.exe (PID: 3188)
      • rcmdhelper.exe (PID: 2176)
      • rcmdhelper.exe (PID: 2608)
      • rcmdhelper.exe (PID: 3948)
      • rcmdhelper.exe (PID: 3992)
      • rcmdhelper.exe (PID: 3788)
      • rcmdhelper.exe (PID: 3180)
      • rcmdhelper.exe (PID: 2588)
      • rcmdhelper.exe (PID: 1884)
      • keyemain.exe (PID: 3876)
      • kscan.exe (PID: 3368)
      • iexplore.exe (PID: 3064)
      • kxetray.exe (PID: 2892)
      • iexplore.exe (PID: 2676)
      • rcmdhelper.exe (PID: 4356)
      • rcmdhelper.exe (PID: 4576)
      • kdrvmgr.exe (PID: 4460)
      • rcmdhelper.exe (PID: 2856)
      • conhost.exe (PID: 4840)
      • explorer.exe (PID: 116)
      • DllHost.exe (PID: 4372)

    • Changes settings of System certificates

      • kxescore.exe (PID: 3252)
      • kxetray.exe (PID: 1704)

    • Loads the Task Scheduler DLL interface

      • kxetray.exe (PID: 1704)

    • Loads the Task Scheduler COM API

      • kxescore.exe (PID: 3252)
      • kscan.exe (PID: 3368)

    • Actions looks like stealing of personal data

      • kxetray.exe (PID: 1704)

  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 116)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2676)
      • iexplore.exe (PID: 3064)
      • duba_100_50.exe (PID: 2924)
      • khealtheye.exe (PID: 2812)
      • kxetray.exe (PID: 1704)
      • kxescore.exe (PID: 3252)
      • kdrvmgr.exe (PID: 4460)

    • Low-level read access rights to disk partition

      • kinst_150_1_20170912[1].exe (PID: 2884)
      • duba_100_50.exe (PID: 2924)

    • Reads Internet Cache Settings

      • duba_100_50.exe (PID: 2924)
      • ksoftmgr.exe (PID: 4088)

    • Creates files in the Windows directory

      • duba_100_50.exe (PID: 2924)
      • kavlog2.exe (PID: 3628)
      • kxescore.exe (PID: 3252)
      • kscan.exe (PID: 3368)

    • Creates files in the driver directory

      • duba_100_50.exe (PID: 2924)
      • kxescore.exe (PID: 3252)
      • kscan.exe (PID: 3368)

    • Creates COM task schedule object

      • duba_100_50.exe (PID: 2924)
      • kxescore.exe (PID: 3252)

    • Creates a software uninstall entry

      • duba_100_50.exe (PID: 2924)
      • kxetray.exe (PID: 1704)

    • Removes files from Windows directory

      • duba_100_50.exe (PID: 2924)
      • kxescore.exe (PID: 3252)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • duba_100_50.exe (PID: 2924)
      • kxescore.exe (PID: 3252)

    • Creates files in the program directory

      • duba_100_50.exe (PID: 2924)
      • kxescore.exe (PID: 1224)
      • kxetray.exe (PID: 1704)
      • khealtheye.exe (PID: 2812)
      • kxescore.exe (PID: 3252)
      • rcmdhelper.exe (PID: 3992)
      • kxetray.exe (PID: 2892)
      • kscan.exe (PID: 3368)

    • Reads internet explorer settings

      • ksoftmgr.exe (PID: 4088)

    • Creates files in the user directory

      • ksoftmgr.exe (PID: 4088)
      • kxetray.exe (PID: 1704)

    • Creates or modifies windows services

      • kxetray.exe (PID: 1704)
      • kxescore.exe (PID: 3252)

    • Searches for installed software

      • kxetray.exe (PID: 1704)

    • Adds / modifies Windows certificates

      • kxescore.exe (PID: 3252)
      • kxetray.exe (PID: 1704)

    • Connects to server without host name

      • kscan.exe (PID: 3368)
      • kxescore.exe (PID: 3252)
      • kxetray.exe (PID: 1704)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3064)

    • Application launched itself

      • iexplore.exe (PID: 2676)

    • Changes internet zones settings

      • iexplore.exe (PID: 2676)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3064)
      • iexplore.exe (PID: 2676)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3908)
      • iexplore.exe (PID: 3064)

    • Dropped object may contain Bitcoin addresses

      • duba_100_50.exe (PID: 2924)
      • khealtheye.exe (PID: 2812)
      • kxetray.exe (PID: 1704)

    • Reads settings of System Certificates

      • kxetray.exe (PID: 1704)
      • iexplore.exe (PID: 3064)
      • iexplore.exe (PID: 2676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
33
Malicious processes
23
Suspicious processes
6

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs kinst_150_1_20170912[1].exe no specs kinst_150_1_20170912[1].exe duba_100_50.exe kxetray.exe kavlog2.exe ksoftmgr.exe kxescore.exe no specs kxescore.exe khealtheye.exe keyemain.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs keyemain.exe no specs kscan.exe kxetray.exe no specs kslaunch.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs rcmdhelper.exe no specs kdrvmgr.exe conhost.exe no specs explorer.exe no specs Thumbnail Cache Out of Proc Server no specs

Process information

PID
CMD
Path
Indicators
Parent process
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1224"c:\program files\kingsoft\kingsoft antivirus\kxescore.exe" /start kxescorec:\program files\kingsoft\kingsoft antivirus\kxescore.exeduba_100_50.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
金山毒霸系统防御模块
Exit code:
0
Version:
2018,03,26,20271
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kxescore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1704"c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /kislive /devmgr /installc:\program files\kingsoft\kingsoft antivirus\kxetray.exe
duba_100_50.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
金山毒霸
Exit code:
0
Version:
2018,12,07,21527
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1884"C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe" -kdeskcanrcmdC:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exekxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Rcmd Helper
Exit code:
1
Version:
2018,03,13,20224
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2176"C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe" -kdeskcanrcmdC:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exekxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Rcmd Helper
Exit code:
0
Version:
2018,03,13,20224
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2588"C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe" -updatetaguserC:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exekxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Rcmd Helper
Exit code:
0
Version:
2018,03,13,20224
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2608"C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe" -updateliebaowifiC:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exekxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Rcmd Helper
Exit code:
0
Version:
2018,03,13,20224
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2676"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2812"c:\program files\kingsoft\kingsoft antivirus\khealtheye.exe" /at=591 /independent=0 /from=1c:\program files\kingsoft\kingsoft antivirus\khealtheye.exe
kxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
护眼大师安装程序
Exit code:
0
Version:
2018,11,26,73
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\khealtheye.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
2856"C:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe" -updatetaguserC:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exekxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Rcmd Helper
Exit code:
0
Version:
2018,03,13,20224
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\rcmdhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
4 283
Read events
3 455
Write events
745
Delete events
83

Modification events

(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{AF7D7A93-1284-11E9-BAD8-5254004A04AF}
Value:
0
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2676) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070100010007000E0001000B006B02
Executable files
232
Suspicious files
424
Text files
548
Unknown types
65

Dropped files

PID
Process
Filename
Type
2676iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\indexS[1].csstext
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\hm[1].jstext
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@hm.baidu[1].txttext
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\newdb-zbtn[1].pngimage
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\934fa0104b23eade3cba28e169672f6f[1].pngimage
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.datdat
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\all[1].pngimage
MD5:
SHA256:
3064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\jquery[1].jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
306
TCP/UDP connections
368
DNS requests
110
Threats
140

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3064
iexplore.exe
GET
42.54.2.16:80
http://www.duba.net/css/indexS.css
CN
malicious
3064
iexplore.exe
GET
200
202.173.15.148:80
http://kxlogo.knet.cn/seallogo.dll?sn=e12042311010018602307708&size=0
CN
unknown
3064
iexplore.exe
GET
200
42.54.2.16:80
http://www.duba.net/
CN
html
3.75 Kb
malicious
3064
iexplore.exe
GET
200
42.54.2.16:80
http://www.duba.net/css/indexS.css
CN
text
4.63 Kb
malicious
3064
iexplore.exe
GET
200
103.235.46.191:80
http://hm.baidu.com/hm.js?7b344617dc861558bc02241018ca7977
HK
text
9.01 Kb
whitelisted
3064
iexplore.exe
GET
200
42.54.2.20:80
http://dh1.cmcmcdn.com/duba/1/8/9/f/0/189f0b333610ddcf6b07f48037f63f33.png
CN
image
182 Kb
malicious
3064
iexplore.exe
GET
200
42.54.2.16:80
http://www.duba.net/images/20161227/all.png
CN
image
11.3 Kb
malicious
3064
iexplore.exe
GET
200
42.54.2.16:80
http://www.duba.net/images/20161227/newdb-zbtn.png
CN
image
12.3 Kb
malicious
3064
iexplore.exe
GET
200
42.54.2.20:80
http://dh1.cmcmcdn.com/duba/9/3/4/f/a/934fa0104b23eade3cba28e169672f6f.png
CN
image
44.6 Kb
malicious
3064
iexplore.exe
GET
200
42.54.2.20:80
http://dh1.cmcmcdn.com/duba/4/4/9/8/1/449814cfbb0c83f689fa182da6a4568f.png
CN
image
6.97 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2676
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3064
iexplore.exe
120.92.32.226:80
duba.net
Beijing Kingsoft Cloud Internet Technology Co., Ltd
CN
unknown
3064
iexplore.exe
42.54.2.16:80
www.duba.net
CHINA UNICOM China169 Backbone
CN
suspicious
3064
iexplore.exe
202.173.15.148:80
kxlogo.knet.cn
KNET Techonlogy (BeiJing) Co.,Ltd.
CN
unknown
3064
iexplore.exe
180.97.173.1:80
www.ijinshan.com
No.31,Jin-rong Street
CN
unknown
3064
iexplore.exe
103.235.46.191:80
hm.baidu.com
Beijing Baidu Netcom Science and Technology Co., Ltd.
HK
suspicious
3064
iexplore.exe
42.54.2.20:80
www.duba.net
CHINA UNICOM China169 Backbone
CN
suspicious
3064
iexplore.exe
42.54.2.15:80
www.duba.net
CHINA UNICOM China169 Backbone
CN
suspicious
2676
iexplore.exe
42.54.2.16:80
www.duba.net
CHINA UNICOM China169 Backbone
CN
suspicious
3064
iexplore.exe
119.29.49.207:80
infoc2.duba.net
Shenzhen Tencent Computer Systems Company Limited
CN
malicious

DNS requests

Domain
IP
Reputation
duba.net
  • 120.92.32.226
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.duba.net
  • 42.54.2.16
  • 42.54.2.25
  • 42.54.2.23
  • 42.54.2.20
  • 42.54.2.26
  • 42.54.2.17
  • 42.54.2.21
  • 42.54.2.24
  • 42.54.2.15
  • 42.54.2.18
malicious
kxlogo.knet.cn
  • 202.173.15.148
unknown
hm.baidu.com
  • 103.235.46.191
whitelisted
www.ijinshan.com
  • 180.97.173.1
malicious
dh1.cmcmcdn.com
  • 42.54.2.20
  • 42.54.2.26
  • 42.54.2.17
  • 42.54.2.21
  • 42.54.2.24
  • 42.54.2.15
  • 42.54.2.18
  • 42.54.2.19
  • 42.54.2.22
  • 42.54.2.16
malicious
act.cmcmcdn.com
  • 42.54.2.15
  • 42.54.2.18
  • 42.54.2.19
  • 42.54.2.22
  • 42.54.2.16
  • 42.54.2.25
  • 42.54.2.23
  • 42.54.2.20
  • 42.54.2.26
  • 42.54.2.17
suspicious
infoc2.duba.net
  • 119.29.49.207
  • 119.29.44.54
malicious
cd002.www.duba.net
  • 116.207.163.79
malicious

Threats

PID
Process
Class
Message
3064
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2884
kinst_150_1_20170912[1].exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2884
kinst_150_1_20170912[1].exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2884
kinst_150_1_20170912[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
2884
kinst_150_1_20170912[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
2884
kinst_150_1_20170912[1].exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2884
kinst_150_1_20170912[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
2884
kinst_150_1_20170912[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
2884
kinst_150_1_20170912[1].exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2884
kinst_150_1_20170912[1].exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1 ETPRO signatures available at the full report
Process
Message
duba_100_50.exe
14:02:17|~02436| [KAVMENU] reg_duba_32bit
kavlog2.exe
_tWinMain End.
kxescore.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe
<ERROR>cannot find DeFeatureLib
kxescore.exe
<ERROR>Inst
kxescore.exe
<FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\knetctrl.dll Fatal = 1
kxescore.exe
<FATAL>Install KNetFlt Driver = 1
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://duba.net