File name:

liuliangbao_pup.zip

Full analysis: https://app.any.run/tasks/40274ff9-40bd-403e-9aa0-08e6e21c14d4
Verdict: Malicious activity
Analysis date: June 01, 2025, 09:58:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

D83000E53D426EDE1805FBC4CFDEEF1F

SHA1:

3DC30635547E7AF451E3A6F5F5FEC219AA786745

SHA256:

998BB31CC41357CBEFCEFF824203C042D77A3CA765A0AD8EA5AFC242F016219E

SSDEEP:

49152:fuK6M8L0vy9EEmXIQ3CLAFolX9L/BMCIPitJesjh5rmXgLphtyZ9KNUsp9E48BIq:GK6M8w69bmL8go3XiitJeYh5rmXgsMU7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • liuliangbao.exe (PID: 7372)
      • liuliangbao.exe (PID: 6668)
      • Á÷Á¿°æ.exe (PID: 7684)
      • liuliangbao.exe (PID: 5280)
      • Á÷Á¿°æ.exe (PID: 1312)
    • Changes the autorun value in the registry

      • liuliangbao.tmp (PID: 7856)
      • Á÷Á¿°æ.exe (PID: 7684)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • liuliangbao.exe (PID: 7372)
      • liuliangbao.exe (PID: 6668)
      • liuliangbao.tmp (PID: 7856)
    • Reads security settings of Internet Explorer

      • liuliangbao.tmp (PID: 672)
      • liuliangbao.tmp (PID: 7856)
      • Á÷Á¿°æ.exe (PID: 7684)
    • Reads the Windows owner or organization settings

      • liuliangbao.tmp (PID: 7856)
    • Process drops legitimate windows executable

      • liuliangbao.tmp (PID: 7856)
    • Uses TASKKILL.EXE to kill process

      • liuliangbao.tmp (PID: 7856)
    • Reads Microsoft Outlook installation path

      • Á÷Á¿°æ.exe (PID: 7684)
    • Reads Internet Explorer settings

      • Á÷Á¿°æ.exe (PID: 7684)
    • There is functionality for taking screenshot (YARA)

      • Á÷Á¿°æ.exe (PID: 7684)
      • Á÷Á¿°æ.exe (PID: 1312)
    • Executes application which crashes

      • Á÷Á¿°æ.exe (PID: 7684)
      • Á÷Á¿°æ.exe (PID: 1312)
  • INFO

    • Manual execution by a user

      • liuliangbao.exe (PID: 7372)
      • liuliangbao.exe (PID: 5280)
      • notepad.exe (PID: 8188)
      • notepad++.exe (PID: 5404)
      • OUTLOOK.EXE (PID: 4728)
      • notepad++.exe (PID: 5556)
      • Á÷Á¿°æ.exe (PID: 1312)
    • Checks supported languages

      • liuliangbao.exe (PID: 7372)
      • liuliangbao.tmp (PID: 672)
      • liuliangbao.exe (PID: 6668)
      • liuliangbao.tmp (PID: 7856)
      • Á÷Á¿°æ.exe (PID: 7684)
      • identity_helper.exe (PID: 4028)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7284)
      • msedge.exe (PID: 7848)
    • Create files in a temporary directory

      • liuliangbao.exe (PID: 7372)
      • liuliangbao.exe (PID: 6668)
      • liuliangbao.tmp (PID: 7856)
    • Reads the computer name

      • liuliangbao.tmp (PID: 672)
      • liuliangbao.tmp (PID: 7856)
      • Á÷Á¿°æ.exe (PID: 7684)
      • identity_helper.exe (PID: 4028)
    • Process checks computer location settings

      • liuliangbao.tmp (PID: 672)
      • liuliangbao.tmp (PID: 7856)
    • The sample compiled with english language support

      • liuliangbao.tmp (PID: 7856)
      • msedge.exe (PID: 7848)
    • Creates files or folders in the user directory

      • liuliangbao.tmp (PID: 7856)
      • Á÷Á¿°æ.exe (PID: 7684)
    • Launch of the file from Registry key

      • liuliangbao.tmp (PID: 7856)
      • Á÷Á¿°æ.exe (PID: 7684)
    • The sample compiled with chinese language support

      • liuliangbao.tmp (PID: 7856)
    • Creates files in the program directory

      • liuliangbao.tmp (PID: 7856)
    • Creates a software uninstall entry

      • liuliangbao.tmp (PID: 7856)
    • Checks proxy server information

      • Á÷Á¿°æ.exe (PID: 7684)
    • Reads CPU info

      • Á÷Á¿°æ.exe (PID: 7684)
    • Reads the machine GUID from the registry

      • Á÷Á¿°æ.exe (PID: 7684)
    • Reads the software policy settings

      • Á÷Á¿°æ.exe (PID: 7684)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1804)
      • explorer.exe (PID: 7828)
    • Application launched itself

      • msedge.exe (PID: 5216)
      • msedge.exe (PID: 7456)
    • Reads Environment values

      • identity_helper.exe (PID: 4028)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:05:31 22:14:12
ZipCRC: 0x29f133eb
ZipCompressedSize: 1204769
ZipUncompressedSize: 1237424
ZipFileName: liuliangbao.exe
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
71
Malicious processes
5
Suspicious processes
2

Behavior graph

start winrar.exe sppextcomobj.exe no specs slui.exe liuliangbao.exe liuliangbao.tmp no specs liuliangbao.exe liuliangbao.tmp taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs á÷á¿°æ.exe explorer.exe no specs explorer.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs slui.exe liuliangbao.exe no specs notepad.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs outlook.exe notepad++.exe no specs msedge.exe no specs notepad++.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe no specs msedge.exe no specs á÷á¿°æ.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs werfault.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
240
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
472
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5824 --field-trial-handle=2272,i,11420188687687927732,5079194736491471698,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
536
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=5760 --field-trial-handle=2272,i,11420188687687927732,5079194736491471698,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
668
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5428 --field-trial-handle=2272,i,11420188687687927732,5079194736491471698,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
672
CMD:
"C:\Users\admin\AppData\Local\Temp\is-AKLF5.tmp\liuliangbao.tmp" /SL5="$B02CC,979376,68608,C:\Users\admin\Desktop\liuliangbao.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-AKLF5.tmp\liuliangbao.tmp
Parent process:
liuliangbao.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-aklf5.tmp\liuliangbao.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1164
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3496 --field-trial-handle=2428,i,11260420132471540694,16630265297849898038,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1176
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3548 --field-trial-handle=2272,i,11420188687687927732,5079194736491471698,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1176
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7684 -s 904
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
Á÷Á¿°æ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1312
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5484 --field-trial-handle=2272,i,11420188687687927732,5079194736491471698,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1312
CMD:
"C:\Users\admin\AppData\Roaming\Liuliangbao\Á÷Á¿°æ.exe"
Path:
C:\Users\admin\AppData\Roaming\Liuliangbao\Á÷Á¿°æ.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
流量宝流量版
Exit code:
3221225477
Version:
2,2,338,1
Modules
Images
c:\users\admin\appdata\roaming\liuliangbao\á÷á¿°æ.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
19 812
Read events
19 464
Write events
311
Delete events
37

Modification events

(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\Desktop\liuliangbao_pup.zip
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:
write
Name:
name
Value:
256
(PID) Process:
(7284) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:
write
Name:
size
Value:
80
Executable files
37
Suspicious files
419
Text files
91
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID:
7372
Process:
liuliangbao.exe
Filename:
C:\Users\admin\AppData\Local\Temp\is-AKLF5.tmp\liuliangbao.tmp
Type:
executable
MD5:
44A8925981217239A5895B4FBB518968
SHA256:
25FA0FF7D9CA6EB2695610B93965867FDB9B3E386DDEFA5D2297116DB3C2258F
PID:
7284
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa7284.20617\liuliangbao.exe
Type:
executable
MD5:
B0EFA24FD8935ED951024F4F01AB8A8C
SHA256:
BF15B0B16C356ED990424820B6BBC8476BCA6457C086E5CA00715E3789664EDB
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-VRACI.tmp\_isetup\_setup64.tmp
Type:
executable
MD5:
C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA256:
E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
PID:
7284
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa7284.21498\liuliangbao.exe
Type:
executable
MD5:
B0EFA24FD8935ED951024F4F01AB8A8C
SHA256:
BF15B0B16C356ED990424820B6BBC8476BCA6457C086E5CA00715E3789664EDB
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-VRACI.tmp\_isetup\_shfoldr.dll
Type:
executable
MD5:
92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:
9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\Users\admin\AppData\Roaming\Liuliangbao\Á÷Á¿±¦¹Ù·½ÍøÕ¾.url
Type:
binary
MD5:
6C60E1FB050D088644AF4994D3F4C16F
SHA256:
7C1D33303D49A4F701FEEB329C90063CF99A5D28E12DCC07F6C957846C027F93
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Á÷Á¿±¦\is-0SSPL.tmp
Type:
text
MD5:
5C8D666EE70A3310E7529DCF41425FF7
SHA256:
8E2CE0968F6A44F8B92239D0D85B498AC61CB200AF9491FCD50ADC042C53B64A
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\Users\admin\AppData\Roaming\Liuliangbao\¹Ò»ú°æ.exe
Type:
executable
MD5:
1322976545FBF43B75A66751D08CD026
SHA256:
AE9A49DA91B5E76BC71944CE65AEB5C5A7374CA52E90E99E41F15F2EE79E6C28
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Á÷Á¿±¦\Á÷Á¿±¦¹Ù·½ÍøÕ¾.url
Type:
binary
MD5:
6C60E1FB050D088644AF4994D3F4C16F
SHA256:
7C1D33303D49A4F701FEEB329C90063CF99A5D28E12DCC07F6C957846C027F93
PID:
7856
Process:
liuliangbao.tmp
Filename:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Á÷Á¿±¦\ʹÓÃ˵Ã÷.txt
Type:
text
MD5:
5C8D666EE70A3310E7529DCF41425FF7
SHA256:
8E2CE0968F6A44F8B92239D0D85B498AC61CB200AF9491FCD50ADC042C53B64A
HTTP(S) requests
51
TCP/UDP connections
84
DNS requests
94
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7968
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7968
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7684
Á÷Á¿°æ.exe
GET
200
18.66.145.213:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
whitelisted
7684
Á÷Á¿°æ.exe
GET
200
18.173.208.27:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAbDA3uNHBa3tHg9wFEje6E%3D
unknown
whitelisted
7684
Á÷Á¿°æ.exe
GET
302
47.243.139.44:80
http://ap.liuliangbao.cn/redirect/clthang2?preventCache=1212656&cid=C8822E6D581749FA89987E93BCB795B6&v=2.2.338
unknown
whitelisted
6252
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1748976790&P2=404&P3=2&P4=hjRcfUp5RGDvgKjIjBjodmm4BwcRbKsHSf%2b0xecjtfjY45uDbQC3jjd0eutAKjC6rWZvICQac15rjqK7hZ70EA%3d%3d
unknown
whitelisted
7684
Á÷Á¿°æ.exe
GET
302
47.243.139.44:80
http://ap.liuliangbao.cn/redirect/llUpCfg
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
8184
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.18:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7628
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.18
  • 23.216.77.23
  • 23.216.77.14
  • 23.216.77.10
  • 23.216.77.29
  • 23.216.77.30
  • 23.216.77.25
whitelisted
www.microsoft.com
  • 2.16.253.202
  • 2.23.246.101
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.130
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.1
  • 40.126.31.128
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
ap2.liuliangbao.cn
whitelisted

Threats

No threats detected
No debug info