File name:

PiaProxy_2.1.7_202409061452_Cus.exe

Full analysis: https://app.any.run/tasks/1721c9aa-c106-4645-b8a6-8fc9aeceffad
Verdict: Malicious activity
Analysis date: October 19, 2024, 14:18:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

258A8AB87F035049DF8BBBFD010543E2

SHA1:

9C02D1AD6303737B17F20B7DB12279BD2E6E6E14

SHA256:

9D9E27A465351588B5E0860A1881658F7E1BAB99AEE3182039A06AB8067E3448

SSDEEP:

196608:tkRBL1eC3FQ49X2I/VrlxvayplBd2v+f+sth:tUBIC1Q4okjbPQ+WsH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • install.exe (PID: 6180)
      • PiaProxy.exe (PID: 3772)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)

    • Process drops legitimate windows executable

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)

    • Drops a system driver (possible attempt to evade defenses)

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)

    • Executable content was dropped or overwritten

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)

    • The process drops C-runtime libraries

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)

    • Searches for installed software

      • install.exe (PID: 6180)

    • Creates a software uninstall entry

      • install.exe (PID: 6180)

    • Creates file in the systems drive root

      • update.exe (PID: 2364)

  • INFO

    • Create files in a temporary directory

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)
      • PiaProxy.exe (PID: 3772)

    • Reads the computer name

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)
      • update.exe (PID: 2364)
      • PiaProxy.exe (PID: 3772)

    • The process uses the downloaded file

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)

    • Sends debugging messages

      • install.exe (PID: 6180)
      • update.exe (PID: 2364)
      • PiaProxy.exe (PID: 3772)

    • Checks supported languages

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)
      • install.exe (PID: 6180)
      • PiaProxy.exe (PID: 3772)
      • update.exe (PID: 2364)

    • Process checks computer location settings

      • PiaProxy_2.1.7_202409061452_Cus.exe (PID: 3852)

    • Creates files or folders in the user directory

      • install.exe (PID: 6180)
      • PiaProxy.exe (PID: 3772)
      • update.exe (PID: 2364)

    • Reads the machine GUID from the registry

      • install.exe (PID: 6180)
      • PiaProxy.exe (PID: 3772)
      • update.exe (PID: 2364)

    • Creates files in the program directory

      • install.exe (PID: 6180)
      • PiaProxy.exe (PID: 3772)
      • update.exe (PID: 2364)

    • Checks proxy server information

      • PiaProxy.exe (PID: 3772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:08:11 13:54:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 188928
InitializedDataSize: 181248
UninitializedDataSize: -
EntryPoint: 0x1cec9
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start piaproxy_2.1.7_202409061452_cus.exe install.exe no specs install.exe piaproxy.exe update.exe

Process information

PID
CMD
Path
Indicators
Parent process
2364"C:\Program Files (x86)\PiaProxy_cata\update.exe" "C:/Program Files (x86)/PiaProxy_cata/update.exe" --check_enable --lang _enC:\Program Files (x86)\PiaProxy_cata\update.exe
PiaProxy.exe
User:
admin
Company:
MARS BROTHERS LIMITED
Integrity Level:
HIGH
Description:
PiaProxy
Exit code:
0
Version:
0.1.0.0
Modules
Images
c:\program files (x86)\piaproxy_cata\update.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
3772"C:\Program Files (x86)\PiaProxy_cata\PiaProxy.exe" C:\Program Files (x86)\PiaProxy_cata\PiaProxy.exe
install.exe
User:
admin
Company:
MARS BROTHERS LIMITED
Integrity Level:
HIGH
Description:
PiaProxy
Version:
0.1.0.0
Modules
Images
c:\program files (x86)\piaproxy_cata\piaproxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
3852"C:\Users\admin\Desktop\PiaProxy_2.1.7_202409061452_Cus.exe" C:\Users\admin\Desktop\PiaProxy_2.1.7_202409061452_Cus.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\piaproxy_2.1.7_202409061452_cus.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll
6180"C:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\install.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\install.exe
PiaProxy_2.1.7_202409061452_Cus.exe
User:
admin
Company:
MARS BROTHERS LIMITED
Integrity Level:
HIGH
Description:
PiaProxy
Exit code:
0
Version:
0.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\piaproxy_release\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
7136"C:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\install.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\install.exePiaProxy_2.1.7_202409061452_Cus.exe
User:
admin
Company:
MARS BROTHERS LIMITED
Integrity Level:
MEDIUM
Description:
PiaProxy
Exit code:
3221226540
Version:
0.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\piaproxy_release\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
4 076
Read events
4 065
Write events
11
Delete events
0

Modification events

(PID) Process:(6180) install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:PiaProxy
Value:
C:/Program Files (x86)/PiaProxy_cata/PiaProxy.exe
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:InstallPath
Value:
C:\Program Files (x86)
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:DisplayCata
Value:
C:\Program Files (x86)\PiaProxy_cata
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:DisplayName
Value:
Pia S5 Proxy
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:DisplayVersion
Value:
2.1.7
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:Publisher
Value:
MARS BROTHERS
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:UninstallString
Value:
C:\Program Files (x86)\PiaProxy_cata\uninstall.exe
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:DisplayIcon
Value:
C:\Program Files (x86)\PiaProxy_cata\uninstall.exe
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:EstimatedSize
Value:
1360
(PID) Process:(6180) install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PiaProxy
Operation:writeName:InstallTime
Value:
FCBF136700000000
Executable files
132
Suspicious files
586
Text files
842
Unknown types
0

Dropped files

PID
Process
Filename
Type
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\socks5\hxxd.dllexecutable
MD5:8BAA5B17B3AEF7252625861EDF60D17F
SHA256:D970BBB5727975525206B6DEE88904E33A0AE85DEDFC7CD3DC200CD899B86366
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\update.exeexecutable
MD5:3356362853899CE506E1156811F1FB79
SHA256:07634EF01332431154909792FD7FFB4BF4FEE51AD3CCABD1DCF7DF1812096401
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\PiaProxy.exeexecutable
MD5:B284BED9B32C0231B32CAB110B739EB0
SHA256:05A0D5C087FF4FC966ED13DEB294592BFF19B6D2E9FF4AEDAD4D06AA63F9FC22
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\libEGL.dllexecutable
MD5:CA13B087880D4C6EFFE7076059609261
SHA256:21D4D49646BB263214297532A883BBF88BC2347A052D093642386F13ADAE9F0C
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\uninstall.exeexecutable
MD5:F0E9DBA9A03AC5F5B0ECFA18CFF79BDF
SHA256:496354A24851DB801D0658D8BC56759109ECB8AB1BCDD2649DF4852F943FAD5B
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\socks5\PiaS5ProxyDivert.exeexecutable
MD5:8F5BC5C89B412B4F4ED5E5B7951447AC
SHA256:F88FCC8D74F0043EC0E2F1098447EDD2D94970D05897ABD4D8901781713CECCC
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\install.exeexecutable
MD5:A39359F1380EE171086A9FF85A7EB6F9
SHA256:07248D5910927055118419A5D7AAFBC0FE2E6FC1CA7A737C0CF08177BC0A8E50
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\QtQuick\Dialogs\Private\dialogsprivateplugin.dllexecutable
MD5:2A3CFD128C916D64DEB6BD14C72B0C80
SHA256:F6CC8A92F49393ACD9A1A8D800D8ADB63B8BDDB8CDD59F2DC844A8433A37B2AA
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\QtQuick\Controls\Private\style.jstext
MD5:42B5203954B0E4D9EFC477B558D3C8FD
SHA256:E337C73325AE18763172A328B819B036E6F42C412A77454731B14AC5F05A1E3D
3852PiaProxy_2.1.7_202409061452_Cus.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\PiaProxy_release\file_flag.inibinary
MD5:0CB12EDFF5B77DFAC686C0D0B8E669F7
SHA256:71E01CEFFA00BFF46FC4FCE7D3A940E86362E37F7F5AB69C9647044BEF1FDA03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
69
DNS requests
15
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
104.26.15.22:443
https://standbyruapi.piaproxy.com/api/client/get_column_v2
unknown
POST
104.26.14.22:443
https://standbyruapi.piaproxy.com/api/socks/config
unknown
GET
172.67.74.242:443
https://download.piaproxy.com/file/img/7thlogcn.png
unknown
GET
104.26.15.22:443
https://download.piaproxy.com/file/img/PIAs5-banner263-90px-en.jpg
unknown
GET
172.67.74.242:443
https://download.piaproxy.com/file/img/7thlogen.png
unknown
GET
104.26.15.22:443
https://download.piaproxy.com/file/img/PIAs5-banner263-90px-en.jpg
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.160:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.186
  • 104.126.37.123
  • 104.126.37.171
  • 104.126.37.153
  • 104.126.37.178
  • 104.126.37.170
  • 104.126.37.144
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ipchanger-fjny.oss-cn-hongkong.aliyuncs.com
  • 47.79.65.202
unknown
standbyruapi.piaproxy.com
  • 104.26.14.22
  • 104.26.15.22
  • 172.67.74.242
unknown
download.piaproxy.com
  • 104.26.14.22
  • 104.26.15.22
  • 172.67.74.242
unknown
standbyapi.piaproxy.com
  • 104.26.15.22
  • 172.67.74.242
  • 104.26.14.22
unknown
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
9 ETPRO signatures available at the full report
Process
Message
install.exe
CApp Exe Begin...
install.exe
QT_VERSION 329984
install.exe
AA_EnableHighDpiScaling
install.exe
AppRun...
PiaProxy.exe
CApp Exe Begin...
PiaProxy.exe
QT_VERSION 329984
PiaProxy.exe
AA_EnableHighDpiScaling
PiaProxy.exe
AppRun...
update.exe
CAppCustom Exe Begin...
update.exe
appExist.isRunning() true
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PiaProxy_2.1.7_202409061452_Cus.exe