File name: KinhDown.exe

Full analysis: https://app.any.run/tasks/fbf942f5-973e-4736-bea6-c0b09e9819ad
Verdict: No threats detected
Analysis date: September 24, 2020, 04:06:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C799AA389C4E7D0AE9932EFBD5B4828A
SHA1: 34ED58FC97387B2394A580FCDF0F0CD392978CE7
SHA256: A0699347F5A3332B1C6D43F03469D99641AFE1944CAF65CC5C683623F781B53A
SSDEEP: 393216:YaQJyudTWxnpKFlg+pxq6Jt0+t6OZVsje:IjdTWgvgkxqcZVR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Application launched itself
      • KinhDown.exe (PID: 2680)
  • INFO
    • Manual execution by user
      • opera.exe (PID: 1480)
    • Dropped object may contain Bitcoin addresses
      • opera.exe (PID: 1480)
    • Creates files in the user directory
      • opera.exe (PID: 1480)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:09:23 16:19:46+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 1294336
InitializedDataSize: 548864
UninitializedDataSize: -
EntryPoint: 0xecd947
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: KinhDown稳定版
ProductName: KinhDown稳定版
ProductVersion: 1.0.0.0
CompanyName: KinhUBAQ_Pro
LegalCopyright: 用户必须同意以下《协议》和《隐私条款》并详细阅读,才可使用KinhDown。 用户协议 尊敬的用户,欢迎使用由KinhDown(下列简称为本人)提供的服务。在使用前请您阅读如下服务协议,使用本应用即表示您同意接受本协议,本协议产生法律效力,特别涉及免除或者限制本人责任的条款,请仔细阅读。如有任何问题,可向本人咨询。 1. 服务条款的确认和接受 通过访问或使用本应用,表示用户同意接受本协议的所有条件和条款。 2. 服务条款的变更和修改 本人在必要时修改服务条款,服务条款一旦发生变更,将会在重要页面上提示修改内容。如果不同意所改动的内容,用户可以放弃获得的本应用信息服务。如 果用户继续享用本应用的信息服务,则视为接受服务条款的变更。本应用保留随时修改或中断服务而不需要通知用户的权利。本应用行使修改或中断服务的权利,不需对用户或第三方负责。 3. 用户在本应用上不得发布下列违法信息和照片: (1)反对宪法所确定的基本原则的; (2)危害国家安全,泄露国家秘密,颠覆国家政权,破坏国家统一的; (3)损害国家荣誉和利益的; (4)煽动民族仇恨、民族歧视,破坏民族团结的; (5)破坏国家宗教政策,宣扬邪教和封建迷信的; (6)散布谣言,扰乱社会秩序,破坏社会稳定的; (7)散布淫秽、色情、赌博、暴力、凶杀、恐怖或者教唆犯罪的; (8)侮辱或者诽谤他人,侵害他人合法权益的; (9)含有法律、行政法规禁止的其他内容的; (10)禁止骚扰、毁谤、威胁、仿冒网站其他用户; (11)严禁煽动非法集会、结社、游行、示威、聚众扰乱社会秩序; (12)严禁发布可能会妨害第三方权益的文件或者信息,例如(包括但不限于):病毒代码、黑客程序、软件破解注册信息。 (13)禁止上传他人作品。其中包括你从互联网上下载、截图或收集的他人的作品; (14)禁止上传广告、横幅、标志等网络图片; 4. 上传或发布的内容 软件仅提供下载加速功能,用户上传的内容是指用户在KinhDown上传或发布的视频或其它任何形式的内容包括文字、图片、音频等。除非本人收到相关通知,否则本人将用户视为其在本应用上传或发布的内容的版权拥有人。作为内容的发表者,需自行对所发表内容负责,因所发表内容引发的一切纠纷,由该内容的发表者承担全部法律及连带责任。本人不承担任何法律及连带责任。对于经由本应用而传送的内容,本人不保证前述其合法性、正当性、准确性、完整性或品质。用户在使用本应用时,有可能会接触到令人不快、不适当或令人厌恶的内容。在任何情况下,本人均不对任何内容承担任何责任,包括但不限于任何内容发生任何错误或纰漏以及衍生的任何损失或损害。本人有权(但无义务)自行拒绝或删除经由本应用提供的任何内容。个人或单位如认为本人存在侵犯自身合法权益的内容,应准备好具有法律效应的证明材料,及时与本人取得联系,以便本人迅速作出处理。 5. 对于因不可抗力或因黑客攻击、通讯线路问题等软件不能控制的原因造成的服务中断或其他缺陷,导致用户不能正常使用本软件的,本软件不承担任何责任,但将尽力减少因此给用户造成的损失或影响。 6. 本声明未涉及的问题请参见国家有关法律法规,当本声明与国家有关法律法规冲突时,以国家法律法规为准。 7.如您对本协议有任何异议,请联系本人邮箱 UallenQbit@Gmail.com 隐私条款 1.用户信息公开情况说明 尊重用户个人隐私是本人的一项基本服务。所以,本人不会在未经合法用户授权时公开、编辑或透露其注册资料及保存在本应用中的非公开内容,除非有下列情况: (1)有关法律规定或本人合法服务程序规定; (2)在紧急情况下,为维护用户及公众的权益; (3)为维护本人的商标权、专利权及其他任何合法权益; (4)其他需要公开、编辑或透露个人信息的情况; 2.隐私权政策适用范围 (1)用户启动软件时会在服务器留下IP信息; (2)用户开启共享提取码将会在服务器留下你的分享链接提取码;
Comments: KinhDown稳定版

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-Sep-2020 14:19:46

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 23-Sep-2020 14:19:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0013BA4A | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.rdata | 0x0013D000 | 0x000566D0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0
.data | 0x00194000 | 0x00086A91 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.vmp0 | 0x0021B000 | 0x00AD2B82 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.vmp1 | 0x00CEE000 | 0x00D97EA0 | 0x00D98000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.99089
.rsrc | 0x01A86000 | 0x00003F95 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.62377

Imports

ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSVFW32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, kinhdown.exe, kinhdown.exe, opera.exe

Process information

PID: 1480
CMD: "C:\Program Files\Opera\opera.exe"
Path: C:\Program Files\Opera\opera.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Exit code: 0
Version: 1748
Modules (images):
  • c:\program files\opera\opera.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\psapi.dll
  • c:\windows\system32\wintrust.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msasn1.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1908
CMD: "C:\Users\admin\AppData\Local\Temp\KinhDown.exe" 390276
Path: C:\Users\admin\AppData\Local\Temp\KinhDown.exe
Parent process: KinhDown.exe
User: admin
Company: KinhUBAQ_Pro
Integrity Level: HIGH
Description: KinhDown稳定版
Exit code: 0
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\kinhdown.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvfw32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2680
CMD: "C:\Users\admin\AppData\Local\Temp\KinhDown.exe"
Path: C:\Users\admin\AppData\Local\Temp\KinhDown.exe
Parent process: explorer.exe
User: admin
Company: KinhUBAQ_Pro
Integrity Level: MEDIUM
Description: KinhDown稳定版
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\kinhdown.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvfw32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
Total events: 594
Read events: 477
Write events: 117
Delete events: 0

Modification events

(PID) Process: (2680) KinhDown.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2680) KinhDown.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (1480) opera.exe
Key: HKEY_CURRENT_USER\Software\Opera Software
Operation: write
Name: Last CommandLine v2
Value: C:\Program Files\Opera\opera.exe

(PID) Process: (1480) opera.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1480) opera.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\139\52C64B7E
Operation: write
Name: @"%windir%\System32\ie4uinit.exe",-732
Value: Finds and displays information and Web sites on the Internet.
Executable files: 0
Suspicious files: 26
Text files: 10
Unknown types: 6

Dropped files

PID | Process | Filename | Type
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr5C5D.tmp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr5C8D.tmp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9KF6GJCXKKVLTXKWNXHN.temp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BVAVFVUJ6XS8SEI2ANGO.temp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr6AD6.tmp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr6AE7.tmp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr6AE8.tmp | -
  MD5: -
  SHA256: -
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text
  MD5: E196D47A9C4EEEB8AC7E7E1318410766
  SHA256: DE3616F0F6B2E04F0B1A578501E39138B9F0E6C231614D46C6B6D7712DD30B2A
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary
  MD5: 6A1164310DD92D8F167708C582AD7686
  SHA256: 1353928C2D85254CE9EEE4214F66589F23F708D871E160C295DA1D3342B55724
1480 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml
  MD5: 9CDD22D2BEEF43B263E735B86D98661F
  SHA256: 3209B79795D34A8F3581373C39D5DBD0DF6E55FF9FBB2005E58ECFE6F8F25826
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1480 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1480 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | - | whitelisted
1480 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1480 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | - | whitelisted

DNS requests

Domain | IP | Reputation
certs.opera.com | 185.26.182.93, 185.26.182.94 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info