File name: a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc

Full analysis: https://app.any.run/tasks/98abef73-8b5e-409c-bf5d-efd3a3e284da
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focusing on its own kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 13, 2024, 19:15:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
floxif
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: C62F172C3B59196D73B8A8BA0BE84BFA
SHA1: 09D83E5578EDA48C72CFAD84579B9CDB7F09E77B
SHA256: A4F9BC6D511E630A8629557F5B79BA9CD8FCD23BDC8786EE5EBE15D1F61A40FC
SSDEEP: 49152:ZHjgcDLEqUfkLY6npOHwWLm9MeSwpIplLcOUKA3lVBZqx8r9Qlf0dAe1Gg5j:5jgcD3UfkLyHwWvCCplQ13lrZqm2lfOJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • FLOXIF has been detected (SURICATA)
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Executing a file with an untrusted certificate
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Steals credentials from Web Browsers
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Actions look like stealing of personal data
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Process drops legitimate Windows executable
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Contacting a server suspected of hosting a CnC
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Reads security settings of Internet Explorer
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Checks Windows Trust Settings
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
  • INFO
    • The sample was compiled with English language support
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Reads the computer name
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Checks supported languages
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Creates files in the program directory
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Process checks computer location settings
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Creates files or folders in the user directory
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Reads the machine GUID from the registry
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Creates files in a temporary directory
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Checks proxy server information
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • UPX packer has been detected
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
    • Reads the software policy settings
      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:10 07:59:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 637440
InitializedDataSize: 519680
UninitializedDataSize: -
EntryPoint: 0x85c1e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.7710
ProductVersionNumber: 3.0.0.7710
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: CyberLink
FileDescription: CyberLink Downloader
FileVersion: 3.0.0.7710
InternalName: CLDownloader
LegalCopyright: Copyright (C) CyberLink Corporation. All rights reserved
OriginalFileName: CLDownloader.exe
ProductName: CLDownloader
ProductVersion: 3.0.0.7710
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start; #FLOXIF a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe; svchost.exe

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 3224
CMD: "C:\Users\admin\Desktop\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe"
Path: C:\Users\admin\Desktop\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
Parent process: explorer.exe
User: admin
Company: CyberLink
Integrity Level: MEDIUM
Description: CyberLink Downloader
Version: 3.0.0.7710
Modules (Images):
c:\users\admin\desktop\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
Total events: 3 649
Read events: 3 645
Write events: 4
Delete events: 0

Modification events

(PID) Process: (3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\CyberLink\CBE
Operation: write
Name: UUID
Value: S-1-5-21-1693682860-607145093-2874071422-1001-74ACAE95-BA92-4139-92FD-E69F4CE3D61D
Executable files: 2
Suspicious files: 12
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\Local\Temp\4ba0c5d1-4057-42ca-8333-d3d067066de2.json | binary
  MD5: 99914B932BD37A50B983C5E7C90AE93B
  SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\ProgramData\CyberLink\Downloader\Item0.ini | text
  MD5: F3B25701FE362EC84616A93A45CE9998
  SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable
  MD5: 7574CF2C64F35161AB1292E2F532AABF
  SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe_v2\cc956974-8cbf-41a5-b25a-e64711173977.json | binary
  MD5: 349C19CD058EA7C4993D1691BD64C757
  SHA256: 8B712F7C7322EFF850786E8100F5BBAB8CD09E0B7FA24B85810E0333D53DCD50
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\Local\Temp\A1D26E2\70BEA74C98.tmp | executable
  MD5: 6BEB9D113086247BC7529BBF08AAE03C
  SHA256: B2523687F20EC36094FDA56804D85DE6C3852D0CCE3D33A9337841B15B5810B7
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E506CEBBC8B162CFB2D72DB4891DCAE | binary
  MD5: F9C518B54414955B5D429BE873C7B508
  SHA256: 89EC236A01C365CDEF6EB533DB00BE5C687552B0D83DB8C7EAF7B65F07ADA300
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\Local\Temp\ade40243-d2cc-46c1-bf40-a812145798d0.json | binary
  MD5: 99914B932BD37A50B983C5E7C90AE93B
  SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4EA555947766F67C3BB52DEDFD509C5 | binary
  MD5: AE1D19E9D91BA267832F4A0329AB6F5C
  SHA256: 6136F04FA73E55D1851DC15689F7833C726F80D3C1DE7B566CFCED838923F489
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\get-link[1].htm | text
  MD5: 45882C251C7E03EB42C449A846EA7D6C
  SHA256: 45B24EB31B46BC71A3DD046E3D8911756597E3513B7374DC6C5DA9D01FE103B5
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4EA555947766F67C3BB52DEDFD509C5 | binary
  MD5: AC29A87EF1E22154754FDD94CA90CF11
  SHA256: 8B4F820533D2844AAABA72D656B0960CE329F3380C74B79EBCE4BEE6D0652AAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22
TCP/UDP connections: 32
DNS requests: 20
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 75.2.35.53:443 | https://downloader.cyberlink.com/prog/util/downloader/update-info.jsp?TokenID=27A95FB3-3D5D-4177-B113-DDD330F7027D&PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64&Locale=USA&UUID=S-1-5-21-1693682860-607145093-2874071422-1001-74ACAE95-BA92-4139-92FD-E69F4CE3D61D&url= | unknown | unknown
- | - | GET | 200 | 99.83.161.79:443 | https://downloader.cyberlink.com/prog/util/downloader/update-status.jsp?TokenID=27A95FB3-3D5D-4177-B113-DDD330F7027D&status=Launch&detail_status= | unknown | unknown
1488 | RUXIMICS.exe | GET | 200 | 184.24.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1488 | RUXIMICS.exe | GET | - | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | GET | 200 | 192.229.221.95:80 | http://crl3.digicert.com/sha2-assured-cs-g1.crl | unknown | whitelisted
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | GET | 200 | 192.229.221.95:80 | http://crl4.digicert.com/sha2-assured-cs-g1.crl | unknown | whitelisted
- | - | GET | 200 | 75.2.35.53:443 | https://downloader.cyberlink.com/prog/util/downloader/get-link.jsp?PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64 | unknown | unknown
- | - | GET | 200 | 99.83.161.79:443 | https://downloader.cyberlink.com/prog/util/downloader/update-info.jsp?TokenID=27A95FB3-3D5D-4177-B113-DDD330F7027D&PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64&Locale=USA&UUID=S-1-5-21-1693682860-607145093-2874071422-1001-74ACAE95-BA92-4139-92FD-E69F4CE3D61D&url=ERROR:%20001https://update.cyberlink.com/Retail/YouCam/DL/VTP66C4WCTV8/CyberLink_YouCam_Downloader.exe | unknown | unknown
- | - | GET | 200 | 75.2.35.53:443 | https://downloader.cyberlink.com/prog/util/downloader/get-link.jsp?PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64 | unknown | unknown
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | GET | 403 | 45.33.18.44:80 | http://www.aieov.com/logo.gif | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3416 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1488 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | 35.85.142.113:443 | dna.cyberlink.com | AMAZON-02 | US | whitelisted
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | 99.83.161.79:443 | downloader.cyberlink.com | AMAZON-02 | US | whitelisted
1488 | RUXIMICS.exe | 184.24.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1488 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3224 | a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
dna.cyberlink.com
  • 35.85.142.113
  • 35.82.193.44
  • 44.232.16.209
whitelisted
downloader.cyberlink.com
  • 99.83.161.79
  • 75.2.35.53
whitelisted
crl.microsoft.com
  • 184.24.77.30
  • 184.24.77.34
  • 184.24.77.11
  • 184.24.77.42
  • 184.24.77.14
  • 184.24.77.23
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 45.33.18.44
  • 45.33.23.183
  • 45.33.30.197
  • 45.56.79.23
  • 173.255.194.134
  • 72.14.185.43
  • 96.126.123.244
  • 45.79.19.196
  • 72.14.178.174
  • 45.33.2.79
  • 198.58.118.167
  • 45.33.20.235
malicious
crl3.digicert.com
  • 192.229.221.95
whitelisted

Threats

6 ETPRO signatures available at the full report
No debug info