URL:

http://www.duba.net

Full analysis: https://app.any.run/tasks/1551b43e-1ea8-40e7-89b3-a7e4f7be6d9a
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 06, 2024, 18:15:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators (hashes of the submitted object; the SSDEEP block size of 3 means that object is at most 192 bytes, consistent with the URL string itself rather than the downloaded kinstnui_150_15.exe, whose hashes this excerpt does not give):
MD5: 6E73D0B98F3574D03128E73EE0538E82
SHA1: C882E2CAAEA320C93907311F32CA3F34373339FC
SHA256: AE6194CED5A24D8F2A4AFF473B6BBCD41048AAC4A0C837550148EE17214BA0B8
SSDEEP: 3:N1KJS4xIR:Cc4+R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • kinstnui_150_15.exe (PID: 3968)
  • INFO

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 268)
    • Application launched itself

      • iexplore.exe (PID: 268)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 268)
      • iexplore.exe (PID: 3456)
    • The process uses the downloaded file

      • iexplore.exe (PID: 268)
    • Checks supported languages

      • kinstnui_150_15.exe (PID: 3968)
    • Reads the computer name

      • kinstnui_150_15.exe (PID: 3968)
    • Reads the machine GUID from the registry

      • kinstnui_150_15.exe (PID: 3968)
    • Create files in a temporary directory

      • kinstnui_150_15.exe (PID: 3968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Process chain as drawn in the report, left to right: start > iexplore.exe > iexplore.exe > kinstnui_150_15.exe (no specs) > kinstnui_150_15.exe

Process information

PID 268
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.duba.net"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID 3456
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:268 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe (the SCODEF:268 argument names PID 268 as its frame process; this is the Protected Mode tab process)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID 3644
CMD: "C:\Users\admin\Downloads\kinstnui_150_15.exe"
Path: C:\Users\admin\Downloads\kinstnui_150_15.exe
Parent process: iexplore.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: MEDIUM
Description: Kingsoft Security - Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the MEDIUM-integrity launch asked for UAC elevation; the module list, image plus ntdll.dll only, shows it exited before loader initialization completed, and the same installer then ran as PID 3968 at HIGH integrity)
Version: 2022,10,22,2040
Modules (images):
c:\users\admin\downloads\kinstnui_150_15.exe
c:\windows\system32\ntdll.dll

PID 3968
CMD: "C:\Users\admin\Downloads\kinstnui_150_15.exe"
Path: C:\Users\admin\Downloads\kinstnui_150_15.exe
Parent process: iexplore.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: Kingsoft Security - Installer
Exit code: 0
Version: 2022,10,22,2040
Modules (images):
c:\users\admin\downloads\kinstnui_150_15.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
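The exit code 3221226540 on the first kinstnui_150_15.exe launch is an NTSTATUS value, and the second launch of the same image at HIGH integrity is the UAC elevation relaunch that follows it. The script below, added here as a worked example and not ANY.RUN's own code, decodes an exit code into its NTSTATUS bit-fields and pairs an elevation-required exit with the higher-integrity relaunch of the same image. The process records are constructed from the process table above (listed in report order, which the example assumes is launch order); the NTSTATUS name table is limited to a few well-known codes.

```python
"""Decode Windows process exit codes as NTSTATUS and flag the UAC
elevation relaunch pattern (PID 3644 exits 0xC000042C, PID 3968 runs
the same image at HIGH integrity). Added example, not ANY.RUN code."""

from dataclasses import dataclass

# Assumption: a small table of NTSTATUS codes relevant to installer triage.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def decode_exit_code(code: int) -> dict:
    """Split an exit code into NTSTATUS fields: severity (bits 30-31),
    customer flag (bit 29), facility (bits 16-27) and code (bits 0-15).
    Some tools print the same value as a signed 32-bit integer, so the
    value is masked to 32 bits first."""
    value = code & 0xFFFFFFFF
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],
        "customer": bool(value & (1 << 29)),
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }


@dataclass
class Proc:
    pid: int
    image: str
    parent: str
    integrity: str
    exit_code: int


def find_elevation_relaunches(procs: list) -> list:
    """Pair every process that exited STATUS_ELEVATION_REQUIRED with the
    next process running the same image at a higher integrity level.
    Returns (original pid, relaunched pid, new integrity) tuples."""
    hits = []
    for i, p in enumerate(procs):
        if (p.exit_code & 0xFFFFFFFF) != 0xC000042C:
            continue
        for q in procs[i + 1:]:
            same_image = q.image.lower() == p.image.lower()
            if same_image and INTEGRITY_RANK[q.integrity] > INTEGRITY_RANK[p.integrity]:
                hits.append((p.pid, q.pid, q.integrity))
                break
    return hits


# Constructed from the report's process table, in report order
# (assumed to be launch order).
REPORT_PROCS = [
    Proc(268, r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe", "MEDIUM", 0),
    Proc(3456, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe", "LOW", 0),
    Proc(3644, r"C:\Users\admin\Downloads\kinstnui_150_15.exe", "iexplore.exe", "MEDIUM", 3221226540),
    Proc(3968, r"C:\Users\admin\Downloads\kinstnui_150_15.exe", "iexplore.exe", "HIGH", 0),
]

if __name__ == "__main__":
    print(decode_exit_code(3221226540))
    print(find_elevation_relaunches(REPORT_PROCS))
```

The pairing is a heuristic: it only says that an elevation-required exit was followed by a higher-integrity run of the same image, which is what a UAC consent prompt produces; whether the prompt was approved by a user or an auto-elevating sandbox is something the report, not the exit codes, has to tell you.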
Total events
15 093
Read events
15 009
Write events
78
Delete events
6

Modification events (PID, process, operation, key; then value name = value)

268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
    NTPDaysSinceLastAutoMigration = 0
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
    NTPLastLaunchHighDateTime = 30847387
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
    NextCheckForUpdateHighDateTime = 30847437
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    CachePrefix = Cookie:
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    CachePrefix = Visited:
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    CompatibilityFlags = 0
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    ProxyBypass = 1
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    IntranetName = 1
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    UNCAsIntranet = 1
268 iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    AutoDetect = 0
Executable files
3
Suspicious files
18
Text files
36
Unknown types
0

Dropped files (PID, process, type, filename; then hashes)

3456 iexplore.exe  html  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\E5HLTQZC.htm
    MD5: 9B77F974CA59A86C9F10C1E86E9D231D
    SHA256: 85BEB34736BBDF10BCF11899A20C1368C2C5C1136ACE902690020160DE59096C
3456 iexplore.exe  text  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\c1b3b4d[1].js
    MD5: B156E26E81EEECE5B022D68153CFA6F0
    SHA256: F1E96900F8E0212DA2A59DD2DFFAA8B071008E94A5B89615185E8A6BAAFB4335
3456 iexplore.exe  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\bg1[1].png
    MD5: B92CD95D671D97293089A4963B8C8E3C
    SHA256: 4B4E187145DD112480991549CDA03481931ED58FC9E9B2BCD3F5D3849C4F6A6C
3456 iexplore.exe  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\bg3[1].png
    MD5: 4F9B90DE5C5B53129A72003CC5B7855F
    SHA256: C610D990CD32A1807246623C7BC538AA38437797033DD03880A23304D3741172
3456 iexplore.exe  binary  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    MD5: B09C1D9150C1A13B2F57D8AE81AE245A
    SHA256: 1E86C65798F09F3E9741F88DB86494544DB65AAC67F701A95AE7A5E79E0D34E3
3456 iexplore.exe  binary  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    MD5: 95F04370AC3DB7B585EEFD80FEDCEF74
    SHA256: F0DD9E3FAE20708260A1BFBB4064C8E19939CC3F87064FD4BA5C43CA80991920
3456 iexplore.exe  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\bg2[1].png
    MD5: F5719C2F06B1B42BCC46ED2EC009FD47
    SHA256: B8D5180B81803302D055D5A0F0D5211AABC74019288904685A8C8DA8F0D1E9F2
3456 iexplore.exe  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\intro1[1].png
    MD5: 2B40643A7252A7E909393A3BE75B3050
    SHA256: 6A72197498896E518FA968D97E95F63F06EFCCCA11710B172004E20E28F1113B
3456 iexplore.exe  text  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\3ad083d[1].js
    MD5: 976CA52F6A78BFB2121AA5C799295781
    SHA256: B51DB260A51E86B9EDFBDD40C0213481EDE90F8B6D2D162252C52E5220878679
3456 iexplore.exe  binary  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    MD5: F5D72BD35E1BBA935C2314A01C54CC74
    SHA256: A95A7F382F3A684F2618711E3307F7E3125C16E74FB74CE495441B11C917277D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
57
DNS requests
23
Threats
15

HTTP requests

PID   Process       Method  Code  IP                  URL                                                    Reputation  Type   Size
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/intro1.png            unknown     image  51.1 Kb
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/                                   unknown     html   8.60 Kb
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/bg1.png               unknown     image  9.97 Kb
3456  iexplore.exe  GET     302   218.12.76.165:80    http://www.ijinshan.com/images/20161227/logo-1.png     unknown     html   142 b
3456  iexplore.exe  GET     302   218.12.76.165:80    http://www.ijinshan.com/images/v3/down.png             unknown     html   142 b
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/bg3.png               unknown     image  6.80 Kb
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/intro3.png            unknown     image  72.8 Kb
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/intro2.png            unknown     image  62.4 Kb
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/bg2.png               unknown     image  4.83 Kb
3456  iexplore.exe  GET     200   120.232.206.80:80   http://www.duba.net/images/index/intro5.png            unknown     image  67.9 Kb

Connections

PID   Process       IP                    Domain                    ASN                                                     CN  Reputation
4     System        192.168.100.255:138   -                         -                                                       -   unknown
4     System        192.168.100.255:137   -                         -                                                       -   unknown
1080  svchost.exe   224.0.0.252:5355      -                         -                                                       -   unknown
3456  iexplore.exe  120.232.206.80:80     www.duba.net              China Mobile communications corporation                 CN  unknown
3456  iexplore.exe  103.235.46.191:443    hm.baidu.com              Beijing Baidu Netcom Science and Technology Co., Ltd.   HK  unknown
3456  iexplore.exe  218.12.76.165:80      www.ijinshan.com          CHINA UNICOM China169 Backbone                          CN  unknown
3456  iexplore.exe  101.42.125.251:80     new.duba.net              Shenzhen Tencent Computer Systems Company Limited       CN  unknown
3456  iexplore.exe  218.12.76.165:443     www.ijinshan.com          CHINA UNICOM China169 Backbone                          CN  unknown
3456  iexplore.exe  120.232.206.80:443    www.duba.net              China Mobile communications corporation                 CN  unknown
3456  iexplore.exe  93.184.221.240:80     ctldl.windowsupdate.com   EDGECAST                                                GB  unknown

DNS requests

Domain
IP
Reputation
www.duba.net
  • 120.232.206.80
  • 36.42.77.164
  • 36.42.77.171
  • 120.52.95.235
  • 120.52.95.236
  • 120.52.95.241
  • 218.12.76.166
  • 120.232.206.78
  • 120.232.206.82
  • 36.42.77.167
  • 218.12.76.170
  • 218.12.76.168
unknown
hm.baidu.com
  • 103.235.46.191
unknown
fe-res.zhhainiao.com
  • 120.232.206.80
  • 36.42.77.164
  • 36.42.77.171
  • 120.52.95.235
  • 120.52.95.236
  • 120.52.95.241
  • 218.12.76.166
  • 120.232.206.78
  • 120.232.206.82
  • 36.42.77.167
  • 218.12.76.170
  • 218.12.76.168
unknown
www.ijinshan.com
  • 218.12.76.165
  • 120.52.95.239
unknown
dh1.cmcmcdn.com
  • 183.131.185.35
  • 182.140.225.35
  • 220.169.152.35
  • 180.97.198.35
  • 171.214.24.35
  • 42.81.98.35
  • 42.101.4.35
  • 42.101.56.35
  • 58.57.102.35
  • 58.222.20.35
unknown
new.duba.net
  • 101.42.125.251
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
unknown
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
unknown
ocsp2.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
unknown
api.bing.com
  • 13.107.5.80
unknown

Threats (the PID and Process columns carry no values in this excerpt, so the alerts cannot be attributed to a process from this page alone)

Class                                   Message
Potential Corporate Privacy Violation   ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Possibly Unwanted Program Detected      ADWARE [ANY.RUN] PUP.Win32/KingSoft.E
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Potentially Bad Traffic                 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
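Two of the Emerging Threats signatures above carry most of the network-side signal in this report: the "Likely Fake (Mozilla/4.0)" User-Agent rule and the "PE EXE or DLL Windows file download HTTP" rule. The script below is an added example, not the ET/Suricata rule source, that re-implements both checks in simplified form over a list of HTTP transactions as a proxy log or PCAP parser would record them. The transactions are constructed: the duba.net URLs come from the HTTP table above, but every header and body is invented for the demo, and the executable download is placed on a hypothetical host (dl.example.invalid) because this excerpt does not show the URL that PID 3968 fetched.

```python
"""Simplified re-implementation of two ET checks that fired in this report:
a User-Agent starting with "Mozilla/4.0" and a PE file served over plain
HTTP. Added example, not Emerging Threats rule code."""

import struct
from dataclasses import dataclass

UA_RULE = "ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"
PE_RULE = "ET POLICY PE EXE or DLL Windows file download HTTP"
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"


@dataclass
class HttpTx:
    """One request/response pair: who sent it, what was asked, what came back."""
    pid: int
    method: str
    url: str
    status: int
    request_headers: dict
    response_body: bytes = b""


def looks_like_pe(body: bytes) -> bool:
    """True when the body starts with an MZ stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. This is stricter than the ET rule, which
    approximates the same thing with content matches on the first bytes."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_mozilla4_ua(headers: dict) -> bool:
    """Current browsers send Mozilla/5.0; a Mozilla/4.0 prefix usually means a
    hand-rolled HTTP client (WinInet/WinHTTP defaults or a hard-coded string)."""
    return headers.get("User-Agent", "").startswith("Mozilla/4.0")


def scan(txs: list) -> list:
    """Return (pid, rule, url) alerts for every transaction that matches.
    The PE rule is limited to http:// because Suricata sees no plaintext
    body on TLS without a decrypting proxy."""
    alerts = []
    for tx in txs:
        if fake_mozilla4_ua(tx.request_headers):
            alerts.append((tx.pid, UA_RULE, tx.url))
        if tx.url.startswith("http://") and looks_like_pe(tx.response_body):
            alerts.append((tx.pid, PE_RULE, tx.url))
    return alerts


def minimal_pe() -> bytes:
    """Smallest byte string looks_like_pe() accepts: a 64-byte MZ stub with
    e_lfanew = 0x40 followed by the PE signature. Constructed test data."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


# Constructed transactions. URLs 1-2 are from the report's HTTP table;
# the download host dl.example.invalid is hypothetical.
SAMPLE_TXS = [
    HttpTx(3456, "GET", "http://www.duba.net/", 200,
           {"User-Agent": IE11_UA}, b"<html>...</html>"),
    HttpTx(3456, "GET", "http://www.duba.net/images/index/bg1.png", 200,
           {"User-Agent": IE11_UA}, b"\x89PNG\r\n\x1a\n"),
    HttpTx(3968, "GET", "http://dl.example.invalid/update.exe", 200,
           {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
           minimal_pe()),
    # Same binary over TLS: the PE rule has nothing to inspect, and the
    # client here sends a normal User-Agent, so no alert fires.
    HttpTx(3968, "GET", "https://dl.example.invalid/update.exe", 200,
           {"User-Agent": IE11_UA}, minimal_pe()),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TXS):
        print(alert)
```

Both rules are hunting-grade rather than conviction-grade: plenty of legitimate updaters still send Mozilla/4.0, and a PE over HTTP is a policy finding, not proof of malice. What makes them worth chasing here is the combination with the host-side indicator "Process requests binary or script from the Internet" on PID 3968; since the Threats table in this excerpt has lost its PID column, the PCAP in the full report is the only place to confirm which process produced each alert.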
No debug info