URL: http://www.duba.net

Full analysis: https://app.any.run/tasks/1551b43e-1ea8-40e7-89b3-a7e4f7be6d9a
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 06, 2024, 18:15:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MD5: 6E73D0B98F3574D03128E73EE0538E82
SHA1: C882E2CAAEA320C93907311F32CA3F34373339FC
SHA256: AE6194CED5A24D8F2A4AFF473B6BBCD41048AAC4A0C837550148EE17214BA0B8
SSDEEP: 3:N1KJS4xIR:Cc4+R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • kinstnui_150_15.exe (PID: 3968)
  • INFO

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 268)
    • Application launched itself

      • iexplore.exe (PID: 268)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 268)
    • The process uses the downloaded file

      • iexplore.exe (PID: 268)
    • Checks supported languages

      • kinstnui_150_15.exe (PID: 3968)
    • Reads the computer name

      • kinstnui_150_15.exe (PID: 3968)
    • Reads the machine GUID from the registry

      • kinstnui_150_15.exe (PID: 3968)
    • Creates files in a temporary directory

      • kinstnui_150_15.exe (PID: 3968)
No Malware configuration.
No data.
Total processes: 45
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process chain: start → iexplore.exe → iexplore.exe → kinstnui_150_15.exe (no specs) → kinstnui_150_15.exe

Process information

PID | CMD | Path | Parent process
268 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.duba.net" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3456 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:268 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3644 | "C:\Users\admin\Downloads\kinstnui_150_15.exe" | C:\Users\admin\Downloads\kinstnui_150_15.exe | iexplore.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
MEDIUM
Description:
Kingsoft Security - 安装程序
Exit code:
3221226540
Version:
2022,10,22,2040
Modules
Images
c:\users\admin\downloads\kinstnui_150_15.exe
c:\windows\system32\ntdll.dll
3968 | "C:\Users\admin\Downloads\kinstnui_150_15.exe" | C:\Users\admin\Downloads\kinstnui_150_15.exe | iexplore.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - 安装程序
Exit code:
0
Version:
2022,10,22,2040
Modules
Images
c:\users\admin\downloads\kinstnui_150_15.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 15 093
Read events: 15 009
Write events: 78
Delete events: 6

Modification events

Process | Key | Operation | Name | Value
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 0
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30847387
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30847437
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(268) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 3
Suspicious files: 18
Text files: 36
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\intro1[1].png | image
  MD5: 2B40643A7252A7E909393A3BE75B3050
  SHA256: 6A72197498896E518FA968D97E95F63F06EFCCCA11710B172004E20E28F1113B
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: F5D72BD35E1BBA935C2314A01C54CC74
  SHA256: A95A7F382F3A684F2618711E3307F7E3125C16E74FB74CE495441B11C917277D
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\E5HLTQZC.htm | html
  MD5: 9B77F974CA59A86C9F10C1E86E9D231D
  SHA256: 85BEB34736BBDF10BCF11899A20C1368C2C5C1136ACE902690020160DE59096C
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | binary
  MD5: 2E0802B8957679A05A9BBEBBF6BF262E
  SHA256: EE7D35129A268B571E7823254D69C71B8EC00DF474D8D95292DB2AFF17EE10F7
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | binary
  MD5: B405FD1D6A3BF4009443EF254ACB4B53
  SHA256: 5E95161CCCBB90B8AF070193D505A77C941E7F3D94C154355E847DE58A7F4E5C
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\bg1[1].png | image
  MD5: B92CD95D671D97293089A4963B8C8E3C
  SHA256: 4B4E187145DD112480991549CDA03481931ED58FC9E9B2BCD3F5D3849C4F6A6C
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\bg2[1].png | image
  MD5: F5719C2F06B1B42BCC46ED2EC009FD47
  SHA256: B8D5180B81803302D055D5A0F0D5211AABC74019288904685A8C8DA8F0D1E9F2
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\3ad083d[1].js | text
  MD5: 976CA52F6A78BFB2121AA5C799295781
  SHA256: B51DB260A51E86B9EDFBDD40C0213481EDE90F8B6D2D162252C52E5220878679
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary
  MD5: 95F04370AC3DB7B585EEFD80FEDCEF74
  SHA256: F0DD9E3FAE20708260A1BFBB4064C8E19939CC3F87064FD4BA5C43CA80991920
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | binary
  MD5: 4E233F00E3B633D2C80112B79061B697
  SHA256: BD5CBE7202D1B2A841A9B1949008F81D07044B898E79D0983D5644833370E50C
HTTP(S) requests: 52
TCP/UDP connections: 57
DNS requests: 23
Threats: 15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/ | unknown | html | 8.60 Kb | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/intro1.png | unknown | image | 51.1 Kb | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/bg1.png | unknown | image | 9.97 Kb | unknown
3456 | iexplore.exe | GET | 302 | 218.12.76.165:80 | http://www.ijinshan.com/images/20161227/logo-1.png | unknown | html | 142 b | unknown
3456 | iexplore.exe | GET | 302 | 218.12.76.165:80 | http://www.ijinshan.com/images/v3/down.png | unknown | html | 142 b | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/bg3.png | unknown | image | 6.80 Kb | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/intro3.png | unknown | image | 72.8 Kb | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/intro2.png | unknown | image | 62.4 Kb | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/bg2.png | unknown | image | 4.83 Kb | unknown
3456 | iexplore.exe | GET | 200 | 120.232.206.80:80 | http://www.duba.net/images/index/intro5.png | unknown | image | 67.9 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3456 | iexplore.exe | 120.232.206.80:80 | www.duba.net | China Mobile communications corporation | CN | unknown
3456 | iexplore.exe | 103.235.46.191:443 | hm.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | unknown
3456 | iexplore.exe | 218.12.76.165:80 | www.ijinshan.com | CHINA UNICOM China169 Backbone | CN | unknown
3456 | iexplore.exe | 101.42.125.251:80 | new.duba.net | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
3456 | iexplore.exe | 218.12.76.165:443 | www.ijinshan.com | CHINA UNICOM China169 Backbone | CN | unknown
3456 | iexplore.exe | 120.232.206.80:443 | www.duba.net | China Mobile communications corporation | CN | unknown
3456 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

DNS requests

Domain | IP | Reputation
www.duba.net | 120.232.206.80, 36.42.77.164, 36.42.77.171, 120.52.95.235, 120.52.95.236, 120.52.95.241, 218.12.76.166, 120.232.206.78, 120.232.206.82, 36.42.77.167, 218.12.76.170, 218.12.76.168 | unknown
hm.baidu.com | 103.235.46.191 | whitelisted
fe-res.zhhainiao.com | 120.232.206.80, 36.42.77.164, 36.42.77.171, 120.52.95.235, 120.52.95.236, 120.52.95.241, 218.12.76.166, 120.232.206.78, 120.232.206.82, 36.42.77.167, 218.12.76.170, 218.12.76.168 | unknown
www.ijinshan.com | 218.12.76.165, 120.52.95.239 | unknown
dh1.cmcmcdn.com | 183.131.185.35, 182.140.225.35, 220.169.152.35, 180.97.198.35, 171.214.24.35, 42.81.98.35, 42.101.4.35, 42.101.56.35, 58.57.102.35, 58.222.20.35 | unknown
new.duba.net | 101.42.125.251 | unknown
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.globalsign.com | 104.18.21.226, 104.18.20.226 | whitelisted
ocsp2.globalsign.com | 104.18.21.226, 104.18.20.226 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted

Threats

PID | Process | Class | Message
3456 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] PUP.Win32/KingSoft.E
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3968 | kinstnui_150_15.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
No debug info